myths of validation
GxP Validation In The Cloud
Debunking The Most Popular Myths To Validating SaaS Apps In A GxP Environment
By: Ed Morris, The Morris Group, LLC
Ed Morris, Managing Member, The Morris Group, LLC
• Twenty plus years consulting to Life Sciences clients related to regulatory compliance (21 CFR Part 210/211, 820, PDMA, GAMP, 21 CFR Part 11). Core expertise in system implementation and validation as well as data management and analytics. Hands-on experience with validation strategy and IT governance related to new architectures including Cloud, SaaS and SOA based systems. IT Quality Assurance related to Software Development Lifecycle (SDLC) and change control.
• Consulting Services
• Systems Implementation / Validation
• Audits and Assessments
• Remediation
• Technology Evaluation & Selection
• Performance Optimization
• Project Management
• Operational Domains
• Quality Assurance
• Pharmacovigilance
• Clinical Development
• Regulatory Affairs
• Manufacturing / Shop Floor
• Commercial Operations
• Current Projects
• IT Governance / Validation Strategy For Cloud Based Clinical Data Management Platform
• Network security breach investigation / remediation
• Clinical Vendor Qualification Audits
• For Cause audits / Root Cause Analysis
ZenQMS
• Jeff Thomas, Vice President
• ZenQMS offers a robust, affordable cloud-based QMS
• No Seat Licenses, Full access, Straightforward pricing
www.zenqms.com
SaaS / Cloud Based Solutions
• Software as a Service (SaaS) applications allow for easier and more affordable implementations.
• Getting to SaaS requires an understanding of the facts and the myths.
Myth 1: My data is ‘floating’ around the Internet
• High availability gives the illusion that data is “everywhere”.
• Most Tier 1 cloud providers support the ability to specify a geographic location or region, e.g. by country, state or city.
Myth 2: My Data is Not Secure
• Often, cloud providers have multiple layers of security including network and server based intrusion detection, antivirus and malware systems.
• Data can be encrypted in transit and at rest. The majority of Tier 1 cloud providers operate HIPAA-specific environments that are separate from the general public cloud infrastructures.
Myth 3: Without A Serial Number, a Server Can’t Be Validated
● Traceability
● Virtual Machines should have a traceable Instance ID
● Focus should be on the Systems Development LifeCycle (SDLC)
● If SDLC follows GAMP V with a traceable ID, the system can be considered compliant
Myth 4: There’s No Such Thing As A “Pre-validated” System
• A validated system is less about the infrastructure or where it resides and more about when it was installed and/or customized.
• For instance, if a basic Customer Relationship Management (CRM) system is installed and configured according to a set of base requirements, it can be validated in that state.
• Theoretically, an organization can begin using the system provided no changes are made to the configuration, e.g. data fields, screens, reports.
Myth 4: There’s No Such Thing As A “Pre-validated” System (continued)
• Multi-tenant Systems. Execute a full validation of the “core system” which is available for immediate use by new clients.
• Becomes the Gold Copy
• Any proposed configurations must be assessed for regulatory risk to determine if additional validation is necessary.
• If so, the client specific user requirements are documented and a UAT protocol is written and executed. Most user specific validations are very brief and can be fully executed in just a few weeks.
Myth 5: Cloud Providers Cannot Be Audited
• Physical audits of cloud data centers are typically not possible due to strict premises security controls.
• TMG performs multiple IT QA audits per year. Rarely do they include a detailed tour of the data center.
• Occasionally, we do make a brief visit to the data center to verify certain controls such as physical access and fire suppression.
• Maintenance logs including backups, outages, patches and updates are accessed outside of the data center itself.
Myth 5: Cloud Providers Cannot Be Audited (cont’d)
• Twenty years ago, data centers were busy places with lots of activity by operators running printers, loading tapes and launching jobs. Today, all of those functions have been eliminated or automated, leaving data centers dark with no human presence whatsoever.
• If you were to audit a data center today, what would you examine? There’s just not much to see anymore.
• The real audit is done through interviews with key personnel and documentation reviews.
Myth 6: I Am Not In Control Of My Data
● Control vs. Possession?
○ Clients always own their data. It is their intellectual property.
○ The best way to control data is to manage its flow from entry, through processing, storing, integration and archiving.
● All of this is defined in the SDLC of the given system by documenting and testing integrations including:
○ Subscribers and Publishers – Unique Identification
○ Data Fields – Transport Mechanism – Encryption
○ Authentication – Boundaries
Myth 7: Automatic Software Updates Require Re-validation
• Built-in maintenance and updates that come as part of the subscription are one of the major values of a SaaS or cloud based system.
• Your vendor is responsible for change control and re-validation if necessary.
• Check with your vendor to understand frequency of updates as well as the testing period available.
Review and Discussion
• Myth 1: My Data is ‘floating’ around the Internet
• Myth 2: My Data is Not Secure
• Myth 3: Without A Serial Number, a Server Can’t Be Validated
• Myth 4: There’s No Such Thing as A “Pre-validated” System
• Myth 5: Cloud Providers Cannot Be Audited
• Myth 6: I Am Not In Control Of My Data
• Myth 7: Automatic Software Updates Require Re-validation
Contact Information
• Ed Morris
• The Morris Group
• 973 713 2211
• www.themorrisgrp.com
• Jeff Thomas
• ZenQMS
• 267 672 8999
• www.zenqms.com