May 23, 2013

Part 2: Cloud Vendor Selection for Your Life Science Company – Strategies to Ensure Benefits and Mitigate Risk

Russ King, Managing Partner, Methodsense

Know your Cloud options

Cloud computing is defined to have several deployment models, each of which presents distinct trade-offs when migrating applications to a cloud environment. NIST defines the cloud deployment models as follows:

  • Private cloud: The cloud infrastructure is operated solely for an organization.  It may be managed by the organization or a third party and may exist on premise or off premise.
  • Community cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g.  mission, security requirements, policy, and compliance considerations).  It may be managed by the organizations or a third party and may exist on premise or off premise.
  • Public cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
  • Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Choosing the correct deployment model depends on who needs to access the service, your budget, and your security concerns.

Private clouds are the most secure and most expensive. A private cloud gives a company an isolated section of a cloud in which it can launch resources in a virtual network. You have complete control over your virtual networking environment and can place your backend systems, such as databases or application servers, in segments with no Internet access. You can limit access to these servers based on access control, physical hardware, and IP address. A Private Cloud is therefore best suited for sensitive data, where the customer requires a certain degree of security. Private Clouds, to an extent, lose the economy of scale of a Public Cloud.

Community clouds spread costs over fewer users than a public cloud. This option is more expensive but may offer a higher level of privacy, security and/or policy compliance.

Public clouds are the least expensive deployment. When most people think about cloud computing, they think of a public cloud deployment. All resources are shared but can be secured. If you are comfortable with the level of security of your cloud provider or have budget constraints, public clouds are your best option.

Hybrid clouds are the typical deployment model for most enterprises. In this cloud deployment model, an organization provides and manages some resources in-house and has others provided externally. The main benefit of the hybrid cloud is that it provides the scalability and low costs of a public cloud without exposing mission-critical applications and data to third parties.

Know your privacy, security and disaster recovery needs

When it comes to privacy, security, and disaster recovery, you need to first determine your requirements and budget. The Cloud provider can give you tools to help protect your data, but you need to implement those tools. For example, Cloud providers can allow you to limit access to your data based on physical machine or location, but you need to remove those access rights when that machine or location no longer needs access.

Your Cloud provider needs policies, processes, and control activities for the delivery of each of their services. The collective control environment encompasses the people, processes, and technology. Your Cloud provider needs well-trained staff with limited physical access to your data, and processes that protect your data and technology by keeping prying eyes away from sensitive areas. Accordingly, you should choose a Cloud vendor that maintains proper certifications such as SAS 70 (the Statement on Auditing Standards No. 70), ISO/IEC 27001, and FISMA.

You also need to ensure the Cloud provider stores your data in the proper region. Selecting a region within a geographic jurisdiction acceptable to the customer provides a solid foundation for meeting location-dependent privacy and compliance requirements, such as the EU Data Privacy Directive.

You need to have proper disaster recovery controls in place. A traditional approach to disaster recovery involves different levels of off-site duplication of data and infrastructure. Critical business services are set up and maintained on this infrastructure and tested at regular intervals. The disaster recovery environment's location and the source infrastructure should be a significant physical distance apart to ensure that the disaster recovery environment is isolated from faults that could impact the source site. Accordingly, it is important that your Cloud provider has data centers in different physical locations that are isolated from faults at the other data centers. When dealing with a disaster, it is very likely that you will have to modify network settings as you fail over to another site. For the most critical systems, you want to choose a Cloud provider that will allow you to automate the changing of those network settings.

Although the Cloud provider is responsible for maintaining the infrastructure, it is still your responsibility to test your disaster recovery plan.

Choose a Cloud Vendor who can support your FDA Quality Management System needs

Cloud vendors commonly implement quality measures ranging from verbally shared processes and practices, to SOPs and trouble ticket software, to highly structured Quality Systems. However, advertising a level of quality management does not guarantee that the Cloud Vendor will meet your life science quality management expectations. To meet your compliance obligations, your cloud provider may need to make existing processes and procedures more robust, and more collaborative, than they originally intended. Be aware that many Cloud Vendors consider their services to be proprietary and comprised of trade secrets, which may make collaborating around quality more difficult.

Choose a Cloud Vendor who can support your FDA Vendor Management needs

When selecting your Cloud Vendor, be sure they support your vendor management obligations. Cloud vendors who rightly take pride in their SAS 70 Type II certification, for example, often mistakenly insist that the certification should satisfy all quality and auditing needs. These certifications frequently focus on security issues and may not sufficiently cover life science regulatory concerns. Life science companies face validation requirements and regulatory concerns that go above and beyond SAS 70 certification, such as installation qualifications, change control, audit trails, electronic signatures, and permissions configuration. These requirements should be defined for the cloud environment and services and then implemented in your Service Level Agreements.

Be prepared to coax the vendor toward understanding and cooperation before and during this process. By educating the Cloud Vendor about your requirements, you'll be much more likely to complete a successful migration to the cloud.

Conclusion: Your Cloud Vendor needs to be a partner who fits into your regulatory and quality framework.

