By all accounts, “Cloud Computing” lowers the total cost of ownership of IT for companies in industries of any type and of any size. In marked contrast to other industries, the Pharmaceutical industry has lagged in adopting cloud computing solutions, retaining costly on-premise solutions or implementing hybrid Cloud solutions which deliver only minimal benefit. Data integrity, among other barriers to implementation, remains the major hurdle for the Pharmaceutical Industry in attempting to adopt Cloud technology.
In 2014 the Food and Drug Administration published an article in the FDA Voice praising how leveraging Cloud Computing allowed the Agency to “continue to protect and promote the public health”. In early 2016, the FDA followed-up by publishing “Guidance on Data Integrity”, which, for the first time, clearly categorized a computer system: “Computer or related systems can refer to computer hardware, software, peripheral 142 devices, networks, cloud infrastructure, operators, and associated documents (e.g., 143 user manuals and standard operating procedures)”.
About the same time the FDA was publishing its “Guidance on Data Integrity”, the Internal society for Pharmaceutical Engineering (ISPE) formed a new GAMP (Good Automation Manufacturing Practices) Special Interest Group with the intent to provide guidance on the usage of Cloud technologies in the regulated (GxP) environments and to help accelerate the adoption of this technology within the industry.
There are 3 main delivery models for Cloud solutions, which can be implemented using virtual online products instead of physical on-site hardware: Infrastructure as a Service (Iaas), Platform as a Service (Paas) or Software as a Service (SaaS). The responsibilities for using any of these delivery models as GxP solutions are comparable to utilizing any traditional on-site IT model and they all apply similarly.
Depending on the used cloud model – Infrastructure as a Service (Iaas), Platform as a Service (Paas) or Software as a Service (SaaS) – the nature of some of these responsibilities, however, might change.
The true benefits of Cloud computing are specialization and focus. Scientific organizations want to focus on science and view IT as necessary to supporting infrastructure. By contrast, vendors focus and specialize exclusively on IT solutions, spreading the development and support costs across their entire customer base.
From the diagram, it is evident that there is a transfer of effort from the scientific organizations onto vendors as the SaaS Cloud delivery model is more fully implemented. SaaS describes a delivery model in which the IT effort is almost completely transferred to the solution vendor and describes the most beneficial end-state for scientific organizations.
Under this well-established model, customers who intend to use Cloud products as part of their GxP systems must assess responsibilities covered by Quality Systems, System Development Life Cycle and Regulatory Affairs areas.
Creation and maintenance of user accounts.
Ensuring personnel have the education, training, and experience to perform their assigned job functions.
Assessment of the ongoing effectiveness of the system security and data integrity controls, and the SDLC.
Ensuring that product specifications conform to specified requirements is a key requirement of GxP controls.
Organizations with GxP requirements need to evaluate and select their potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements.
Agreements with IT suppliers are important for organizations with GxP systems. This includes documented, clear statements of shared responsibilities and commitments from the IT supplier to notify the organization of material changes to the supplier’s product.
Records & Logs
For each GxP system, life sciences organizations are required to identify the retainable records and logs needed as GxP evidence and to maintain the integrity and availability of the records throughout their retention period.
System Development Life Cycle
Each GxP system must have certain features and a controlled SDLC process for delivering them. The specific features and SDLC controls that apply to each system depend on a variety of factors and are derived from regulations like 21 CFR Parts 11 and 820 in the US, Annex 11 and 93/42/EEC in the EU, and their international equivalents. The overall intent of these regulatory guidelines is to ensure that the GxP system fulfills its intended use and that the data is trustworthy and reliable.
GxP systems need to be developed following documented procedures that ensure the systems meet their specified requirements. Development activities include: planning, coding, building, configuring, testing, and deployment.
GxP applications need to be validated to ensure that software specifications conform to user-needs requirements, and the software infrastructure that the GxP applications runs on needs to be qualified to ensure that it meets the system requirements for the application.
Developing, conducting, controlling and monitoring GxP systems in production operations is important to ensure that they continue to conform to specifications. When end-user issues or system deviations occur, organizations with GxP systems also need to maintain a process for responding, correcting and preventing those issues.
With the Cloud, organizations of any size can take advantage of solutions that will minimize the total cost of ownership, ensure pharmaceutical data integrity, and remove the need to plan and procure physical devices and IT infrastructure weeks or months in advance.
Cloud Validation is certainly a challenge, however following FDA and GAMP guidance many organizations are demonstrating that it is possible to utilize the Cloud in GxP regulated environment and thus secure the benefits that this innovative technology offers.