Pragmatic Compliance Solutions: Adding Value Effectively to GxP

An interview with Stephen Ferrell, Co-Founder, CompliancePath
September 8, 2022

We are delighted to welcome CompliancePath to the Tetra Partner Network and are excited to share our recent conversation with Stephen Ferrell, Co-Founder. Stephen’s experience includes supporting regulated clients around the world. He has implemented Quality Management Systems at several companies at both the corporate and divisional level and has hosted and conducted countless audits across the GxP disciplines: ISO13485 (inclusive of IEC62304/ISO14971), ISO27001, SOC 1 & 2, Electronic Healthcare Network Accreditation Commission (EHNAC) and Federal Risk and Authorization Management Program (FedRAMP).  He was also instrumental in guiding TetraScience in reaching GxP compliance of the Tetra Scientific Data Cloud™.

You’ve worked in executive positions for several life sciences companies. Why have you chosen to focus exclusively on compliance?

I am very much a process driven person. For me, compliance is simply the byproduct of good processes. The challenge of working in compliance is to find the appropriate balance so that the processes created are actually adding value. My goal is always to increase product quality and patient safety while not creating unwieldy bureaucracies that diminish our customers’ goals and the software and applications that they are trying to build.

In a sentence or two, please describe CompliancePath.

CompliancePath helps companies who are either regulated by life science health agencies or who are trying to sell into regulated life science markets to achieve pragmatic compliance solutions for their IT services and their software applications.

What types of challenges do you help your customers solve?

We've had the opportunity to be involved in some interesting projects during the pandemic. For example, we helped a company whose application had over 2 million daily users.  We were also able to work collaboratively with the Medicines and Healthcare products Regulatory Agency (MHRA) in the United Kingdom to make sure that all the regulatory documentation, and testing and risk assessments, were completed so that the application continued to add value. And we helped a large, multinational lab instrument and software company to transition to the cloud.

We help customers seeking ISO 27001 certification and those who are transforming manufacturing from one-off validation and assurance projects, all the way through global enterprise system implementations.

What are the most frequently asked questions you get?

The most common question we get is, “How much validation is necessary?” Generally, there are two armed camps: those who don't see the value of validation, and those who, through a confused ‘conservatism’, create processes and documentation that are so over the top they actually add very little value to the cause of patient safety and product quality.

We try to help people understand the actual risk profile of the applications they are building or that they've bought. Once we truly focus our customers on patient safety or impact to product quality, we're able to create a much more pragmatic compliance solution with them that, when done properly, becomes a value addition instead of a value subtraction.

What are the benefits of your validation acceleration program for quality software?

Our validation acceleration program has been utilized hundreds of times for our software vendor customers. The purpose is to assure a regulated company who wants to purchase that software that a trusted third party has evaluated it. The company selling the software also gains the ability to configure and deploy it more quickly.

This eliminates the traditional, heavy-lift validation efforts.  Instead of having to rinse and repeat, the regulated company is simply able to purchase a validation package off the shelf and focus any subsequent validation activities solely on their intended use.

How have the increasing number of digital products being used in biopharma affected adherence to compliance or governance regulations?

It's been an interesting couple of years particularly for cloud delivered applications! I have come a long way with my views relative to the compliance footprint of the cloud. For example, there are a couple of dedicated life science cloud providers, but many life science companies engage AWS, Microsoft Azure, or Google Cloud.  Over time I've become more accepting, to the point of advocacy for leveraging their control sets as a solid foundation for compliance.

The other thing we're seeing is that a product like the Tetra Data Platform (TDP), which would have been considered a unicorn until recently, is now becoming the new reality - even better than mainstream!  TetraScience’s ability to take disparate data lakes, bring them together, and then make sense out of them is truly groundbreaking, and that's why we're so excited about their value proposition. The use of augmented reality in pharmaceutical manufacturing is another particularly exciting area where we see a great deal of activity in the cell therapy space which will hopefully decrease the time to market for key therapies.

What are some of the biggest mistakes a company can make when undertaking a compliance or validation program, and how should they best avoid them?

The biggest mistake that we see, quite frankly, is what I would call “over compliance”. We avoid this with proper risk management: we gain understanding of the intended use, evaluate the true risk of that intended use either in a developed application or a configured application that has been purchased, then apply appropriate testing rigor to those risks. This is often easier said than done! We see many companies who do cursory risk assessments that really achieve little more than ticking a box to say they've done a risk assessment, and then proceed to validate every nook and cranny of an application. In many cases, customers miss the intended use completely. As a result, we constantly reinforce a focus on intended use.

What are the unique challenges and risks of gaining compliance for SaaS products?

SaaS products present unique compliance challenges primarily because the regulated company has to trust an outsourced service provider to manage both the infrastructure and the application. So, right out the gate, it's important to understand what a SaaS provider’s underlying infrastructure is. If it's something that they have built in house and are hosting themselves that presents a much higher risk profile than someone who has selected one of the GxP cloud providers or has gone with AWS or Microsoft Azure.

When a mainstream IaaS solution has been selected you can feel fairly comfortable about the infrastructure given the various certification programs that those providers subject themselves to. The other challenge is for the legacy product providers who are transitioning to SaaS. They have operated previously as software companies - not service companies - and there is a necessary psychological switch that must be thrown so that they understand that their boundaries are no longer just the software but also the management of service performance, security, etc. We see mixed results there as far as legacy companies making the transition.

For companies that are cloud native who are bringing new tech to the market it's less of an issue. The challenge we see there is more making sure that they understand the compliance constraints that they are facing when they sell into a life science market. We try to help them navigate that so that they can be agile and keep their Continuous Integration / Continuous Deployment (CI/CD) pipeline going while also maintaining a compliant footprint that their regulated customer companies can take advantage of.

What are the benefits of belonging to the Tetra Partner Network?

For us the benefit of being part of the Tetra Partner Network is being in an ecosystem that is just burgeoning with potential. The core TDP product is truly remarkable! We are thrilled to be associated with it to be able to help companies find a GxP friendly pathway within the TDP environment. We feel we can provide great value and benefit in helping TetraScience’s customers and partners unleash the power of the company’s services in more highly regulated spaces.

What else would you like to share?

I would recommend that folks who are interested in GxP compliance get their hands on the new International Society of Pharmaceutical Engineers (ISPE) GAMP© 5 manual, 2nd edition. There is a lot in there that is particularly relevant to the procurement of SaaS products and it frees compliance practitioners from a lot of the legacy thinking that unfortunately has sort of crept into our industry. We are rolling it out across our customers now and are always happy to chat with anyone who might have questions.
