d2.t3.s1.p1 -sion wyn - cloud and outsourcing · pdf file•archiving and long term...
TRANSCRIPT
![Page 1: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/1.jpg)
Outsourcing and the Cloud -Ensuring Quality and Compliance
Sion Wyn
Conformity Ltd.
+44 (0) 1492 642622
![Page 2: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/2.jpg)
Overview
• Quality & Compliance in the Cloud
• Regulations and Guidance
• A Proposed Approach
2
![Page 3: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/3.jpg)
Quality and Compliance
in the Cloud
• Ensuring patient safety, product quality,
and data integrity…
• …while exploiting the potential benefits of
cloud computing (and wider aspects of
outsourcing)
3
![Page 4: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/4.jpg)
4
Sources of Information…
http://www.nist.gov
www.enisa.europa.eu
https://cloudsecurityalliance.org
![Page 5: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/5.jpg)
Elastic rapid response
On-demand, measured, self-service
Wide access
Pooled resources
“Cloud computing is the utility of the future”
![Page 6: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/6.jpg)
![Page 7: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/7.jpg)
Need to balance
risk vs. benefit
Benefit
Risk
Cloud
Compliance
7
Sometimes risk is
compensated by opportunity
The risks of using cloud
computing should be
compared to the risks of
staying with traditional
solutions, such as
desktop-based models
![Page 8: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/8.jpg)
Risks
8
Benefit
Risk
Cloud
Compliance
• Loss of governance
• Lock-in
• Isolation failure
• Compliance risks
Identified by
• Management interface
compromise
• Data protection
• Insecure data deletion
• Malicious insider
![Page 9: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/9.jpg)
Benefits
• Pay per use
• Scalability
• Down-time
• Security
– benefits of scale
– a market
differentiator 9
• Tools, techniques, resources
• Audit and evidence-gathering
• Faster, more effective updates
• Audits and SLAs force better
risk management
• Benefits of resource
concentration
Benefit
Risk
Cloud
Compliance
![Page 10: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/10.jpg)
Compliance
10
EU
FDA
Benefit
Risk
Cloud
Compliance
UK Medicines and Healthcare
products Regulatory Agency
![Page 11: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/11.jpg)
GCP Guidance
• Good Clinical Practice Guide (2012)
• UK Medicines and Healthcare products
Regulatory Agency (MHRA)
11
![Page 12: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/12.jpg)
GCP Guidance
• Good Clinical Practice Guide (2012)
• Section 14.5 Computer Systems Validation
12
• Principles:
– Appropriate controls through the life cycle
– Documentation available to support
application of controls
– System is fit for purpose and performs
reliably and consistently as intended
Refers to GAMP 5 …
![Page 13: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/13.jpg)
GCP Guidance
• Good Clinical Practice Guide (2012)
• Section 14.5 Computer Systems Validation
13
• Other Considerations:
– System backup
– System security
– Interaction between systems
– Audit trails
– Continued accessibility
– Training of staff
![Page 14: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/14.jpg)
GCP Guidance
• Good Clinical Practice Guide (2012)
• Section 14.5 Computer Systems Validation
14
• “The above considerations apply if the
system is hosted on the server of the
sponsor or of the vendor, or if it hosted
in a so-called ‘cloud’ space…”
• “…it must meet the requirements for
managing and storing data for clinical
trials.”
![Page 15: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/15.jpg)
Key Considerations
• Technical / Quality Agreements
• Approved supplier status
• Change control and validation
• Data security
• Data access and retention
15
![Page 16: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/16.jpg)
Data Storage and Access
• Do you know where your data is stored?
• If in a third country, what further
considerations must be made, e.g. legislation
on data privacy and misuse?
• Do you understand the potential restrictions on
access to the data?
• Can you move the data to another provider
without data loss or corruption?
16
![Page 17: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/17.jpg)
Data Storage and Access
• What security aspects are in place?
• Is your data stored in a private dedicated
storage area, or is it intermixed with other
users data?
• Who else has visibility of your data?
• Is there secure access to your data?
• What guarantees are available with respect to
lost or corrupted data?
17
![Page 18: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/18.jpg)
Data Storage and Access
• What are the arrangements for backup and
system / data restoration?
• Under what circumstances can your data be
deleted by the service provider?
• What are the implications with respect to your
data and your ability to maintain regulatory
compliance should the service provider
become insolvent or be taken over by another
provider?18
![Page 19: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/19.jpg)
“FDA Want to Understand…”
• What systems are currently outsourced?
• What issues or concerns have come up?
– What resolutions/mitigations were employed?
• Common terminology and definitions for
outsourcing IT systems
• What type of systems will be outsourced in the
future?
