Embed Size (px)
Citation preview
www.qumas.com
ISPE GAMP®, leading the way to Productive Compliance
AUTHOR: Chris Reid, Chair ISPE GAMP® Europe
As well as presenting ISPE GAMP® principles and practices for effective regulatory compliance, this White Paper includes case study information from leading pharmaceutical organizations and outlines current industry hot topics:
• Revision to EU Annex 11, Computerised Systems (effective June 2011)
• 21 CFR Part 11, Electronic Records and Electronic Records
• Cloud Computing
SPONSORED BY:
QUMAS White Paper
ISPE GAMP®, leading the way to Productive Compliance
IntroductionIn 2012, ISPE GAMP® celebrates their 21st anniversary of helping regulated industries achieve cost effective compliance of computerised systems used in support of medicinal product development, manufacture, distribution and safety monitoring.
GAMP®, originally named after “Good Automated Manufacturing Practice”, is now more a brand name synonymous with compliance of all types of computerised system utilised in the global supply chain.
GAMP® has evolved over the years to become a globally recognised resource by regulated users, suppliers, consultants and regulatory authorities.
GAMP® provides pragmatic, risk based advice that enables valuable resources to be focussed in the areas of risk to patient safety, product quality and data integrity. GAMP® is very much focussed on effectiveness and efficiency with a scalable approach that addresses the specific characteristics and risks of the project, service or products being implemented.
GAMP® is an ever growing family of volunteers supporting ISPE to address emerging issues and technologies.
Figure 1: The GAMP® Family
Page 1 of 14
QUMAS White Paper
Validation of Computer Systems A key objective of validation / qualification is to bring about transparency of approach and outcomes during the implementation, support and retirement of computerised systems and IT infrastructure. Tony Trill, UK MHRA inspector (retired) referred to “SOUP”, a hidden project methodology. “SOUP” relates to “Software of Unknown Pedigree” due to an inability to understand and evaluate processes used in the development and assurance of computerised products.
The validation and qualification of computerised systems is a core element of the GAMP approach to effective compliance.
GAMP® Principles - Foundation for Effective ComplianceGAMP® 5 has been developed around five key concepts:
• Product and Process Understanding
- Fundamental to system requirements and risk assessment
• Lifecycle approach within a QMS
- Cradle to grave, integrated processes
• Scalable lifecycle activities
- Patient safety, product quality, data integrity
- System complexity and novelty
- Supplier capability
• Science based quality risk management
- Based on product and process understanding
• Leveraging supplier involvement
- Knowledge, experience, documentation
Product and process understanding and science based quality risk management are at the heart of current day thinking. Time constrained, valuable resources need to be focussed in areas of greatest risk to patient safety, product quality and data integrity.
Figure 2 – SOUP Methodology
CLOUD
Product Requirements
Product Release
Product Development(SOUP)
Page 2 of 14
QUMAS White Paper
Risk assessment (and management) is used throughout the implementation, operation, support and retirement phases to focus validation effort. Risk assessment however, can only determine impact with knowledge of business / manufacturing processes and product characteristics. For example, the criticality of environmental control processes will differ greatly for a system supplying a general office area, to a similar system supplying a sterile manufacturing facility. Similarly a manufacturing line processing calcium tablets will be significantly less critical than a manufacturing line processing oncology related products.
Dr. Guy Wingate[6] clearly demonstrates the need for a shift to risk based thinking. Figure 3 provides a historical perspective of computerised system compliance where a “one size fits all” approach is taken irrespective of risk. The current approach is to focus effort where there is greatest risk, namely patient safety, product quality and critical data integrity. This approach should not however be confused with a philosophy adopted by some in terms of using “Risk Based Approach” simply to do less.
Dr. Guy Wingate[6] also concludes that our perception of the scope of patient safety and product quality related functionality across the spectrum of computerised system used by our organisations is skewed. Science based risk assessment has helped us better understand our products and processes and we can now conclude that significantly less functionality across our systems has a direct impact.
