IT trends and cGxP compliance?

Current IT trends and cGxP compliance?

Big Data, Cloud, ByoD, VM, Industry 4.0, SCRUM, WEB 2.0 – current IT trends. How much trouble does that mean for your validation engineer?

 

Big Data, Cloud, ByoD, Industry 4.0, VM, SCRUM, WEB 2.0 – these technologies and principles serve mainly one purpose: to provide quick and secure access to modern IT infrastructures, development methods and the infinite vastness of the World Wide Web. But how can a company subject to cGxP rules gain the most benefit from all those innovations in a pragmatic and legally compliant manner?

 

With the emergence of the New Economy at the start of the millennium, the accompanying increase in the use of mobile devices and the rising number of business apps available for those devices, the formerly self-contained corporate IT opened up:

  • Managers want to be able to access their figures – anytime, anywhere, in easily readable form.
  • Sales forces want online access to product and contact information so they can check product or quality status and availability or place orders directly during customer visits.
  • Customers demand information on their order status, access to quality certificates as well as to product information and want to file their error reports or complaints directly.
  • Doing business on the internet and using online payment systems have long since become routine.
  • No matter where in the world they are, employees want and should be able to use their company’s e-mail and booking systems with their own personal profiles.
  • Maintenance and support teams can work directly with remote workstations or generate error and status logs.
  • Production processes and maintenance intervals are managed directly by machine-to-machine (M2M) communication.
  • And in between, everyone wants to surf on XING, LinkedIn or Facebook, post a tweet, read and answer WhatsApp / Hangouts messages, book theater tickets, etc. - the list is almost endless.

These demands pose numerous challenges to corporate IT departments not only with regard to hardware and software, but particularly in conjunction with issues of security and compliance.

 

Big Data: Almost unlimited amounts of data are stored in companies and on the internet every day – not only by the NSA, but by companies or individuals storing their data legally and intentionally. Analyzing and correlating these data in order to predict traffic jams, accidents, the buying behavior of customers or sales forecasts is serious business. But to succeed in these endeavors, corporate IT departments need to access data sources inside and outside of the company and provide end-device users with a huge variety of ready-to-use operating systems and apps from numerous sources. For the traditional validation engineer, the trouble starts when critical data are transmitted or when quality-relevant decisions to block batches or release or recall products are based on these data.

 

Cloud: In the very beginning, Cloud services only offered storage capacity so that huge amounts of data could be accessed in various ways – no Cloud storage and apps, no Big Data! In the meantime, these providers are increasingly offering application services as well. The user rents a certain amount of storage space and the services that he wants, but he doesn’t usually know where the storage or application servers are physically located. For business applications, adequate provisions need to be clearly defined in service level agreements, as legal requirements vary from country to country. For example, it is illegal in Germany to store personal data on servers outside of the EU (German Data Protection & Privacy Act).

 

ByoD – Bring your own Device: With the emergence of smartphones and tablet computers, another issue arose: why have one device for personal use and another one for the company? Employees want to be able to use their mobile devices to access both company and private data any time, anywhere – for example to check the day’s sales figures, release a batch of products or approve a document. Access to e-mail accounts at any time is a must. IT departments have to deal with numerous questions: what apps or how many versions of an operating system should be used? What about security, licenses, liability issues, etc.? In addition to all the technical matters, questions arise regarding tax law (e.g. regarding non-cash benefits) if the device is provided by the company and used privately.

 

Industry 4.0 / M2M (machine-to-machine): Machines as well as laboratory devices have been equipped with microchips and computers for years, resulting in the development of intelligent machines capable of monitoring themselves and contacting service centers when signs of wear are detected or scheduled maintenance is required. Just think of your new printer that tells you when the toner is running low or when the barrel is worn. Certainly such intelligent functions are desirable – but what happens in a GMP environment when machines detect quality problems and respond accordingly (for example by blocking the current production batch) and humans depend on them?

 

VM – Virtualization: Running several instances of an operating system on one physical computer or a computer farm serving as dedicated application environments has been the state of the art for years. Load distribution and optimal utilization of resources were the drivers behind this innovation. But is this still a discrete infrastructure environment that can be qualified in accordance with a hardware specification?

 

Agile development methods (e.g. SCRUM): The traditional waterfall and (extended) V-model software development methods have turned out to be too cumbersome in dynamic environments, as they require strict phase models with precise specifications and test models. Agile methods seek to reach their goal earlier with small, iterative development steps and minimal specification stages. Developers and users are in constant touch and work together in small groups towards the target application, which is outlined only very vaguely. But how do we reconcile this with the requirements for controlled software development subject to quality assurance in accordance with GAMP 5©?

 

WEB 2.0 – Social networking: For successful online communication with the target markets it no longer suffices to have a static website under a www address or a simple web shop. Almost every company that does business with end customers has its own XING, Twitter or Facebook account, blogs and communication portals. These are all used to communicate product information, provide service and support advice, post spare-parts lists and scientific reports, etc. Sometimes a special login is required, implying that the information provided is valuable and binding. Customers, on the other hand, share their opinions of or experiences with companies and their products on the internet. Employees use their private accounts in the corporate environment as well (particularly with ByoD). Bearing this in mind, there are legal aspects and security issues that demand attention. Today, companies are frequently both providers and operators as defined by telecommunications law; in the future that will be standard. What happens if sensitive data is suddenly published or altered via the corporate infrastructure?

 

Although Annex 11 of the EU-GMP guideline was updated, regulatory requirements lag considerably behind the lightning-fast technological advances. For the most part, the same old requirements and tools that have been around for years are still used for valid IT environments. Moreover, GAMP5©, also several years old, is still the methodological basis for validation/qualification in IT environments. Several SIGs (Special Interest Groups) in the GAMP organization have been drafting proposals to deal with these developments and publishing them as guides to best practice.

 

The basic requirements for secure operation of IT systems as outlined in GAMP5© remain the same even for the latest technologies. However, these are frequently open systems for which the required precise specifications or adequate configuration management are more difficult to produce. More than ever before, thorough assessment of the potential risks to product or patient safety is required to meet regulatory requirements.

 

The cGxP requires you to provide special documentation (FDA: “written evidence”) for the implementation or operation of a system, regardless of whether you use one of the aforementioned technologies or methods or not. Performing the activities outlined in GAMP5© results in a documented chain of evidence that covers everything: from the requirements of an application to the release for intended use and the change management throughout the life cycle of the product or service. The latter in particular is more difficult to fulfill in the mostly open environments mentioned above, and requires adaptation of the methods presented in GAMP5©. Nevertheless, in open and agile environments it is possible to provide all the validation, qualification and development documents that are necessary. Thus, adapted, iterative processes must be developed for this as well, and firmly anchored in the corresponding documents (CSV-SOPs, VMPs, VPs). GAMP5© already offers some approaches that allow an iterative creation of the documentation during the project.

 

Conclusion

If a company is planning projects involving the aforementioned issues, its project management, development methods, test procedures and reports, the SOPs for routine operation, change control system and documentation structures must be adapted so that they meet the quality requirements of the QM system and those of the validation/qualification plan and risk assessments defined for the project. Should your company’s IT staff or users lack the necessary experience with these topics, Chemgineering’s consultants will be happy to share the knowledge and expertise they have acquired over many years of conducting IT/application projects.

 

For further information please contact Dr. Thomas Karlewski

 

Chemgineering Business Design AG | Binningerstrasse 2 | 4142 Münchenstein | T +41 61 467 89 00 | F +41 61 467 89 01 | www.chemgineering.com | info@chemgineering.com