Data Integrity in the Cloud –so what’s new?gxpi.com/.../02/JPAG-Data-Integrity-in-the-Cloud-16...• Data corruption can occur either accidentally or deliberately • There are

•Data Integrity in the Cloud

– so what’s new?

•

Mark Stevens, Managing Director,

Formpipe Life Science

JPAG Conference: Assuring data

integrity best practice

Thursday 16th March 2017, Royal

Society of Chemistry, London

Proprietary and Confidential

Not for Disclosure Without Written Permission from Formpipe

www.formpipe.com/lifescience

Agenda

• Introduction

• Cloud computing and GxP compliance

• Data Integrity

• The Bus

• Case Study

• Managing Risk and Compliance in the Cloud

• Close


• Managing Director, Formpipe Life

Science

• Chemical Engineer

• 20+ years Pharma industry

• Design engineering, commissioning,

validation, project management and

range of GxP Compliance consulting

projects around the world

• 2005 – 2017 GxP compliance

remediation and data integrity

improvement projects

• Likes cycling up and down hills

The presenter – Mark Stevens


Cloud computing from a

GxP perspective


What Is the ‘Cloud’?

■ Distributed and flexible computing over a network

■ Provides the ability to run an application on many connected

computers simultaneously

■ Allows Software, Platforms and Infrastructure to be sold as a service

and separately dependent on need

■ Offers cost savings in hardware and infrastructure components

because of scale


Where did the name ‘cloud computing’ come from?

The concept of cloud computing dates to the 1960s.

The phrase originates from the cloud symbol used

by flow charts and diagrams to symbolize the

Internet. The diagram underscores the idea that any

Web-connected computer has access to a pool of

computing power, applications and files.Ref: Mark Koba, CNBC, 2013


Scalable, flexible and distributed

e.g. Microsoft’s Chicago DataCenter

The reality for most GxP

applications so far :

1. Co-Location of separate

physical racks

2. Managed Hosting

3. Enterprise Private

Cloud

Future direction??- Azure

and hosted Multi-tenant

model (Risk vs. Cost)

Definition

The cloud is any computer system

hosted off-site and administered by a contracted party.


• Cloud computing offers the following characteristics

• On demand usually ‘Self Service’

• Broad Network Access

• Resource Pooling

• Rapid elasticity

• A measured service

Characteristics


• Cloud Computing is offered in three basic service

models:

• IaaS: Infrastructure as a Service

• PaaS: Platform as a service

• SaaS: Software as a Service

Service Models


Service and Deployment models for ‘On Premise’ vs

‘Cloud’ and who manages them


The increased adoption of Cloud in Life science

Copyright © 2016 Deloitte Development LLC. All rights reserved


• Data• Data Location

• Co-mingled Data

• Cloud Data Ownership

• Audit Record Protection

• Data Erasure

• CSP Processes

• Security Policy/Procedural Transparency

• CSP Business Viability

• Identity and Access Management

• Due Diligence

• Disaster Recovery

Risk Types - overview


Data Integrity


Data Integrity


• Data corruption is the opposite of data integrity

• Data corruption can occur either accidentally or deliberately

• There are 2 main reasons in computerised systems for ‘failure to maintain

the data integrity’

1. Poor operation of the system

2. Poor design, build and testing of the system

• Data integrity is not new, BUT the level of focus and inspection is high now

• Quality groups are used to reacting to identified, actual problems and putting

preventative measure in place

• Data integrity testing uses threats and vulnerabilities as measures before

anything has happened, so findings are occurring before anything bad has

actually happened

Data integrity- some thoughts…


The Bus


• Before the invention of

Google and the creation

of the Simpsons

• Back when we used to

worry about whether

anyone had brought

correction fluid into the

QA office…

The Risk of being knocked down by a bus - before


• Bigger

• Faster

• Higher volumes / capacity

• Cameras

• Satellite Navigation

• Computerised controls

• Internet of Things

• Driverless in future???

• Does technology increase

or decrease the risk?

