Madness of the Clouds


Some compliance theory about IT in pharma


  1. 2008.06.25.
  2. The Madness of Clouds: a controlled, qualified cloud in pharma
     GAZDAG, Ferenc, EGIS Pharmaceuticals Plc, Head of IT Infrastructure
     08-09. Sept. 2011, IT Governance, Risk and Compliance
  3. Content
     • Introduction
     • Infrastructure overview
         • Physical, virtual, application list
     • Software licensing
     • Qualification and validation of IT elements
     • How to be ready for an audit/inspection
     • Are the external clouds usable?
  4. EGIS Plc.
     • "A" category company on the stock exchange
     • Third R&D budget in the region (9.3%)
     • Generic and original products
     • Over 350 M€ yearly income
     • HQ in Budapest, Hungary
     • Two sites in Budapest, one in Körmend
     • 26 branch offices
     • About 4000 employees worldwide
  5. Geography
  6. Physical infrastructure (diagram)
     Sites:
     • TGY (HQ, plant): 30 Hosts, 358 VMs, 1800 PCs
     • KÖR (plant): 5 Hosts, 24 VMs, 500 PCs
     • BÖK (plant): 6 Hosts, 82 VMs, 500 PCs
     • KER (sales office): 6 VMware Hosts, 16 VMs, 400 PCs
     • MGY (storehouse): 6 PCs
     • 17 offices (MPLS VPN): 38 Hosts, 60 VMs, 1100 PCs
     Link labels in the diagram:
     • 1 Gbps leased line (optical)
     • 10 Mbps leased line (micro)
     • CWDM dark fiber (2x1 Gbps)
     • 10 Mbps leased line (optical)
     • CWDM dark fiber (4x1 Gbps)
     • 100 Mbps micro
     • 2 Mbps optical
     • 100 Mbps (optical)
     • 10 Mbps micro
     • Internet
  7. What is the Cloud?
     • A lot of water molecules flying together in the air
     • A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction
     • A set of services and technologies that enable the delivery of computing services over the Internet in real time, allowing end users instant access to data and applications from any device with Internet access
  8. Virtual infrastructure (diagram): EGIS HU cloud, SAP sub-cloud, EGIS Intl cloud, QA system sub-cloud
  9. Applications running virtualized (part)
     • Manufacturing systems
         • Pharma production, logistics, warehouse systems
     • SAP ECC 5.0 (P, Q, D), SAP BW 7.1 (P, D)
     • Empower, Chemstore (QA laboratory systems)
     • Flowcontroll, data measurement systems
     • EDMS (EMC Documentum: Regulatory register)
     • Security systems (management of network, wifi and firewalls)
     • Novell OES2 (file and print sharing), ZenWorks
     • Workgroup software:
         • IBM Websphere Portal (intranet), Domino, SameTime, QuickR
     • Internet portal
     • Microsoft AD 2008, Microsoft Exchange 2007, Citrix, MS TS 2008
     • IBM Cognos TM1, Cognos BI 8
     • 20 MS SQL 2005 Servers, 40 Oracle DB servers
  10. Licensing 1
     • Microsoft
         • User CAL, Device CAL – not affected
         • Client OS/Office – annoying, only subscription
         • Applications – SQL, MOSS, …: can be OK
         • OS: Datacenter Edition, SQL: /CPU based licensing
     • Oracle DB
         • /user: STD:
             • min 5 user/CPU, ENT: min 25 user/CPU (the whole cluster)
         • /CPU: for the whole cluster
  11. Licensing 2
     • IBM
         • /user: not affected
         • "Sub-capacity licensing", PVU – very nice
         • License metering server is needed (agent on each server)
     • Novell
         • /user: not affected (OES2, ZenWorks)
         • SLES: only hardware based licensing
     • Any application
         • Depends on database and vendor! Be aware!
  12. Qualification and validation
     • Qualification (concerning Equipment or System): Establishing documented confidence that process equipment and ancillary systems are capable of consistently operating within established limits and tolerances
     • Validation (concerning Processes): Establishing documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its pre-determined specifications and quality attributes
     • In GOD we trust, but all others have to bring documents!