HIGH MEDIUM
Historic Situation
LOWFocu
s Val
idat
ion
Effor
t
Standard Validation Approach
Current / Required Situation
LOW
Focu
s Val
idat
ion
Effor
t
Risk Based Approach
MEDIUM
HIGH
Figure 3 – Focussing the compliance effort
The old perception at many firms*- Impact Analysis Must Be Shifted to Reflect True Risk
Low Impact
MediumImpact
HighImpact
* Dictated by long-standing conservative approaches to compliance (zero risk was ultimate goal)
Analysis will bring us here*- Impact Analysis Must Be Shifted to Reflect True Risk
Low Impact
MediumImpact
HighImpact
* The new risk management mindset permits efficient allocation of resources to achieve an appropriate level of control that aims for low risk - not no risk
Figure 4 – Distribution of High Impact (Patient Safety / Product Quality) Business Processes / Functionality
Page 3 of 14
QUMAS White Paper
Business Process and Functional Risk Assessment conducted by appropriate subject matter experts is therefore fundamental to ensuring that compliance effort is directed at critical functionality. For example, only circa 20% or less of an Enterprise Resource Planning System will contain regulated functionality and significantly less than 20% will present a direct impact to patient safety and product quality.
To further illustrate the need to understand business processes, we can consider a Document Management Solution. The functional risk of the document management system is determined by the type of documents and business processes managed by the system. A document management system managing general Standard Operating Procedures may be significantly less critical than a Document Management System managing electronic Common Technical Document (eCTD) submissions to regulatory authorities.
Paul Motise, US FDA demonstrated the importance of risk assessment during his presentations pertaining to 21 CFR Part 11, Electronic Records and Electronic Signatures. He used an example of an analytical laboratory system being interfaced to a Laboratory Information Management system holding records relating to blood supply. In his example, he demonstrated that a simple interface failure between the two systems could transpose a failed analytical status into a positive result. In this example, HIV infected blood plasma was approved for release!
Figure 5 – Consequence of Functional Failure on Patient Safety
Results of contamination test
Code 330 = Test equipmentfailed [3 digit results code field
Code 33 = Test material is ok [2 digit results code field
Result: HIV Infected Blood Plasma approved for release...
Page 4 of 14
QUMAS White Paper
Risk must be evaluated throughout the life of the computerised system, through planning, specification, build and configuration, verification, release, operation, change and retirement in order to enable considered decisions to be made and appropriate action to be taken to avoid and mitigate risk impact.
GAMP® further promotes a cradle to grave lifecycle approach. GAMP® 5, supported by an additional companion volume, GAMP® Good Practice Guide: A Risk-Based Approach to Operation of GxP Computerized Systems, substantially addresses the complete life of a computerised system including the operational and support phase and retirement phase.
Figure 6: Cradle to Grave Lifecycle Approach
{{ {
Planning Reporting
Configurationand or coding
Specification Verification
PerformanceMonitoring
ServiceManagement
Handover
PeriodicReview
Internal Audit
Training
Repair
Configuration Management
Change Management
System Inventories
Document Management
Sys Admin
Backup & Restore
BCP & DRP Records Management
Document & Software Archive
Record Archive
Record Retention
Data Migration
Develop Operate, Maintain Retire
Page 5 of 14
QUMAS White Paper
Integrated quality systems, where quality process interfaces are clearly designed (e.g. relationships between incident management and change management) are essential to effective and efficient compliance.
Figure 7 shows a typical IT Quality Management System (QMS) covering change / implementation processes, operations and support processes, assurance and risk processes, environment and retirement processes. Change Management, Incident Management, Service Management and Supplier Assessment are key supply chain interfaces. All processes underpin a series of corporate policies / standards / guidelines that provide the company’s interpretation of global regulations and industry best practice.
A key consideration in the design of an effective QMS is to build on a foundation of Good Engineering or Good IT practice. Compliance activities should be an incremental level of rigour based on risk to patient safety, product quality and data integrity. Cross industry standards such as ITIL, TickIT, CMMi and ISO are all good foundations for Good Engineering / IT Practice and provide the minimum considerations for implementing any business related computerised system / IT infrastructure. All too often, the cost of computerised system compliance is measured as the whole activity within a project due to a lack of awareness of general good practice.
