‘Have you heard of CSV?’ part 6. CSV and the Cloud.

By now the readers of the CSV-series blogs probably know relatively well what CSV stands for, its significance to the life sciences industry and its relation to risk assessments, suppliers of computerized systems and audits. In the last few years, a new way of computing has attracted life sciences companies, one that most of us use often for online data storage or for our email needs. This type of computing is called ‘Cloud computing’, also known as ‘the Cloud’, and it is evident that life sciences companies have increasingly started to embrace it. There is plenty of information available that describes what the Cloud is and how it is utilized in general. In this article we briefly introduce the Cloud and we examine its relationship with Computerized System Validation (CSV) in the life sciences industry. We follow the guidance given by the four points below:

• Brief synopsis of the Cloud
• The Cloud in life sciences
• CSV and the Cloud
• Path to address the risks

References [1], [2], [3], [4], [5] may help the reader (i.e. professionals associated with the life sciences, IT and CSV experts, and other interested parties) catch up on earlier concepts and CSV-related terminology.

Cloud service models, deployment models, benefits, risks

The term ‘Cloud’ or ‘Cloud computing’ refers to a distinct IT environment that is designed to provision IT resources and services remotely or out-sourced in comparison to the traditional model in which the IT resources and services are provisioned from ‘in-house’ and within a conventional IT organization. According to the US Food and Drug Administration (FDA), “Cloud computing is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the internet”.

The Cloud offers its users a variety of service models (Fig.2) and different deployment models (Fig.3), thereby allowing the Cloud users to choose the best options according to their business, compliance and regulatory requirements. The Cloud IT resources are provisioned by companies known as Cloud Service Providers (CSPs). As we can imagine, using the Cloud yields numerous benefits but also may entail serious risks for the Cloud users, all of which need to be carefully considered when an organization decides to make the transition from an IT environment located ‘on premises’ to an outsourced ‘Cloud-based’ IT environment. In the life sciences industry, although the CSP cares for the data residing in the Cloud, it is ultimately the responsibility of the customer (i.e. the Cloud user, the GxP-regulated company) to ensure that any data residing in the Cloud complies with the applicable regulations.

Figure 1. Cloud computing – The Cloud.

 

Figure 2. Cloud service models. Figure obtained from [6]. The important thing to see in this figure is that in the SaaS model, the Cloud vendor or CSP manages all the IT resources, compared to the traditional on-premises IT model, where the GxP-regulated firm (i.e. the customer) manages all the IT resources (IaaS: Infrastructure as a Service, PaaS: Platform as a Service, SaaS: Software as a Service).

 

Figure 3. Cloud deployment models are characterized by ownership, access, size, sensitivity of data hosted in the Cloud environment, and ways of provisioning and managing IT resources. Reference [19] describes the Cloud deployment models in detail.

 

Figure 4. General benefits and risks of Cloud computing. Each Cloud service and deployment model holds its own benefits and risks. The key message from this figure is to choose the right service and model according to user requirements.

A very good description of the Cloud and its properties is given in [7]. Wikipedia also offers some description of the origins and evolution of the Cloud [8].

 

The Cloud in life sciences

The use of Cloud computing in many industries is nowadays becoming increasingly commonplace [20], [21]. However, it is generally suggested that the life sciences industry is lagging in the widespread use and implementation of the Cloud, especially in the GxP (Good x = manufacturing, laboratory, distribution Practices) area.

But why is it so difficult to adopt a promising and widely well-received technological development such as Cloud computing into the ranks of the GxP world in the life sciences?

One possible answer is the current lack of pharma industry regulations and data transfer agreements that should specifically apply to Cloud computing. Apart from some attempts by the GAMP community and the EU GMP (Annex 11) to provide some guidance on the compliance implications regarding the Cloud, to this day the FDA, or any other regulatory body for that matter, has not provided a clear, standardized set of regulations or instructions regarding the use of Cloud computing in the area of GxP in the life sciences. The Cloud Special Interest Group (SIG) within the GAMP community appears to be leading the efforts and is currently in the process of generating relevant guidelines that should help interested parties. The goal is to facilitate the standardization of regulatory requirements surrounding implementation of the Cloud in the GxP area [9].