The risk of being knocked down by a bus

– present day, and future


• The fundamental risk has not changed (i.e. bus vs. pedestrian)

• Although things become bigger, faster, better, with more technology,

third-parties and specialists involved these do not fundamentally

change the risks we are assessing, only how we approach this

• As our knowledge, understanding, availability of information and

consistency of approach improve we are evolving from investigation

of what went wrong to what could go wrong, adopting

methodologies used extensively in Information Security etc.

• All elements of the situation are evolving, so absolute, direct

comparison is often very difficult

• Don’t lose sight of what the real risks are…

What can we learn from the Bus?


Data Integrity - Risks


What are the outcomes of Data Integrity (Data

corruption) problems?

• May compromise the safety / efficacy / quality of

products

• Increase risk of non-compliance with GxP’s

• Regulatory Authorities to initiate product recalls

or impose import bans


What are we actually talking about?

• Protect original data from

– Accidental / malicious modification

– Falsification

– Deletion

• Data needs to be Attributable, Legible,

Contemporaneous, Original, and Accurate

(ALCOA)

– Following Good Documentation Practices


Common Data Integrity Issues - 1

Common

passwords

Analysts share passwords, unable to identify

who created or changed a record

User privileges System configuration does not adequately define

or segregate user levels

Users have access to unauthorised functions

Computer System

Operational

Controls

Inadequate controls over data

Unauthorised access to modify or delete files

No automatic saving of files, records not

accurate or complete

Processing

methods

Integration parameters not controlled,

chromatograms may be re-integrated without

correct change process

Audit trails Functionality turned off, no complete record of

the data life cycle – who modified a file and why


Common Data Integrity Issues - 2

Conflict of interest Business process owners granted enhanced

security access e.g. system administrator

“Unofficial”

documentation

Recording data first on a scrap of paper then

transferring to the official document (e.g. the

laboratory notebook)

Failure to review

“original data”

Data and metadata not reviewed together to

ensure context is maintained

Errors or omissions may be undetected

Inadequate data

retention

arrangements

Failure to avoid inadvertent or deliberate

alteration or loss throughout the retention period


Data Integrity in the Cloud -

example


• Chromatographic data from QC analytical laboratory for GMP product release (multi-region)

• Major issues raised in respect to data integrity by multiple Regulatory Authorities (2013-2015)

• Manual alteration of chromatographic data performed during and after the runs without adequate explanation and investigation

• Instances where ‘invalidated’ results were not adequately investigated

• Potential re-naming of datasets after completion of the runs

• Would the use of cloud computing services have improved compliance risks to data integrity?...

Example 1 – QC Analytical Lab


• Let’s take a look at the root causes of the data integrity issues…

• Ability for QC analysts to make adjustments to settings, and to “raw

data”, that they should not have had access to

• Poor processes for investigation and Quality oversight of these

changes

• Poor processes for investigation of ‘invalidation’ events, combined

with difficulties in performing consistent and meaningful assessment

of data audits

• Access controls

• Audit trails

Example 1 - background


Worse Better

Poorly defined and managed procedures Improved processes and demonstrate

effectiveness of change

Poor system administration with large number of

users assigned inappropriate level of admin rights

Re-establish correct admin rights for each type

of system user. Review existing user base. Apply

changes. Demonstrate effectiveness of ongoing

controls of system administration

Unclear roles and responsibilities for how and

when alterations to data were to be reviewed and

approved by a supervisor

Improved processes and demonstrate

effectiveness of review and approval

Lack of consistency in audit trail details (reason

for change)



Example 1 – System administration


Worse Cloud? Better

Poorly defined and managed

procedures

Service Provider may define

and manage some parts of

procedures or processes



Poor system administration

with large number of users

assigned inappropriate level

of admin rights

System Administration may

be managed remotely and

independently from users

Re-establish correct admin rights for

each type of system user. Review

existing user base. Apply changes.

Demonstrate effectiveness of ongoing

controls of system administration

Unclear roles and

responsibilities for how and

when alterations to data were

to be reviewed and approved

by a supervisor

Mostly a user activity.