         • Unknown FDA inspector
  13. V-model for computerized system validation (diagram)
     • User Requirements Specification (URS)
     • Functional Specification (FS)
     • Design Specification HW/SW (DS)
     • Implementation
     • Installation Qualification (IQ)
     • Operational Qualification (OQ)
     • Performance Qualification (PQ)
     • Checks
  14. Application validation – Infrastructure qualification (diagram)
     • Qualification: Storage, Network, Virtualisation layer (Hypervisor), Hardware units, HA, DR, Backup
     • Validation: Application
     • Stack shown for each virtual machine: Application, Operating system, Virtual hardware
  15. QA in virtual systems (diagram)
     • Virtual infrastructure
     • Qualification of virtual template(s)
     • Qualification of virtual platform
     • Validation of application
     • Elements shown: Virtual template (OS); Virtual machines (Application, OS)
  16. Results of virtualization
     • Before:
     • Qualification
         • 80 systems (machine, OS)
         • 1 storage
         • 1 backup device
         • Documentation not reusable
         • ~2 weeks / system
     • After:
     • Qualification
         • 1 server system (blades)
         • 1 virtualization layer
         • 1 storage
         • 1 backup device
         • Reusable documentation
         • ~2 weeks / virtual platform
         • ~2 days / virtual template
         • ~1 day / virtual machine
     • Validation
         • No change
     • Approx. 158 man-days / yr savings
  17. "Nice to have" for the auditor
     • Standard, "known" environment
         • Comfortable, "touchable" devices
     • Diagram labels: Server1, Server2, router, switch, SAN/NAS
  18. The reality
     • Virtual environment
         • New method for audit, new view is needed!
     • Diagram labels: Server1, Server2, routing switch, SAN/NAS, Cloud, vSwitch, VM, Server VLAN, management VLAN, iSCSI, PC VLAN, Printer VLAN, Local VM, Virtual application, Remote desktop / VDI, "BYOPC", External Cloud
  19. Preparing the documentation
     • Masterplan
         • Qualification plan
         • Technical specification
         • Acceptance plan
         • Test result sheets
         • Closing document
     • Closing document
     • Network (LAN/WAN)
     • Site 1 server
     • Site 2 server
     • Site 3 server
     • Site 4 server
     • Security
     • Client
     • Middleware / Database
  20. Server qualification (retrospective)
     • Physical server qualification
     • Storage qualification
     • Virtual layer qualification
     • Virtual templates qualification
     • Virtual servers qualification
     • Backup system
     • Environment (datacenter)
     • Diagram layers: Application, OS (Infra software), Virtual layer, Physical server, Backup, Storage, Environment
  21. Server results: x279
  22. Network qualification (retrospective)
     • Active network devices
         • VLAN, routing, VRF
     • Passive network elements
         • Random measurements (~15%)
         • Qualified measuring devices!
     • Wifi system security (WLAN, 3G)
     • WAN devices
     • Environment
  23. Network results
     • x~800
  24. Security
     • Firewalls (defense in depth, clustered)
     • VPN tunnel possibilities
     • Remote office (remote application offer)
     • Content filter (mail filter, web filter)
     • Intrusion test (by external company)
  25. Others
     • Client side qualification
         • Image qualification
         • Deployable - Application pack qualification
         • Stuff / management software qualification
     • Database
         • Through application validation
         • Security qualification
     • Middleware
         • Through application validation
     • x~50
  26. Staff
     • Training plan
     • Trainings (GxP, SOP)
     • Technical trainings
     • CVs
     • Job descriptions
  27. Standard Operating Procedures
     • To maintain the validated state
         • Development
         • Operation
             • Incident and problem management
             • Disaster recovery
             • System description
             • Maintenance
         • Data backup, recovery, preservation
         • System backup, recovery
         • (User side) data archiving
         • Change management
         • System decommission
  28. Results of FDA inspection: Passed
  29. External Cloud
     • Already planned and investigated
     • Financially almost OK for DR (cold backup site)
     • Technically not OK (multi-site company in a star network topology; internet access needed everywhere)
     • Licensing is not really definite
     • QA does not allow GxP-relevant systems to be moved
  30. Summary
     • The virtual infrastructure can be qualified easily
     • The cloud-based application can be validated if the provider gives us a documented infrastructure
     • Security depends on the security system and mainly on the staff, independently of the cloud
     • GxP and the local labour code sometimes say different things
  31. Thank you! Any questions?