19
![Page 20: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/20.jpg)
“FDA are interested in…”
• Integrity of the data is assured
• Risks clearly identified & mitigated
• Client/Provider Contracts
• Provider Quality Systems
• SOPs, validation, change control, training
• Cyber-security for Networked Systems
• Data Backup/Recovery
• Audits of Providers by FDA/Clients20
![Page 21: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/21.jpg)
So…
21
• Same requirements
• Same activities
• Same controls
…but distributed differently…
![Page 22: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/22.jpg)
EU GMP Annex 11
Volume 4, EU Guidelines to Good
Manufacturing Practice
Annex 11 - Computerised Systems
Revision came into operation: 30 June 2011
22
Requirements, but also solutions!
![Page 23: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/23.jpg)
Quality Risk Management
• Risk management should be applied
throughout the lifecycle of the computerised
system taking into account patient safety, data
integrity and product quality.
• Decisions on the extent of validation and
data integrity controls should be based on a
justified and documented risk assessment of
the computerised system.
23
![Page 24: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/24.jpg)
Suppliers and Service Providers
• When third parties (e.g. suppliers, service
providers) are used e.g. to provide, install,
configure, integrate, validate, maintain (e.g.
via remote access), modify or retain a
computerised system or related service or for
data processing…
24
![Page 25: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/25.jpg)
Suppliers and Service Providers
• [Then]…formal agreements must exist
between the manufacturer and any third
parties and these agreements should include
clear statements of the responsibilities of the
third party.
25
![Page 26: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/26.jpg)
26
ICH Q10 - Useful Guidance
• The pharmaceutical company is ultimately
responsible for assuring the control of outsourced
activities...
ICH Q10 – Pharmaceutical Quality System
(ICH - The International Conference on Harmonisation of
Technical Requirements for Registration of Pharmaceuticals
for Human Use. (www.ich.org)
Assessing suitability and competence
prior to outsourcing operations…
Defining the responsibilities and
communication processes for quality-
related…in a written agreement…Monitoring and review
of the performance…
![Page 27: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/27.jpg)
Data Integrity/Security Controls
• Access Control
• Interfaces
• Entry of critical data
• Backups
• Data Migration
• Archiving and long term retention of data
• Electronic records and signatures
27
![Page 28: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/28.jpg)
Other Operational Controls
• Periodic Evaluation
• Change Management
• Configuration Management
• Incident Management
• Business Continuity
28
![Page 29: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/29.jpg)
So…Cloud Provider Management
• Assess the risks
• Define quality requirements
• Assess provider
• Define and agree responsibilities (SLA)
– Which controls?
– Where applied
– Who is responsible?
• Monitor and review performance
29
![Page 30: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/30.jpg)
Many Variables
• Use (the process supported)
• Content (the data managed)
• Service model (e.g. SaaS, IaaS)
• Deployment model (e.g. private, public)
• Nature and capability of provider(s)
30
![Page 31: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/31.jpg)
Initial Assessment
• Define Scope (Exactly what are we dealing with?)
– Data / Records
– Applications / Functions / Processes
31
![Page 32: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/32.jpg)
Initial Assessment
• Initial Risk Assessment (how important is it and why?)
– How would you be harmed if..
• the asset became widely public and distributed?
• a cloud provider employee accessed the asset?
• the process or function were manipulated by an outsider
• the process or function failed to provide expected
results?
• the information/data was unexpectedly changed?
• the asset were unavailable for a period of time?
• the asset were lost?
32
![Page 33: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/33.jpg)
GAMP® 5
33
• Guidance includes:
• Life Cycle activities and controls
• Quality Risk Management
• Supplier Assessment
![Page 34: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/34.jpg)
GAMP® GPGs
• Other GAMP® Good Practice Guides also
relevant…
See www.ispe.org/publications34
• Electronic records and
signatures
• Operation of GxP
systems
• E-data archiving
![Page 35: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/35.jpg)
35
Figure 2.2: Managing Risks to Electronic
Records
GAMP Good Practice Guide:
A Risk-Based Approach to
Compliant Electronic Records
and Signatures
Taken as a model…
![Page 36: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/36.jpg)
36
Define Requirements
Assess Provider
Define SLA
Monitor and Review
Record Risk Management Cloud Provider Management
Define Scope /
Initial Assessment
![Page 37: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/37.jpg)
Challenges
• Certifications and audits
• Big providers - not just GxP
• Chain of suppliers/providers involved?
• Responsibilities clear?
• Finger pointing?
• Complex – a lot to check
• Technologies and services change…
37
![Page 38: D2.T3.S1.P1 -Sion Wyn - Cloud and Outsourcing · PDF file•Archiving and long term retention of data ... Managing Risks to Electronic Records GAMP Good Practice Guide: ... D2.T3.S1.P1](https://reader031.vdocument.in/reader031/viewer/2022021816/5a7eb7017f8b9a0a668f00fb/html5/thumbnails/38.jpg)
Conclusions
• Assess the risks
• Define quality requirements
• Apply appropriate controls
• Manage the provider(s)…through
appropriate agreements
38
Define
Requirements
Assess Provider
Define SLA
Monitor and
Review
Define Scope /
Initial
Assessment
Benefit
Risk
Cloud
Compliance