Responsibilities for data

storage and backup

covered by service

provider(s) and defined in

SLA(s)


effectiveness of review and approval

Lack of consistency in audit

trail details (reason for

change)

No change – user

responsibility



Example 1 – System administration


Worse Better

Poor clarity on the data being collected within

each audit trail

Clearly established and controlled audit reports

with confidence of relationship to source data

Poor controls or understanding of what

information is being shown in the audit history

Clarity on the process by which the defined view

has been created and how this provides a full,

true and consistent representation of the event

history file

Poor controls or understanding of what

information is NOT being shown in the audit

history

As above…

Poor naming conventions or classification of

events leading to delays or confusion in

understanding the significance of a non-standard

event

Clearly established and controlled audit reports

with confidence of relationship to source data

Lack of immediate clarity on what constitutes an

acceptable change and a deviation that requires

review and approval

Established quality processes by which all change

events can be identified and appropriate linkage

to deviation management controls. Demonstrable

evidence that there has been a thorough Quality

check of the full audit history as part of the routine

review process

Example 1 – Effectiveness of audit trail


Worse Cloud? Better

Poor clarity on the data being

collected within each audit trail

No change – user

responsibility

Clearly established and controlled audit

reports with confidence of relationship to

source data

Poor controls or understanding

of what information is being

shown in the audit history

Partly user

responsibility?

Partly configuration by

SaaS provider?

Clarity on the process by which the defined

view has been created and how this

provides a full, true and consistent

representation of the event history file

Poor controls or understanding

of what information is NOT

being shown in the audit

history

Partly user

responsibility?

Partly configuration by

SaaS provider?

As above…

Poor naming conventions or

classification of events leading

to delays or confusion in

understanding the significance

of a non-standard event

No change – user

responsibility to carry

out audit trail reviews

Clearly established and controlled audit

reports with confidence of relationship to

source data

Lack of immediate clarity on

what constitutes an acceptable

change and a deviation that

requires review and approval

No change – user

responsibility

Established quality processes by which all

change events can be identified and

appropriate linkage to deviation

management controls. Demonstrable

evidence that there has been a thorough

Quality check of the full audit history as part

of the routine review process

Example 1 – Effectiveness of audit trail


• System Administration by a third party service provider (could be internal or

external)

• Electronic records held on a centralised database, hosted by a third party

service provider

• SLAs defining responsibilities

• Security risks

• Better or worse?...

• Probability?

• Impact?

• Detectability?

So what changes if we switched to a cloud service?...

The most significant impact to data integrity remains with

the quality and accuracy of processes and the controls

associated with manual input interfaces


Data Integrity in the Cloud –

Managing risks and

compliance requirements


Regulatory Viewpoint

• As with all “Outsourced IT Services”, the regulators

will want to ensure:• Risks are clearly identified and mitigated

• Data integrity is assured

• Data Backup/Recovery is in place and tested

• Cyber security exists for Networked Systems

• Contracts exist between Sponsor and Providers

• The Provider/s has a Quality System

• The Provider/s and Sponsor have SOP’s Validation, Change

Control, Training etc

• Suitable Audit/s of the provider/s has/have been carried out


Risks- overview

As the cloud service and deployment models become more complex, so

the risks increase

Infrastructure-as-a-Service

(Iaas)

Platform-as-a-Service (PaaS)

Software –as-a-Service

(SaaS)

Com

plia

nce R

isk

Private

Clo

ud

Hybrid C

loud

Public

Clo

ud

Business Requirements


• Selection, control and management of GxP cloud provider, can be brought into a compliant state if:

• You follow a pre-defined framework that suits your regulated business

• Step 1 - Perform Due Diligence and Audit

• Step 2 - Perform a Risk Assessment of the potential impact of using the service (in terms of Regulatory, Security and Business Risk),

• Step 3 - Set up a mutually managed agreement and metrics with the supplier, that can be used to ensure Service Performance and Compliance with your pre-defined regulatory requirements.

Managing Risk and GxP Compliance requirements


• How long has the provider been supplying IT outsourcing?

• Has the provider worked in the Life Sciences industry previously?

• Is the provider aware of the Cloud Security Alliance?

• Has the provider taken the time to ensure that their security

initiatives and processes are of a recognised standard?

• Has the provider taken the time to ensure that their processes follow

a tried and tested methodology- evidence of defined KPI’s and

performance achieved?

