Tuesday, June 16, 2015

Pointers for running a Regulated Pharma System in the Public Cloud

As the cloud becomes increasingly ubiquitous, the areas in which it can be adopted also become more widespread. Regulated industries are not immune to this. Soon we will all have to figure out how to run our workloads in the cloud while maintaining our compliance and privacy posture. If we go back in time and look at each application that carried a regulated (GxP or 21 CFR Part 11) workload, each piece of the software, platform, server, storage, network, even the data center, was individually qualified and then individually validated to the appropriate regulation.
 "The application should be validated; IT infrastructure should be qualified." (EU GMP Annex 11, 2011)
Cloud is everywhere, so are we going to individually qualify and validate each building block? Certainly that seems like job security, but wouldn't that make the cloud less compelling, and in some cases unusable?

So who should do what for a GxP hosted application?

If you have data privacy needs, these should be tested as part of the validation testing and formally documented; quality still needs to be addressed.

Platform qualification documents are still needed when a regulated / validated application is hosted in a cloud environment.

You also have to realize that the current concepts of computer system validation (CSV) do not work well in the cloud. For example, how does one perform an installation qualification (IQ) when one does not know the serial number of the machine on which the software will be installed, nor in some cases its location? So we must pay attention to the purpose of the IQ, not to the implementation of the IQ, and by extension we must consider the purpose of CSV, not just its current practice. Any task carried out in the regulated domain should have at least these attributes: repeatability, the ability to audit, and non-repudiation, whether it is paper-based or computer-based, in house or in the cloud.

The idea is to control your data: who can access it, and what they do (and did) to it once accessed.

The approach for compliance in the cloud needs to be different. If done correctly, compliance in the cloud can be far more efficient than any other means of providing compliant applications. Instead of worrying about qualifying each building block, the cloud vendor qualifies the platform once, to many standards and many certifications. Most of the Tier-1 cloud vendors provide these qualifications to any customer who needs to run a validated application on the cloud vendor's platform. At least that is the approach many of the cloud providers are taking. The provider qualifies the platform; the customer (or partner) validates the application.
Whether you are considering infrastructure as a service (AWS, Microsoft Azure, Google Compute, Digital Ocean), platform as a service (AWS Machine Learning, AWS RDS…), or software as a service, thinking of putting your applications on Amazon Web Services or Azure, or simply enabling your business with a CRM (Veeva), Office 365 or Google Analytics, most providers offer detailed documentation and certifications across a wide range of standards.
This enables their regulated customers and partners to run validated applications.

Your situation may vary, as each customer's QA has a different viewpoint on the qualifications and documentation necessary to support a validated application. It is certainly no longer a question of whether one can qualify and/or validate an application to run in a cloud. It will come down to your quality and compliance process, and to what extent we can amend IQ/PQ/OQ to support distinct system categories running in the cloud. For example, a clinical trial portal has a different level of risk than a back-office HRMS application and is thus validated to a different level. One-size-fits-all doesn't work. One needs to understand the unique nature and risk profile of each application and then determine what is appropriate. A uniform approach may have been convenient, or perhaps standard, for traditional data-center delivered resources, but one needs to rethink some of those measures and practices. Now that you are considering running these systems in a cloud, each system needs to be evaluated for its validation posture.
Various approaches have been documented and discussed as they relate to running sensitive workloads in the cloud: how life science organizations are using the cloud across the value chain (Clinical Information System, Patient Data Archive, Patient Population Risk / Pattern Assessment, Genomics, and more…) and what levels of qualification documentation vendors must provide to customers in regulated environments. This article considers some basic and fundamental approaches to the cloud.

Security is Everyone's Business:
Although security by far remains the biggest concern, it can also be viewed as an enabler. However, one can't build security services with the same develop-and-operate mindset that we have been using for decades. As we move into the cyber security era, more pervasive machine-learning techniques need to be considered… (There could be an entire article on this…)

"Design security in the context of the Cloud”.

Suggested Approach:

Regulated or non-regulated, it is apparent that at the end of the day one needs assurance as to who has access and what they did with that state (data or system). We also need traceability and repeatability, by which you can audit, report and resolve issues, as is prudent in any software development lifecycle. (Suggested model below.)

Regulatory considerations for the use of cloud computing will depend on the services you consume. Not all services are created equal when it comes to satisfying compliance requirements.

Rethink Operational Capabilities:
Your operation will be different. The Tower concept will not work, nor can it scale to the ever-increasing demands. Consider adopting capabilities that provide the appropriate assurance and governance to operate your cloud services and at the same time promote agility and time to service delivery.
[Image: suggested operating model. Source: 8kmiles.com]


  • Codify your Infrastructure
  • Pre-Qualify your environment prior to loading GxP workloads
  • Build pre-validated images for Cloud usage
  • Adopt a version control & release methodology
  • Automate your stack as much as you can
  • Automate your testing
  • Test, test and test before you start to move workloads
  • To maximize effectiveness and minimize risk (and ultimately cost), security and privacy must be considered from the outset of any cloud implementation, not after implementation and deployment
  • Cloud providers (IaaS and PaaS) are generally not aware of the specific security, privacy and regulatory needs of your sector, so design in the context of your organization
  • Adopt the V-Model by design (http://en.wikipedia.org/wiki/V-Model_(software_development))
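Putting the list above together with the earlier point about the purpose of an IQ, here is an added Python example (not code from the original post) of a codified, repeatable installation qualification: rather than recording a machine serial number, it compares a deployed environment manifest against a pre-qualified baseline and writes a keyed-hash audit record so the outcome is auditable and tamper-evident. The baseline contents, the image identifier, the drifted manifest and the HMAC key are all constructed placeholders.

```python
# Added example (not the post's code): codified IQ check comparing a deployed
# environment to a pre-qualified baseline and sealing an audit record. Constructed values.
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed qualified baseline: what a pre-validated image must contain.
QUALIFIED_BASELINE = {
    "image_id": "ami-PLACEHOLDER",  # placeholder, not a real image id
    "packages": {"openssl": "1.0.2", "postgresql": "9.4"},
    "settings": {"audit_logging": "enabled", "disk_encryption": "enabled"},
}
# Constructed drifted manifest: wrong openssl version, disk_encryption missing.
DEPLOYED_DRIFT = {
    "image_id": "ami-PLACEHOLDER",
    "packages": {"openssl": "1.0.1", "postgresql": "9.4"},
    "settings": {"audit_logging": "enabled"},
}

def run_iq(env: dict, baseline: dict = QUALIFIED_BASELINE) -> list:
    """Return deviations from the qualified baseline; an empty list is a pass."""
    deviations = []
    if env.get("image_id") != baseline["image_id"]:
        deviations.append(f"image_id: got {env.get('image_id')}")
    for section in ("packages", "settings"):
        for name, expected in baseline[section].items():
            found = env.get(section, {}).get(name)
            if found != expected:
                deviations.append(f"{section}.{name}: expected {expected}, got {found}")
    return deviations

def audit_record(env: dict, deviations: list, operator: str, key: bytes) -> dict:
    """Build the IQ audit record and seal it with a keyed hash (HMAC-SHA256)."""
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "operator": operator,
        "env_digest": hashlib.sha256(json.dumps(env, sort_keys=True).encode()).hexdigest(),
        "result": "PASS" if not deviations else "FAIL",
        "deviations": deviations,
    }
    body = json.dumps(record, sort_keys=True).encode()
    record["hmac_sha256"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return record

def verify_record(record: dict, key: bytes) -> bool:
    """Recompute the seal; False means the record was altered after sealing."""
    body = {k: v for k, v in record.items() if k != "hmac_sha256"}
    expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(record.get("hmac_sha256", ""), expected)
```

Because a symmetric key is shared, the seal proves the record was not altered by anyone without the key; attributing the record to one operator beyond dispute would need a per-operator signature and a protected log.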
