1. 2016 FDA GMP Guideline
for the Web-Cloud & Software Services
White Paper and Use Case
Juan Carlos Tirado Operations Director
PSI /Pharmaway 1.0
2. Executive Summary
PSI can help customers in the manufacturing industry establish a qualification
strategy for the Windows Azure platform.
In this presentation we will discuss:
White-Paper: Guidelines to validate Microsoft
cloud technology for the life sciences industry.
Use case: PSI-Pharmaway 1.0
3. The challenge
• Biotech and pharmaceutical
systems have always been
highly regulated, complex
and expensive. Hardware
and software requirements
are daunting in scale,
variety, and speed of
obsolescence.
4. The challenge
• The industry currently requires
large teams of experts for
installation, configuration,
testing, operation, security, and
maintenance. When you scale
this effort across dozens or
sometimes hundreds of
applications, it’s easy to see why
the largest companies with the
best IT departments aren’t
getting the systems they need.
Small and mid-sized companies
don’t stand a chance.
5. A new technological vision
• We created an industry first
web based FDA-Good
Manufacturing Practices
compliance and integrated
software suite environment
including an Manufacturing
Execution System, Laboratory
Information Management
System, Change Control, None
Conformance/CAPA and
Business Intelligence system
perfect for the manufacturing,
biotechnology, biomedical and
pharmaceutical industries.
6. Microsoft Azure Clouds
• Over the last few years, Microsoft has paid an increasing amount of
attention to compliance and the cloud.
• Together these concepts represent a fairly radical departure from normal
business in the life sciences industry and manufacturing in general.
• By enabling cloud technologies, which provide an ease of use and ease of
implementation, with compliance, which provides the ability to work with
information in a regulatory compliant fashion, companies may find the
best of both worlds.
7. WindowsAzure Overview
• Windows Azure is a cloud services operating system that serves as the
development, service hosting and service management environment for
the Azure platform.
• Windows Azure provides developers with on-demand compute and
storage to host, scale, and manage web applications on the Internet
through Microsoft data centers.
• The Microsoft Global Foundation Services group administers the physical
infrastructure on which the Azure platform runs and data is stored.
• Customers provide and manage the GxP computerized systems and data
that are deployed on the Azure platform.
Applications
Infrastructure
Software & Tools
Network Components
Infrastructure Hardware
Data Center Facilities
Validation
Qualification
8. Methodology
Microsoft’s Azure platform services have undergone SSAE 16 Service Organization
Control (SOC) audits and are also certified according to ISO/IEC 27001:2005 standards
(see Section 0). This process has leveraged the reports produced by independent third
party auditors to identify procedural. relation to controls for computerized systems.
The qualification approach summarizes
the activities and responsibilities shared
between the regulated user (customer)
and the cloud service provider (Microsoft)
to qualify the system against the relevant
regulatory requirements. The assessment
described the responsibilities of the
customer and Microsoft, as well as the
activities, documentation and controls
(technical/procedural) that are required to
meet the regulatory requirement.
9. GAMP5® Category
From the perspective of a regulated user
(customer), the Azure platform is
considered to be Category 1 –
Infrastructure Software as defined
in GAMP5® (Ref. [6]).
This category contains two types of software; Established or
commercially available layered software (e.g. operating systems,
database managers, programming languages, etc.) and Infrastructure
software tools (e.g. network monitoring software, batch job
scheduling tools, security software, anti-virus and configuration
management tools).
10. FDA Classification
While Microsoft is not directly responsible for the electronic records contained within the Azure
platform, it is responsible for maintaining the Azure platform. In addition, Microsoft configures the
Azure platform infrastructure and establishes access control requirements for logical and physical
security.
The Azure platform is therefore considered to be
“open” (refer to definition in Section 1.5).
The FDA requires open systems to meet
additional requirements, such as
encryption, as defined in 21 CFR Part
11.30 (Ref. [5]).
The customer should evaluate any GxP computerized
system deployed on the Azure platform should to
determine whether it should be considered an
open or closed system per 21 CFR Part 11 and
whether additional controls / procedures need
to be implemented as a result of the evaluation.
11. Microsoft Azure Controls
• Security Policies and Procedures
• Physical and Environmental Security
• Logical Security
• System Monitoring and Maintenance
• Data Backup, Recovery and Retention
• Confidentiality
• Software Development / Change Management
• Incident Management
• Service Level Agreements
• Risk Assessment
• Documentation / Asset Management
• Training Management
• Disaster Recovery
• Vendor Management
12. Qualification Approach
Applications
Infrastructure
Software & Tools
Network Components
Infrastructure Hardware
Data Center Facilities
Validation
Qualification
According to industry best practices as proposed within the GAMP Good Practice Guide: IT Infrastructure Control and
Compliance7, in order for an IT infrastructure platform to be considered qualified and compliant, the following critical
aspects need to be considered:
• Installation and operational qualification of infrastructure components;
• Configuration management and change control of infrastructure components;
• Management of risks to IT Infrastructure;
• Involvement of service providers in critical infrastructure processes;
• Security management in relation to access controls, availability of services and data integrity;
• Data Backup, Restore, Disaster Recovery, Archiving.
Microsoft has implemented controls (see Section 2.5) which encompass these critical aspects of compliance.