Figure 7: Integrated Quality Management System
Page 6 of 14
Electronic Records and Signatures
Computer Systems Validation Policy IT Infrastructure Qualification Policy
Information Security Controls Policy
Project Management / System Development Lifecycle Policy
Supplier Assessment
Change Management
Incident Management
Service Level Management
Services
Products
Change Management
New Business Need
Incident Management
Service Level Management
Issues
Support
GxPDetermination
Design and Design Review Data Migration Handover
Process Mapping and RA
Func Risk Assessment &
RTM
Quality Summary Reporting
RequirementsManagement
Electronic Records Risk Assesment
Post Implementation
Monitoring
Quality Planning Configuration
Management
System Build Management
System Testing
System Inventory
ManagementDisaster
RecoveryPerformanceMonitoring
Backup and Restoration
Repair
SecurityManagement
ConfigurationManagement
IT ServiceManagement
ApplicationDeployment
Incident Management
SystemAdmin
SystemArchiving
LicenseManagement
Deviation Management
Internal Audit
Periodic Review
Risk Management
CAPA
PersonnelDevelopment
Document Management
Policy andStandards
Management
Retirement, Decomm’ and
Disposal
CHANGE MANAGEMENT
OPERATION AND SUPPORT
Customers
Supply Partners
Scaled application ofchange processes forminor changes and lowrisk changes
ASSURANCE & RISK MANAGEMENT
ENVIRONMENT
RETIREMENT
QUMAS White Paper
The regulated company must also consider how they will demonstrate assurance of the services and environments provided by the external organisation. Due diligence, audits, performance reviews are all key to ensuring that the service provider is meeting business and regulatory needs
Dr. David Selby[7], a founding father of GAMP® has conducted an exercise over a number of years to identify areas for continuous improvement. In his benchmarking exercise he identifies that regulated organisations typically consider their strengths to be in the area protocols, documentation and change management. Companies considered themselves reasonable at implementing policies and procedures, project management, specifications, design review and training. Areas of greatest concern are during handover to operations, post project evaluation and maintaining a controlled state during operation, all areas that GAMP® has addressed in more recent publications.
Leveraging of supplier expertise, documentation and effort is becoming more common place as organisations realise that they are duplicating effort of their suppliers and further they can draw on subject matter expertise and experience that may not be readily available within their own organisations. A GAMP® Special Interest Group has recently concluded that supplier effort can be leveraged irrespective of criticality of the solution being provided as long as supplier assessment, planning, management and verification controls reflect the degree of risk. This approach becomes more relevant as an increasing number organisations are utilising pre-configured Software as a Service (SaaS) solutions.
GAMP® – Productivity Case StudiesISPE’s conference in New Jersey, July 2011 and repeated in Brussels, November 2011 included a keynote address by Dr. Guy Wingate and Dr. David Selby. The key note address provided many case studies where adoption of GAMP® principles and approaches has improved productivity of the validation process. Table 1 provides a subset of the case studies presented:
Approach Case Study Acknowledgement
Re-engineering the verification process
• Adopting Good Practices savings circa 5%• Adopting Standardised Practices savings circa 30+%• Focus on Patient Safety / GMP savings circa 20%• Scalable Approach savings circa 10%• Other areas included leveraging supplier expertise and rigorously applied risk assessment
Average cost of validation now < 4% of project cost
Dr. Guy Wingate, GSK
Leveraging Supplier Testing
• Extended audit to verify supplier functional risk assessment and test coverage• Additional effort 4 days to conduct review• Regulated company conducted spot check testing of critical functions (3 days)• Original regulated company test plan was 6 man weeks effort
Chris Reid, Integrity Solutions Limited
Application of Risk Management (Scalability)
• Rigour of verification / testing effort influenced by functional criticality and probability of software failure (custom, configured, non configured OOTB)• Intensive approach for patient safety related and custom / configured applications. Positive and challenge testing. QA involvement• Standard approach for Low risk customised, high / medium risk configured applications. Positive, multipath testing• Minimal approach for non configured OOTB applications and low risk configured applications. Leveraged supplier effort
