You are on page 1of 48

GAMP5 as a Suitable

Framework for Validation


of Electronic Document
Management Systems
On Premise and 'In the
Cloud'
Keith Williams
CEO GxPi

Disclaimer

The views and opinions expressed in the following PowerPoint slides


are those of the individual presenter and should not be attributed to
Drug Information Association, Inc. (DIA), its directors, officers,
employees, volunteers, members, chapters, councils, Special Interest
Area Communities or affiliates, or any organization with which the
presenter is employed or affiliated.
These PowerPoint slides are the intellectual property of the individual
presenter and are protected under the copyright laws of the United
States of America and other countries. Used by permission. All rights
reserved. Drug Information Association, DIA and DIA logo are
registered trademarks or trademarks of Drug Information Association
Inc. All other trademarks are the property of their respective owners.

Drug Information Association

www.diahome.org

History and evolution of GAMP


Group founded in 1991 in the UK from life sciences manufacturing
(not called GAMP)
First GAMP (Good Automated Manufacturing Practice) guide
published in 1994
Partnered with ISPE (International Society for Pharmaceutical
Engineering) in 1994
GAMP 4 (2001) included a lot of detail in terms of checklists,
templates, proposed V model etc.
Replaced by a Quality Risk Management approach in GAMP 5
(2008) plus IT related best practice guides (2005-2012)
Its a guideline, not a Regulation, but still widely followed

http://www.ispe.org/gamp5
Drug Information Association

www.diahome.org

Context Trend of EDMS over the last 15-20 YearsMatching the Evolution of GAMP
1994
Mostly In-house
developed EDMS or
bespoke by supplier

(OP)

2002
Configured EDMS
on platforms- still
some development

(OP)

2010
Validation approaches have had to adapt
to this change as more of the activities
transfer to Outsourcing companies
(OP= On-Premise; Hosted may = Cloud)

Drug Information Association

www.diahome.org

COTS or Preconfigured (OP

and Hosted
EDMS)

Can you Use GAMP 5 for Validation of an EDMS for


On Premise and Hosted in the Cloud deployment?

In short, Yes it is suitable (otherwise this would be a short talk).


It is a framework designed to ensure that computerised systems are
fit for purpose and compliant with current regulatory requirements
BUT

It should be employed as part of, and alongside your Validation Master Plan (VMP)
A specific Validation Plan (VP) should be produced for each GxP regulated system
VP should focus on aspects related to patient safety, product quality and data
integrity
You need to have a deep understanding of the underlying technologies that are being
employed in the Hosting of the Infrastructure, Platforms and Software applications
You should leverage as much of the Suppliers expertise, testing and documentation
as possible (see examples later)

Drug Information Association

www.diahome.org

Why is GAMP 5 useful now?

Drug Information Association

www.diahome.org

Click to edit Master title style

RISK ASSESSMENT AND OVERVIEW


OF TOOLS

Drug Information Association

www.diahome.org

How can a risk based approach cut costs?

High Level Risk Assessment do you need to


validate at all?
Functional Risk Assessment where should you
focus your efforts in terms of documentation and
testing?

Drug Information Association

www.diahome.org

Assessment- do you have a GxP Critical system?

Drug Information Association

www.diahome.org

GAMP 5 Risk based approach at a functional level

Drug Information Association

www.diahome.org

10

What does GAMP 5 suggest?


Clear separation of Regulated Company and Supplier
Responsibilities
Advice on managing the interface with suppliers, including
assessments / audits
Full proposed set of documents, including templates
Acknowledges differences between Information Systems and
computer-controlled equipment.
Application of a Risk-based approach
Categorisation of Software or Components
Emphasis on the Validation Plan and Validation Report
The end-result should be not just be an auditable set of documents,
but hopefully a computer system that does what it is meant to do!

Drug Information Association

www.diahome.org

11

Click to edit Master title style

VALIDATION OF AN EDMS
ON-PREMISE VS CLOUD

Drug Information Association

www.diahome.org

12

GAMP 5 Compliance by adopting a life cycle


approach to Computerised Systems

Drug Information Association

www.diahome.org

13

The Main Components of an EDMS that need to be


managed

Platform Hardware (Servers and clients)


Server Software (Platform and Application)
Client Software
EDMS Processes (Process Owner)
EDMS Community (People, SME, System
Owner- may also be Process Owner)

Drug Information Association

www.diahome.org

14

Some definitions of Cloud and Hosting (outsourcing)

