Madness of the Clouds

some compliance theory about IT pharma

  • Because every slide deck has to start with this; it is mandatory.
  • To summarize the quality assurance of virtual systems briefly: virtualization has brought a significant shift in this area as well. In the physical world, the base infrastructure, the individual servers and the operating systems all have to be qualified. In the virtual world we do not escape system qualification either, but it only has to be done once for all the systems running on it. Likewise, the base templates only have to be qualified once and then updated after customization. Applications have to be validated with the same resource effort in both cases, but one probably replaces an application less often than the hardware.
  • Quality assurance and documentation are not the favourite topics of IT operations staff. With virtualization, however, this burden can also be reduced significantly. Whereas in the physical world the virtualization of a system took roughly two weeks, followed by a validation whose duration depended on the application, in the virtual world the two-week base qualification has to be done once, followed by the virtual templates (we have about 7 of these). We create machines from the templates, and we still have to allow 1 day for checking them after customization. And of course validation is needed here too, which depends on the application. You can imagine how much time this saves for a pharmaceutical manufacturer, since we have at least 30 validated systems whose infrastructure part has to be qualified. In the case of SAP, this takes 34 working days instead of 132 working days.
  • Madness of the Clouds

    1. 2008.06.25.
    2. The Madness of Clouds: a controlled, qualified cloud in pharma. GAZDAG, Ferenc, EGIS Pharmaceuticals Plc, Head of IT Infrastructure. 08-09. Sept. 2011, IT Governance, Risk and Compliance
    3. Content
        • Introduction
        • Infrastructure overview
            • Physical, virtual, application list
        • Software licensing
        • Qualification and validation of IT elements
        • How to be ready for an audit/inspection
        • Are the external clouds usable?
    4. EGIS Plc.
        • „A” category company on the stock exchange
        • Third-largest R&D budget in the region (9,3%)
        • Generic and original products
        • Over 350 M€ yearly income
        • HQ in Budapest, Hungary
        • Two sites in Budapest, one in Körmend
        • 26 branch offices
        • About 4000 employees worldwide
    5. Geography
    6. Physical infrastructure (diagram labels)
        • Sites:
            • TGY (HQ, plant): 30 Hosts, 358 VMs, 1800 PCs
            • KÖR (plant): 5 Hosts, 24 VMs, 500 PCs
            • BÖK (plant): 6 Hosts, 82 VMs, 500 PCs
            • KER (sales office): 6 VMware Hosts, 16 VMs, 400 PCs
            • MGY (storehouse): 6 PCs
        • Links: 1 Gbps leased line (optical); 10 Mbps leased line (micro); CWDM darkfiber (2x1Gbps); 10 Mbps leased line (optical); CWDM darkfiber (4x1Gbps); 100 Mbps micro; 2 Mbps optical; 100 Mbps (optical); 10 Mbps micro
        • Internet
        • 17 offices (MPLS VPN)
        • 38 Hosts, 60 VMs, 1100 PCs
    7. What is the Cloud?
        • A lot of water molecules flying together in the air
        • a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction
        • a set of services and technologies that enable the delivery of computing services over the Internet in real-time, allowing end-users instant access to data and applications from any device with Internet access.
    8. Virtual infrastructure (diagram labels): EGIS HU cloud; SAP sub-cloud; EGIS Intl cloud; QA system sub-cloud
    9. Applications running virtualized (part)
        • Manufacturing systems
            • Pharma prod, logistic, warehouse systems
        • SAP ECC 5.0 (P, Q, D), SAP BW 7.1 (P, D)
        • Empower, Chemstore (QA laboratory systems)
        • Flowcontroll, data measurement systems
        • EDMS (EMC Documentum: Regulatory register)
        • Security systems (management of network, wifi and firewalls)
        • Novell OES2 (file and print sharing), ZenWorks
        • Workgroup software:
            • IBM Websphere Portal (intranet), Domino, SameTime, QuickR
        • Internet portal
        • Microsoft AD 2008, Microsoft Exchange 2007, Citrix, MS TS 2008
        • IBM Cognos TM1, Cognos BI 8
        • 20 MS SQL 2005 Servers, 40 Oracle DB servers
    10. Licensing 1
        • Microsoft
            • User CAL, Device CAL – not affected
            • Client OS/Office – annoying, only subscription
            • Applications – SQL, MOSS, …: can be OK
            • OS: Datacenter Edition, SQL: /CPU based licensing
        • Oracle DB
            • /user:
                • STD: min 5 user/CPU, ENT: min 25 user/CPU (the whole cluster)
            • /CPU: for the whole cluster
    11. Licensing 2
        • IBM
            • /user: not affected
            • „subcapacity licensing”, PVU – very nice
            • license metering server is needed (agent on each server)
        • Novell
            • /user: not affected (OES2, ZenWorks)
            • SLES: only hardware based licensing
        • Any application
            • Depends on database and vendor! Be aware!
    12. Qualification and validation
        • Qualification (concerning Equipment or System): Establishing documented confidence that process equipment and ancillary systems are capable of consistently operating within established limits and tolerances