13. Summary of Microsoft Responsibilities
• Microsoft is responsible for ensuring that Windows Azure meets the terms
defined within the governing Service Level Agreements (see Section 2.5.9).
When new virtual machines are deployed within the Azure Platform, they
are created using the default configuration established by Microsoft.
Microsoft is responsible for ensuring the deployed VM’s are capable of
meeting the specifications and the terms of the SLA(s).
• The Azure platform must be managed in a controlled and secured manner,
so as to provide the following key elements:
– Confidentiality - ensuring that information is accessible only to those
authorized to have access;
– Integrity - safeguarding the accuracy and completeness of information and
processing methods;
– Availability - ensuring that authorized users have access to information and
associated assets when required.
– The controls identified in Section 2.5 are implemented, managed and
maintained by Microsoft to ensure that the above key requirements can be
met.
14. Customer Responsibilities
1. Develop or identify procedural controls governing the use of the GxP
computerized system. These procedural controls should cover the topics as
described in Appendix A, as well as any other controlled processes which are
impacted by the GxP computerized system including the following.
2. Platform
3. Development Lifecycle on Windows Azure.
4. Windows Azure
5. Determine the GxP requirements that apply to the VM based on its
intended use.
6. Follow internal procedures governing Qualification and/or Validation
processes, expected deliverables.
7. Virtual Machine
15. Conclusion
• In summary, when considering the use of a public, off-premise, third party
managed cloud service to host GxP computerized systems it is important to assess
the adequacy of the cloud service provider’s controls which ensure confidentiality,
integrity and availability of data stored on the hosted platform. Defining roles and
responsibilities shared between the regulated user and the cloud service provider
is essential.
• As outlined within this guidance document, Microsoft has implemented
procedural and technical controls which are relevant to regulatory requirements
stipulated within US FDA 21 CFR Part 11 and EudraLex Volume 4 Annex 11. These
controls have been independently audited and could serve to demonstrate that
the Azure platform is maintained in a state of control that is in accordance with the
applicable regulatory requirements.
• Of equal importance are the activities and controls which must be implemented by
the customer to ensure that GxP computerized systems are maintained in a
secured and qualified state.
17. Introduction
The combination of this Cloud Services with the possibility of qualify them give the
industry the possibility to have for the first time cost/effective systems and
infrastructure. As we all know Biotech and Pharmaceutical systems have always
been highly regulated, complex and expensive.
Using this services we created three industry first web based products that allow
the deploying of new GMP and FDA compliance systems you can avoid the time,
costs of building a fully Qualified platform by leveraging our integrated packages
and existing IQ/OQ/PQ and SOP templates.
18. PSI New Products/Services
PSI-Pharmaway 1.0 new Cloud services/products:
1. A pre-qualified infrastructure in the MS Azure cloud
and regular webhost that companies can use to install
/handle/backup/etc. our package or their own systems.
2. An XML integration service that well follow ISO/FDA
rules and integrate ISO95 systems in level 4 and 3 into
end to end coherent processes (i.e. ERP>MES>LMS>
QMS>OEE>Equipment>BI, etc.)
3. A pre-validated web/cloud based package that include
all the software that a manufacturing plant need to comply
with the ISO95 already prequalified/reintegrated and ready
to be deploy from the public cloud or on the plant premise
servers.
***These three new products are all under one simple consolidated service we call Pharmaway 1.0.
21. SAP ”ERP”> Pharmaway “MES”
Integration Points
Create Material Master
Inventory
Create Batch Master
Create Production Orders
SAP “ERP” Pharmaway 1.0 “MES”
Update Material Master
Update Batch Master
Update Production Orders
Inventory
22. ISA95 Using the Microsoft Azure
Hybrid Cloud
Level 4
ERP/QMS/CMMS
Level 3
MES/LIMS/OEE
Level2
Controls/Automation
Level 1
Equipment & Machinery
Public Cloud
On Premise
Server
23. Use Case Approach
› Allow PSI team access to clients data and process flows
› Allocate hours required to develop for Master Data and MBR
templating for MBR development, testing and validation
› Partner with PSI to show case marketing and sales efforts for
a two-year period
› Implement solutions on Microsoft cloud
› Test of full suite of applications
› Deliver a validated core of applications
› Deploy solution in Microsoft -hosted private cloud
› Savings through startup due to Pharmaway sponsored FDA
validation and foregone CapEx from hosted infrastructure
› Reduced recurring OpEx due to lower long-term cost of
ownership
› Built operational excellence in manufacturing execution
› Delivery model for operations
› First –hand feedback from manufacturing and quality
will improve our design of core applications
improvement
› Use of client name and ‘use case’ for commercial
purposes
CommitmentsBenefits
24. Tres Monjitas Operation
Presently producing 12 dairy products under their brand, their primary product is milk
packed aseptically to preserve its nutritional value. Offering four types of milk (from whole
milk, chocolate milk, and fat free milk), 3 different flavored milks and lactose free milk
introduced in 2014. Also offering white cheese since 2014 and butter Tres Monjitas exports
milk to the Caribbean reaching Dominican Republic, Cuba and the neighboring islands and
expands to the United States (Texas, New Jersey and Florida)