myths of validation

GxP Validation In The Cloud: Debunking The Most Popular Myths To Validating SaaS Apps In A GxP Environment

By: Ed Morris, The Morris Group, LLC

Upload: jeff-thomas

Post on 13-Aug-2015



Ed Morris, Managing Member, The Morris Group, LLC

• Twenty plus years consulting to Life Sciences clients related to regulatory compliance (21 CFR Part 210/211, 820, PDMA, GAMP, 21 CFR Part 11)

• Core expertise in system implementation and validation as well as data management and analytics

• Hands-on experience with validation strategy and IT governance related to new architectures including Cloud, SaaS and SOA based systems

• IT Quality Assurance related to Software Development Lifecycle (SDLC) and change control

• Consulting Services

• Systems Implementation / Validation

• Audits and Assessments

• Remediation

• Technology Evaluation & Selection

• Performance Optimization

• Project Management

• Operational Domains

• Quality Assurance

• Pharmacovigilance

• Clinical Development

• Regulatory Affairs

• Manufacturing / Shop Floor

• Commercial Operations

• Current Projects

• IT Governance / Validation Strategy For Cloud Based Clinical Data Management Platform

• Network security breach investigation / remediation

• Clinical Vendor Qualification Audits

• For Cause audits / Root Cause Analysis

ZenQMS


• Jeff Thomas, Vice President email: [email protected]

• ZenQMS offers a robust, affordable cloud-based QMS

• No Seat Licenses, Full access, Straightforward pricing

www.zenqms.com

SaaS / Cloud Based Solutions

• Software as a Service (SaaS) Applications Allow For Easier & More Affordable Implementations.

• Getting to SaaS requires an understanding of the facts and the myths.

Myth 1: My data is ‘floating’ around the Internet


• High availability gives the illusion that data is “everywhere”.

• Most Tier 1 cloud providers support the ability to specify a geographic location or region, e.g. by country, state or city.

Myth 2: My Data is Not Secure


• Often, cloud providers have multiple layers of security including network and server based intrusion detection, antivirus and malware systems.

• Data can be encrypted in transit and at rest. The majority of Tier 1 Cloud providers operate HIPAA specific environments that are separate from the general public cloud infrastructures.

Myth 3: Without A Serial Number, a Server Can’t Be Validated


● Traceability

● Virtual Machines should have a traceable Instance ID

● Focus should be on the Systems Development LifeCycle (SDLC)

● If SDLC follows GAMP V with a traceable ID, the system can be considered compliant

Myth 4: There’s No Such Thing As A “Pre-validated” System

• A validated system is less about the infrastructure or where it resides and more about when it was installed and/or customized

• For instance, if a basic Customer Relationship Management (CRM) system is installed and configured according to a set of base requirements, it can be validated in that state.

• Theoretically, an organization can begin using the system provided no changes are made to the configuration e.g. data fields, screens, reports.


Myth 4: There’s No Such Thing As A “Pre-validated” System (continued)

• Multi-tenant Systems. Execute a full validation of the “core system” which is available for immediate use by new clients.

• Becomes the Gold Copy

• Any proposed configurations must be assessed for regulatory risk to determine if additional validation is necessary.

• If so, the client specific user requirements are documented and a UAT protocol is written and executed. Most user specific validations are very brief and can be fully executed in just a few weeks.


Myth 5: Cloud Providers Cannot Be Audited

• Physical audits of cloud data centers are typically not possible due to strict premises security controls.

• TMG performs multiple IT QA audits per year. Rarely do they include a detailed tour of the data center.

• Occasionally, we do make a brief visit to the data center to verify certain controls such as physical access and fire suppression.

• Maintenance logs including backups, outages, patches and updates are accessed outside of the data center itself.


Myth 5: Cloud Providers Cannot Be Audited (cont’d)

• Twenty years ago, data centers were busy places with lots of activity by operators running printers, loading tapes and launching jobs. Today, all of those functions have been eliminated or automated, leaving data centers dark with no human presence whatsoever.

• If you were to audit a data center today what would you examine? There’s just not much to see anymore.

• The real audit is done through interviews with key personnel and documentation reviews.


Myth 6: I Am Not In Control Of My Data

● Control Vs. Possession?

○ Clients always own their data. It is their intellectual property.

○ The best way to control data is to manage its flow from entry, through processing, storing, integration and archiving.

● All of this is defined in the SDLC of the given system by documenting and testing integrations including:

○ Subscribers and Publishers – Unique Identification

○ Data Fields – Transport Mechanism - Encryption

○ Authentication - Boundaries


Myth 7: Automatic Software Updates Require Re-validation

• Built-in maintenance and updates that come as part of the subscription are one of the major values of a SaaS or cloud based system.

• Your Vendor is responsible for change control and re-validation if necessary.

• Check with your vendor to understand frequency of updates as well as the testing period available.

Review and Discussion

• Myth 1: My Data is ‘floating’ around the Internet

• Myth 2: My Data is Not Secure

• Myth 3: Without A Serial Number, a Server Can’t Be Validated

• Myth 4: There’s No Such Thing as A “Pre-validated” System

• Myth 5: Cloud Providers Cannot Be Audited

• Myth 6: I Am Not In Control Of My Data

• Myth 7: Automatic Software Updates Require Re-validation

Contact Information

• Ed Morris

• The Morris Group

[email protected]

• 973 713 2211

• www.themorrisgrp.com

• Jeff Thomas

• ZenQMS

[email protected]

• 267 672 8999

• www.zenqms.com