When health authorities like the FDA craft new regulation to govern GxP regulated areas, they consult academic and industry experts for input. One of the few organizations to have a formal cooperation with the FDA in such matters is the Pharmaceutical User Software Exchange (PhUSE), an independent not-for-profit organization established as a discussion forum for clinical data scientists and life sciences IT professionals.
Since 2013, a group under PhUSE has worked to develop a framework to lower the barriers for adoption of cloud technologies in regulated life sciences organizations. The group members included experts from pharma companies like JNJ, Merck, Pfizer, GSK and Sanofi, along with FDA representatives.
NNIT is represented in the work group by Anders Vidstrup, Senior IT Quality Subject Matter Expert, who has been a member of the group from the beginning and has served as group chairman for the past two years.
– After years of intense discussions and frequent meetings and presentations, we have produced a guide that points out the key elements for a successful adoption of cloud services in the regulated life sciences industry whilst complying with international regulatory standards. Four documents have passed public review and are now officially published on the PhUSE website, says Anders Vidstrup.
The PhUSE guidelines outlines the roles and responsibilities of both cloud service customers, cloud service providers and cloud service brokers. The documentation deals with cloud services in a “total stack” format, covering everything from physical hardware and infrastructure over operating systems and database engines to the GxP organization and intended use. All this aligned in accordance with the regulated approach, as described in the figure below.
– The guidelines describe everything pharma companies and their cloud service partners must do to ensure that they achieve compliance with existing general GxP regulations. They do not cover specific solutions, but rather outline a set of publicly available universal principles for GxP cloud services, which life sciences companies, cloud providers and brokers can reference. For example, all four documents reflect NNIT’s current approach to cloud compliance, says Anders Vidstrup.
The guidelines describe in detail how to take care of the quality activities to make sure the Cloud Service will be fit for intended use. They also discus supplier evaluation, risk approach, life-cycle activities and Quality Agreements considerations.
– In adopting cloud-based solutions for GxP workloads, understanding the essential characteristics of cloud services and solutions is important for determining the applicability of GxP requirements to specific Cloud Service Providers and/or cloud-based solution models. It is essential for compliance with e.g. 21 CFR Part 11, FDA guidance on Data Integrity and EU Annex 11, that controls are in place when using different Cloud Services and Cloud Service Providers. The main conclusion is that despite technology having undergone many evolutionary steps, the fundamental principles associated with regulatory predicate rules and good engineering practices still very much apply and can be fully exploited, says Anders Vidstrup
With the publication of the PhUSE guidelines, it is now up to the FDA to review the documents and determine how they will be incorporated into FDA regulations. One option is for the FDA to adopt the guidelines as is, while another is for the FDA to reference the work in their own version of GxP cloud regulations. This review process is likely to take three years before new FDA guidance can be approved.
– The strength of this work is that it reflects the combined insights of QA and IT compliance experts from some of the biggest companies in the life sciences industry. The FDA is represented in the work group, and a member of the group trains FDA staff in inspection and validation. So, these position papers will also serve as the basis for the practical inspection procedures as well as the legal framework, says Anders Vidstrup. He continues:
– and based on our many years working with life sciences customers and collaboration with FDA, we can support customers due to our inspection readiness mindset. Especially our Quality Management System is aligned with GxP regulations, and training program for the people to enter with inspection is in place.
The four PhUSE Cloud Framework documents:• Cloud Framework, Pre-Amble • Cloud Framework, Audit Activities • Cloud Framework, Regulatory Requirements • Cloud Framework, Terminology
If you are interested in hearing more about NNIT’s impact on international standards and regulations, please contact Anders Vidstrup, Senior IT Quality Subject Matter Expert @: firstname.lastname@example.org