ISPE GAMP, leading the way to Productive Compliance

Transcription

1 ISPE GAMP, leading the way to Productive Compliance AUTHOR: Chris Reid, Chair ISPE GAMP Europe As well as presenting ISPE GAMP principles and practices for effective regulatory compliance, this White Paper includes case study information from leading pharmaceutical organizations and outlines current industry hot topics: Revision to EU Annex 11, Computerised Systems (effective June 2011) 21 CFR Part 11, Electronic Records and Electronic Records Cloud Computing SPONSORED BY:

2 ISPE GAMP, leading the way to Productive Compliance Introduction In 2012, ISPE GAMP celebrates their 21st anniversary of helping regulated industries achieve cost effective compliance of computerised systems used in support of medicinal product development, manufacture, distribution and safety monitoring. GAMP, originally named after Good Automated Manufacturing Practice, is now more a brand name synonymous with compliance of all types of computerised system utilised in the global supply chain. GAMP has evolved over the years to become a globally recognised resource by regulated users, suppliers, consultants and regulatory authorities. GAMP provides pragmatic, risk based advice that enables valuable resources to be focussed in the areas of risk to patient safety, product quality and data integrity. GAMP is very much focussed on effectiveness and efficiency with a scalable approach that addresses the specific characteristics and risks of the project, service or products being implemented. GAMP is an ever growing family of volunteers supporting ISPE to address emerging issues and technologies. Figure 1: The GAMP Family Page 1 of 14

3 Validation of Computer Systems A key objective of validation / qualification is to bring about transparency of approach and outcomes during the implementation, support and retirement of computerised systems and IT infrastructure. Tony Trill, UK MHRA inspector (retired) referred to SOUP, a hidden project methodology. SOUP relates to Software of Unknown Pedigree due to an inability to understand and evaluate processes used in the development and assurance of computerised products. Product Requirements Product Development (SOUP) Product Release Figure 2 SOUP Methodology The validation and qualification of computerised systems is a core element of the GAMP approach to effective compliance. GAMP Principles - Foundation for Effective Compliance GAMP 5 has been developed around five key concepts: Product and Process Understanding - Fundamental to system requirements and risk assessment Lifecycle approach within a QMS - Cradle to grave, integrated processes Scalable lifecycle activities - Patient safety, product quality, data integrity - System complexity and novelty - Supplier capability Science based quality risk management - Based on product and process understanding Leveraging supplier involvement - Knowledge, experience, documentation Product and process understanding and science based quality risk management are at the heart of current day thinking. Time constrained, valuable resources need to be focussed in areas of greatest risk to patient safety, product quality and data integrity. Page 2 of 14

4 Risk assessment (and management) is used throughout the implementation, operation, support and retirement phases to focus validation effort. Risk assessment however, can only determine impact with knowledge of business / manufacturing processes and product characteristics. For example, the criticality of environmental control processes will differ greatly for a system supplying a general office area, to a similar system supplying a sterile manufacturing facility. Similarly a manufacturing line processing calcium tablets will be significantly less critical than a manufacturing line processing oncology related products. Dr. Guy Wingate[6] clearly demonstrates the need for a shift to risk based thinking. Figure 3 provides a historical perspective of computerised system compliance where a one size fits all approach is taken irrespective of risk. The current approach is to focus effort where there is greatest risk, namely patient safety, product quality and critical data integrity. This approach should not however be confused with a philosophy adopted by some in terms of using Risk Based Approach simply to do less. Standard Validation Approach Risk Based Approach Focus Validation Effort HIGH MEDIUM LOW Focus Validation Effort HIGH MEDIUM LOW Historic Situation Current / Required Situation Figure 3 Focussing the compliance effort Dr. Guy Wingate [6] also concludes that our perception of the scope of patient safety and product quality related functionality across the spectrum of computerised system used by our organisations is skewed. Science based risk assessment has helped us better understand our products and processes and we can now conclude that significantly less functionality across our systems has a direct impact. The old perception at many firms* - Impact Analysis Must Be Shifted to Reflect True Risk Analysis will bring us here* - Impact Analysis Must Be Shifted to Reflect True Risk Low Impact Medium Impact High Impact Low Impact Medium Impact High Impact * Dictated by long-standing conservative approaches to compliance (zero risk was ultimate goal) * The new risk management mindset permits efficient allocation of resources to achieve an appropriate level of control that aims for low risk - not no risk Figure 4 Distribution of High Impact (Patient Safety / Product Quality) Business Processes / Functionality Page 3 of 14