• Audit the provider but with realistic expectations and treat them as an

outsourced resource

Step 1 Due Diligence and Audit


• Using a method compliant with GAMP 5

Step 2- Risk Assessment

Stage 1

• Perform an Initial Risk Assessment and determine the system impact

Stage 2

• Identify the functions which may impact on Patient Safety, Product Quality and Data Integrity

Stage 3

• Perform a functional risk assessment and identify controls

Stage 4• Implement and verify appropriate controls

Stage 5• Review risks and monitor controls


• Imperative to have a coherent and robust framework in place that provides processes within the regulated business aligned to that of the service provider’s

• Business As Usual processes are robust and reporting is adequate

• Regular monitoring of the service should be set up

• This should be backed up by a set of robust Operational and/or Service Level Agreements

• Must also be prepared to rescind our agreement, if the cloud service does not meet Levels, or it proves to be too costly

• Contractual penalties

• Management of the Cloud provider during the withdrawal period

• Return of data to regulated business and deletion removal of all trace from the cloud

• How the service required will be managed in house, or once again outsourced to another provider.

Step 3 Ongoing Cloud Compliance Framework


• Selection, control and management of GxP cloud provider, can be brought into a compliant state if you follow a pre-defined framework that suits your regulated business

• Using real examples and applying a risk-based approach (probability, impact, detectability), the biggest impact still remains driven by the quality of work processes, definition of roles & responsibilities and the actions of people

• The way in which we assess risk and audit systems and their associated data is evolving, with more emphasis now on identification and action upon risks of what could happen, as well as issues of what has happened

• Cloud computing does introduce compliance and data integrity risks that maybe did not exist before, however, we are also evolving the way in which we assess data integrity risks to a more preventative approach

• Whichever way we choose to manage our computing requirements and data storage the fact remains they are significantly increasing year on year

Conclusions


Thank you for listening

Contact details:

Web: www.formpipe.com/lifescience

Tel: +44(0)115 924 8475

LinkedIn: linkedin.com/in/mrmarkstevens

http://www.formpipe.com/lifescience


Supporting information

• References to current regulatory guidance

• Data Integrity overview and example cases

• Cloud vendor Risk Assessment process

• Formpipe – overview


Current Regulatory Position and guidance

MHRA GxP Data Integrity Definitions and

Guidance for Industry Draft version for consultation July 2016

FDA Data Integrity and Compliance with GMP –Guidance for Industry, April 2016

WHO Guidance on Good Data and Record Management Practices, Sept 2015

PIC/S Guidance Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments, Draft Aug 2016


Data Integrity


What is data Integrity?

• The assurance that data records are accurate, complete,

intact and maintained within their original context,

including their relationship to other records

• This applies to data recorded in electronic and paper

formats or a hybrid of both

• “The extent to which all data are complete, consistent

and accurate throughout the data life cycle” MHRA Data

Integrity Definitions and Guidance, Revision 1.1 March 2015


Why is Data Integrity Important?

• Regulatory agencies, as well as industry, rely on

accurate information to ensure drug quality

• Data integrity problems break trust between

industry and regulatory agencies

• Regulatory agencies rely largely on trusting the

firm to do the right thing when they are not there

Reference: Karen Takahashi,

ISPE/ FDA/ PQRI Quality Manufacturing Conference,

1-3 June 2015, Washington, D.C.


Data Integrity – Example

regulatory audit findings


• Recent Data Integrity Findings - 1

Recent Data Integrity Findings - 1

Wockhardt

Limited

July 2013 MHRA 2003/94/EC (EU

GMPs)

Issues were identified which compromised the integrity of

analytical data produced by the QC department. Evidence

was seen of data falsification. A significant number of

product stability data results reported in the Product Quality

Reviews had been fabricated. Neither hard copy nor

electronic records were available. In addition issues were

seen with HPLC electronic data indicating unauthorized

manipulation of data and incidents of unreported trial

runs prior to reported analytical runs.



Seikagaku

Corporation

December 2013 Competent

Authority of

Sweden

2003/94/EC (EU

GMPs)

The critical deficiency concerns systematic

rewriting/manipulation of documents, including QC raw

data. The company has not been able to provide acceptable

investigations and explanations to the differences seen in

official and non-official versions of the same documents.