Lilly Mo, Pfizer Global Quality Operations and Pfizer Global Supply Business
Table 1: Summary of Productivity Case Studies
Page 7 of 14
QUMAS White Paper
The approaches taken not only ensure that effort is scaled according to risk but ensure that significant effort is applied where there is a patient safety, product quality or data integrity risk. The risk based approach has also enabled companies to challenge key areas of their quality management approach including:
• Contribution of participants in the validation process. Ensuring that all participants have a clear role, authority and expertise to make decisions and availability to support project commitments. Further ensuring that project personnel are engaged through need rather than company position or organisational role
• Review the value of the documentation set to ensure that documents are necessary and focussed on areas of greatest risk
• Review of signatory requirements to ensure that appropriate business, technical and quality representatives are engaged where their subject matter expertise is most relevant
• Simplification of SOPs within an integrated QMS, SOPs that drive intelligent thinking rather than prescriptive practises
Industry / Regulatory Hot TopicsRegulatory authorities tend to focus their attention on areas of observed risk and emerging technology / service provision. Hot topics remain the focus of attention until risks are well understood and industry establishes standards and approaches to mitigate such risks. Current hot topics within industry include, but are not limited to:
• Revision to EU Annex 11, Computerised Systems (effective June 2011)
• 21 CFR Part 11, Electronic Records and Electronic Records
• Cloud Computing
• Mobile Devices and Applications
Revision to EU Annex 11, Computerised Systems (effective June 2011)
EU Annex 11 (Computerised Systems) and Chapter 4 (Documentation) were refreshed in order to bring EU regulations in line with risk based thinking and electronic records management. GAMP® provided significant feedback on early drafts of Annex 11 and Chapter 4. The effective versions are significantly more concise than original drafts and focus on objectives to be achieved rather than solutions. The revised Annex 11 promotes a risk based approach to computerised system compliance and like GAMP®, emphasises the need for process ownership and a cradle to grave approach to compliance.
In large, Annex 11 and Chapter 4 reflect current industry approach and there are few areas of concern for those already complying with previous versions. Some areas did however require further clarification.
EU regulators can now request sight of supplier audit reports. This further necessitates the use of experienced auditors to ensure that supplier audit findings are a true and fair reflection of supplier practices. Regulated companies must ensure that they discuss and protect supplier confidentiality. Regulated companies must be able to demonstrate that they have based the need for audits on appropriate risk based decisions, that they have an appropriate assessment process in place and that they have taken appropriate action to address significant GMP related findings and observations. The primary objective of regulatory authorities is to ensure that risks are appropriately mitigated and managed.
Annex 11 recognised that internal IT functions are akin to external suppliers in that they provide services to business functions across the regulated company. The primary expectation is that IT functions are covered by company quality systems including policies, procedures and internal audit programs. Where this is evident there is no need to establish internal agreements between businesses and IT although on occasions internal SLAs, OLAs as described in ITIL can be useful.
Page 8 of 14
QUMAS White Paper
Annex 11 and Chapter 4 address electronic records and electronic signatures, the objectives of which parallel US FDA 21 CFR Part 11. Audit trail requirements are defined and the need to periodically review audit trails is stated. The key value of audit trails is during problem investigation and routine review of audit trail content is unlikely to uncover potential issues and risks. Periodic review should therefore focus on ensuring that audit trail functionality is enabled for required GMP records and that audit trails can be reviewed in a meaningful form during problem investigation.
