Your Compliance and Technology Today


USDM hosted its first virtual event with an all-star line-up of life sciences thought leaders. If you missed our Forward-Thinking GxP Compliance & Process Optimization event, you can watch the replays of the four thought-provoking sessions here.

Session 1 – Your Compliance and Technology Today

You have to know where you are to know where you are going. What systems are on-prem vs. cloud? Where do you want to be?

  • Understanding your organization’s compliance and technology maturity today – people, process, technology
  • How ever-changing, global regulations impact your IT roadmap and how to create a sustainable strategy
  • Considerations for harmonizing your regulated and non-regulated processes and data
  • Q&A

Speakers

Stepheni Norton, Director of Product Management, USDM Life Sciences
David Blewitt, VP of Cloud Compliance, USDM Life Sciences
Roger Davy, Director Customer Engagement, USDM Life Sciences (moderator)

Learn more about this topic in our companion white paper, Top 5 Opportunities to Improve Compliance Maturity.

The structure of the event addressed various stages of cloud compliance maturity. Whether you are getting started, getting better, or getting ahead, this discussion will provide guidance for your cloud transformation journey.

Here are links to the other session replays and companion white papers:

Session 2 video: Managing Your Regulated Cloud Technology
Companion white paper: Why You Should Consider Outsourcing Your Cloud Vendor Qualification

Session 3 video: FDA Perspectives on Cloud Technologies
Companion white paper: Considering CSA? Here’s what you need to know

Session 4 video: Extracting Value from Your Cloud Data and Processes
Companion white paper: Google Cloud Platform for Life Sciences and Health Technology

Q&A: Your Compliance and Technology Today

Is the IQ/OQ/PQ model becoming irrelevant for software?

In the cloud, companies are moving away from installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ). They no longer perform the installation themselves; instead, they rely on their cloud vendors and on third-party audits of those vendors. The vendor follows the same processes every time, and data is secured in a defined manner.

IQ becomes configuration qualification (CQ) and you do need to verify configurations. Your system must be built and used as intended and documented.

Operational and functional testing are typically done by the cloud vendor or a partner of theirs. There should be daily automated testing of your system to ensure changes from the vendor aren’t affecting functionality.

Performance testing ensures that your functional requirements, on top of regulatory and compliance requirements, are being met and that they are not broken because something else changed.

The difference, then, is you don’t have control over those other pieces, but you are verifying that your vendor is doing them for you and doing them well.

The cloud changes the perspective of IQ. How can this be met?

GAMP 5 defines IQ as verification with documentation that a system is installed according to a pre-approved specification. Verification is achieved through testing that demonstrates the installation and configuration of software and hardware is correct.

The cloud is a shared responsibility model; think of it as assurance “of” the cloud versus assurance “in” the cloud. The cloud service provider is responsible for assurance of the cloud and you are responsible for assurance in the cloud.

In a traditional on-prem environment, you design, install, maintain, and qualify the network infrastructure. For cloud systems, the cloud service provider is responsible for the physical installation, security, maintenance, and verification. They are also responsible for the cloud infrastructure, which includes hardware, networking, and facilities. Cloud service providers have their own qualification process that is verified through a vendor audit.

In the cloud, you must document your technical specifications, build the cloud infrastructure to approved specifications, and verify that the build and configuration meet approved specifications.

Whether you call this activity IQ or CQ is tomayto/tomahto; what is important is that you have audited your vendor, pre-approved the specifications, and verified your build and configuration.

How does a vendor determine what is part of the equipment IQ/OQ system acceptance testing (SAT) and what functional testing falls under product development, especially when providing equipment IQ/OQ as a service?

USDM’s Vendor Assurance Report, an annual assessment driven by USDM’s proprietary Unified Compliance Matrix (UCM), assesses your compliance activities related to global regulations.

USDM’s Cloud Assurance Certified technology vendors meet the quality and compliance demands of the life sciences industry. Cloud Assurance Certified establishes the vendor’s credibility and compliance maturity and provides leverageable validation documentation.

Can you provide a specific example of how the UCM works regarding regulation and requirements and how they are covered with and linked back to testing?

USDM’s Unified Compliance Matrix is a comprehensive, global approach to assessing your regulatory and security maturity. It is an automated tool to determine the global regulatory requirements, standards, and guidelines that govern your quality management practices and assesses your organization’s compliance with these business needs.

Once your regulatory landscape has been defined, your specific fundamental functional and non-functional requirements are generated, including the trace to your defined regulatory requirements.

The UCM exposes the overlap between regulations. Tracing a standard fundamental requirement to multiple regulatory requirements allows for the consolidation of testing activities and compliance artifacts. It increases efficiency and decreases the cost of initial and continuous compliance, and provides a single line from regulation to requirements and configuration to test results.

Will the U.S. Food and Drug Administration (FDA) modernize various computer system validation (CSV) guidelines to make approaching cloud technologies more palatable?

Computer Software Assurance (CSA) is a framework designed to help companies achieve CSV. CSA provides clarity on the stance and methodology used to determine what is high risk and what is not, minimizing misinterpretation. The clarification in the CSA approach flips the paradigm to focus on critical thinking (risk based), assurance needs, testing activities, and documentation, in that order.

If you think of the 80/20 rule, the current CSV methodology has you spending 80% of your time documenting and only 20% of your time testing. With the CSA methodology, the FDA wants to flip this so that 80% of your time is spent on critical thinking and applying the right level of testing to higher-risk activities, while only 20% of your time is spent documenting.

The CSA model fits well with the cloud shared responsibility model.

Traceability to operational processes affected by a functional failure should be captured in a risk assessment. What is the benefit of adding these details to the overall traceability matrix?

USDM finds that auditors are looking for a holistic view of an application and its compliance status. The purpose of the Requirements Traceability Matrix is to ensure that defined requirements—both functional and non-functional—have been documented, approved, and confirmed, whether that be confirming the procedure is correct and effective or that the functionality has been tested.

Do you have any Standard Operating Procedure (SOP) templates for implementing data integrity controls internally (preferably within a Microsoft environment)?

Yes, USDM has SOP and policy templates for implementation of data integrity controls.

Are you considering pegging risk management (for computer systems) to a common framework like the NIST RMF (National Institute of Standards and Technology Risk Management Framework)?

USDM’s Cloud Assurance managed service subscription includes a risk rating system that helps us evaluate each customer’s regulatory landscape and risk tolerance. Ultimately, it is up to the customer to decide which approach they use.

Do major cloud providers (e.g., Amazon, Google, Microsoft) let other companies audit them?

Vendor qualification can be accomplished in one of two ways: you can perform vendor audits yourself, specifying what you need and confirming whether the vendor has it, or you can engage another company like USDM to do that for you. You can also state in your SLA that the vendor must have these items in place in order to be considered a vendor.

USDM can manage your internal auditing schedule and ensure you are prepared. We have conducted many internal audits for organizations facing such resource challenges. Our services are comprehensive and offer flexible delivery options to meet your needs. Should we find issues, we can help with remediation or assess your next steps.

How does FDA validation and change control deal with the nimbleness of continuous integration and continuous deployment/delivery (CI/CD)?

Regulated companies wanting to build out a GxP framework in their agile development operations often need to audit their CI/CD pipeline with regular monitoring to determine if ongoing work meets GxP goals. USDM’s Cloud Assurance delivers continuous validation and meets the necessary FDA requirements. You can qualify your CI/CD procedure and code once, set up validation monitors on execution, and code is kept in a controlled state.
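One way to keep code in the controlled state described above is a release gate that the pipeline runs on every execution: it deploys an artifact only if the artifact's digest appears in an approval record that a separate QA step has signed. The following is an added example, not USDM's Cloud Assurance tooling or any FDA-prescribed method; the approval key, the release identifier `REL-0142`, the approver name and the artifact bytes are constructed for illustration. The approval record is bound with an HMAC under a key the build agents do not hold, so neither the artifact nor the record can be swapped after approval without the gate noticing, and each decision is returned as an evidence entry a validation monitor can store.

```python
"""Release gate for a qualified CI/CD pipeline (added example).

The QA approval step signs a record binding the release id to the SHA-256 of
the approved build. The deploy step recomputes the digest of whatever it is
about to ship and refuses anything that is not the approved artifact or whose
approval record fails integrity checking.
"""
import hashlib
import hmac
import json

# Constructed key. In a real pipeline this lives with the approval step (for
# example in a secrets manager the build agents cannot read), never in the repo.
APPROVAL_KEY = b"constructed-demo-approval-key"


def artifact_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(record: dict) -> bytes:
    """Canonical JSON so the HMAC does not depend on key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_approval(record: dict, key: bytes) -> dict:
    """QA approval step: bind release id, artifact digest and approver under an HMAC."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "hmac": tag}


def verify_approval(signed: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(signed["record"]), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    return hmac.compare_digest(expected, signed["hmac"])


def release_gate(artifact: bytes, signed_approval: dict, key: bytes) -> dict:
    """Deploy-step check. Returns the decision plus the evidence to record."""
    digest = artifact_digest(artifact)
    if not verify_approval(signed_approval, key):
        return {"allowed": False, "reason": "approval record tampered or unsigned", "digest": digest}
    record = signed_approval["record"]
    if not hmac.compare_digest(record["artifact_sha256"], digest):
        return {"allowed": False, "reason": "artifact differs from approved build", "digest": digest}
    return {"allowed": True, "reason": f"matches approved release {record['release_id']}", "digest": digest}


# Constructed artifacts: the build QA approved, and a change that skipped approval.
APPROVED_BUILD = b"app 1.4.2 build output (constructed)"
UNAPPROVED_BUILD = b"hotfix pushed straight to the deploy branch (constructed)"

# Constructed approval record produced by the QA step.
APPROVAL = sign_approval(
    {"release_id": "REL-0142", "artifact_sha256": artifact_digest(APPROVED_BUILD), "approved_by": "qa.lead"},
    APPROVAL_KEY,
)


if __name__ == "__main__":
    print(release_gate(APPROVED_BUILD, APPROVAL, APPROVAL_KEY))
    print(release_gate(UNAPPROVED_BUILD, APPROVAL, APPROVAL_KEY))
```

The gate deliberately checks the approval record's integrity before looking at the artifact, so an attacker who can edit the record (for example by changing the approved digest to match a rogue build) is caught by the HMAC check rather than slipping through on a digest match. Storing the returned evidence entries gives the "validation monitor on execution" its audit trail.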

As a supplier of equipment that generates data that can but does not need to be used for GMP, how do we understand compliance with respect to technical controls and documentation?

USDM’s Cloud Assurance Certified technology vendors meet the quality and compliance demands of the life sciences industry. Cloud Assurance Certified establishes the vendor’s credibility and compliance maturity and provides leverageable validation documentation.

We’ve heard about Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) workloads, but what about guidance for SaaS related applications and providing assurance of compliance for those apps within the company architecture?

Delivered for CSV or CSA, USDM’s SaaS onboarding and initial validation for GxP applications includes a defensible annual vendor audit for the FDA, 21 CFR Part 11 and EU Annex 11 assessment, a validation plan, URS/FSR, IQ/OQ/PQ protocol and test scripts, a traceability matrix, and a validation summary report.