Sun

Pharmaceutical

Industries

Limited

May 2014 FDA Warning

Letter

211.68(b)

Delete raw data files on computers used for your GC

instruments in your quality control laboratory.

Computer systems without security controls. As an example

there are equipment with PLC controls and/or MMI. Each of

the equipment access is via use of a password for each of

the three levels of access i.e. operator, supervisor and

administrator. There is a common password used by

several individuals.



Micro Labs Ltd May 2014 WHO Notice of

Concern

WHO ref. 15.9,

17.3d, 15.1

HPLCs did not have audit trails enabled, some audit trails

missing when peaks were manually integrated, no SOP

to describe when manual integration is acceptable. Some

instruments had date and time functions unlocked and

were not linked to a server, so timestamps could be

manipulated. One HPLC had a shared password so

actions were not attributable to an individual. In some cases,

trial injections were made but were not part of the test

record.



Cadila

Healthcare Ltd

December 2015 FDA Warning

Letter

211.68(b)

Your firm failed to exercise sufficient controls over computerized

systems to prevent unauthorized access or changes to data.

....laboratory manager had the ability to delete data from the

Karl Fischer Tiamo software….found that one file had been

deleted. However, because the audit trail function was not

activated, and because eight different analysts share a single

username and password, you were unable to demonstrate

who performed each operation on this instrument system.


GxP Cloud vendor Risk

Assessment


• Using a method compliant with GAMP 5

GxP Cloud Vendor Risk Assessment

Stage 1

• Perform an Initial Risk Assessment and determine the system impact

Stage 2

• Identify the functions which may impact on Patient Safety, Product Quality and Data Integrity

Stage 3

• Perform a functional risk assessment and identify controls

Stage 4• Implement and verify appropriate controls

Stage 5• Review risks and monitor controls


Note- How Risk Management ICH maps to GAMP® 5


• Stage 1 Initial Risk Assessment and System Impact

• What are the regulatory/business/security risks if data security or

data retrieval is compromised?

• Stage 2 Identification Of The Functions Which May

Impact On Patient Safety, Product Quality And Data

Integrity

• What could go wrong (Who controls what, is our data safe)?

• Where is our data?

• Who controls the data?

• Who can access our data?

• Can we retrieve our data?

Risk Assessment Stages


• Stage 3 Perform A Functional Risk Assessment And

Identify Controls

• What controls does the provider have in place?

• Are they adequate?

• Will they put extra in place?

• What controls do we put in place?

• Stage 4 Implement And Verify Appropriate Controls

• Implement the control measures from the previous step

• Are they adequate?

• Are they acceptable to the business?

Risk Assessment Stages (2)


• Stage 5 Review Risks And Monitor Controls

• Carry out a periodic assessment to ensure controls are still valid

and appropriate

Risk Assessment Stages (3)


Who we are

• Formpipe founded in Sweden, 2004 now with 250+ employees globally

• Global organization; offices in UK, USA, Netherlands, Sweden, Denmark and Ukraine

• Listed on Nasdaq Stockholm with $40m dollar in revenue in 2014


Formpipe Offerings

Formpipe Life Science

ProductsX-Products

(X-Docs, X-Forms, X-Train, X-Reports?)

Platina LS

Long Term Archive

Lasernet

Consultancy

(formerly GXPI)

Quality & Compliance Consultancy

Computer Systems Validation

Compliance Remediation


Introduction to Formpipe Life Science

The Formpipe Life Science

simplifies complex quality

process and technology

environments to deliver its

customers’ quality and

compliance goals within their

regulatory framework.

This is achieved through a

combination of Consultancy to

‘Get Compliant’ and Products

and Consultancy to ‘Stay

Compliant’, both delivered by

experts from the sector.

The Life Science division of

Formpipe offers a suite of

different products to address the

compliance and quality needs of

the life science sector, all

designed to be easy to use,

increase efficiency and reduce

costs across organisations from

50-25,000 users. All of the Life

Science products are developed

and managed using an internal

Quality Management System

(managed on Formpipe’s own

Products) and are supported

and maintained by a dedicated

global team.

Documents

Data Integrity in the Cloud –so what’s new?gxpi.com/.../02/JPAG-Data-Integrity-in-the-Cloud-16...• Data corruption can occur either accidentally or deliberately • There are