GAMP®5, 2nd Edition and Alignment with FDAs Draft Guidance for Computer Software Assurance (CSA)

As technology moves forward, industry must take advantage of more efficient and cost-effective ways of doing business. Many companies in the life science industry still rely on using on-premise servers and applications. They continue to have a large base of IT staff who must handle all the system administration and overhead associated with these behemoth systems, often at the expense of delivering real functionality and capability to their business clients. The cost of ownership of t hese systems is high, and companies find themselves much like large ships that cannot pivot too readily or easily.
In the past decade, many FDA-regulated companies have considered moving to cloud solutions and Software-as-a-Service (SaaS). Other models, like Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) are also options. They tend to be reluctant, however, as they recognize the need to validate these systems and maintain them in a validated state throughout their entire life cycle.
Questions arise, such as:
“How can we perform an Installation Qualification (IQ) when the server is completely under the control of a vendor?”
“How do we know the vendor will be able to manage security, backups, disaster recovery, and other aspects required to ensure data is collected and maintained with integrity?”
“What about change control?”
“How will we handle compliance with 21 CFR Part 11, FDA’s guidance for electronic records and electronic signatures?”
“Won’t our validation documentation be lacking?”
Fortunately for these companies, there are good answers to all of these questions. First of all, a cloud service provider can generally deliver and manage cloud servers and software in a more cost-effective way. With multi-tenant cloud services, multiple clients can share the infrastructure and administrative services, while the vendor maintains segregation of data and access. With a single-tenant solution, there is even greater security and services can be more customized, but at a higher cost to the cloud service provider and the client company.
Most of the concerns of industry can be managed through contracts and Service Level Agreements (SLAs) that benefit both provider and client. It all depends on how much a company is willing to trust a vendor and how much money they’re willing and able to pay for the service. A key to success is having a tight contract where the client can include the leverage they want to hold the cloud service provider accountable. It’s all a matter of figuring out a company’s tolerance for risk, their desire to provide state-of-the-art technology to internal clients, and their budget.
The FDA has been moving in the direction of newer technology in an effort to no longer be a bottleneck to industry innovation. As part of the Case for Quality program US FDA Center for Devices and Radiological Health noted how an excessive focus by industry on compliance rather than quality may be diverting resources and management attention toward meeting regulatory compliance requirements vs. investing in automation and digital technologies, which could greatly improve quality and process control. A key element is a risk-based, product quality and patient-centric approach to Computer System Assurance (CSA) vs. the traditional Computer System Validation (CSV) waterfall approach. This encourages critical thinking based on product and process knowledge and quality risk management over prescriptive documentation driven approaches.
This is where FDA determined that “WHAT” is required can be done in different ways (the “HOW”) and does not have to be according to the “checklist” mindset of most CSV work, where you crank out documents without specifically addressing the risk of potential failure of each requirement.
GAMP®5 2nd Edition issued in July 2022 supports the use of incremental, iterative, and evolutionary approaches including agile and automated testing for development of custom applications, and aligns with CSA. Keys to success include a robust Quality Management System (QMS) and well trained and highly disciplined teams following well-defined processes supported by tools and automation.
Advancements in technology have forced organizations to rethink business models. Once controlled and orderly, these organizations are now more chaotic and complex, serving patients and customers that are better informed and with higher expectations than ever before. Work practices and tools must change to meet these challenges.
The approach to developing software, performing validation and maintaining a system in a validated state through its entire life cycle should be carefully considered in order to meet changing needs. This webinar will include a comparison of the agile and waterfall methodologies for software development, testing, and release, along with the pros and cons of each. There may not be one size that fits all, and so it is important to understand what needs to be considered when making such a determination.
We’ll also cover COTS, SaaS, IaaS, PaaS, and cloud services, indicating the benefits and risks of each model. In discussing these hardware and software options, we’ll include the best practices for meeting FDA’s requirements for validation, 21 CFR Part 11, as applicable, and data integrity. Part of the session will identify the FDA’s current concerns and how to ensure your systems will meet their expectations.