Shifting your technology operation to the cloud can garner many significant benefits including:

  • Improved scalability and cost savings
  • Increased access to and utilization of key business assets
  • Improved controls on security and data access
  • Increased innovation due to collaboration and availability of resources

However, regulatory burdens are not abated by shifting to the cloud, and Cloud Vendors today are by and large unschooled on FDA regulations, which, if not addressed, can create risk. Life science companies should select a Cloud Vendor with the expectation that many vendors will depend on coaching and assistance in order to meet regulatory requirements. The Cloud Vendor's ability to accept, and then respond in a timely fashion to, your regulatory requirements should therefore become a highlighted characteristic in your vendor selection criteria.

Read Part I of this series here.

About the authors:

Russ King is President of Methodsense, a consulting firm that helps clients deliver medical and technological breakthroughs by effectively meeting the requirements needed to bring their products to market. He can be reached at (919) 313-3962 or rking@methodsense.com.

Jason Rock is Chief Technology Officer of GlobalSubmit, a products and services company that provides transparency in regulated healthcare products. He may be reached at 888-840-9580.

Protect Your Firm as FDA Inspections Spike for CROs, Sponsors

Patrick Stone, President, TradeStone QA

During the last two years of my time with FDA I noticed the amount of Sponsor and CRO inspections triple in number (for CDER, CDRH, & CBER). CROs with less than adequately trained clinic staff and facilities to conduct human clinical trials are receiving warning letters and other FDA regulatory penalties. The FDA has not conducted enhanced Sponsor or CRO Inspections in many years. I have observed study sites get warning letters because monitors did not catch informed consent violations early in the trial, or for other regulatory and subject record keeping violations. Catching serious problems early in the trial can prevent adverse events and save time and assets in the long run.

Clinical Investigators and Sponsors do not want to throw study data out due to preventable errors and inconsistent data. Monitors for CROs and Sponsors should be proficient at the Quality Assurance (QA) they provide and be given adequate time at the study site to ensure regulatory and protocol compliance.

In my time at the FDA, even up to the end of my tenure this past March, I have observed CROs collecting original source site documentation from the clinic site at study close-out. I wonder how CROs seem to keep missing the basic reason FDA investigators conduct data-validation audits. FDA wants to validate that source documentation matches the case report form (CRF) and the sponsor-provided data listing with efficacy end points & adverse event lists. CROs can easily scan the original documents into their system, but physically removing the source documents has conditions.

If a CRO truly wants the original documents for whatever reason, the CRO may certify each copy as a true duplicate of the original (21 CFR describes this process). In many cases the Clinical Investigator relocates or there is no available space and money to store the records, so the sponsor may step in to take over. There's not going to be any problem as long as the FDA can follow the paper trail and review original documents as needed. Copies may be, and have been, found to be falsified, so Investigators will not review paper copies of paper source records. Electronic printout (output) is a different way to operate now and is acceptable for review. Sponsors & CROs are using more electronic case report forms (CRFs) & electronic records in general. FDA is now requiring field Investigators to review computer systems for 21 CFR Part 11 compliance & legacy system maintenance.

Do a search for your competitors’ recent FDA inspections and you will see the trend I am describing.  Build quality into your system from the ground up and you will get quality product results.  Trying to retroactively validate electronic systems and equipment or implement late stage corrections will leave you vulnerable to 483 observations.

You can follow Patrick on Twitter.

Institutional Review Boards Contend with FDA, OHRP

Patrick Stone, President, TradeStone QA

I have noticed some concern from many IRBs about the GAO & OHRP difference of opinion regarding some aspects of human subject testing. If accreditation is ever fully pulled from an IRB, the reasons will be stated by FDA or OHRP. Through my review of many types of IRBs large and small (central & institutional) I have noted a few trends.

Central IRBs have two fundamental issues to deal with: quality assurance (QA) at the study site, and having a local representative of the community where studies are being conducted present at IRB meetings.

FDA & OHRP are now expecting IRBs to conduct QA audits as is done with most institutional IRBs. If the central IRBs can do a bit more with the funds they receive for service, they will survive this transition. The IRB's basic functions are to ensure patient safety & rights and assure clinical trials are following the CFR (all applicable sections).

In the end, the most basic function of an IRB is patient advocacy & record retention of patient safety discussions (for verification of review). Institutional IRBs in some cases do not scrutinize the in-house clinical trials adequately. In-house clinical trials do not get monitored as frequently due to lack of funds.

The institutional IRBs should ensure the name of the parent company/institution is tied to CFR-compliant clinical trials, or the brand may be affected.

But I have a question for IRBs using electronic records: are you ready for the FDA investigator to challenge your 21 CFR Part 11 electronic record compliance? I have observed many large IRBs staying in the paper records format. Due to cost & physical space issues, electronic is now the obvious way to go.

IRBs are getting more ICH audits and vendor qualifications, which help IRBs stay in compliance with ICH guidance and the FDA regulations. FDA needs IRBs in good standing to review the many studies FDA field Investigators will not be able to inspect. IRBs play a major part in regulating clinical trials.