21 CFR Part 11, Electronic Records and Electronic Records
US FDA is including 21 CFR Part 11 within planned inspections in the human drug area for both domestic and international inspections. Part 11 inspections are focussing on areas of highest risk where industry may not be complying with, or understand the current enforcement approach as explained in Scope and Application guidance. Inspections including Part 11 considerations commenced in December 2010 with no planned end date. FDA indicated that they will evaluate the findings and make decisions once sufficient information is available. Compliance with Part 11 will continue to be enforced in line with the Scope and Application guide. FDA has indicated that they remain open minded to the potential outcome of the review and possible outcomes are:
• Maintain the status quo, plus publishing additional guidance focused on issues and concerns
• Amending the existing Part 11 regulation and/or preamble
• Proposing new wording/language to existing Compliance Policy Guides or Compliance Program Manual Guides that contain outdated interpretations of Part 11 requirements
• Revoking the current Part 11, Electronic Records; Electronic Signatures — Scope and Application‘ guidance
• Amending the current Part 11, Electronic Records; Electronic Signatures — Scope and Application‘ guidance
• Other – yet to be determined
Cloud Computing Cloud is an over arching term for a number of different services. The “Cloud” is essentially the internet. Cloud is about putting more of our assets, applications and data in the hands of service providers. In turn, your service provider may put some of those services into the hands of other service providers. As such, the supply chain is extended and assurance of essential controls becomes complex.
Cloud Computing provides a number of significant benefits to consumers:
• Focus on core, value adding business activities (making drugs and devices!)
• Access applications and data from anywhere via the internet
• Outsourcing the burden of maintenance of infrastructure and applications
• Increased service delivery performance
• Service delivery cost optimisation
• Efficient management of service portfolio
• Leverage expertise and technology
• Optimum utilisation of assets and resource
• Consistency of approach
Page 9 of 14
QUMAS White Paper
• Simplified organisation
• Simplified supply chain
• Improved quality and compliance
The primary compliance risk arises from the delegation of service delivery and quality responsibilities to the service provider. Service quality and demand are driven by multiple consumer organisations that may not always have aligned business drivers and regulatory pressures.
Cloud Deployment Models
A number of Cloud deployment models are available with varying degrees of risk as described in Table 2.
Type Description Risks
Private Cloud Computing architecture that provides hosted services to a limited number of people behind a firewall. Can be internal or external, with private space dedicated to your company with the service provider’s data centre. Used by organizations that need more control over their data
Management controls more easily evaluated, influenced and assured.
Public Cloud Resources, such as applications and storage, are made available to the general public over the Internet. Public cloud services may be free or offered on a pay-per-usage model.
Management controls more difficult to assess and enforce due to the extended supply chain. Much of the concern surrounding public clouds is related to security and compliance.
Community Cloud Cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
Management controls reflect the need of a community (potential for Regulated Community Cloud!)
Hybrid Cloud Uses both public and private Depends on scope of public cloud
Table 2: Cloud Deployment Models
Page 10 of 14
QUMAS White Paper
Cloud Service Models
Different service models are offered by service providers. The level of service provided by the external provider increases with each service model increment and consequently the level risk to the consumer increases.
Infastructure As A Service (IaaS) Platform As A Service (PaaS) Software As A Service (SaaS)
Storage Operating System Email
Servers, Virtual Servers Web CRM / ERP
Network SharePoint, SQL Quality / Document Management
IAAS, PAAS and SAAS services have been utilised for many years under the heading of “Out Sourced Service” provision. In fact, similar risk considerations have been made with respect to on-shoring, near-shoring and off-shoring outsource models. With such services, it is not typically the technologies utilised that present the main focal point of risk consideration, rather the ability of the regulated company to evaluate, influence and manage the service provision in accordance with required standards and competencies.
Regulators are taking an interest in the rapid expansion of cloud service provision. The US Food and Drug Administration have established an internal task team to evaluate the risks and implications of cloud service provision. At the ISPE conference in Brussels, November 2011, Robert Tollefsen of the FDA outlined key areas of interest to regulators:
• What systems are currently outsourced?
• What issues or concerns have come up?
• What resolutions/mitigations were employed?
• Common terminology and definitions for outsourcing IT systems
• What type of systems will be outsourced in the future?
From a regulated company perspective, there are key risks to be addressed including:
• Responsibility for application management and performance with the service provider
• Responsibility for data integrity and security with service provider
• Availability, business continuity / disaster recovery
• Quality Management
• Security
• One sided Service Level Agreements
Table 3: Cloud Service Models
Increasing Level of Service & Risk
Page 11 of 14
QUMAS White Paper
• Staff turnover
• Service provider business failure
• Management of service change or contract exit
Mobile Devices and Applications
FDA recognises that a subset of mobile applications present a potential risk to patient safety if they do not work as intended. Draft guidance released by the FDA in July 2011 (http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm263280.htm) defined a small subset of mobile medical applications that may impact on the performance or functionality of currently regulated medical devices.