This webinar will cover the following key areas:

• Learn how to identify “GxP” Systems
• Learn about FDA’s current thinking about technology and software development, and how this will impact industry
• Discuss the current state of Computer System Validation (CSV) approach based on FDA requirements
• Learn about Computer Software Assurance (CSA), the draft guidance from FDA in September 2022
• Learn about the System Development Life Cycle (SDLC) approach to validation and how this can be modernized through a more agile approach, including automated testing for continuous validation
• Learn about cloud services and cloud service providers to optimize your experience
• Learn ways to validate in the cloud without compromising quality or compliance
• Learn the pros and cons of an agile vs. waterfall approach
• We will discuss cloud computing and Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and Platform-as-a-Service (PaaS) systems that can be embraced and validated effectively
• Discuss the best practices for documenting computer system validation efforts, whether using a waterfall or agile approach, including requirements, design, development, testing and operational maintenance procedures, including ways to improve efficiency and effectiveness of managing related documentation
• Understand the best approach to Installation Qualification (IQ) testing when the system components are not on premise, but in the cloud
• Understand how to maintain a system in a validated state through the system’s entire life cycle in a more cost-effective manner, applying an Agile continuous validation approach
• Learn how to comply with FDA’s 21 CFR Part 11 guidance for electronic records/signatures
• Learn how to assure the integrity of data that supports GxP work, despite changes and advances in new technology
• Discuss the importance of “GxP” documentation that complies with FDA requirements
• Learn about the policies and procedures needed to support your validation process and ongoing maintenance of your systems in a validated state
• Know the regulatory influences that lead to FDA’s current thinking at any given time
• Finally, understand the industry best practices that will enable you to optimize your approach to validation and compliance, based on risk assessment, to ensure data integrity is maintained throughout the entire data life cycle
• Q&A

• FDA GxPs
• Computer System Validation (CSV)
• System Development Life Cycle Methodology (SDLC)
• Agile SDLC
• Waterfall SDLC
• Automated Testing
• Critical Thinking
• Computer Software Assurance (CSA); draft guidance from FDA
• GAMP®5, 2nd Edition
• GAMP®5 Software Categories
• Risk Management
• Validation Planning
• Validation Execution and Testing
• Validation Reporting
• Maintaining a System in a Validated State
• Policies and Procedures Supporting Validation
• Training
• Leveraging a Vendor’s Work Products
• Cost vs. Compliance
• 21 CFR Part 11; FDA Guidance for Use of Electronic Records and Electronic Signatures (ER/ES) in FDA-Regulated Systems
• Data Integrity Compliance
• Cloud Services
• Software-as-a-Service (SaaS)
• Platform-as-a-Service (PaaS)
• Infrastructure-as-a-Service (IaaS)
• Vendor Audit and Management
• Industry Best Practices
• Common Pitfalls
• FDA Trends in Compliance and Enforcement

The attendee will learn about FDA’s approach to modernizing technology, and how that will benefit both the Agency and industry.  We will discuss ways to modernize the System Development Life Cycle (SDLC) approach to software development, testing, and release, Computer System Validation (CSV), and Computer Software Assurance (CSA) by using automated testing tools that will result in a continuous validation of software products. This approach is amenable to the agile software development methodology, which can be adapted for use in validation. We’ll discuss the pros and cons of each approach, and industry best practices for success.
You’ll learn how the newest version of GAMP®5 2nd Edition issued in July 2022 aligns with the CSA approach, addressing non-linear forms of software development, testing, and release, such as agile. This provides a more efficient and effective way to ensure software changes can be done much more quickly using automated testing.
We’ll cover Computer-Off-the-Shelf (COTS) software, Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and cloud services. You’ll learn how to select an optimal solution and ensure that whatever that might be, you can build a contract and Service Level Agreement (SLA) that best suits your environment and needs.
 

This webinar is intended for those working in the FDA-regulated industries, including pharmaceutical, medical device, biological, animal health and tobacco.  Functions that are applicable include research and development, manufacturing, Quality Control, distribution, clinical testing and management, adverse events management and post-marketing surveillance.
You should attend this webinar if you are responsible for planning, executing or managing the implementation of any system governed by FDA regulations, or if you are maintaining or supporting such a system.  Examples of who will benefit from this webinar include:

• Information Technology Analysts
• Information Technology Developers and Testers
• QC/QA Managers and Analysts
• Analytical Chemists
• Compliance and Audit Managers
• Laboratory Managers
• Automation Analysts
• Computer System Validation Specialists
• GMP Training Specialists
• Business Stakeholders/Subject Matter Experts
• Business System/Application Testers

This webinar will also benefit any consultants working in the life sciences industry who are involved in computer system implementation, validation and compliance.

Carolyn Troiano has more than 35 years of experience in computer system validation in the tobacco, pharmaceutical, medical device and other FDA-regulated industries. She has worked directly, or on a consulting basis, for many of the larger pharmaceutical and tobacco companies in the US and Europe. She is currently building an FDA computer system validation compliance strategy at a vapor company. Carolyn has participated in industry conferences, and is currently active in the Association of Information Technology Professionals (AITP), and Project Management Institute (PMI) chapters in the Richmond, VA area. Carolyn also volunteers for the PMI’s Educational Fund as a project management instructor for non-profit organizations.