Cloud Computing -SaaS, Paas, Iaas,

Cloud computing is a model for enabling ubiquitous, convenient, ondemand network access to a shared pool of configurable computing
resources (e.g. networks, servers, storage, applications, and services) that
can be rapidly provisioned and released with minimal management effort or
service provider interaction.
Software as a Service (SaaS). The capability provided to the consumer is
to use the providers applications running on a cloud infrastructure
Platform as a Service (PaaS). The capability provided to the consumer is
to deploy onto the cloud infrastructure consumer-created or acquired
applications created using programming languages, libraries, services, and
tools supported by the provider.
Infrastructure as a Service (IaaS). The capability provided to the
consumer is to provision processing, storage, networks, and other
fundamental computing resources where the consumer is able to deploy
and run arbitrary software, which can include operating systems and
applications

Drug Information Association

www.diahome.org

15

Some further definitions of Cloud and Hosting


(outsourcing)

Cloud-, Private, Public, Community, and Hybrid

Private cloud: The cloud infrastructure is provisioned for exclusive use by a single
organization comprising multiple consumers (e.g., business units). It may be owned,
managed, and operated by the organization, a third party, or some combination of
them, and it may exist on or off premises.
Public cloud: The cloud infrastructure is provisioned for open use by the general
public. It may be owned, managed, and operated by a business, academic, or
government organization, or some combination of them. It exists on the premises of
the cloud provider.
Community cloud: The cloud infrastructure is provisioned for exclusive use by a
specific community of consumers from organizations that have shared concerns (e.g.,
mission, security requirements, policy, and compliance considerations). It may be
owned, managed, and operated by one or more of the organizations in the
community, a third party, or some combination of them, and it may exist on or off
premises.
Hybrid cloud: The cloud infrastructure is a composition of two or more distinct cloud
infrastructures (private, community, or public) that remain unique entities, but are
bound together by standardized or proprietary technology that enables data and
application portability (e.g., cloud bursting for load balancing between clouds).

Drug Information Association

www.diahome.org

16

GAMP 5 Categories and what to do

Infrastructure and OS are treated as GAMP Category 1


whether On Premise or Hosted
The EDMS will be 3 if it is Pre-configured and deployed
without any major changes (not likely)
The EDMS will be 4 if it is configured
Category 5 we wont cover here but your Software
Application provider should have validated their core
product to this

Drug Information Association

www.diahome.org

17

Service and Deployment models for On Premise and


Hosted and who controls and manages them
Hybrid Clouds can be combinations of On-premise, Private or Public

Drug Information Association

www.diahome.org

18

Example Component Categorisation for EDMS Cloud


Implementation
Service

Components

GAMP
What to do?
Category

Who?

IaaS

Hardware, Internet
Connectivity, Power,
Servers, Storage and
RAM, VMWare, Hyper-V

Qualify and manage


infrastructure.
Audit procedures.

Infrastructure Vendor
(IV).
Application Vendor(AV)
or Sponsor.

PaaS

O/S, Windows Server,


SharePoint and SQL

Qualify the stack.


Manage / control
ongoing changes.
Audit procedures.

Platform Vendor (PV)


PV.

Validate the
hosted application.
URS and UAT

AV

SaaS

e.g. Hosted EDMS

Drug Information Association

www.diahome.org

AV or Sponsor

Sponsor

19

All the areas below will have difference between OnPremise and Hosted implementation
For EDMS Projects, the supplier involvement varies
with On-Premise or Hosted Variations in these areas

Drug Information Association

www.diahome.org

20

On Premise qualification and validation management

Regulated Company handles everything in-house


Owns and manages corporate IT infrastructure,
relying on in-house IT department
Sets up and qualifies separate machines / platforms /
environments for informal development, formal testing
and for live use
Audits the software supplier
Validates the application / system

Drug Information Association

www.diahome.org

21

Hosted Cloud qualification and validation


management

Regulated company uses private/public cloud-based


Software as a Service for submissible or inspectable
data
Allows IaaS provider to manage infrastructure flexibly,
adjusting capacity and even location, as needed
Relies on SaaS providers validation documentation
and testing of functionality
Carries out minimal validation of software
configuration to meet basic user requirements
Carries out audits of service providers

Drug Information Association

www.diahome.org

22

Click to edit Master title style

EXAMPLE OF CATEGORY 4 EDMS


QUALIFICATION

Drug Information Association

www.diahome.org

23

Area examined for a CAT4 EDMS example


EDMS Projects, the supplier involvement varies with
On-Premise or Hosted Variations

EDMS CAT 4
DETAILED PLAN
EXAMPLE

Drug Information Association

www.diahome.org

24

Category 4- Configuration of the EDMS

Drug Information Association

www.diahome.org

25

EDMS Cat 4: Project Activities, Deliverables and


Responsibilities Regulated Company and Supplier

Drug Information Association

www.diahome.org

26

How could this breakdown into activities for a multisupplier Cloud delivery?

