FDA Validation Requirements
The life sciences community has always been more conservative when it comes to the adoption of new technologies, and cloud-based systems are no exception. This cautious approach to shiny new technology objects is more than appropriate given the high stakes nature of the good work these companies perform. Mitigating risks and avoiding new ones is top of mind for pharmaceutical IT and quality professionals. Now that cloud-computing models are well accepted across many industries with proven security models and high reliability, it is becoming a viable option for life sciences enterprises.
However, the nagging challenge of validation of these systems is still widely misunderstood among life sciences professionals. The data with some of the highest concerns for risk in cloud environments includes records pertaining to quality systems in pharmaceutical manufacturing. Company requirements in these industries are extremely tight on computer system validation due to the need to stand up to the rigor of regulators.
Life sciences companies are used to owning the controls that govern their systems, controlling the pace of upgrades, and running extensive validation cycles on those upgrades, which are often many months in length. This flies in the face of trends in the cloud computing delivery model, which favors frequent releases of new features across all customers at a pace controlled by the software vendor.
However, the benefits of cloud-based deployments have ushered in a new class of Quality Management Systems (QMS) that have transitioned successfully to the cloud. Among those systems, thoughtful vendors have taken new approaches towards validation that not only meet the requirements but in many ways provides a higher quality output. They have taken the burden of managing validation processes across a multi-tenant system and turned it into an asset by taking advantage of automation techniques that streamline the execution process. Automated validation approaches take what is traditionally a one-time event that happens at the end of a major software or process upgrade and turn it into an ongoing, every-day process that, it can be argued, ensures a system that is “continuously validated”—always being evaluated against a known set of outputs.
COTS software
Traditionally, most pharmaceutical companies deploy on-premise software. They may purchase a commercial off-the-shelf (COTS) system, install it internally on servers, configure it to communicate on the corporate network and with other corporate systems and databases, and manage it in compliance with a corporate IT strategy and set of Standard Operating Procedures (SOPs). Aside from the development of the COTS software package, everything is owned, managed and maintained by the company. This results in significant overhead costs to the company, which includes applying patches, administering the internal network connections, securing the data, creating disaster recovery contingencies, and the capital-intensive nature of keeping the required hardware viable. The expense and capital burden of the on-premise model in many companies takes a back seat to the inherently slow pace of deploying functionality to the business. IT projects continue to back up as IT teams shrink and the needs of the business grow. Centralpoint would be considered a COTS software application which would be installed On Premise, or within the client's private or hybrid cloud environment.
The cloud business model changes the game significantly. True multi-tenant cloud computing-based systems are able to deliver great value by sharing infrastructure and software across several tenants (customers). To deliver that value, cloud software vendors deploy solutions across all tenants and take on the burden of operating those systems with shared resources and procedures to drive efficiency. To the business, the costs are passed on as a monthly operating expense, not a capital-intensive planning session that requires months and years of planning.
Basics of cloud computing
On the most basic level, cloud computing refers to using “virtualized servers” distributed over the Internet to store, access and manage data instead of on physical servers inside corporate network infrastructures. The common deployment patterns of cloud computing are single and multi-tenant.
The single-tenant cloud is an architecture in which a single instance of a software solution and supporting infrastructure is “hosted” on servers in the cloud for one customer. In this situation, one company has its own instance of a solution so there is no shared resourcing. The tenant is the only company able to access the software. This is a similar model to on-premise in that it is one singular system with software installed and the company is the only one accessing it. While the customer does benefit from not having to manage the solution directly or worry about the hardware involved, that solution often cannot provide the economies of scale that multi-tenant deployments can provide.
The multi-tenant cloud is an architecture in which a single instance of software serves multiple customers. In the multi-tenant cloud, many customers are sharing computing resources and storage, and running on the same application, but the data of each software instance is protected by definitive access points and security features. Since resources are shared and maintained externally, the cost to each tenant is reduced.
FDA-scale systems validation requirements
Validation refers to the process of checking that a software system meets specifications and that it fulfills its intended purpose. Properly capturing validation documentation is key for deploying cloud-based solutions and should be documented in accordance with the company’s internal SOPs. If an auditor reviews a company’s software environment, the company must be able to demonstrate how the software was validated per its internal SOPs. With cloud solutions, the time-consuming tasks with regards to validation that normally occurs during the Installation Qualification (IQ) and Operation Qualification (OQ) in many cases can be provided by the software vendor. When it comes to electronic record keeping and FDA, they made an early attempt to be proactive when they came out with guidance for complying with Title 21 of the Code of Federal Regulations; Electronic Records; Electronic Signatures (21 CFR Part 11). According to FDA: Otherwise referred to as GMP, CGMP or GxP.
.
We suggest that your decision to validate computerized systems, and the extent of the validation, take into account the impact the systems have on your ability to meet predicate rule requirements. You should also consider the impact those systems might have on the accuracy, reliability, integrity, availability, and authenticity of required records and signatures…We recommend that you base your approach on a justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity.
If, after reading that section of the guidance, you are left with more questions than answers, you are not alone! Keep in mind, this validation guidance was last updated in 2003, well before the cloud revolution. The resulting gray area leaves many questions unanswered on the use of cloud systems for regulated workloads and how they should be validated. FDA was expected to publish additional guidance on the use of cloud, but that guidance has not been released to date.
