Building Automation System Vs. Continuous Monitoring System: Can you Segregate GxP Applications for Validation?
I recently attended a Vaisala webinar and I have a question concerning Building Management Systems (BMS) and Continuous Monitoring Systems (CMS). We have a BMS and a while ago we decided to use some of the latent functionality of the system as an environmental monitoring system for our facilities. These facilities comply with GLP, GMP and ISO 17025 so validation is necessary.
Unfortunately, we have had little help from our BMS supplier concerning compliance issues, which has left us in the dark on some compliance issues. Specifically, we need help understanding if we must validate the whole system? As you can imagine, it is a huge system that controls many things and the monitoring of regulated areas is a small part of its functionality.
So, our first question is: Can we separate the regulated activity from the non-regulated even though it is a single system? I presume that, even if we are able to validate only the regulated applications, the system as a whole would be subject to change control; we would have to assess the impact of all changes, not just those that directly affect the regulated functions.
In hindsight, we would have probably recommended a separate CMS from a recognized supplier such as Vaisala, but we must work with what we have. I am still trying to get information on validation and compliance from the BMS supplier, but I have a sneaking suspicion that this is a GAMP Category 5 (Custom) system with all the trouble and strife that this causes. Can you give us your thoughts on this?
I glad the webinar was useful and stimulated some good questions! We give seminars globally on validation, monitoring and one of the topics we cover during the 1-day event is the pitfalls of using a BMS to do the job of a CMS.
Now… to your questions. You seem to have really thought the issue out. I agree with your analysis and think you are asking the right questions. However, I would ask you to reconsider your assumption that it is too late to change the course of events. Let me explain why.
I am certain that the cost of a new Continuous Monitoring System (including validation) will cost less than validating your BMS to serve as a CMS, simply due to the impact of the custom programming that is inherent in BMS systems. Using your BMS as a CMS will have a higher initial cost, AND will give you a system with less functionality because BMS is not designed for monitoring. This design difference creates gaps that often in increased risks in terms of non-compliance and lost product.
Luckily, we can achieve some degree of precision in estimating the cost of a CMS that functions in parallel to your BMS to ensure compliance and safeguarding critical product in GxP applications. Then, you can take that amount and compare it to the costs of performing validations on those GxP areas that are currently being monitored by your BMS. It’s a simple comparison to make and will provide you with a clear rationale for the most cost-effective means of achieving compliance in monitored environments.
This is something I’ve seen many times: administrators love the idea of “Single System” simplicity. It’s so tempting to try to find one solution that can do everything. But for many reasons, it is an illusion. A compliant, low-risk, low-cost, simple (not complex) single system “BMS as CMS” is as real as leprechauns, unicorns, and the Loch Ness monster.
The only time BMS as CMS makes sense is when the installation is a large enough scale (and well segregated) that the savings from the economy of scale outweigh the deficiencies of the solution. Note, the deficiencies never go away, they just begin to look smaller when compared to the savings that are expected from the single system solution. Personally, I think the deficiencies (such as inherent compliance risks) are too great to ever be “outweighed” by any amount of financial savings.
If you must use the BMS as a CMS, the only way to make it manageable to segregate the GMP part as much as possible. Segregation removes as many of the non-GMP parts of the system from the GMP section. In your email, you already suggest this with your ideas on separation. If you can, the cleanest way to segregate is to split the signal at the sensor itself (or as close as you can manage) and send the sensor signal that to a separate server without going through the layers of field controllers (and their problematic custom programming). This level of segregation may not be possible for a variety of technical and budgetary reasons, as it requires an additional server, which may also additional licenses, etc., that eats away at the money your administrators are trying to save by using the BMS as a CMS. You can still segregate at other levels (such as a geographic segregation).
Segregation is the only way to reduce the validation load and reduce the cost of GMP maintenance (such as change control, SOPs, training, etc.). Again, I am not sure that I’ve told you anything new here. You seem to have a good grasp of the situation.
Please let me know if I can be of any further assistance!