When I was with the FDA I always tried to encourage the IRBs, after a 483 was issued, to do more for the patients and to effect real change in the amount of studies audited for QA. The FDA cannot get to every study or even thirty percent of the on-going clinical trials combined (biologics, drugs, & devices).

You, IRBs, do the heavy lifting for domestic clinical trial regulatory compliance. Thanks for the hard work.

You can follow Patrick on Twitter here.

Chicken Little Was Right: FDA Will Enforce Part 11 "Soon"

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

I’ve got to admit, despite months (or years?) of hearing from those inside and close to the FDA that the agency intended someday to begin actual enforcement of 21 CFR Part 11, I was beginning to have my doubts.

No one likes to be told he’s crying wolf or acting like Chicken Little squawking about the sky falling.

Finally, however, the FDA's CDER division issued a blandly worded release that may have some serious repercussions for regulated drug companies:

The FDA “will be conducting a series of inspections in an effort to evaluate industry’s compliance and understanding of Part 11 in light of the enforcement discretion described in the August 2003 ‘Part 11, Electronic Records; Electronic Signatures — Scope and Application’ guidance (Guidance). The Agency intends to take appropriate action to enforce Part 11 requirements for issues raised during the inspections that do not fall under the enforcement discretion discussed in the Guidance.”

That's about all they said publicly, but it's a mouthful after waiting a long, long time for any agency activity backing the Part 11 rule.

While this announcement focuses on drugs, don’t be surprised to find a similar action coming soon on the device side.

“I’d expect FDA inspectors to focus on Part 11, too, when they inspect device manufacturers,” agrees former FDA inspector Ken Miles.

When it comes to preparing for FDA inspections, Ken says he's a big fan of the Boy Scouts' motto: Be prepared.

We’ve heard in the past that many FDA inspectors weren’t comfortable yet inspecting or enforcing Part 11 provisions. The result: Very few inspections, and some inconsistent inspectors.

In the coming weeks, we’ll report back on what kind of inspections FDAers are conducting, and how you can best prepare for them.

21 CFR Part 11’s Long and Winding Road: The Trip Ain’t Over Yet

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

The FDA's approach to regulating electronic records has gone through more changes than the wardrobe of a temperamental starlet at the Academy Awards ceremony – and there are likely a few more changes to come in 2009.

We’re hearing that the rule may finally emerge in a “new, improved” way sometime this year. But a word of caution: If we had a dollar for every time the FDA missed an informal Part 11 deadline, we’d be able to buy a pretty nice lunch.

That said, a revitalized FDA does finally seem to be showing signs that its Part 11 revisions – and its related eMDR revisions – are indeed on track for unveiling sooner rather than later.

And while all indications are that the changes are likely to be relatively minor, they will probably be welcome ones.

For example, look for the FDA to drop most of its specific requirements for how companies should control or maintain electronic records. Also, while the FDA is not expected to spell this out, don’t expect them to change their current policy that they will not initiate an inspection based on Part 11. Instead, it is more like “seat belt” laws in most locations; you won’t be pulled over for not wearing one, but if you are pulled over for something else and aren’t wearing a seat belt, that will be added to the charges against you.

The FDA will also probably more clearly spell out that it does not expect validation of commercial software. I also wouldn’t be surprised if they back off some of their recommendations on changing passwords so often. Instead, they may call more for the creation of difficult-to-crack passwords (with numbers, capital letters, etc.), and less on the concept of changing an “easy” password every few weeks.

I do expect the FDA to get tougher vis-a-vis Part 11 when it comes to medical device and drug manufacturing done overseas for importation into this country. Bottom-line, watch for the FDA to clearly state that if there’s a problem anywhere along the line, the manufacturer will be blamed by the agency.

In March of 1997, FDA issued final Part 11 regulations that provide criteria for acceptance by FDA, under certain circumstances, of electronic records, electronic signatures, and handwritten signatures executed to electronic records as equivalent to paper records and handwritten signatures executed on paper. That sounds pretty simple, right?

Unfortunately, the FDA’s then-approach was less of a helping hand and more of a chokehold on the medical device and drug industries.

We're hearing that the agency knows it way overstepped itself then, and didn't help much when it first unveiled the rule via guidance in February 2002. The agency was accused, with some grounds, of micromanaging and stifling the very adoption of technology it wanted to advance.

The agency recovered somewhat in August 2003 when it relaxed its interpretations in what some then dubbed a “kinder, gentler” version of Part 11. In essence, the agency tried to shift away from telling drug and device companies how to achieve electronic record compliance and instead focus on what kind of results it was looking for in a good electronic record program.

Even that relaxation didn’t answer all the questions, but it was a good start.

Now we are waiting and hoping that the agency will address some of those in its next iteration of Part 11. At agency meetings, industry conferences, and in informal discussions with folks like me, agency officials seem to “get it” now and say they’re working to unveil a revised Part 11 that will make it easier for drug and device companies to harness the advantages of electronic records.

It’s been a long and winding road, but I’m still willing to believe if you are.

The best one stop shop for FDA Part 11 info can be found here: http://www.fda.gov/RegulatoryInformation/Guidances/ucm125067.htm