1/16/2020
1
Compliant Computer
System Validation
in an “as-a-Service” World
James Hughes
Sr. Manager, IT CSV
bluebird bio
January 16, 2020
Royal Sonesta
Cambridge, MA
ispe.org
Connecting Pharmaceutical Knowledge
Jimmy Hughes
• 10+ years experience in biotech Quality, Validation, and IT
• Consulting, full-time experience at Genzyme, Shire
• Currently at bluebird bio, a gene therapy company based in
Cambridge, MA, with ~1,200 employees and growing, preparing for
commercial launch of our gene therapy platform in 2020.
• bluebird is operating in >95% hosted/cloud/SaaS systems
Sr. Manager, IT CSV
2
1
2
1/16/2020
2
ispe.org
Connecting Pharmaceutical Knowledge
Agenda
• Context
• How are things changing in CSV?
• How are things changing in technology?
• Life Cycle Approach – what’s needed for SaaS systems?
• Concept, Project, Operation, Retirement
• Organizational Needs
• Whose support do you need to operate in the cloud?
What will we cover today?
3
ispe.org
Connecting Pharmaceutical Knowledge
Context
• New FDA guidance in 2020?
• FDA's upcoming Guidance on Computer Software Assurance for
Manufacturing, Operations, and Quality System Software
• ICH Q7 (10Nov2000)
Previous/Recent Guidance
4
3
4
1/16/2020
3
ispe.org
Connecting Pharmaceutical Knowledge
Context
• Regulations haven’t changed, but guidance needs to
change with technologies
• Move from CSV -> CSA in industry aligns with what is
needed for cloud technology
Previous/Recent Guidance
5
Documentation
Testing
Activities
Assurance
Needs
Critical Thinking
Documentation
Tes tin g Activities
Assurance
Needs
Critical
Thinking
Adapted from: “Computer System Assurance for Manufacturing, Operations, and Quality System Software” F. Vicenty, D. Matlis (source)
ispe.org
Connecting Pharmaceutical Knowledge
Context
We still need to:
• Demonstrate that we’re meeting regulations
• Evidence that the system is meeting intended use
• Documented controls
• Manage risk
• Understanding impact to product/patient, understanding high-risk
features
What isn’t changing?
6
5
6
1/16/2020
4
ispe.org
Connecting Pharmaceutical Knowledge
Context
• What are we trying to achieve through CSV?
• Data Integrity
• Risk Management
• Adherence to regulations
• Security
• Knowledge / awareness
• Confidence in our systems, and consequently confidence in running
our businesses through automated electronic systems
• And yes… some proof/evidence… documentation
What are we trying to achieve?
7
ispe.org
Connecting Pharmaceutical Knowledge
SaaS Systems
• What are talking about?
• SaaS – Software as a Service (Veeva)
• IaaS – Infrastructure as a Service (Amazon Web Services, AWS)
• PaaS – Platform as a Service (Salesforce Health Cloud)
• Most applications that we’re working with are SaaS sitting
on their own contracted IaaS
Also IaaS, PaaS…
8
7
8
1/16/2020
5
ispe.org
Connecting Pharmaceutical Knowledge
SaaS Systems
• Traditional IT responsibilities change moving to cloud
Roles and Responsibilities
9
Source: “SaaS applications: A new division of responsibilities between vendor and IT” Spanning
ispe.org
Connecting Pharmaceutical Knowledge
ISPE GAMP Guidance
Good Practice Guide: IT Infrastructure Control and Compliance
10
9
10
1/16/2020
6
ispe.org
Connecting Pharmaceutical Knowledge
ISPE GAMP Guidance
• Good practice guide discusses XaaS Infrastructure in-
depth
• Appendix 11, “Traditional versus XaaS Mode Comparison”
discusses:
• Differences between traditional/on-premise
• Positives
• Risks
• Mitigation Strategies
• Many mitigation strategies are procedural and rely on
strong SLA with your vendor
Good Practice Guide: IT Infrastructure Control and Compliance
11
ispe.org
Connecting Pharmaceutical Knowledge
Life Cycle Approach
• Regular patching/releases
• Previously, upgrades would happen on user-controlled basis, now
patching can happen even daily
• Validation
• Does your SaaS vendor understand your life science needs?
