Pharmaceutical Commerce - May/June 2017 - 21
Information Technology How cloud-based IT systems address FDA validation requirements Paper validation records will disappear in the face of continuous validation By Bruce Kratz and Jon Ragati, Sparta Systems The life sciences community has always been more conservative when it comes to the adoption of new technologies, and cloudbased systems are no exception. This cautious approach to shiny new technology objects is more than appropriate given the high stakes nature of the good work these companies p e r f o r m . Mi t i g a t i n g risks and avoiding new ones is top of mind for pharmaceutical IT and quality professionals. Now that cloud-computing models are well accepted across many industries with proven security models and high reliability, it is becoming a viable option for life sciences enterprises. However, the nagging challenge of validation of these systems is still widely misundersto o d among life sciences professionals. The data with some of the highest concerns for risk in cloud environments includes records pertaining to quality systems in pharmaceutical manufacturing. Company requirements in these industries are extremely tight on computer system validation due to the need to stand up to the rigor of regulators. Life sciences companies are used to owning the controls that govern their systems, controlling the pace of upgrades, and running extensive validation cycles on those upgrades, which are often many months in length. This flies in the face of trends in the cloud computing delivery model, which favors frequent releases of new features across all customers at a pace controlled by the software vendor. However, the benefits of cloud-based deployments have ushered in a new class of Quality Management Systems (QMS) that have transitioned successfully to the cloud. Among those systems, thoughtful vendors have taken new approaches towards validation that not only meet the requirements but in many ways provides a higher quality output. They have taken the burden of managing validation processes across a multi-tenant system and turned it into an asset by taking advantage of automation techniques that streamline the execution process. Automated validation approaches take what is traditionally a onetime event that happens at the end of a major software or process upgrade and turn it into an ongoing, every-day process that, it can be argued, ensures a system that is "continuously validated"-always being evaluated against a known set of outputs. COTS software Traditionally, most pharmaceutical companies deploy on-premise software. They may purchase a commercial off-theshelf (COTS) system, install it internally on servers, configure it to communicate on the cor por ate network and w ith other corporate systems and databases, and manage it in compliance with a corporate IT strategy and set of Standard Operating Procedures (SOPs). Aside from the development of the COTS software package, everything is owned, managed solutions across all tenants and take on the burden of operating those systems with shared resources and procedures to drive efficiency. To the business, the costs are passed on as a monthly operating expense, not a capital-intensive planning session that requires months and years of planning. Basics of cloud computing On the most basic level, cloud computing refers to using "virtualized servers" distributed over the Internet to store, access and manage data instead of on Sparta Systems' Stratas QMS system. Credit: Sparta and maintained by the company. This results in significant overhead costs to the company, which includes applying patches, administer ing the internal network connections, securing the data, creating disaster recovery contingencies, and the capital-intensive nature of keeping the required hardware viable. The expense and capital burden of the on-premise model in many companies takes a back seat to the inherently slow pace of deploying functionality to the business. IT projects continue to back up as IT teams shrink and the needs of the business grow. The cloud business model changes the g ame sig nificantly. Tr ue multitenant cloud computing-based systems are able to deliver great value by sharing infrastructure and software across several tenants (customers). To deliver that value, cloud software vendors deploy physical servers inside corporate network infrastructures. The common deployment patterns of cloud computing are single and multi-tenant. The single-tenant cloud is an architecture in which a single instance of a software solution and supporting infrastructure is "hosted" on servers in the cloud for one customer. In this situation, one company has its own instance of a solution so there is no shared resourcing. The tenant is the only company able to access the software. This is a similar model to on-premise in that it is one singular system with software installed and the company is the only one accessing it. While the customer does benefit from not having to manage the solution directly or worry about the hardware involved, that solution often cannot provide the economies of scale that multi-tenant deployments can provide. The multi-tenant cloud is an architecture in which a single instance of software serves multiple customers. In the multi-tenant cloud, many customers are sharing computing resources and storage, and running on the same application, but the data of each software instance is protected by definitive access points and security features. Since resources are shared and maintained externally, the cost to each tenant is reduced. FDA-scale systems validation requirements Validation refers to the process of checking that a software system meets specifications and that it fulfills its intended purpose. Properly capturing validation documentation is key for deploying cloudbased solutions and should be documented in accordance with the company's internal SOPs. If an auditor reviews a company's software environment, the company must be able to demonstrate how the software was validated per its internal SOPs. With cloud solutions, the time-consuming tasks with regards to validation that normally occurs during the Installation Qualification (IQ) and Operation Qualification (OQ) in many cases can be provided by the software vendor. When it comes to electronic record keeping and FDA, they made an early attempt to be proactive when they came out with guidance for complying with Title 21 of the Code of Federal Regulations; Electronic Records; Electronic Signatures (21 CFR Part 11). According to FDA: We suggest that your decision to validate computerized systems, and the extent of the validation, take into account the impact the systems have on your ability to meet predicate rule requirements. You should also consider the impact those systems might have on the accuracy, reliability, integrity, availability, and authenticity of required records and signatures...We recommend that you base your approach on a justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity. If, after reading that section of the guidance, you are left with more questions than answers, you are not alone! Keep in mind, this validation guidance was last updated in 2003, well before the cloud revolution. The resulting gray area leaves many questions unanswered on the use of cloud systems for regulated workloads and how they should be validated. FDA was expected to publish additional guidance on the use of cloud, but that guidance has not May | June 2017 Visit our website at www.PharmaceuticalCommerce.com 21