CAPA in the Cloud Keith Williams CEO GXPi 12 th June 2013
Controlling Pharma data in the Cloud- Overview Example of a CAPA from 3 years ago (2010) Example of a CAPA today (2013) Example of CAPA in Azure(2014) I am trying to use this presentation as an example of evolution over time but the issues raised will be relevant to any cloud based GXP application 2
3 Years ago (Private Cloud) Data secured on shared qualified physical host servers running dedicated virtual servers ( Single Tennant ), but with the capacity option to increase the virtual server and connection pipe as the customer needed (flexible compute) Linear CAPA, mainly for recording activities and outcomes, but all data in an SQL database meant it was good for data reporting Cloud used for Troubleshooting (Dev and Test) We worked with our datacentre provider to ensure they had good processes and trained people so that we had a qualified infrastructure for our compliant application 3
Hosted ( Private cloud) CAPA dedicated setup from 2010 4
3 Years ago- issues Password management- how the users can change it themselves and not the service provider Consistent environments- restore meant it had to be an exact physical server Bandwidth- fine for daily CAPA activities, terrible for upload, and high volume migrations Backup good, restore bad (though it was acceptable for 24 hours from disaster) Virtualisation was relatively new and HyperV was just not as good as VMWare 5
6
Today s (2013) CAPA (Private Cloud) Data secured on shared qualified physical machine with multi-tennanted front end and back end servers, still with the capacity to increase the virtual servers and connection as the customer requires (flexible compute). More monitoring at the firewall needed to see who is using what Multi-threaded CAPA more complex, and customer reporting requirements are more sophisticated Lots of trust built up with our datacentre provider, they were big enough to be safe and secure, small enough to put in processes and procedures so it now runs very smoothly. No downtime in 3 years, (slight issue with bandwidth throttling) 7
Hosted ( Private cloud) multi-tenant CAPA setup from 2013 8
Some Current Issues Much more emphasis from customers on proving robustness (e.g. 2e2 a UK data-center provider) and non crossover of data and users from the multi-tenant environment Multinational customers have requirement to know where the data is stored and require that their data is kept in certain countries Passwords can and must be changed and managed by the customer Backup and Disaster Recovery concerns: More data (attachment of supporting data/documents/pictures) more reporting larger server farms, backup great (images can be taken) restore better (focus on more robust and immediate failover solutions forming part of your DR plan) 9
Multi-threaded CAPA management 10
CAPA Process 2013 11
CAPA Process 2013 12
Future (mid 2014) CAPA (Azure Cloud)? We are working on true Cloud environment using Azure, with Office 365 and CAPA as SaaS in a flexible multi-tennant compute environment. 2 Customer options a. Simple OOB Client configurable CAPA set-up b. GXPi configured setup attaching lego blocks of.pdf publishing tools, OCR scanning, digital signatures, archiving solution Interface and training materials to talk the customer through the set-up for simple out of the box (credit card payments) for a Service oriented offering for b 13
What is Cloud, Really? Microsoft s Chicago DataCenter 14
CAPA in the Azure Cloud multi-tenant and dedicated setup from 2014? 15
CAPA in the Cloud- set up your architecture 16
Azure Cloud multi-tenant CAPA setup from 2014? 17
Future CAPA Issues You can now know where the data is being kept at least Monitoring (intrusion/virus/changes/ bandwidth/data/ software licensing other) will be crucial Cloud can easily be used for training test dev and production environment as needed- need to have audit trail that those temporary environments are removed or known where they are Software licensing will need to be on weekly monthly pay as you go 18
What about GAMP and Validation? Who will do what from a GAMP perspective? How can you know what has changed? 19
How could this breakdown into activities for a Cloud delivered CAPA? Activities: Validation Plan & Report Organisations: User Requirements & Acceptance Testing Functional & Design Documentation Installation Qualification Regulated Company Software Developer SaaS Provider IaaS Provider Incident Management Infrastructure Qualification Operational Change Control Periodic Review 20
Conclusions about Controlling Pharma data in the Cloud A CAPA system (or any other GXP-data system) can exist in the cloud Can it be validated in the traditional sense? Yes, but the process needs some thought It will be much more about monitoring the infrastructure and ensuring that you control the data Security aspects such as Challenge testing of the environment (like ethical hacking) will become key, in addition to conventional audit 21
Thanks for listening!! Keith Williams (kwilliams@gxpi.com ) 22
What to look for in a Pharma Cloud/Platform/Software Supplier Minimum They have documents and schematics that are understandable by the non-expert They manage change in an acceptable manner They have clear contracts and allocation of responsibilities They have been audited by regulated companies (or understand what to do having been advised by suitable experts ) They audit their key suppliers They have suitable and appropriate test scripts for their environment to prove security and data integrity Ideally They have detailed experience of the compliance needs of the Life Sciences industry and tools to aid and ensure that compliance is achieved efficiently They have monitoring to identify change from the qualified state. (see Example below) They have validation documents of a suitable quality that allows you to leverage, using risk-based approach to reduce your validation effort Their subject matter experts can clearly communicate complex technology environments to your team so they can understand the operation and design elements They have been audited by Life Sciences companies You can use their Change Control system They have a robust and suitable QMS that matches Life Sciences industry expectations They have adequate Subject Matter Experts that span IT technical and compliance needs 23
Simple Component Categorisation for CAPA Cloud Implementation (or other Cloud Applications) Service Example Components GAMP Category What to do? Who? IaaS Hardware, Internet Connectivity, Power, Servers, Storage and RAM, Antivirus, Router Software, Firewall, VMWare, Hyper-V, Azure 1 Qualify and manage infrastructure and manage configuration changes (or monitor changes/ monitor challenge Intrusion) Infrastructure Vendor (IV) Application Vendor(AV) or Sponsor. (If different) Audit procedures PaaS O/S, Windows Server, SharePoint Server and SQL Server, webservers, search etc 1 Qualify the server stack. Manage/control ongoing changes Platform Vendor (PV) PV AV or Sponsor Audit procedures SaaS e.g. X-Forms CAPA 4 Validate the configured software application URS and UAT AV Sponsor 24
Example of Qualified Infrastructure monitoring and review 25