Some of these new mobile applications are specifically targeted to assisting individuals in their own health and wellness management. Other mobile applications are targeted to healthcare providers as tools to improve and facilitate the delivery of patient care
The guidance identifies mobile platforms as commercial off-the-shelf (COTS) computing platforms, with or without wireless connectivity, that are handheld in nature. Examples of these mobile platforms include mobile computers such as the iPhone®, BlackBerry® phones, Android® phones, tablet computers, or other computers that are typically used as smart phones or personal digital assistants (PDAs).
Mobile Medical Applications are defined as applications that meet the definition of “device” in section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act); and either:
• Is used as an accessory to a regulated medical device; or
• Transforms a mobile platform into a regulated medical device.
FDA is encouraging comment on the draft guidance. Key considerations for mobile platforms and applications is whether they are developed and maintained in accordance with appropriate quality management systems and whether security of such platforms and devices is robust.
Page 12 of 14
QUMAS White Paper
Conclusion
Adoption of GAMP® principles and practices has led to increased effectiveness and productivity of computerised system compliance processes within our organisations. GAMP® will continue to monitor developments within industry and regulatory arenas in order to provide an agile response to emerging issues, technologies and service delivery approaches.
Business process and product understanding, subject matter expertise, risk management and a standardised, yet scalable approach is paramount to ensuring patient safety, product quality and data integrity. These key principles further allow us to focus valuable resources in areas of greatest importance and avoid duplication of effort.
This White Paper was authored by Chris Reid, Chair of ISPE GAMP Europe & CEO Integrity Solutions. Chris has contributed to the development of GAMP 5 and a variety of Good Practice Guides.
This White Paper was sponsored by QUMAS.
Page 13 of 14
QUMAS White Paper
About QUMASQUMAS is the leader in Compliance and Quality Management Solutions for the Life Sciences industry, with more than 270 global customer deployments and domain expertise in regulatory compliance since 1994.
QUMAS Quality Management solutions provide Electronic Document Management (SOPs, QA documents), Electronic Process Management (CAPA, Deviation, Change Control, Audit), and GMP Compliance Management. QUMAS Regulatory Affairs solutions provide content and Submission Management including eCTD authoring templates, collaborative review, full integration with leading publishing solutions, scanning, and automated import of paper documents.
The QUMAS Compliance Platform is available on Microsoft SharePoint 2010, Oracle, Microsoft SQL Server and EMC Documentum.
For more information, visit www.qumas.com or email [email protected] <mailto:[email protected]>.
Acknowledgements and References1. GAMP® 5, A Risk Based Approach to Compliant GxP Computerized Systems, ISPE, February 2008.
2. EudraLex The Rules Governing Medicinal Products in the European Union Volume 4 Good Manufacturing Practice Medicinal Products for Human and Veterinary Use, Annex 11: Computerized Systems [Effective June 2011)
3. US FDA 21 CFR Part 11; Electronic Records and Electronic Signatures, August 1997
4. FDA Guidance for Industry Part 11, Electronic Records and Electronic Signatures – Scope and Application, August 2003.
5. George Smith, US FDA, Presentation at ISPE GAMP® Conference, Washington 2011
6. Dr. Guy Wingate, GlaxoSmithKline (Risk Models and Productivity Case Study)
7. Dr. David Selby, Selby Hope International (Validation Good Practice Case Study)
8. Lilly Mo, Pfizer Global Quality Operations and Pfizer Global Supply Business (Productivity Case Study)
9. Tony Trill, UK MHRA (Retired)
Contact Us for More InformationQUMAS66 York StreetJersey City, NJ 07302Phone: 973-805-8600Free Phone: 800-577-1545 Email: [email protected]: www.qumas.com
QUMASCleve Business ParkMonahan Road, Cork, IrelandPhone: +353-21-491-5100 Email: [email protected]: www.qumas.com
Page 14 of 14