5 Business Process and Functional Risk Assessment conducted by appropriate subject matter experts is therefore fundamental to ensuring that compliance effort is directed at critical functionality. For example, only circa 20% or less of an Enterprise Resource Planning System will contain regulated functionality and significantly less than 20% will present a direct impact to patient safety and product quality. To further illustrate the need to understand business processes, we can consider a Document Solution. The functional risk of the document management system is determined by the type of documents and business processes managed by the system. A document management system managing general Standard Operating Procedures may be significantly less critical than a Document System managing electronic Common Technical Document (ectd) submissions to regulatory authorities. Paul Motise, US FDA demonstrated the importance of risk assessment during his presentations pertaining to 21 CFR Part 11, Electronic Records and Electronic Signatures. He used an example of an analytical laboratory system being interfaced to a Laboratory Information system holding records relating to blood supply. In his example, he demonstrated that a simple interface failure between the two systems could transpose a failed analytical status into a positive result. In this example, HIV infected blood plasma was approved for release! Results of contamination test Result: HIV Infected Blood Plasma approved for release... Code 330 = Test equipment failed [3 digit results code field Code 33 = Test material is ok [2 digit results code field Figure 5 Consequence of Functional Failure on Patient Safety Page 4 of 14

6 Risk must be evaluated throughout the life of the computerised system, through planning, specification, build and configuration, verification, release, operation, change and retirement in order to enable considered decisions to be made and appropriate action to be taken to avoid and mitigate risk impact. GAMP further promotes a cradle to grave lifecycle approach. GAMP 5, supported by an additional companion volume, GAMP Good Practice Guide: A Risk-Based Approach to Operation of GxP Computerized Systems, substantially addresses the complete life of a computerised system including the operational and support phase and retirement phase. Develop Operate, Maintain Retire { Planning Specification Reporting Verification Service Configuration and or coding { Performance Monitoring System Inventories Change Handover Periodic Review Internal Audit Configuration Repair Training { Document & Software Archive Record Archive Record Retention Data Migration Document Sys Admin BCP & DRP Backup & Restore Records Figure 6: Cradle to Grave Lifecycle Approach Page 5 of 14

7 Integrated quality systems, where quality process interfaces are clearly designed (e.g. relationships between incident management and change management) are essential to effective and efficient compliance. Electronic Records and Signatures Computer Systems Validation Policy IT Infrastructure Qualification Policy Information Security Controls Policy Project / System Development Lifecycle Policy CHANGE MANAGEMENT ASSURANCE & RISK MANAGEMENT Customers New Business Need Issues Support Change Incident Service Level GxP Determination Process Mapping and RA Requirements Quality Planning Design and Design Review Func Risk Assessment & RTM Electronic Records Risk Assesment Configuration System Build System Testing Data Migration Quality Summary Reporting Post Implementation Monitoring OPERATION AND SUPPORT Handover Scaled application of change processes for minor changes and low risk changes Repair Deviation Internal Audit Periodic Review Risk CAPA ENVIRONMENT Personnel Development Document Supplier Assessment Change Incident Service Level Supply Partners Services Products System Inventory Disaster Recovery Performance Monitoring Backup and Restoration Policy and Standards Security Configuration IT Service Application Deployment RETIREMENT Incident System Admin System Archiving License Retirement, Decomm and Disposal Figure 7: Integrated Quality System Figure 7 shows a typical IT Quality System (QMS) covering change / implementation processes, operations and support processes, assurance and risk processes, environment and retirement processes. Change, Incident, Service and Supplier Assessment are key supply chain interfaces. All processes underpin a series of corporate policies / standards / guidelines that provide the company s interpretation of global regulations and industry best practice. A key consideration in the design of an effective QMS is to build on a foundation of Good Engineering or Good IT practice. Compliance activities should be an incremental level of rigour based on risk to patient safety, product quality and data integrity. Cross industry standards such as ITIL, TickIT, CMMi and ISO are all good foundations for Good Engineering / IT Practice and provide the minimum considerations for implementing any business related computerised system / IT infrastructure. All too often, the cost of computerised system compliance is measured as the whole activity within a project due to a lack of awareness of general good practice. Page 6 of 14