Activities:

Organisations: Regulated Software SaaS


Company Developer Provider

Validation Plan & Report


User Requirements & Acceptance Testing

IaaS
Provider

Functional & Design Documentation


Installation Qualification
Incident Management

Infrastructure Qualification
Operational Change Control

Periodic Review

Note: Can use separate matrices for Project activities and Ongoing Service
Drug Information Association

www.diahome.org

27

Summary of Compliance Risk Management in the


Cloud
You cant mitigate risks unless:
You know what you are managing
You know what the risks are

Biggest problems with Cloud are:


Lack of understanding of what the Cloud is (and is not!) and to what the
consistent terms are that apply to your company by Quality AND IT staff
Lack of understanding of the enabling technologies, how they work and
interactions between them and other applications

Suppliers Sell Cloud services:


Without understanding what the regulated company needs and where the risk is
Without defining responsibilities
Without appreciating and the cost of compliance the Life Science company
requires
*this is not unique to Cloud suppliers, this is general outsourcing and Supplier management
misunderstanding, usually after the contracts have been signed by procurement and variations
occur
Drug Information Association

www.diahome.org

28

Click to edit Master title style

SOME PRACTICAL EXAMPLES

Drug Information Association

www.diahome.org

29

Example 1

Small Pharma Company (500 users) using on-premise


EDMS software for document management.
Company keen to minimise IT costs so they set up their
server farm as virtual machines.
Software supplier contractually responsible for software
Change Management, including regression testing.
Software supplier using IaaS provider to host virtual test
environments, as part of the support provided.

Example 1: Lessons Learned

Traditional On-premise model project went to plan on


time and budget
BUT; the capability to rapidly set-up an identical
qualified test environment greatly speeded up the
testing of an unrepeatable fault, the fix and then release
of controlled changes
Good support from a specialised IaaS provider, keen to
explore ways of supporting Pharma clients
Qualification of new virtual environments can also be
greatly speeded up, via use of executable scripts to
install the relevant files and to confirm that the
installation meets specifications

Example 2

New virtual Pharma company using hosted SaaS for


electronic document management.
The Software Product is highly configurable (as distinct
from customisable) to meet client business requirements
Specialised software application / SaaS provider with
auditable development documentation ready for Pharma
clients.
Extensive auditing carried out by Pharma Companyleveraged the document set and experince of the
supplier
Separate IaaS provider used for actual hosting, audited
by the SaaS provider

Example 2 : Lessons Learned

Niche service providers do understand needs of Pharma


Clients, and expect to be audited hard as part of
supplier selection
SaaS provider can take on responsibility to audit and
manage the IaaS provider, including Infrastructure and
Installation Qualification and that can be audited by
Pharma Company.
Suppliers need to be pragmatic when faced with multiple
opinions on compliance details from different clientsmake sure that they have a robust but cost effective
system
Configuration of the application needs to be managed
carefully by the SaaS provider, with maximum input from
actual users

Click to edit Master title style

WHAT THE REGULATORS HAVE SAID


ABOUT CLOUD USAGE THIS YEAR

Drug Information Association

www.diahome.org

34

What are regulators interested in


when they discover IT is in the Cloud?

That the Integrity of the Data is assured


Risks have been clearly identified & mitigated
Client/Provider Contracts cover off key elements
Supplier Quality Systems are adequate
QMS, validation, change control, training
Cybersecurity has been tested (ethical hacking?)
Data Backup/Recovery processes are robust and fit
for requirements
Evidence of Audits of Providers by FDA/ other Clients

Drug Information Association

www.diahome.org

35

SUMMARY

GAMP 5 is widely used and referenced in our


Industry
It can help both Suppliers and Users of EDMS
It can be applied to both on-premise and hosted
environments

I would advocate closer ties with DIA and ISPE so


experiences and guidance can be shared and
knowledge built
Drug Information Association

www.diahome.org

36

Thanks for material and thoughts contributing to this


presentation go to:

Phil Harrison of GXPi


Thana Subramanian of GE
Randy Perez of Novartis (and Chair of ISPE)
David Stokes of Business Decision
ISPE for use of GAMP material
Fujitsu

Drug Information Association

www.diahome.org

37

Thanks for listening!!


Keith Williams (kwilliams@gxpi.com )

Drug Information Association

www.diahome.org

38

Click to edit Master title style

REFERENCE MATERIAL

Drug Information Association

www.diahome.org

39

Other Resources- Best Practice Guides


Operation of GxP Computerized Systems (2010)

Regulators usually focus on the integrity, consistency, and completeness of controls required
to maintain compliance.
Highlights the importance of the operation phase of the system lifecycle
When the return on investment for the significant time and resource expended in
implementing new computerized systems can be achieved.

