It is a challenging time for many traditional pharmaceutical companies. The competitiveness of the marketplace, the looming loss of patents, ever-increasing international regulatory requirements and pressure to lower the overall cost for healthcare – they all increase the burden and force these companies to find new approaches in order to survive in the industry.
Pharmaceutical companies are today driven to adopt strategies for reducing resources and costs, circumstances that have been tangible in other manufacturing sectors for some time. The expectation from IT departments is that they should support the business challenges and deliver cost-effective solutions without compromising quality, compliance, agility or flexibility.
Cloud computing seems to fulfil the promises of solving these business challenges and life sciences firms increasingly look to it for the universal remedy. However, how well does cloud computing coexist with GxP compliance and regulated environments?
Enter the cloud
So, first, what is cloud computing really? According to the often-cited definition from NIST:
»Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.«
From an IT viewpoint, cloud computing promises extremely fast and flexible solution delivery, on-demand scalability and high-demand business continuity services (i.e., easy backup and archiving).
A more holistic view on cloud computing would also consider advantages like cost benefits, simplified IT processes, increased productivity and employee satisfaction.
The concepts of cloud computing are indeed applicable to most pharmaceutical firms, due to ever-growing datasets, unpredictable traffic patterns, demand for faster response times, reduced time to market, and reducing the capital exposure of »owning« IT.
Since cloud-based offerings are commonly used by many companies within the pharmaceutical industry, chances are high that the development of these systems is done using »good practices«, as the vendors rely on input from all organizations using their services. Through such community-driven development, new functionality quickly becomes available to the organizations. This also makes cloud solutions more of a commodity than on-premises applications ever will be. However, it also inevitably implies that companies that decide in favor of a cloud solution need to make do with a common, »one size fits all« solution, in which the provided features only cover maybe 80% of the organization’s actual requirements. Thus, the companies need to adopt an »it is good enough« attitude.
If cloud computing offers all these benefits, why is the adoption of cloud-based solutions in the regulatory sector so slow? One obvious reason is the dilemma of innovation vs compliance, boosted by the absence of regulatory guidelines for the cloud. There is also the conservative mindset that is prevalent in the pharmaceutical world, which historically is known to be a risk-averse culture.
Some quality-related processes used by cloud providers are also »different« from the established internal processes; they can for example be more risk-tolerant than what life science companies are accustomed to.
Life sciences companies that conduct research and development often have a fear of losing control over legacy data and intellectual property. There is human resistance toward this less proven and somewhat unknown territory, in which the pharmaceutical companies may feel that they no longer have the control they are used to having. This is similar to the opposition that was widespread in the recent past, as these companies started moving from paper-based processes to electronic systems.
Once cloud computing comes into play, the roles and responsibilities within the validation process shift. Change management becomes more complex, as people outside of the regulated company now have access to make changes to a validated system.
Looking at the problem from the other side, not all cloud vendors have made sufficient preparations for onboarding regulatory customers. They often have diverse and heterogeneous customer bases, ranging from individual users to large multinational companies. The representation and importance of the pharmaceutical industry within the provider’s customer base is therefore frequently comparatively low, which restricts the influence pharmaceutical customers effectively have on the vendor.
Now and then, cloud vendors are unwilling to open up their companies and processes for scrutiny by multiple teams of auditors. If they do allow it, they often do not understand the need for regulated companies to perform individual audits and would prefer a common »GxP certification«. However, as of today, there is no officially recognized, standardized GxP certification process for cloud-based systems.
Approaching GxP Compliance in the Cloud
As a prominent cloud vendor points out on its web site:
»There is no GxP certification for a commercial cloud provider such as xyz«
»…offers commercial off-the-shelf (COTS) IT services according to IT quality and security standards such as ISO 27001, ISO 27017, ISO 27018, ISO 9001, NIST 800-53 and many others. GxP-regulated life sciences organizations are responsible for purchasing and using xyz services to develop and operate their GxP systems, and to verify their own GxP compliance.«
Therefore, while the cloud vendors do respect and implement several industry standards and guidelines, it is still the responsibility of the regulated company to verify GxP compliance.
For example, if processes are different at a cloud provider, those responsible for assuring that the processes are sufficient (e.g., internal QA, auditors, and health authorities) need to collaborate with the IT department and the cloud provider to understand the fundamentals. A pharmaceutical company expects a cloud provider to perform in-depth assessments of the impact on product quality and patient safety when the system is changed. Vendors are also expected to establish quality and validation plans during development and operation of the system to assure it is fit for use and can be properly maintained, and that the performance of all activities (development, testing, release etc.) is formally documented.
If a regulated company wishes to pursue the move to cloud-based services, a key factor for success is to evaluate risk thoroughly. Risks can be lurking in several areas, the most important being security:
- Accuracy, reliability, performance, and the ability to discern altered records
- Document encryption, use of digital signatures to ensure record authenticity, integrity and confidentiality
- User Provisioning, Identity and Access Management
- Security Audit Management
- Physical Security
- Protection of data at rest, in transit, and when it is processed
The cloud-specific security risks mainly relate to multi-tenancy and the »shared resources« character of cloud computing (i.e., the same physical infrastructure will often serve many different customers). To some extent, the customer gives up the control of security to the service provider, making it important to assess whether the provider complies with the security requirements.
Other major risks concern reliability of the system:
- Help desk and issue management
- Virtual machine management and interoperability
- Health and availability
- Facility maintenance
- Alerting and monitoring
- Performance details
It is also important to investigate procedures for Disaster Recovery and Business Continuity:
- System backup (frequency and location)
- Clustering and redundancy mechanisms
- Alternate storage and processing sites
- Alternate telecommunication services
Visibility and control also need to be assessed: which responsibilities does the provider have, and which are in the hands of the consumer? How is the system monitored and audited?
Road Map to the Cloud
It is neither feasible nor practical to bring all applications and data to cloud-based alternatives at the same time. Companies should rather look at establishing a clear »roadmap to the cloud« with a specific plan for each concerned component and application. In the first phase, some companies may want to consider »quick wins« or »low-hanging fruit«, e.g., smaller, potentially non-mission-critical applications that are comparatively easy to move to the cloud, in order to close projects successfully and on time.
Another viable approach is to identify applications with a high cost-saving potential, or applications whose performance would highly benefit from being migrated to the cloud.
Many companies categorize cloud computing as an IT topic and consequently place it within their existing IT departments. Although this would seem to be the obvious choice, it could lead to less successful cloud migration projects, as it places an additional burden on the existing IT team. Cloud computing also implies learning new technologies and acquiring additional skills, which the existing team members may not yet have. If companies instead define and create a dedicated team for cloud computing, which has very specific focus and expertise, they will be more agile in moving away from on-premises solutions. A separate cloud unit would generally also be keen to automate most of the steps for build and deployment, which can result in much higher productivity and faster time to market for each application.
This article has attempted to shine some light on common obstacles and pitfalls life sciences companies may encounter on their road to the cloud, and how they can be overcome.
Taking the step to cloud-based solutions is not trivial for regulated companies, which have to adhere to regulations and internal quality standards while simultaneously carrying the pressure to maintain cost-efficiency and market edge. However, in the medium term, there will be no alternative route.
When considering moving to the cloud, a company can also take intermediate steps. My colleague Daniel Pelke, member of the executive board at fme, shares his thoughts around different ways to make the move to the cloud: Traditional or cloud-native? Why not something in between?
If you have any questions on this topic, please do not hesitate to contact me.