• Ownership of responsibilities
• Traditional concepts change
• Infrastructure Qualification
• Backup and restore
• How do you truly test this in the cloud?
• Data storage
• Where you operate and where you store your data matters!
What are we worried about in the cloud?
12
11
12
1/16/2020
7
ispe.org
Connecting Pharmaceutical Knowledge
Life Cycle Approach
• This model still applies, but faster!
What are we worried about in the cloud?
13
ispe.org
Connecting Pharmaceutical Knowledge
Life Cycle Approach
What are we worried about in the cloud?
14
13
14
1/16/2020
8
ispe.org
Connecting Pharmaceutical Knowledge
Life Cycle
• Intended Use
• What will the system be used for?
• Critical thinking!
• Regulatory Applicability
• Based on intended use, which regulations will apply to the system
you’ll be working on? Who should be involved in decision-making
early in the project?
• GxP? 21 CFR Part 11, 210, 211, Annex 11
• Financial? SOX
• HIPAA, PHI, GDPR, etc.
Concept
15
ispe.org
Connecting Pharmaceutical Knowledge
Life Cycle
• Procurement
• Work with finance to implement IT purchasing controls
• Vendor Assessment / Audit
• Working with your quality team, assess your vendor’s software
development practices, ITSM, and QMS
• Assessment depends on your organization – assessments,
questionnaires, interviews, audits
• Partner with your quality team – initial assessment is only the
beginning of the relationship between your two companies
Concept
16
15
16
1/16/2020
9
ispe.org
Connecting Pharmaceutical Knowledge
Life Cycle
• Requirements Definition
• Important to understand your requirements in the context of the
system
• Functional requirements and configuration specifications start to look
very similar – define a tool that’s useful to your org/team
• Informal Testing
• For highly configurable SaaS systems, informal testing becomes
more important than formal when it comes to ensuring your users get
what they want
• Highly configurable workflows should be tested
• Risk Assessment
• Focus on process risks, but also learn by using the system
• Use RA to inform your Change Management process
Project
17
ispe.org
Connecting Pharmaceutical Knowledge
Life Cycle
• Change Management
• Determine ahead of time how your will generally accommodate:
• Configuration Changes
• Scheduled upgrades
• Regular bug fixes
• Integrations
• Periodic Review
• ITSM – Access management, Incident, Break/fix
• Data Management
• Define “what’s ok?” for your application
• By building a framework for validation and system life cycle at your
organization, application owners/administrators can maintain
compliance efficiently
Operation
18
17
18
1/16/2020
10
ispe.org
Connecting Pharmaceutical Knowledge
Life Cycle
• Data Migration
• Track where you’re moving your data and what is the “source of truth”
• Retirement
• Industry is constantly shifting – what do you do when your SaaS
provider is purchased?
• Considerations when moving to a new application
• Data security
• APIs
• Compatibility
Retirement
19
ispe.org
Connecting Pharmaceutical Knowledge
Organizational Needs
• Foundation
• Standardizing Language – make sure everyone is on the same page!
• Understanding risk in the cloud – training and education
• Trust between IT and Quality
• Leadership Buy-In
• Scaling work with company over time
• Risk-based approach
• Cross-functional operations
• Quality Compliance/Operations
• Vendor Assessments, Vendor Audits, Quality Agreements
• Buy-in on key concepts / language
• Get everyone on the same page up front, save time, money, effort and
improve Quality down the line!
What do you need from your org?
20
19
20
1/16/2020
11
Questions?
Please use the microphone indicated so
our recording includes audio of your
question
21
For further information, please contact
Jimmy Hughes at
Jimmy Hughes
Sr. Manager, Computer System Validation
bluebird bio
60 Binney St., Cambridge, MA 02142
21
22
