DIA 2015 – Day Three Recap

Despite being a bit worn out from two solid days of presentations and networking, day three was another good one at DIA 2015. Unlike days one and two, today was all about IT for me, from how to select and implement document management systems to how to validate SaaS/cloud GXP systems, eliminate unintentional bias in your risk management program, and how to determine whether a system needs to be validated.

The Critical Role of Document Management Supporting Submissions brought together folks from Covance and J&J who have recently selected and implemented doc management systems as well as someone from Veeva Systems who’s been involved in a wide range of implementations across many organizations. The session provided a wealth of real world advice and guidance on how to select and implement a document management system and, although it was a turbo session, the presenters clearly planned together to make sure their sections were complementary. By the end, I think folks walked away with a good general idea of what they’ll face when trying to implement a doc management system as well as a good idea of what two real world companies are doing.

The other session, Frontier Issues in Electronic Data Integrity Today, as the title suggests, handled some “edge case” topics: cloud/SaaS validation, bias in risk based analysis, and validating gray area systems (like medical information). And while all the presentations had valuable information, the cloud/SaaS validation really hit home for me, for a few reasons.

First, every life sciences person I speak with who is even remotely involved with IT has more questions than answers about this topic. Second, if you ask five cloud/SaaS vendors How can a cloud/SaaS solution be validated?, you’ll get six answers. And third, if you ask a regulator the same question, they’ll tell you that their regs are system independent so cloud/SaaS simply need to validate the same way as on prem, paper, etc.

This session definitely did not dissapoint. Teri Stokes was hugely knowledgable, having come out of the mainframe world and been involved in IT for many years in addition to having a pharma background. She brought a deep understanding, therefore, of not just GxP and pharma, but good IT practices, pharma or not. And what became clear in the talk (and what I’ve suspected for some time now), is that validation is basically the standard change management and control processes any good IT shop in any industry should have in place for any application or hardware, but scaffolded with training on requirements for GXP processes.

Given that, determining how to validate your cloud/SaaS providers becomes much clearer, but Teri raised a few issues that really resonated with the folks in the room. First, make sure you understand all the parties involved in delivering the cloud/SaaS service you’re buying. If it’s SaaS software, does the vendor also own the infrastructure it runs on or do they run their product in someone else’s data center? If they do, you need to know that and make sure your validation process accounts for it. Second, who has access as system admin to your cloud/SaaS system or environment? A critical part of validation is change/release management, i.e., ensuring that GXP data either doesn’t change or only does so based on strict control requirements and with an audit trail. So if your SaaS software provider hosts their solution in someone else’s data center, you need to know whether an employee of that data center is a SysAdmin for your data and be able to manage them according to GXP requirements. And third, make sure you understand your cloud/SaaS provider’s upgrade process, because, depending on how the solution is architected and intregrated with your other systems, you may very well need to revalidate when they apply a secyrity patch, for example…which could happen monthly or even weekly, depending on their technology.

So much for day three. Tomorrow is a short day, but I’m looking forward to a great session on legacy R&D systems and the chance to catch up with the couple of folks I’ve yet to bump into here in DC.