Beruflich Dokumente
Kultur Dokumente
CEO GxPi
GAMP5 as a Suitable
Framework for Validation
of Electronic Document
Management Systems
On Premise and 'In the
Cloud'
www.diahome.org
Disclaimer
www.diahome.org
http://www.ispe.org/gamp5
2002
www.diahome.org
(OP)
Configured EDMS
on platforms- still
some development
(OP)
Mostly In-house
developed EDMS or
bespoke by supplier
1994
and Hosted
EDMS)
2010
COTS or Preconfigured (OP
Context Trend of EDMS over the last 15-20 YearsMatching the Evolution of GAMP
www.diahome.org
It should be employed as part of, and alongside your Validation Master Plan (VMP)
A specific Validation Plan (VP) should be produced for each GxP regulated system
VP should focus on aspects related to patient safety, product quality and data
integrity
You need to have a deep understanding of the underlying technologies that are being
employed in the Hosting of the Infrastructure, Platforms and Software applications
You should leverage as much of the Suppliers expertise, testing and documentation
as possible (see examples later)
BUT
www.diahome.org
www.diahome.org
www.diahome.org
www.diahome.org
www.diahome.org
10
www.diahome.org
11
www.diahome.org
VALIDATION OF AN EDMS
ON-PREMISE VS CLOUD
12
www.diahome.org
13
www.diahome.org
14
www.diahome.org
15
Cloud computing is a model for enabling ubiquitous, convenient, ondemand network access to a shared pool of configurable computing
resources (e.g. networks, servers, storage, applications, and services) that
can be rapidly provisioned and released with minimal management effort or
service provider interaction.
Software as a Service (SaaS). The capability provided to the consumer is
to use the providers applications running on a cloud infrastructure
Platform as a Service (PaaS). The capability provided to the consumer is
to deploy onto the cloud infrastructure consumer-created or acquired
applications created using programming languages, libraries, services, and
tools supported by the provider.
Infrastructure as a Service (IaaS). The capability provided to the
consumer is to provision processing, storage, networks, and other
fundamental computing resources where the consumer is able to deploy
and run arbitrary software, which can include operating systems and
applications
www.diahome.org
16
Private cloud: The cloud infrastructure is provisioned for exclusive use by a single
organization comprising multiple consumers (e.g., business units). It may be owned,
managed, and operated by the organization, a third party, or some combination of
them, and it may exist on or off premises.
Public cloud: The cloud infrastructure is provisioned for open use by the general
public. It may be owned, managed, and operated by a business, academic, or
government organization, or some combination of them. It exists on the premises of
the cloud provider.
Community cloud: The cloud infrastructure is provisioned for exclusive use by a
specific community of consumers from organizations that have shared concerns (e.g.,
mission, security requirements, policy, and compliance considerations). It may be
owned, managed, and operated by one or more of the organizations in the
community, a third party, or some combination of them, and it may exist on or off
premises.
Hybrid cloud: The cloud infrastructure is a composition of two or more distinct cloud
infrastructures (private, community, or public) that remain unique entities, but are
bound together by standardized or proprietary technology that enables data and
application portability (e.g., cloud bursting for load balancing between clouds).
www.diahome.org
17
www.diahome.org
18
Hardware, Internet
Connectivity, Power,
Servers, Storage and
RAM, VMWare, Hyper-V
IaaS
PaaS
SaaS
Components
Service
www.diahome.org
Validate the
hosted application.
URS and UAT
GAMP
What to do?
Category
Sponsor
AV
AV or Sponsor
19
Infrastructure Vendor
(IV).
Application Vendor(AV)
or Sponsor.
Who?
www.diahome.org
All the areas below will have difference between OnPremise and Hosted implementation
20
www.diahome.org
21
www.diahome.org
22
www.diahome.org
23
EDMS CAT 4
DETAILED PLAN
EXAMPLE
www.diahome.org
24
www.diahome.org
25
www.diahome.org
26
www.diahome.org
Note: Can use separate matrices for Project activities and Ongoing Service
Periodic Review
Infrastructure Qualification
Incident Management
Installation Qualification
Activities:
How could this breakdown into activities for a multisupplier Cloud delivery?
27
IaaS
Provider
www.diahome.org
*this is not unique to Cloud suppliers, this is general outsourcing and Supplier management
misunderstanding, usually after the contracts have been signed by procurement and variations
occur
Without understanding what the regulated company needs and where the risk is
Without defining responsibilities
Without appreciating and the cost of compliance the Life Science company
requires
Lack of understanding of what the Cloud is (and is not!) and to what the
consistent terms are that apply to your company by Quality AND IT staff
Lack of understanding of the enabling technologies, how they work and
interactions between them and other applications
28
www.diahome.org
29
Example 1
Example 2
www.diahome.org
34
www.diahome.org
35
www.diahome.org
36
SUMMARY
www.diahome.org
37
www.diahome.org
38
www.diahome.org
REFERENCE MATERIAL
39
www.diahome.org
The validated status of EDMS applications that are dependent upon an underlying IT
Infrastructure
Being updated for Cloud elements
ID and assessment of components
Qualification
Maintenance of the Qualified State
40
Regulators usually focus on the integrity, consistency, and completeness of controls required
to maintain compliance.
Highlights the importance of the operation phase of the system lifecycle
When the return on investment for the significant time and resource expended in
implementing new computerized systems can be achieved.
www.diahome.org
41
www.diahome.org
Annex 11:http://ec.europa.eu/health/files/eudralex/vol-4/annex11_012011_en.pdf
21CFR Part11:
http://www.fda.gov/RegulatoryInformation/Guidances/ucm125067.htm
GAMP 5: http://www.ispe.org/gamp-5
NIST: http://www.nist.gov/itl/cloud/index.cfm
ICH: http://www.ich.org/
Useful References
42
www.diahome.org
43
www.diahome.org
44
www.diahome.org
45
www.diahome.org
BUT
Cost of compliance adds to cost of doing things and ultimately cost
of goods (which we want to reduce)
Minimise the risk that something goes wrong with the end
customers health and safety
46
47
www.diahome.org
QMS: Infrastructure suppliers may prefer not to work within the confines of
specifications and procedures developed by others (Pharma Sector). If you
are going to rely on suppliers, they may not want to bear the cost of
implementing a formal QMS that will tick all of your requirements, especially
the cloud providers who have many other customers
www.diahome.org
48
Ideally
They have detailed experience of the compliance needs of the Life Sciences industry
and tools to aid and ensure that compliance is achieved efficiently
They have validation documents of a suitable quality that allows you to leverage,
using risk-based approach to reduce your validation effort
They can clearly communicate and educate complex technology environments to
your team so they can understand the operation and design elements
They have been audited by other Life Sciences companies
They have a robust and suitable QMS that matches Life Sciences industry
expectations
They have adequate Subject Matter Experts that span IT technical and compliance
Minimum
Documents and schematics that are understandable by the non-expert
They manage change in an acceptable manner
They have clear contracts and allocation of responsibilities
They have been audited by other regulated companies
They audit their suppliers
Suitable test scripts for their environment to prove security and data integrity