iSpeak Blog

GAMP® Pragmatic Quality & Risk-Based Approaches: Part 2 Infrastructure - Embrace Automation

Sion Wyn
Christopher J. Reid
Part 2 Infrastructure - Embrace Automation

In the previous blog, GAMP® Support for Pragramtic Quality & Risk-Based Approaches, we saw how as part of the Case for Quality program US FDA CDRH (Center for Devices and Radiological Health) are promoting a risk-based, product quality and patient-centric approach to computerized systems assurance.

This Blog focuses on the topic of infrastructure, covering recommendations made by an FDA / industry team linked to the FDA Case for Quality initiative, and the GAMP re-examination of approaches to infrastructure.

Infrastructure – Embrace Automation!

As reported in the Panel Discussion - FDA and Industry Collaboration on Computer Software Assurance (CSA) - 20th Annual Computer And IT Systems Validation, April 23, 2019, the FDA / Industry team recommendation is to embrace automation in the management of IT infrastructure and to use electronic means rather than paper documentation, and to leverage continuous data and information for monitoring and assurance. This approach also provides higher quality, better process control, and lower quality, security and integrity risk.

The team reported case studies on replacing manual paper-based and error-prone test evidence and specification maintenance with an automated error-free approach based on standard tools. These case studies showed time savings of 10X (i.e. taking only a tenth of the time!).

GAMP Global Leadership strongly support and endorse the application of infrastructure management tools, especially supported by a good practice IT and infrastructure service delivery framework such as ITIL.

GAMP Re-examination of Infrastructure Approaches

IT Infrastructure management is increasingly achieved using automated deployment, monitoring, and configuration management controls. Traditional approaches to IT Infrastructure Qualification with manually documented specifications and qualification protocols do not effectively address the need for ongoing operational management of IT Infrastructure and continuous verification that controls are operating effectively. The use of traditional IQ / OQ activities do not ensure the effective operation, security and performance of IT Infrastructure, and do not adequately protect against cybersecurity threats.

A GAMP review is underway to identify areas where a traditional qualification approach may not provide the desired controlled state, and to advise on the application of contemporary methods of managing IT Infrastructure through the effective deployment of good IT practices supported by automation.

Objectives for the review include:

  • Encouraging the application of Good IT Practice e.g. use of ITIL wherever possible
  • Encouraging the use of CMDB (Configuration Management Database) and associated tools at all times, and discourage use of paper and documentation approaches including spreadsheets
  • Encourage automated review by exception approaches
  • Re-emphasize that tools and applications used to support infrastructure and IT processes are Category 1, as per GAMP guidance, and that infrastructure is neither GxP nor Non-GxP, but rather must support all applications with an efficient approach applied across the whole landscape.
  • For topics like CAPA, incident management, change management, etc., explain and re-emphasize that there is a fundamental difference between the critical GxP processes directly supporting the regulated product life cycle, and the IT and infrastructure management level processes below.
  • Encourage use of automation and the ability of automation to effectively manage risk and achieve effective data security and integrity
  • Promoting integration of appropriate controls into ongoing and routine operational processes (even when manual) rather than one-off qualification activities
  • Enabling quality and oversight, by not just automating current practices using tools, but refining and improving infrastructure management processes to achieve better governance and improved oversight of threats, trends, and compliance

Figure 1.1: Applications, Infrastructure Processes, and Platforms
Figure 1.1: Applications, Infrastructure Processes, and Platforms

In summary – apply current IT good practice and embrace automation for better, more effective and efficient control of infrastructure!