8 The regulated company must also consider how they will demonstrate assurance of the services and environments provided by the external organisation. Due diligence, audits, performance reviews are all key to ensuring that the service provider is meeting business and regulatory needs Dr. David Selby[7], a founding father of GAMP has conducted an exercise over a number of years to identify areas for continuous improvement. In his benchmarking exercise he identifies that regulated organisations typically consider their strengths to be in the area protocols, documentation and change management. Companies considered themselves reasonable at implementing policies and procedures, project management, specifications, design review and training. Areas of greatest concern are during handover to operations, post project evaluation and maintaining a controlled state during operation, all areas that GAMP has addressed in more recent publications. Leveraging of supplier expertise, documentation and effort is becoming more common place as organisations realise that they are duplicating effort of their suppliers and further they can draw on subject matter expertise and experience that may not be readily available within their own organisations. A GAMP Special Interest Group has recently concluded that supplier effort can be leveraged irrespective of criticality of the solution being provided as long as supplier assessment, planning, management and verification controls reflect the degree of risk. This approach becomes more relevant as an increasing number organisations are utilising pre-configured Software as a Service (SaaS) solutions. GAMP Productivity Case Studies ISPE s conference in New Jersey, July 2011 and repeated in Brussels, November 2011 included a keynote address by Dr. Guy Wingate and Dr. David Selby. The key note address provided many case studies where adoption of GAMP principles and approaches has improved productivity of the validation process. Table 1 provides a subset of the case studies presented: Approach Case Study Acknowledgement Re-engineering the verification process Adopting Good Practices savings circa 5% Adopting Standardised Practices savings circa 30+% Focus on Patient Safety / GMP savings circa 20% Scalable Approach savings circa 10% Other areas included leveraging supplier expertise and rigorously applied risk assessment Dr. Guy Wingate, GSK Leveraging Supplier Testing Application of Risk (Scalability) Average cost of validation now < 4% of project cost Extended audit to verify supplier functional risk assessment and test coverage Additional effort 4 days to conduct review Regulated company conducted spot check testing of critical functions (3 days) Original regulated company test plan was 6 man weeks effort Rigour of verification / testing effort influenced by functional criticality and probability of software failure (custom, configured, non configured OOTB) Intensive approach for patient safety related and custom / configured applications. Positive and challenge testing. QA involvement Standard approach for Low risk customised, high / medium risk configured applications. Positive, multipath testing Minimal approach for non configured OOTB applications and low risk configured applications. Leveraged supplier effort Chris Reid, Integrity Solutions Limited Lilly Mo, Pfizer Global Quality Operations and Pfizer Global Supply Business Table 1: Summary of Productivity Case Studies Page 7 of 14

9 The approaches taken not only ensure that effort is scaled according to risk but ensure that significant effort is applied where there is a patient safety, product quality or data integrity risk. The risk based approach has also enabled companies to challenge key areas of their quality management approach including: Contribution of participants in the validation process. Ensuring that all participants have a clear role, authority and expertise to make decisions and availability to support project commitments. Further ensuring that project personnel are engaged through need rather than company position or organisational role Review the value of the documentation set to ensure that documents are necessary and focussed on areas of greatest risk Review of signatory requirements to ensure that appropriate business, technical and quality representatives are engaged where their subject matter expertise is most relevant Simplification of SOPs within an integrated QMS, SOPs that drive intelligent thinking rather than prescriptive practises Industry / Regulatory Hot Topics Regulatory authorities tend to focus their attention on areas of observed risk and emerging technology / service provision. Hot topics remain the focus of attention until risks are well understood and industry establishes standards and approaches to mitigate such risks. Current hot topics within industry include, but are not limited to: Revision to EU Annex 11, Computerised Systems (effective June 2011) 21 CFR Part 11, Electronic Records and Electronic Records Cloud Computing Mobile Devices and Applications Revision to EU Annex 11, Computerised Systems (effective June 2011) EU Annex 11 (Computerised Systems) and Chapter 4 (Documentation) were refreshed in order to bring EU regulations in line with risk based thinking and electronic records management. GAMP provided significant feedback on early drafts of Annex 11 and Chapter 4. The effective versions are significantly more concise than original drafts and focus on objectives to be achieved rather than solutions. The revised Annex 11 promotes a risk based approach to computerised system compliance and like GAMP, emphasises the need for process ownership and a cradle to grave approach to compliance. In large, Annex 11 and Chapter 4 reflect current industry approach and there are few areas of concern for those already complying with previous versions. Some areas did however require further clarification. EU regulators can now request sight of supplier audit reports. This further necessitates the use of experienced auditors to ensure that supplier audit findings are a true and fair reflection of supplier practices. Regulated companies must ensure that they discuss and protect supplier confidentiality. Regulated companies must be able to demonstrate that they have based the need for audits on appropriate risk based decisions, that they have an appropriate assessment process in place and that they have taken appropriate action to address significant GMP related findings and observations. The primary objective of regulatory authorities is to ensure that risks are appropriately mitigated and managed. Annex 11 recognised that internal IT functions are akin to external suppliers in that they provide services to business functions across the regulated company. The primary expectation is that IT functions are covered by company quality systems including policies, procedures and internal audit programs. Where this is evident there is no need to establish internal agreements between businesses and IT although on occasions internal SLAs, OLAs as described in ITIL can be useful. Page 8 of 14