IT Infrastructure Control & Compliance Guide

The validated status of EDMS applications that are dependent upon an underlying IT
Infrastructure
Being updated for Cloud elements
ID and assessment of components
Qualification
Maintenance of the Qualified State

Drug Information Association

www.diahome.org

40

Other Resources- Best Practice Guides

Testing of GxP Systems (2012)

Very Process and prescriptive Driven (around 200 pages)


Helps maximize testing efficiency without compromising the quality of GxP Systems
focusing testing on areas that have the greatest impact
has been recently expanded and updated and reflects ICH Q8, Q9, and Q10
contains new information on Cloud computing

Global Information Systems Control & Compliance (2005)

Project Management on multiple geographic site Computer system projects


Validation and Implementation approaches
Global System management of Change Control
Record retention

Drug Information Association

www.diahome.org

41

Useful References

GAMP 5: http://www.ispe.org/gamp-5
NIST: http://www.nist.gov/itl/cloud/index.cfm
ICH: http://www.ich.org/

Annex 11:http://ec.europa.eu/health/files/eudralex/vol-4/annex11_012011_en.pdf
21CFR Part11:
http://www.fda.gov/RegulatoryInformation/Guidances/ucm125067.htm

GAMP Community of Practice: http://www.ispe.org/gampcop

Drug Information Association

www.diahome.org

42

How Risk Management ICH maps to GAMP 5

Drug Information Association

www.diahome.org

43

The Advantages of using GAMP 5


Has had a lot of thought gone into it in a pragmatic way
Is process driven and risk based so you can use the framework to
do as much or as little as you see fit
Gives you the latitude to do what is necessary for your business and
allocate appropriate resource
Establishes a common language and terminology (BUT see Cloud
terms for further confusion)
Has been harmonised where possible with other standards such as
ICH Q8, Q9 and Q10 and various ISO standards
Is designed to be compatible with other computer and software
models and methods like ITIL, RUP etc.
The validation of a computerised system to achieve and maintain
GxP compliance throughout the lifecycle of that system
It clarifies scalability of and central role of Quality Risk Management
in a sensible justifiable approach to what you do (but document it!!)
Drug Information Association

www.diahome.org

44

The Disadvantages of using GAMP 5

May not fit well to your existing Quality process


Comes from a Manufacturing/Production bias
So there may be a feeling of it doesnt apply to me
Terminology and nomenclature may be different
Less prescriptive than previous GAMP iterations
The risk based approach requires complete product, process and
technology understanding
This in turn means you have to understand deeply the technologies
being employed and their quality impact, and/or employ or pay for
Subject Matter Experts (SMEs)
For Hosting situations, you will require (and may have to educate)
your Supplier to manage their QMS and activities in a way
commensurate with GAMP (see next slide)
Cost- perceived and otherwise, but mostly getting everyone on the
same page and with agreed nomenclature
Drug Information Association

www.diahome.org

45

Just a reflection on why we bother to validate?


Minimise the risk that something goes wrong with the end
customers health and safety
Keep the regulators confident in your business and prevent them
issuing restrictions and actions against you (note: they require to
see documented evidence in Human Readable format)

BUT
Cost of compliance adds to cost of doing things and ultimately cost
of goods (which we want to reduce)
Computer System Validation (and GAMP) was traditionally
associated with extra workload and greatly increased costs of
compliance
Drug Information Association

www.diahome.org

46

Challenges of imposing GAMP 5 on Suppliers of


Hosted Services for the Life Sciences sector

Change control: Sometimes even minor software tweaks or patching,


whether necessary or not, can cause major breakdown. The rigour of
change management, impact assessment and testing adds to the work
burden and short term cost (and is one that the supplier may not be used to)

QMS: Infrastructure suppliers may prefer not to work within the confines of
specifications and procedures developed by others (Pharma Sector). If you
are going to rely on suppliers, they may not want to bear the cost of
implementing a formal QMS that will tick all of your requirements, especially
the cloud providers who have many other customers

Documentation: Effective documentation management is fundamental to


demonstrate compliance, again suppliers may not be able to manage this,
or their training records, auditing of their suppliers etc.

Drug Information Association

www.diahome.org

47

Some things to look for in a Supplier to ease the


implementation of a Cloud EDMS
Minimum
Documents and schematics that are understandable by the non-expert
They manage change in an acceptable manner
They have clear contracts and allocation of responsibilities
They have been audited by other regulated companies
They audit their suppliers
Suitable test scripts for their environment to prove security and data integrity
Ideally
They have detailed experience of the compliance needs of the Life Sciences industry
and tools to aid and ensure that compliance is achieved efficiently
They have validation documents of a suitable quality that allows you to leverage,
using risk-based approach to reduce your validation effort
They can clearly communicate and educate complex technology environments to
your team so they can understand the operation and design elements
They have been audited by other Life Sciences companies
They have a robust and suitable QMS that matches Life Sciences industry
expectations
They have adequate Subject Matter Experts that span IT technical and compliance
Drug Information Association

www.diahome.org

48