Posted by Kip Wolf ● 5/14/20 8:30 AM
Best Practices for Achieving Compliant Cloud-Based Life Sciences Systems
Navigating FDA guidance during a computer software validation project can be a daunting task - and it certainly doesn’t help that the existing regulations pre-date today’s cloud-based life sciences systems. In this article, management consultant and 25-year industry veteran Kip Wolf sheds light on the subject while also summarizing the best practices for managing compliance for cloud-based life sciences systems.
While originally written to apply to paper records (and in some cases, handwritten signatures or initials), the predicate rules (i.e., GLP, GCP, CGMP, QSR) apply equally to cloud-based systems. And where electronic records or electronic signatures are involved, 21 CFR Part 11 also applies. In addition to the regulations, there are almost 2,000 FDA guidance documents, some of which refer to data, records, and information, that may apply to cloud-based systems as well as paper-based systems.
These include, but are not limited to, the following (depending on the scope of operations and related data):
- General Principles of Software Validation; Final Guidance for Industry and FDA Staff
- Guidance for Industry, Part 11, Electronic Records; Electronic Signatures - Scope and Application
- Guidance for Industry, Computerized Systems Used in Clinical Investigations
- Use of Electronic Health Record Data in Clinical Investigations, Guidance for Industry
- Data Integrity and Compliance With Drug CGMP, Questions and Answers, Guidance for Industry
The important point to understand is that cloud-based solutions do not necessarily have any new regulations or guidance. On the contrary, the cloud solution must adhere to the existing regulations and guidance. With on-premises cloud solutions, there is a greater obligation and opportunity to confirm the intended use. It is the keystone of the entire discussion around risk, compliance, and quality. In a nutshell, you know what you want – make sure that you get it.
Software as a Service (SaaS) and the subscription-based cloud solutions offer great value and an opportunity to focus on validating for the intended use (i.e., the usability and user experience) and less on the unit, system, and infrastructure testing that is typically at the core of on-premises solutions. To overgeneralize, we may (to a great degree) focus our valuable and limited resources on the user experience and leave the architecture to the experts with whom we contract the cloud services.
Choosing and Implementing Cloud QMS Solutions
Traditional approaches to regulatory compliance require shifts in rigor and responsibility when it comes to choosing and implementing cloud solutions. Supplier qualification and management are of utmost importance. Thus, building metrics, measurements, and robust risk management processes for continual risk assessment in supplier management is key. Minimum practices may include a service level agreement (SLA) with specific supplier targets and metrics for regular measurement that are reported to senior management. Robust practices may include integrating supplier risk management with quality risk management and enterprise risk management.
No matter the size of the cloud solution or the maturity of your operations, cloud supplier qualification is a critical success factor for compliant cloud computing. Know your vendor!
Operating a Cloud-Based QMS in Compliance with GxP Regulations
Clearly defining internal processes for operations (a regulatory requirement) from an input/output, or I/O, perspective is terribly useful as a recommended best practice. Requiring data to be “securely accessed” is not the same as specifying input requirements using “128-bit encryption” or output requirements in “proprietary database format” (for example).
By clearly understanding, defining, and documenting the various process inputs and outputs (e.g., between operations, suppliers, transactions, etc.), we may best inform the requirements for the cloud solution. And formally documenting these I/O requirements may apply to an SLA, specification, or quality technical agreement, to name a few.
Where you choose to document the requirements is not as important as ensuring that they are documented in a formal way that is discoverable in an inspection or other legal proceeding, so that the I/O requirements (and related validation testing) can be enforced and referenced.
Computer Software Validation (CSV): Focus on Performance Qualification and User Acceptance Testing
The risk management and process I/O requirements will inform the computer system validation (CSV) planning, implementation, and sustainability. There will be less (or no) installation qualification (IQ) and operational qualification (OQ) testing necessary in a cloud solution, as the vendor will likely provide sufficient documentation to meet the regulatory and operational requirements. Therefore, the focus may be applied to configuration and performance qualification (PQ) and/or user acceptance testing (UAT) to confirm validation for the intended use. The ability to abbreviate some CSV activities is entirely dependent on adequate risk management and supplier qualification, and on the internal processes and understanding of I/O and other requirements.
Remember that the responsibility to validate for intended use still falls on the sponsor of the cloud solution or user of the cloud-based system and NOT on the cloud solution provider. When implementing a cloud solution, it is imperative to trust the supplier qualification process and your organization’s understanding of internal processes (to inform requirements for configuration and testing). Only then may the CSV activities be abbreviated to some vendor-provided IQ/OQ documentation and some robust PQ/UAT.
AODocs Cloud QMS for Life Sciences
AODocs for Life Sciences is a Quality Management platform for organizations to confidently build their Quality Program and reduce the cost of Computer System Validation & Assurance (CSV&A) while accelerating time to deliver business solutions.
About the Author
Kip Wolf is a principal at Tunnell Consulting, where he leads the data integrity practice. Wolf has more than 25 years of experience as a management consultant, during which he has also temporarily held various leadership positions at some of the world’s top life sciences companies. Wolf can be reached at Kip.Wolf@tunnellconsulting.com.
This content was originally published by Pharmaceutical Online and has been made available by AODocs with approval from the author.