Building Compliant Pharmaceutical Solutions on Appian

– [Jim] Welcome to building compliant solutions on Appian. Evi Cohen, Omesh Agam, and myself, Jim Vasconcellos, worked together to maintain Appian’s capability to meet the compliance needs of the life sciences industry.

Let’s start by reviewing at a high level the key concepts driving compliance requirements within life sciences. Good practices within select major functional areas, as listed here, define a quality framework for how any computerized system or business processes will have to perform in order to comply with the regulatory requirements of the industry. Some central aspects are having traceability, being able to reconstruct the development history of a drug product or medical device, and accountability, being able to resolve who contributed what to the development and when did that occur. Some key objectives are to ensure patients are being provided effective treatment at the lowest possible risk, that the industry products will always be created to fully meet the defined quality metrics, and all data that impacts safety and quality is fully secured with detailed audit histories and the required levels of privacy.

Regulations come from
various regional authorities, as shown here. They provide guidance while leaving it to the industry to define processes to meet the guidance. The industry has responded by forming groups like ICH, to develop process standards for all to consider.

Computerized system validation, CSV, is the area of focus for Appian. As shown here, many roles must be concerned with and understand the responsibilities in maintaining GxP compliance.

Appian’s proactive approach is driven by our customers’ expectation to provide them with a defensible position. The industry demands it and one of Appian’s central cultural themes is to simplify all we do for our customers, including our Cloud validation story. Our approach ensures that traceability and accountability needs are being met, with the level of transparency that ensures our customers can defend their positions. All the required roles at Appian are engaged to keep Appian in a state of control that complies with GxP guidance.

The FDA guidance on software validation is representative of what is required globally. Further, the guidance results in regulations as shown in the green box on the right, which end up requiring the industry to come up with the processes, defined as validation in the areas listed such as planning, verification, testing, et cetera, to meet the guidance. In addition to the software, one must look at the entire computerized system to see what other areas may also require validation, such as the hardware, equipment attached to the hardware, specialized operating procedures, so the entire system must be evaluated to determine the required processes to meet validation.

For GxP compliant
applications in the Cloud, the validation responsibilities vary and are shared between the customer and the supplier. On the far left is infrastructure as a service in which you are just being supplied the data center and therefore the supplier is responsible for the hardware validation requirements, and the customer is responsible for everything else. On the far right is software as a service, in which the supplier is building the applications and the data and maintaining them and therefore has complete responsibility for validation. In the middle is what Appian supplies, which is platform as a service. In this case, we’re supplying the data center hardware, as well as platform software that enables the customer to create applications and data, therefore the customers are responsible for the validation on applications and data, while Appian is responsible for everything else.

Let’s dive a little deeper into validation and discuss the differences
between qualification versus validation. Qualification are the actions that prove that any premises, systems, items of equipment work correctly and lead to the expected results. It establishes confidence the equipment is capable of consistently operating within established limits and tolerances. It’s generally considered a subset of your overall validation process. Validation though is focused on establishing documented evidence that provides a high degree of assurance that a specific process or software application will consistently produce a product, meeting its predetermined specifications and quality attributes.

The V model shown here is the standard in the industry, accepted for how one can achieve validation at a high level. It is shown here in the simplest waterfall version. There are agile versions that can work. The goal here is to show that we, as a platform as a service cloud provider in that gray band, share responsibilities with our regulated customers in achieving components of the V model.

Data integrity is an important objective within GxP compliant systems. 21 CFR Part 11 is a U.S. regulation that defines in detail the guidance needed in systems to maintain this type of data integrity. Appian as a platform provides its customers with the tools they need in order to achieve the states of control to ensure that the criteria that they have listed here can be met when they validate their systems.

Security in the Cloud for GxP applications is a very important topic. Shown here, it is a shared responsibility. Security of the data
center infrastructure, ensuring that it cannot be penetrated, is provided by Appian in cooperation with Amazon Web Services. When we get to the platform operation and the customer’s applications and data, again that’s shared between Appian and the customer, with noting that customer data is solely the customer’s responsibility, as Appian is supplying each customer with their own individual implementation and their data is only accessible by them. Therefore, they are fully responsible for ensuring that they use Appian’s tools and capabilities to create and isolate that data effectively.

A key objective of building validated software in a Cloud platform such as Appian is to move that IT maintenance number down and allowing you to increase your level of innovation spend. This is done in validated applications as you’ve seen by moving responsibilities to the service provider on the infrastructure and significant amount of the operational validation and qualification and allowing you to spend more time building applications and data that you can meet your needs.

Appian has a proven architecture that can work in the Cloud to meet life science industry’s GxP compliance needs. This built a significant amount of trust through its many compliance audits that have been completed and its compliance certifications. The results are that there are numerous life sciences companies currently using GxP compliant applications on our Cloud.

This is a high level view of the Appian Cloud architecture. Note that your instance as a customer is separate from other customers’ instances, and that users can enter either through the web or come through your firewall via a VPN connection. And again that your data can be held in the Appian Cloud instance or you can maintain your data behind your own firewall.

Now let’s talk about
Appian’s Cloud scalability and reliability. Here’s examples of the number of rules per hour that can be executed on various size implementations of Appian. The Cloud large is the normal size, we go up many sizes larger than that, depending on your needs. Here’s also an example of how many processes per hour can be executed on the various sizes that are available from Appian in the Cloud. There are some detailed white papers that you can obtain that talk about our architecture overview and our scalability needs. They can be found at community.appian.com or on the Appian.com website.

Globally we are currently available in 11 Amazon Web Services regions. Therefore you have the opportunity to choose which region you want your Cloud service to be located. Our service organization is located globally too with offices in the U.S., Europe, and Australia. This provides a follow the sun support model for all our Cloud customers. This is the latest uptime information about Appian Cloud by month since January 2016.

From a Cloud trust perspective, Appian has been the leader in this space for a long time, and today has the most certifications across all the major industries and government areas demonstrating our commitment to ensuring we have one of the highest trust levels within a Cloud provider. Here are some more detailed looks at some of our security and compliance programs that we have in place today. We also have a GxP report which is an independent assessment done on the Appian Cloud that shows how we achieve our controls and what the customer requirements are to achieve control to. Within the GxP report there is a roadmap for controls as well as procedural and technical controls are identified and we believe this will be very helpful for auditors to show how Appian has achieved control in this area.

So we’ll turn our attention to security. In order to meet and maintain
the many certifications we have, Appian must implement and maintain controls such as shown in this list here. Additionally, there are responsibilities that Appian will do on the Cloud side as well as the customer will need to do on their side in managing and maintaining their applications. Many of these things the customer does are enabled by what the platform supplies within its feature set.

To supply detailed transparency on our trust capabilities, Appian has a Cloud Trust Center at trust.appian.com where one can go to get information on our certification and request compliance reports. Appian itself runs on Appian Cloud, that includes all the departments you see here and we rely on it to be secure in order to meet our needs as it does also support our development and quality management systems.

As we showed earlier, the big benefit of Appian Cloud is that hopefully one can change that pie chart to where the innovation budget goes up significantly and your maintenance budget goes down significantly because Appian is supplying those services for you.