        • Validation (concerning Processes): Establishing documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its pre-determined specifications and quality attributes
        • In GOD we trust, but all others have to bring documents!
            • Unknown FDA inspector
    13. V-model for computerized system validation (diagram labels): User Requirements Specification (URS); Functional Specification (FS); Design Specification HW/SW (DS); Implementation; Installation Qualification (IQ); Operational Qualification (OQ); Performance Qualification (PQ); Checks
    14. Application validation – Infrastructure qualification (diagram labels): Storage; Network; Virtualisation layer (Hypervisor); Hardware units; HA; DR; Backup; Qualification; Validation; four stacks of Application / Operating system / Virtual hardware
    15. QA in virtual systems (diagram labels): Virtual infrastructure; Qualification of virtual template(s); Qualification of virtual platform; Validation of application; Virtual template (OS); several virtual machines (Application, OS)
    16. Results of virtualization
        • Before:
        • Qualification
            • 80 systems
                • (machine, OS)
            • 1 storage
            • 1 backup device
            • not reusable documentation
            • ~2 weeks/system
        • After:
        • Qualification
            • 1 server system (blades)
            • 1 virtualization layer
            • 1 storage
            • 1 backup device
            • reusable documentation
            • ~2 weeks/virtual platform
            • ~2 days/virtual template
            • ~1 day/virtual machine
        • Validation
            • No change
        • Approx. 158 mandays/yr savings
    17. „Nice to have” for the auditor
        • Standard, „known” environment
            • Comfortable, „touchable” devices
        • Diagram labels: Server1; router; switch; Server2; SAN/NAS; router; switch
    18. The reality
        • Virtual environment
            • New method for audit, new view is needed!
        • Diagram labels: Server1; routing switch; Server2; SAN/NAS; routing switch; Cloud; vSwitch; VM; VM; Server VLAN; management VLAN; iSCSI; PC VLAN; Printer VLAN; Local vm, Virtual application, Remote desktop / VDI, „BYOPC”; External Cloud; VM; VM
    19. Preparing the documentation
        • Masterplan
            • Qualification plan
            • Technical specification
            • Acceptance plan
            • Test result sheets
            • Closing document
        • Closing document
        • Network (LAN/WAN)
        • Site 1 server
        • Site 2 server
        • Site 3 server
        • Site 4 server
        • Security
        • Client
        • Middleware / Database
    20. Server qualification (retrospective)
        • Physical server qualification
        • Storage qualification
        • Virtual layer qualification
        • Virtual templates qualification
        • Virtual servers qualification
        • Backup system
        • Environment (datacenter)
        • Diagram labels: application; OS (Infra software); Virtual layer; Physical server; Backup; Storage; Environment
    21. Server results: x279
    22. Network qualification (retrospective)
        • Active network devices
            • VLAN, routing, VRF
        • Passive network elements
            • Random measurements (~15%)
            • Qualified measuring devices!
        • Wifi system security (WLAN, 3G)
        • WAN devices
        • Environment
    23. Network results
        • x~800
    24. Security
        • Firewalls (defense in depth, clusterized)
        • VPN tunnel possibilities
        • Remote office (remote application offer)
        • Content filter (Mail filter, web filter)
        • Intrusion test (by external company)
    25. Others
        • Client side qualification
            • Image qualification
            • Deployable - Application pack qualification
            • Stuff / management software qualification
        • Database
            • Through application validation
            • Security qualification
        • Middleware
            • Through application validation
        • x~50
    26. Staff
        • Training plan
        • Trainings (GxP, SOP)
        • Technical trainings
        • CVs
        • Job descriptions
    27. Standard Operating Procedures
        • To maintain the validated state
            • developing
            • operation
                • Incident and problem management
                • Disaster recovery
                • System description
                • maintenance
            • Data backup, recovery, preserve
            • System backup, recovery
            • (user side) data archiving
            • Change management
            • System decommission
    28. Results of FDA inspection: Passed
    29. External Cloud
        • Already planned and investigated
        • Financially almost OK for DR (cold backup site)
        • Technically not OK (a multisite company in a star network topology needs Internet everywhere)
        • Licensing is not really definite
        • QA does not allow GxP-relevant systems to be moved
    30. Summary
        • The virtual infrastructure can be qualified easily
        • The cloud-based application can be validated if the provider gives us a documented infrastructure
        • Security depends on the security system and mainly on the staff, independently from the cloud.
        • GxP and the local labour code sometimes say different things
    31. Thank you! Any questions? [email_address]
