Blockchain GAMP5 10

by Vito La Melia, Controlling Manager & PMO Associate Partner & Giorgia Romano, CSV and Data Integrity Senior Consultant @PQE GROUP

ABSTRACT

Blockchain technology is omnipresent. While it may not be directly associated with the pharmaceutical industry, its potential for supporting GxP processes cannot be overlooked. Blockchain, known for its decentralized and distributed nature, employs elements such as cryptography, consensus, smart contracts, and replication to capture and secure data from multiple participants in a network. Acting as a decentralized and immutable ledger, blockchain records transactions in blocks linked together through cryptography. It can serve as a distributed database and the ultimate source of truth for the entire system. Various types of blockchains exist, including public, consortium, and permissioned or private blockchains, each offering different levels of accessibility and control. This technology operates on different layers, with Layer 1 (L1) constituting the foundational chain and Layer 2 (L2) solutions enhancing scalability and transaction processing. This article delves into the intersection of blockchain technology and the pharmaceutical industry, highlighting the importance of comprehending the application and intended use of blockchain to adopt a risk-based approach. 


Blockchain is rapidly advancing, but what is its real power and innovation? Let's start from the beginning. Blockchain can be considered as a distributed computing system that uses a decentralized infrastructure to capture and secure data from multiple participants within a defined network by leveraging a combination of different elements (such as cryptography, consensus, smart contracts, and replication). While this topic can be seen as something that is very far from the pharmaceutical industry, considerations can be made to analyze how this kind of technology can support GxP processes because, even if pharma companies decide not to apply this decentralized system, some of their suppliers may. 

To better understand this kind of connection between pharma and blockchain, the first thing that needs to be done is to understand the definition and related intended use of this application to better fit a specific risk-based approach. 

A blockchain is a decentralized, distributed and public digital ledger (DLT) that is used to record transactions across many computers in a way that prevents records from being altered retroactively. A blockchain maintains an ordered list of transactions, grouped into blocks, which occur between members of a network. These blocks cannot be altered and are linked using cryptography; each block contains a cryptographic hash of the previous block, a timestamp, and transaction data.


In this way, blockchain can be considered as a distributed database, designed to store a ledger of transactions, each one being only a few bytes of information. When transactions become too large, latency is introduced into the blockchain. 

Nevertheless, blockchain is not intended to be a data store, but the data contained therein, or the log of transactions captured, may be critical to the organization’s application. Consequently, since blockchains are designed to maintain permanent records, the concepts of data retention and retrieval allow ISPE GAMP® to be applied. 

It is important to understand the intended use of the application of blockchain so that a risk-based approach can be applied. 

1. It could be considered a network layer, which may be compared to an infrastructure (low risk). 

2. It could be considered customized software, since some blockchains can leverage smart contracts. When these interact with each other, blockchains become capable of complex business logic whose criticality depends on the business processes involved (high risk). 

It is useful to understand how smart contracts work, because they are used within blockchain networks to automate actions based on defined quantitative variables that the contract monitors. Smart contracts are pieces of business-rule logic that can be deployed on a blockchain. They act as an “account” to which transactions can be sent when certain conditions are met. They can generate “events,” which are typically another transaction. An analogy is the familiar logic trees within PLC programming. Smart contracts should be assessed as part of the overall system life cycle of the blockchain network or application, and should be used to review the integrity, security and integration of the inputs and outputs of the smart-contract logic. 

The blockchain will likely serve as the connector of multiple sources of data, and will, in many cases, become the source of truth for which data represents the current state of the overall system. However, blockchains are not generally the source of origin for new data other than identifiers, accounts and timestamps. In these cases, data quality controls should be in place to keep the data recorded in the blockchain in sync with data generated in the source of origin. Data mapping and checks of ALCOA+ requirements can help to identify deficiencies. The blockchain may provide evidence of which account(s) signed a transaction on the network, but the organization may need to understand which other organization(s) control that account, implying the need for a registry or some form of verified credentials. 
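One way to implement the data quality control described above, as an added example that is not from the original article or from GAMP® 5: a reconciliation check comparing current source-of-origin records with the digests recorded on the ledger. It assumes the ledger transaction stores a SHA-256 digest of each record rather than the record itself; the record fields, identifiers and the LIMS export are hypothetical, constructed sample data.

```python
import hashlib
import json

def record_digest(record: dict) -> str:
    """SHA-256 of a canonical JSON form, so key order and spacing do not matter."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def reconcile(source_records: dict, anchored: dict) -> dict:
    """Compare source-of-origin records with digests recorded on the ledger.

    source_records: record id -> current record in the source system
    anchored:       record id -> digest stored in the ledger transaction (assumed layout)
    """
    report = {"in_sync": [], "changed_in_source": [], "missing_in_source": []}
    for rec_id, digest in anchored.items():
        if rec_id not in source_records:
            report["missing_in_source"].append(rec_id)
        elif record_digest(source_records[rec_id]) == digest:
            report["in_sync"].append(rec_id)
        else:
            report["changed_in_source"].append(rec_id)
    # Records that exist in the source system but were never written to the ledger.
    report["not_anchored"] = sorted(set(source_records) - set(anchored))
    return report

# Constructed sample data: a hypothetical LIMS export and the digests anchored earlier.
ORIGINAL = {
    "R-1": {"batch": "B001", "assay_pct": 99.2, "analyst": "a.rossi"},
    "R-2": {"batch": "B002", "assay_pct": 98.7, "analyst": "g.bianchi"},
    "R-3": {"batch": "B003", "assay_pct": 99.9, "analyst": "a.rossi"},
}
ANCHORED = {rec_id: record_digest(rec) for rec_id, rec in ORIGINAL.items()}

def demo():
    current = {
        "R-1": {"analyst": "a.rossi", "assay_pct": 99.2, "batch": "B001"},    # keys reordered only
        "R-2": {"batch": "B002", "assay_pct": 99.7, "analyst": "g.bianchi"},  # edited after anchoring
        "R-4": {"batch": "B004", "assay_pct": 97.5, "analyst": "g.bianchi"},  # never anchored
    }
    return reconcile(current, ANCHORED)  # R-3 has been deleted from the source

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The canonical serialization matters: without sorted keys and fixed separators, a harmless re-export of the same record would be reported as a change.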

Appendix 10 of GAMP® 5 focuses on large-scale public blockchain implementations that are sufficiently decentralized and not controlled by a small group of entities, because they could potentially be used for multiple use cases, both GxP and non-GxP. But it is important to know that there are three types of blockchain:

  • Public blockchain or permission-less is a network in which anyone can participate without restrictions. Most types of cryptocurrencies run on a public blockchain that is governed by rules or consensus algorithms.

  • Consortium blockchain is a network where the consensus process (mining process) is closely controlled by a preselected set of nodes or by a preselected number of stakeholders. 

  • Permissioned or private blockchain allows organizations to set controls on who can access blockchain data. Only users who are granted permissions can access specific sets of data. 


In blockchain, it is important to make a distinction between two terms: layer 1 (L1) and layer 2 (L2). 

L1 refers to the fundamental, base-level chain in a network. It provides the most essential services to a network, such as recording transactions on the public ledger and ensuring adequate security (e.g. Bitcoin, Cardano, Ethereum). 

The primary goal of any blockchain is to optimize decentralization, security, and scalability. However, this balance is difficult to strike, and this is why the concept of achieving all three is called the blockchain trilemma. 

Layer 2 solutions, instead, are platforms that generally improve the functions (usually scalability) of Layer 1 technology. L2 solutions are typically built on top of L1 chains, and often require users to transfer their assets from the main chain to the L2 chain through a bridge. Layer 2 solutions can be their own blockchains, while borrowing the security of their dedicated L1 network. L2 solutions process transactions outside of the L1 network (“off-chain”) and communicate those transactions to the L1 chain, which finalizes them. This allows for more rapid transaction processing and reduces fees for users. 


Another core element of blockchain functionality is cryptography. It is how transactions are secured (using public and private keys), and it is part of how to ensure that only authorized individuals can view certain information about transactions. One of the most utilized tools in cryptography is hashing, in which an algorithm generates a unique identifier for just about anything digital. For example, a hash of the letters “ISPE” using an SHA-256 algorithm looks like this: 

E7AE003CF0974DEC21E4BB10C0EB3ECD1BC389471C8CDA83798AA825C51C04B9 

Hashing is a one-way operation; if you have only this hash, there is no way to understand what it means. Most hashes are very sensitive; even a minor change in the original input produces an entirely different hash. For example, the hash of “ISPe” using the same SHA-256 algorithm would be:

481A9F91046AEF67E2D2407C05C3E6EEC52894108794324A2B2A1DBF0CBBB880 
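The block linking described earlier (each block holding the previous block's hash, a timestamp and transaction data) and the sensitivity of hashes just shown, combined in an added example that is not from the original article: a one-character retroactive edit breaks the chain. The block layout, timestamps and transaction strings are constructed assumptions, not any real blockchain's format.

```python
import hashlib
import json

def block_hash(block: dict) -> str:
    """SHA-256 over a canonical (sorted-key) JSON encoding of the block."""
    payload = json.dumps(block, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest().upper()

def build_chain(transactions, start_time=1_700_000_000):
    """Link blocks: each stores its predecessor's hash, a timestamp and data."""
    chain, prev = [], "0" * 64  # all-zero value marks the first block
    for i, tx in enumerate(transactions):
        block = {"index": i, "timestamp": start_time + i, "prev_hash": prev, "data": tx}
        chain.append(block)
        prev = block_hash(block)
    return chain

def first_mismatch(chain, head_hash):
    """Index of the first block whose hash differs from what was recorded, or None.

    Each block is checked against the prev_hash stored in its successor. The
    newest block has no successor, so it is checked against head_hash, a copy
    of its hash held independently of this chain (in a network, by other nodes).
    """
    for i, block in enumerate(chain):
        expected = chain[i + 1]["prev_hash"] if i + 1 < len(chain) else head_hash
        if block_hash(block) != expected:
            return i
    return None

# Constructed sample transactions (not real batch data).
TXS = ["batch 001 released by ISPE", "batch 002 released", "batch 003 released"]

def demo():
    chain = build_chain(TXS)
    head = block_hash(chain[-1])
    intact = first_mismatch(chain, head)
    chain[0]["data"] = "batch 001 released by ISPe"  # one-character retroactive edit
    edited = first_mismatch(chain, head)
    # Even if every later link is recomputed, the independently held head differs.
    for i in range(1, len(chain)):
        chain[i]["prev_hash"] = block_hash(chain[i - 1])
    relinked = first_mismatch(chain, head)
    return intact, edited, relinked

if __name__ == "__main__":
    print(demo())
```

The last case shows why replication matters: a single copy of the chain can be rewritten consistently, and only hashes held by other participants reveal the change.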

In a public blockchain, the inclusion of new data in the blockchain is done collaboratively by all participating nodes in the network. Their incentive to process specific transactions on behalf of others is the transaction fee; this value can also be called “gas” and refers to fees paid by users to compensate for the expense of energy required to process and validate transactions on the blockchain. These fees must be transferred at the time of record creation, otherwise it is not possible to deploy and interact with smart contracts on the network. 

  • Fees typically correlate with the amount of data in a transaction. 
  • To increase throughput and reduce transaction fees, Layer 2 solutions are often deployed. 
  • The value of the cryptocurrency held by the addresses can fluctuate wildly, and there may be accounting and tax implications. 

Blockchain has shown its potential for transforming traditional industry with its key characteristics: decentralization, distribution, trust and auditability. Nowadays, blockchain-based applications are springing up and there are plans to conduct in-depth investigations on blockchain-based applications in the future. 