10 Annex 11 and Chapter 4 address electronic records and electronic signatures, the objectives of which parallel US FDA 21 CFR Part 11. Audit trail requirements are defined and the need to periodically review audit trails is stated. The key value of audit trails is during problem investigation and routine review of audit trail content is unlikely to uncover potential issues and risks. Periodic review should therefore focus on ensuring that audit trail functionality is enabled for required GMP records and that audit trails can be reviewed in a meaningful form during problem investigation. 21 CFR Part 11, Electronic Records and Electronic Records US FDA is including 21 CFR Part 11 within planned inspections in the human drug area for both domestic and international inspections. Part 11 inspections are focussing on areas of highest risk where industry may not be complying with, or understand the current enforcement approach as explained in Scope and Application guidance. Inspections including Part 11 considerations commenced in December 2010 with no planned end date. FDA indicated that they will evaluate the findings and make decisions once sufficient information is available. Compliance with Part 11 will continue to be enforced in line with the Scope and Application guide. FDA has indicated that they remain open minded to the potential outcome of the review and possible outcomes are: Maintain the status quo, plus publishing additional guidance focused on issues and concerns Amending the existing Part 11 regulation and/or preamble Proposing new wording/language to existing Compliance Policy Guides or Compliance Program Manual Guides that contain outdated interpretations of Part 11 requirements Revoking the current Part 11, Electronic Records; Electronic Signatures Scope and Application guidance Amending the current Part 11, Electronic Records; Electronic Signatures Scope and Application guidance Other yet to be determined Cloud Computing Cloud is an over arching term for a number of different services. The Cloud is essentially the internet. Cloud is about putting more of our assets, applications and data in the hands of service providers. In turn, your service provider may put some of those services into the hands of other service providers. As such, the supply chain is extended and assurance of essential controls becomes complex. Cloud Computing provides a number of significant benefits to consumers: Focus on core, value adding business activities (making drugs and devices!) Access applications and data from anywhere via the internet Outsourcing the burden of maintenance of infrastructure and applications Increased service delivery performance Service delivery cost optimisation Efficient management of service portfolio Leverage expertise and technology Optimum utilisation of assets and resource Consistency of approach Page 9 of 14

11 Simplified organisation Simplified supply chain Improved quality and compliance The primary compliance risk arises from the delegation of service delivery and quality responsibilities to the service provider. Service quality and demand are driven by multiple consumer organisations that may not always have aligned business drivers and regulatory pressures. Cloud Deployment Models A number of Cloud deployment models are available with varying degrees of risk as described in Table 2. Type Description Risks Private Cloud Computing architecture that provides hosted services to a limited number of people behind a firewall. Can be internal or external, with private space dedicated to your company with the service provider s data centre. Used by organizations that need more control over their data controls more easily evaluated, influenced and assured. Public Cloud Resources, such as applications and storage, are made available to the general public over the Internet. Public cloud services may be free or offered on a pay-per-usage model. controls more difficult to assess and enforce due to the extended supply chain. Much of the concern surrounding public clouds is related to security and compliance. Community Cloud Cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise. controls reflect the need of a community (potential for Regulated Community Cloud!) Hybrid Cloud Uses both public and private Depends on scope of public cloud Table 2: Cloud Deployment Models Page 10 of 14

12 Cloud Service Models Different service models are offered by service providers. The level of service provided by the external provider increases with each service model increment and consequently the level risk to the consumer increases. Infastructure As A Service (IaaS) Platform As A Service (PaaS) Software As A Service (SaaS) Storage Operating System Servers, Virtual Servers Web CRM / ERP Network SharePoint, SQL Quality / Document Increasing Level of Service & Risk Table 3: Cloud Service Models IAAS, PAAS and SAAS services have been utilised for many years under the heading of Out Sourced Service provision. In fact, similar risk considerations have been made with respect to on-shoring, near-shoring and off-shoring outsource models. With such services, it is not typically the technologies utilised that present the main focal point of risk consideration, rather the ability of the regulated company to evaluate, influence and manage the service provision in accordance with required standards and competencies. Regulators are taking an interest in the rapid expansion of cloud service provision. The US Food and Drug Administration have established an internal task team to evaluate the risks and implications of cloud service provision. At the ISPE conference in Brussels, November 2011, Robert Tollefsen of the FDA outlined key areas of interest to regulators: What systems are currently outsourced? What issues or concerns have come up? What resolutions/mitigations were employed? Common terminology and definitions for outsourcing IT systems What type of systems will be outsourced in the future? From a regulated company perspective, there are key risks to be addressed including: Responsibility for application management and performance with the service provider Responsibility for data integrity and security with service provider Availability, business continuity / disaster recovery Quality Security One sided Service Level Agreements Page 11 of 14