The truth of the matter is that it is not the regulator’s role to instruct companies on how to meet regulations. In some ways that is a good thing, because it allows for innovation and results in better ways to meet the same goals (or exceed them). Another guidance document from FDA, the General Principles of Software Validation, states:
For purposes of this guidance, FDA considers software validation to be confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses, and that the particular requirements implemented through software can be consistently fulfilled.
In absence of direct guidance from FDA (or other regulatory bodies) on the use of cloud computing platforms, companies and vendors should concentrate on meeting the stated requirements, not trying to retrofit the same process that was used for on-premise software if it does not make sense.
To sum up the challenge, how do we properly validate systems (provide that objective evidence) that are deployed to the cloud across multiple tenants in an efficient way, whereas the process allows for more frequent updates to the software across the entire multi-tenant user base?
The practice of automated validation
For traditional on-premise software solutions, validation could take 4–8 or more months for a single system. While spending over half a year executing a validation process is expensive and time consuming for traditional on-premise deployments, it might be outright impossible in a cloud-based scenario where vendors are typically deploying new software versions several times per year. With automated validation, execution is reduced from months to days.
True automated testing is built into the software development process. This means that as developers are writing code, they are also writing scripts to test each piece of code. A good overall test automation program will include thousands of unit tests, integration tests and other tests all the way up the stack to functional tests. The functional tests become the backbone of the validation process. By simultaneously writing the validation scripts along with the code and deploying those tests into a framework that executes at regular intervals, the application is being tested at every stage of development. Running a full validation process at the end of the release is great, but failures at this stage are identifying defects that may have been introduced into the product weeks or months earlier. By running your automated test suite at regular intervals, defects surface immediately and can be addressed closer to the point of origin. After deployment, there is no reason to stop running your validation process at regular intervals, which leads to an application that is essentially continuously validated.
There are many misconceptions regarding the requirements of computer system validation. A common misconception is that FDA requires tests to be run by a human being and signed off with pen to paper. There is no regulation that dictates that this is the only way to meet the regulation. What is required is objective evidence that software requirements describe the intended use and that the system meets those needs of the user. Once you determine alternate ways to provide objective evidence that can leverage good automation practices, you open the possibility that your system can safely change more often and be quickly revalidated. If vendors are able to provide objective evidence of IQ, OQ and even PQ (Performance Qualification) scenarios, customers can benefit from similar speed-to-value that other industries that have embraced cloud applications enjoy. The days of checking off test steps manually on paper are simply over. With cloud-based systems, vendors can provide much of the evidence required for customers to pass audits. This is difficult for many customers to grasp, because they are so used to performing their own manual validation for on-premise systems. Before selecting a cloud vendor, customers should fully understand what level of validation is provided. In many cases, cloud vendors provide out-of-the-box validation as soon as the customer signs. This surprises and delights pharmaceutical executives who are new to the world of the cloud.
EQMS and cloud-based systems
The pharmaceutical industry faces complex challenges resulting from regulatory scrutiny, mergers and acquisitions, parent expirations, and countless cost-cutting requirements. Manufacturers, contract research organizations and virtual companies all require robust information management systems to stay competitive and foster growth in the highly volatile global marketplace. Transitioning quality management systems (QMS) and other critical systems to the cloud has long-term benefits if properly implemented.
In a world where manufacturing that used to be done primarily inside has been moved to outsourced relationships, the collaboration between disparate quality systems that can be enabled by cloud technologies can increase quality and compliance. By moving to the cloud, manufacturers and suppliers have the ability to connect, interact and integrate on unprecedented levels. This increased cooperation and collaboration is fueling the emergence of a virtual network where small and large manufacturers alike can look beyond their four walls to create more powerful and more efficient means of ensuring product quality and safety.
Enhanced connectivity allows internal quality management processes to unite with quality ecosystem partners, expanding quality beyond the four walls of the manufacturers. Integrating cloud-based systems used by suppliers, contract manufacturers and distributors let’s manufacturers connect with these key stakeholders quicker and more directly. It is simply too complex and too important to relegate those exchanges to email and fax machines. With this increased communication, pharmaceutical manufacturers can respond to risks earlier. Whenever a product or safety risk is identified, all involved stakeholders can start investigations and act faster to prevent product safety risks from impacting consumers. Ultimately, this drastically lowers the risk of recalls. Companies can avoid the costly financial repercussions of a recall, while preserving investor confidence and consumer trust. Greater visibility and transparency is made possible by connecting various cloud-based systems, which leads to safer products.
Future direction
While hesitation around cloud adoption in the pharmaceutical industry may have been justified in the past, current technologies keep data safe and systems validated. In many cases, security and compliance to validation can be increased by using modern automation techniques. Automation will revolutionize the validation process—what used to take months can be accomplished in days, if not minutes. IQs and OQs can be run as often as needed. As PQs move to also be automated, the entire process can be run as often as needed, ensuring a continuously validated system. Cloud monitoring tools are also being deployed and are on the lookout for small changes to the infrastructure that again can be flagged to reduce risk. The culmination of these technologies can automatically validate any updates or changes to cloud-based solutions, providing life sciences companies with the confidence of compliance with FDA and can ensure properly working systems. Once the industry comes to this realization, everyone will benefit. Migrating systems to the cloud dramatically increases connectivity with key players across the quality ecosystem and helps all stakeholders work more collaboratively to create safer pharmaceuticals.