Controlling Pharma data in the Cloud-
Overview
• Example of a CAPA from 3 years ago (2010)
• Example of a CAPA today (2013)
• Example of CAPA in Azure(2014)
I am trying to use this presentation as an
example of evolution over time but the issues
raised will be relevant to any cloud based GXP
application
3 Years ago (Private Cloud)
• Data secured on shared qualified physical host servers running dedicated virtual servers (‘Single Tennant’), but with the capacity option to increase the virtual server and connection pipe as the customer needed (flexible compute) • Linear CAPA, mainly for recording activities and outcomes,
but all data in an SQL database meant it was good for data reporting
• Cloud used for Troubleshooting (Dev and Test)
Hosted (‘Private’ cloud) CAPA dedicated setup from
2010
3 Years ago- issues
• Password management- how the users can
change it themselves and not the service provider
• Consistent environments- restore meant it had to
be an exact physical server
• Bandwidth- fine for daily CAPA activities, terrible
for upload, and high volume migrations
• Backup good, restore bad (though it was
acceptable for 24 hours from disaster)
Today’s (2013) CAPA (Private Cloud)
• Data secured on shared qualified physical machine with
multi-tennanted front end and back end servers, still with
the capacity to increase the virtual servers and connection as the customer requires (flexible compute). More
monitoring at the firewall needed to see who is using what • Multi-threaded CAPA more complex, and customer
reporting requirements are more sophisticated
• Lots of trust built up with our datacentre provider, they
were big enough to be safe and secure, small enough to put in processes and procedures so it now runs very smoothly. No downtime in 3 years, (slight issue with bandwidth
Hosted (‘Private’ cloud) ‘multi-tenant’ CAPA setup from
2013
Some Current Issues…
• Much more emphasis from customers on proving
robustness (e.g. 2e2 a UK data-center provider) and non crossover of data and users from the multi-tenant
environment
• Multinational customers have requirement to know where the data is stored and require that their data is kept in
certain countries
• Passwords can and must be changed and managed by the customer
• Backup and Disaster Recovery concerns: More data
Multi-threaded CAPA management
CAPA Process 2013
Future (mid 2014) CAPA (Azure
Cloud)?
• We are working on true Cloud environment using
Azure, with Office 365 and CAPA as SaaS in a flexible
multi-tennant compute environment.
• 2 Customer options
a. Simple OOB Client configurable CAPA set-up
b. GXPi configured setup attaching lego blocks of .pdf
publishing tools, OCR scanning, digital signatures, archiving solution
• Interface and training materials to talk the customer
through the set-up for simple out of the box (credit
card payments) for ‘a’
• Service oriented offering for ‘b’
Microsoft’s Chicago
DataCenter
What is Cloud, Really?
CAPA in the Cloud- set up your
architecture
Future CAPA Issues
• You can now know where the data is being kept
at least
• Monitoring (intrusion/virus/changes/
bandwidth/data/ software licensing other) will be
crucial
• Cloud can easily be used for training test dev and
production environment as needed- need to have
audit trail that those temporary environments are
removed or known where they are
• Software licensing will need to be on weekly
monthly ‘pay as you go’
What about GAMP and Validation?
How could this breakdown into activities for a Cloud
delivered CAPA?
Organisations: Activities: Regulated Company Software Developer SaaS Provider IaaS ProviderValidation Plan & Report User Requirements & Acceptance Testing
Functional & Design Documentation
Installation Qualification
Incident Management
Infrastructure Qualification Operational Change Control Periodic Review
Conclusions about Controlling Pharma data
in the Cloud
• A CAPA system (or any other GXP-data system)
can exist in the cloud
• Can it be validated in the traditional sense? Yes,
but the process needs some thought
• It will be much more about monitoring the
infrastructure and ensuring that you control the
data
Minimum
• They have documents and schematics that are understandable by the non-expert • They manage change in an acceptable manner
• They have clear contracts and allocation of responsibilities
• They have been audited by regulated companies (or understand what to do having been advised by suitable experts…)
• They audit their key suppliers
• They have suitable and appropriate test scripts for their environment to prove security and data integrity
Ideally
• They have detailed experience of the compliance needs of the Life Sciences industry and tools to aid and ensure that compliance is achieved efficiently
• They have monitoring to identify change from the qualified state. (see Example below)
• They have validation documents of a suitable quality that allows you to leverage, using risk-based approach to reduce your validation effort
• Their subject matter experts can clearly communicate complex technology environments to your team so they can understand the operation and design elements
• They have been audited by Life Sciences companies • You can use their Change Control system
• They have a robust and suitable QMS that matches Life Sciences industry expectations • They have adequate Subject Matter Experts that span IT technical and compliance needs
What to look for in a Pharma
Simple Component Categorisation for CAPA Cloud
Implementation (or other Cloud Applications)
Service Example
Components GAMP
®
Category What to do? Who?
IaaS Hardware, Internet Connectivity, Power, Servers, Storage and RAM, Antivirus, Router Software, Firewall, VMWare, Hyper-V, Azure
1 Qualify and manage infrastructure and manage
configuration
changes (or monitor changes/ monitor challenge Intrusion) Audit procedures Infrastructure Vendor (IV) Application Vendor(AV) or Sponsor. (If different)
PaaS O/S, Windows Server, SharePoint Server and SQL Server,
webServers, search etc
1 Qualify the ‘server’ stack. Manage/control ongoing changes Audit procedures Platform Vendor (PV) PV AV or Sponsor
SaaS e.g. X-Forms™ CAPA 4 “Validate” the
configured software application
URS and UAT
AV
Sponsor
