Introduction

By all accounts, “Cloud Computing” lowers the total cost of ownership of IT for companies in industries of any type and of any size.  In marked contrast to other industries, the Pharmaceutical industry has lagged in adopting cloud computing solutions, retaining costly on-premise solutions or implementing hybrid Cloud solutions which deliver only minimal benefit. Data integrity, among other barriers to implementation, remains the major hurdle for the Pharmaceutical Industry in attempting to adopt Cloud technology.

In 2014 the Food and Drug Administration published an article in the FDA Voice praising how leveraging Cloud Computing allowed the Agency to “continue to protect and promote the public health”. In early 2016, the FDA followed-up by publishing “Guidance on Data Integrity”, which, for the first time, clearly categorized a computer system: “Computer or related systems can refer to computer hardware, software, peripheral 142 devices, networks, cloud infrastructure, operators, and associated documents (e.g., 143 user manuals and standard operating procedures)”.

About the same time the FDA was publishing its “Guidance on Data Integrity”, the Internal society for Pharmaceutical Engineering (ISPE) formed a new GAMP (Good Automation Manufacturing Practices) Special Interest Group with the intent to provide guidance on the usage of Cloud technologies in the regulated (GxP) environments and to help accelerate the adoption of this technology within the industry.

Implement a Cloud solution

There are 3 main delivery models for Cloud solutions, which can be implemented using virtual online products instead of physical on-site hardware: Infrastructure as a Service (Iaas), Platform as a Service (Paas) or Software as a Service (SaaS). The responsibilities for using any of these delivery models as GxP solutions are comparable to utilizing any traditional on-site IT model and they all apply similarly.

Depending on the used cloud model – Infrastructure as a Service (Iaas), Platform as a Service (Paas) or Software as a Service (SaaS) – the nature of some of these responsibilities, however, might change.

The true benefits of Cloud computing are specialization and focus.  Scientific organizations want to focus on science and view IT as necessary to supporting infrastructure.  By contrast, vendors focus and specialize exclusively on IT solutions, spreading the development and support costs across their entire customer base.

From the diagram, it is evident that there is a transfer of effort from the scientific organizations onto vendors as the SaaS Cloud delivery model is more fully implemented.  SaaS describes a delivery model in which the IT effort is almost completely transferred to the solution vendor and describes the most beneficial end-state for scientific organizations.

Under this well-established model, customers who intend to use Cloud products as part of their GxP systems must assess responsibilities covered by Quality Systems, System Development Life Cycle and Regulatory Affairs areas.

Management Responsibility

Involves tasks such as creating and managing user accounts within the system, ensuring access controls are appropriately managed and maintained.

Personnel

Focuses on ensuring that all personnel interacting with GxP systems have the necessary qualifications, training, and experience to perform their assigned roles effectively and compliantly.

Audits

Regular assessments conducted to evaluate the effectiveness of security measures, data integrity controls, and overall compliance with regulatory standards. Audits ensure that systems are operating as intended and that any issues are promptly identified and addressed.

Product Assessment

Ensures that all products and components used within GxP systems meet predefined specifications and quality standards. This assessment is crucial to maintaining the integrity and reliability of data generated by these systems.

Supplier Evaluation

Involves assessing and selecting suppliers, contractors, and consultants based on their ability to meet specific GxP requirements. This process ensures that external partners contribute to maintaining compliance and system integrity.

Supplier Agreement

Establishes clear responsibilities and commitments between organizations and their IT suppliers. This includes obligations to notify about any significant changes to IT products or services that could impact GxP operations.

Records & Logs

Identifying and maintaining necessary records and logs as evidence of GxP compliance throughout their required retention periods. This ensures data integrity and traceability for audits and regulatory inspections.

System Development Life Cycle

Each GxP system must have certain features and a controlled SDLC process for delivering them. The specific features and SDLC controls that apply to each system depend on a variety of factors and are derived from regulations like 21 CFR Parts 11 and 820 in the US, Annex 11 and 93/42/EEC in the EU, and their international equivalents. The overall intent of these regulatory guidelines is to ensure that the GxP system fulfills its intended use and that the data is trustworthy and reliable.

Develop

GxP systems need to be developed following documented procedures that ensure the systems meet their specified requirements. Development activities include: planning, coding, building, configuring, testing, and deployment.

Validate

GxP applications need to be validated to ensure that software specifications conform to user-needs requirements, and the software infrastructure that the GxP applications runs on needs to be qualified to ensure that it meets the system requirements for the application.

Operate

Developing, conducting, controlling and monitoring GxP systems in production operations is important to ensure that they continue to conform to specifications. When end-user issues or system deviations occur, organizations with GxP systems also need to maintain a process for responding, correcting and preventing those issues.

• Change Control
• Service Level Agreement (SLA)
• End User Support
• Back and recovery
• Incident Response
• Corrective and Preventive Action (CAPA)

Conclusion

With the Cloud, organizations of any size can take advantage of solutions that will minimize the total cost of ownership, ensure pharmaceutical data integrity, and remove the need to plan and procure physical devices and IT infrastructure weeks or months in advance.

Cloud Validation is certainly a challenge, however following FDA and GAMP guidance many organizations are demonstrating that it is possible to utilize the Cloud in GxP regulated environment and thus secure the benefits that this innovative technology offers.