A second possibility is the strict regulations on data integrity (confidentiality, privacy, availability, security). The life sciences industry is still focusing more on the risks of the Cloud than on its benefits. In other words, due to the sensitivity of the data and its potential effects on patient safety and privacy, life sciences companies choose to be extremely cautious and conservative in adopting Cloud computing for GxP purposes.

Another possible reason is that the pharma industry has been genuinely held back from implementing Cloud computing in GxP areas. This is mainly due to the daily reports of cyberattacks, the apparent instances where IT security has failed, and the countless data breaches that impact companies and governments around us worldwide [10], [11].

A fourth possible reason could be the lack of understanding, or lack of early adoption, that life sciences companies have of Cloud computing models and risks [11].

Finally, it could also be that Cloud Service Providers (CSPs) so far may not appear very ‘excited’ to tailor their Cloud solutions in such a way so as to satisfy the relatively strict regulations of the life sciences industry [6].

On the other hand, we are increasingly seeing that Cloud computing is being implemented in non-GxP areas in the life sciences industry, such as:

Non-GxP area: Cloud computing enables improvements in

  • Sales activities: Customer Relation Management (CRM) applications
  • Digital marketing: Communication between health care practitioners and patients
  • Social media: Advertising and file-sharing
  • Mobility applications: Patients check and monitor their health status or their sports activities
  • Research & development: Collection and availability of large amounts of data; collaboration

Apart from the Cloud’s advertised cost-effectiveness, it is proposed that Cloud computing can/will transform the life sciences industry by improving collaboration, increasing availability of data and by enabling global interactions among pharmaceutical companies [12]. The take-home message is that Cloud computing is here to stay and that the life sciences industry is soon going to adopt it. In the sections below, we shall see how CSV can contribute towards this adoption and what some unresolved/remaining risks are.

CSV and the Cloud

Let us focus on the specifics now and where CSV falls into what we have been discussing so far.

Validation of a GxP application

As we have described in previous CSV blogs, applications and processes must be validated if they are being used in a GxP-regulated environment. Additionally, evidence must be present to show that computerized systems perform as intended according to user and regulatory requirements. In the previous CSV blogs we have discussed how the CSV methodology applies to computerized systems hosted by the organization’s own IT department, which is the traditional, on-premises, IT environment.

Qualification of the IT infrastructure

As the EU Annex 11 states, not only does the GxP application need to be validated, but the IT infrastructure hosting GxP processes and data should be qualified as well [14]. This is also supported by the GAMP 5 guidance [15]. The IT infrastructure that supports the validated GxP application includes the servers, network devices and storage arrangements. Qualification of the IT infrastructure in this context refers to the ability of the IT environment to provide all that is needed from an IT perspective, so applications that are hosted by this environment can perform as intended. So, a qualified IT environment provides the assurance that it is ready to accept or to host GxP data and that it does operate under controlled processes. The IT infrastructure by definition does not get validated, but it gets qualified. The IT infrastructure must show evidence that at least the most basic processes such as security management, change control and others are in a controlled state. Evidence showing that the IT infrastructure is in a controlled state supports the qualified state of the IT infrastructure [16].

The same CSV principles that apply to the traditional IT environment also apply to the infrastructure supported by the Cloud. So, the key message here is:

  • Applications handling data classified as GxP that are hosted in the Cloud must be validated
  • The Cloud IT infrastructure provided by the CSP must be qualified.

