Deploying Validated (GxP) Systems in the Cloud
Pharmaceutical and medical device companies often have to process sensitive and regulated workloads while remaining compliant with good laboratory, clinical and manufacturing practices (GxP). This article deals with some of the challenges and considerations that could enable these companies to move validated workloads to the cloud without any compliance risks.
GxP systems are governed by SDLC regulations like 21 CFR Part 11 (or 820) in the US, Annex 11 and 93/42/EEC in the EU, and their other global equivalents. The intent of these controls is to ensure that data input, validation and integrity are trustworthy, because the data is used in the delivery of medical care, in the safety of medicinal products, and to make decisions about the safety and efficacy of medical devices.
Cloud-based GxP systems, unless part of a private cloud, are typically located outside the customer network and always involve software-defined infrastructure (virtual servers, firewalls, load balancers). This necessitates adherence to a security planning standard like NIST 800-13 or other regulatory guidance, e.g. FDA’s Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. It is important to note that these standards are not offered by cloud providers but generally via their partner network members. If the solution is being implemented in-house, new IT skills are necessary. If, however, the system is being implemented via a third-party vendor, it is the customer’s responsibility to identify the standard needed and to determine whether the vendor has expertise and previous experience in such implementations.
GxP system validation consists of process validation (human, equipment or instruments), software validation (application and data) and, in the case of cloud solutions, software infrastructure qualification. Traditionally, validation activities were manual and performed at a point in time. With this paradigm shift to the cloud, organizations need to update their validation practices to include the automated infrastructure model. For example, many API-based validation tools like Runscope are available and are being used to qualify system templates. API-based systems can also integrate with change control systems like Remedy and ServiceNow to provide full integration with iterative software deployments and GxP quality approvals.
Data from GxP systems is used to submit filings and registration documents to regulatory bodies. These authorities frequently audit organizations and expect them to comply with ever-changing industry and regional legislation. To ensure a successful audit, regulatory affairs professionals in an organization should have complete visibility into the number of users, their physical location, data locality requirements and any material change to (or discontinuation of) the cloud service.
GxP customers would typically need to modify their audit log types, format and retention guidelines in order to accommodate the volume and breadth of data captured by a cloud-hosted system. On most occasions, programmatically generated logs far exceed the volume of logs needed, but retention periods might necessitate moving these logs to an alternate location if it offers any cost savings. It is also necessary to ensure that the logs generated are in a format consumable by auditors.
Major cloud providers lead the industry in providing management frameworks that exceed the quality, security and trust standards for pharma or health science companies. They also offer products that conform to more than one service level. It is up to the implementing parties to choose an SLA that conforms to their solution architecture. In the absence of an out-of-the-box offering, the architecture may need to be modified to account for this gap.
Cloud-based systems in general require additional skills, especially in the areas of validation and security. For GxP systems, it is critical that employees or vendors undergo a formal qualification or certification before embarking on any implementation. This is especially true if a niche GxP service is being implemented and a managed service supplier is implementing or supporting the solution on the customer’s behalf.
Contrary to popular belief, moving a validated workload to the cloud can be easily accomplished if the few procedural adaptations described above are considered. Organizations that recognize this and adapt their GxP policies to leverage this transition to the cloud are poised to become industry leaders.