IVT Network brought together key players at the 19th Annual Computer & Software Validation conference to review up-to-the-minute coverage of regulations, trends and procedures in CSV, data integrity, mobile medical devices, and software validation. This article provides key findings from top sessions, but much more detail can be found in our conference compendium.
Data Integrity in 2018
Chris Wubbolt of QAVC Consulting, LLC explored where we stand with data integrity in 2018 by providing updates on the regulatory landscape. As a cornerstone of pharmaceutical compliance, data integrity isn’t going away, and Wubbolt discussed how the focus will continue to be on data integrity controls, as well as data governance and organizational culture. Recent guidances on the topic include the MHRA Final GMP Guidance, WHO’s Guidance on Good Data and Records, FDA’s Data Integrity Guidance and Compliance with cGMP, and EMA’s Data Integrity Guidance Q&A. FDA expects data to be accurate and reliable, with flexible, risk-based strategies to prevent and detect data integrity issues. Data integrity is an important component of industry’s responsibility to ensure the safety, efficacy, and quality of drugs, and a reflection of FDA’s ability to protect the public health.
On Finding a Paperless Validation Solution
Lizzandra Rivera, Associate Director of Quality and IT at Alexion, gave a presentation called “Leave Paper Archiving in the Past – Here’s How to Move to a Cost Effective Electronic Validation Solution.” An electronic or paperless validation system is the use of an electronic system to document validation requirements.
A benefit of paperless validation is that it eliminates or reduces paper validation documents. At the least, it allows the review and approval of all documents to be done electronically, with execution of the documents, including signatures, also done electronically. It enables global collaboration between teams. It also allows automated management of the validation lifecycle, such as inventory, change management, and periodic review, and it provides real-time validation status, real-time metrics, and extensive reporting. It is sometimes forgotten that a paperless validation system is a regulated computerized system in and of itself.
The key considerations when selecting a solution that works for all systems are the scope or intended use, the process, and the cost. Costs can add up when dealing with software licensing, support, training, and maintenance. Most importantly, it is important to understand the process prior to selecting a solution. Then, it is useful to think globally even if an organization plans to implement locally, and to plan for change.
Transitioning to a Cloud-Based Validation Environment and GDPR
Holly A. Baldwin of UL Compliance to Performance provided a timely presentation on cloud-based validation, especially where data privacy laws have increased. For those not familiar with the term “cloud,” it is said to have originated in 1996 with a team of executives at Compaq who were describing a future in which all business transactions would take place over the web. According to The NIST Definition of Cloud Computing, it is a “convenient, on-demand network access to a shared pool of configurable computing resources.” Where traditional IT models have physical servers in data centers, in the cloud a consumer can unilaterally provision computing capabilities, such as server time and network storage, automatically as needed without requiring human interaction. Cloud data can be accessed over a network from different platforms such as mobile devices, tablets, laptops, and workstations.
Due to the broader access to data, security concerns have been a top barrier to cloud adoption. These include:
- Unauthorized access internally and externally
- Data/Record Destruction: Accidental or intentional
- Data/Record Modification: Inappropriate altering of data
- Unauthorized usage internally and externally
Most recently, the European Union implemented the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. It was designed to harmonize data privacy laws across Europe, protect and empower all EU residents’ data privacy, and reshape the way organizations across the EU approach data privacy.
In consideration of GDPR, a mock privacy breach can be conducted in order to test disaster recovery. The mock privacy breach will evaluate:
- Silos in breach processes
- Detection of the breach: Security controls
- Gaps in notification process
- Crisis decision making such as with media relations, business impact mitigation, cyber insurance integration, allocation of roles and how to organize people in times of crisis.
GDPR defines a "personal data breach" in Article 4(12) as: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed." What should be clear is that a breach is a type of security incident, and that the supervisory authority must be notified no later than 72 hours after becoming aware of the breach.
As security concerns become a rampant issue across the industry, companies must stay in compliance and find the right solutions because the time to act is now. More details on computer and software compliance can be found in our conference compendium.