13 Staff turnover Service provider business failure of service change or contract exit Mobile Devices and Applications FDA recognises that a subset of mobile applications present a potential risk to patient safety if they do not work as intended. Draft guidance released by the FDA in July 2011 ( GuidanceDocuments/ucm htm) defined a small subset of mobile medical applications that may impact on the performance or functionality of currently regulated medical devices. Some of these new mobile applications are specifically targeted to assisting individuals in their own health and wellness management. Other mobile applications are targeted to healthcare providers as tools to improve and facilitate the delivery of patient care The guidance identifies mobile platforms as commercial off-the-shelf (COTS) computing platforms, with or without wireless connectivity, that are handheld in nature. Examples of these mobile platforms include mobile computers such as the iphone, BlackBerry phones, Android phones, tablet computers, or other computers that are typically used as smart phones or personal digital assistants (PDAs). Mobile Medical Applications are defined as applications that meet the definition of device in section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C Act); and either: Is used as an accessory to a regulated medical device; or Transforms a mobile platform into a regulated medical device. FDA is encouraging comment on the draft guidance. Key considerations for mobile platforms and applications is whether they are developed and maintained in accordance with appropriate quality management systems and whether security of such platforms and devices is robust. Page 12 of 14

14 Conclusion Adoption of GAMP principles and practices has led to increased effectiveness and productivity of computerised system compliance processes within our organisations. GAMP will continue to monitor developments within industry and regulatory arenas in order to provide an agile response to emerging issues, technologies and service delivery approaches. Business process and product understanding, subject matter expertise, risk management and a standardised, yet scalable approach is paramount to ensuring patient safety, product quality and data integrity. These key principles further allow us to focus valuable resources in areas of greatest importance and avoid duplication of effort. This White Paper was authored by Chris Reid, Chair of ISPE GAMP Europe & CEO Integrity Solutions. Chris has contributed to the development of GAMP 5 and a variety of Good Practice Guides. This White Paper was sponsored by QUMAS. Page 13 of 14

15 About QUMAS QUMAS is the leader in Compliance and Quality Solutions for the Life Sciences industry, with more than 270 global customer deployments and domain expertise in regulatory compliance since QUMAS Quality solutions provide Electronic Document (SOPs, QA documents), Electronic Process (CAPA, Deviation, Change Control, Audit), and GMP Compliance. QUMAS Regulatory Affairs solutions provide content and Submission including ectd authoring templates, collaborative review, full integration with leading publishing solutions, scanning, and automated import of paper documents. The QUMAS Compliance Platform is available on Microsoft SharePoint 2010, Oracle, Microsoft SQL Server and EMC Documentum. For more information, visit or Contact Us for More Information QUMAS 66 York Street Jersey City, NJ Phone: Free Phone: Visit: QUMAS Cleve Business Park Monahan Road, Cork, Ireland Phone: Visit: Acknowledgements and References 1. GAMP 5, A Risk Based Approach to Compliant GxP Computerized Systems, ISPE, February EudraLex The Rules Governing Medicinal Products in the European Union Volume 4 Good Manufacturing Practice Medicinal Products for Human and Veterinary Use, Annex 11: Computerized Systems [Effective June 2011) 3. US FDA 21 CFR Part 11; Electronic Records and Electronic Signatures, August FDA Guidance for Industry Part 11, Electronic Records and Electronic Signatures Scope and Application, August George Smith, US FDA, Presentation at ISPE GAMP Conference, Washington Dr. Guy Wingate, GlaxoSmithKline (Risk Models and Productivity Case Study) 7. Dr. David Selby, Selby Hope International (Validation Good Practice Case Study) 8. Lilly Mo, Pfizer Global Quality Operations and Pfizer Global Supply Business (Productivity Case Study) 9. Tony Trill, UK MHRA (Retired) Page 14 of 14