The Cloud IT services must comply with industry regulations and the Cloud itself must be shown to be qualified so it can host GxP information. Implementation of the Cloud needs CSV. Below are the steps to achieve this and helpful references that can be used as guides:

  1. Perform risk assessment (assess business, compliance impact of transitioning to the Cloud, assess Cloud models) – [2] and [3]
  2. Collect user requirements (choose Cloud model and specify requirements) – according to [2]
  3. Select the CSP – [4]
  4. Audit the CSP – [5]
    • Obtain evidence that the Cloud IT infrastructure is qualified (CSP’s responsibility).
    • Request industry-acceptable compliance certificates
  5. Any application containing GxP data that resides on the Cloud must be validated. (GxP-regulated company’s responsibility – customer)
    • Validate the GxP application by generating the necessary validation documents. Can be done according to guidelines described in [2], [17] and [18].
  6. Obtain a good Service Level Agreement (SLA) with the CSP – [4]
  7. Maintain validated state of GxP applications hosted in the Cloud – [2]
  8. Ensure audit-ready state of both GxP applications residing in the Cloud and of the Cloud IT infrastructure – [5]

Correctly applying the CSV methodology can facilitate the utilization of Cloud computing in the life sciences industry. The CSV methodology and its related concepts, which we have described in previous CSV blog posts, could be applied to validate a GxP application in the Cloud and to qualify the Cloud as well. This would help to ensure that GxP applications residing in the Cloud meet user requirements and comply with industry regulations.

 

Path to address the risks

As we pointed out earlier in this post, concrete regulations covering the use of Cloud computing in the GxP area are not yet available, hence the risks shown in Figure 4 do remain in most cases.

In order to address and potentially solve these risks, it would be advantageous to look carefully from three different points of view (user, CSP, regulator). Presently, the general FDA regulations could be used as guidance, but more work should be done before Cloud computing is widely implemented for GxP purposes. The following are some approaches to mitigate the risks associated with adoption of the Cloud in the GxP area:

  • From the User’s perspective
    • Perform appropriate risk assessment on choosing the most appropriate Cloud computing service model and deployment model (see Figures 2 and 3).
    • Identify and communicate user requirements clearly to the CSP.
    • Ensure thorough validation approach for GxP applications residing in the Cloud.
    • Ensure that the Cloud infrastructure is qualified to host GxP data.
  • From the CSP’s perspective
    • Improve security and cybersecurity controls for data access, data protection (VPN, encryption, multi-layered defence), data storage, retention, backup, retrieval.
    • Assure integrity of the data residing in the Cloud.
    • The CSPs need to understand, accept and enforce the life science industry’s requirements onto their Cloud solutions. Their life science customers are going to appreciate this.
    • CSPs must be willing to be audited by life sciences companies and possibly also by life sciences regulators – as we saw in previous blogs for suppliers of computerized systems [4], [5].
  • From the Regulator’s perspective
    • Life sciences industry regulations that apply to the use of Cloud computing need to be communicated clearly to Cloud users and to CSPs by the relevant regulatory agencies.
    • Geographical considerations and different country privacy laws regarding the protection of GxP data need to be clarified.

 

Conclusion

In this post we presented a brief description of the characteristics of Cloud computing and examined some of the possible reasons Cloud computing is slow to be adopted by the life sciences companies for GxP purposes. We also described how applying the CSV methodology can enable the utilization of Cloud computing in the GxP area. Lastly, we highlighted the three different angles that must be considered in order to address and potentially solve the risks associated with the utilization of the Cloud in the GxP area. Cloud computing is a promising technological development with numerous potential advantages, but it is also one that needs to be carefully harnessed. Mutual understanding of requirements between users (life science companies), cloud service providers (CSP) and regulators (FDA, etc.) needs to be improved in order for Cloud computing to be adopted into the regulated operations of life sciences organizations.

References (links)

  1. Have you heard of CSV? Do you want to learn more about it? 09 Mar 2015.
  2. Have you heard of CSV? Part2. Do you want to learn even more about it? 24 Apr 2015.
  3. Have you heard of CSV? Part 3. The risk-based approach in CSV. 17 Jun 2015.
  4. Have you heard of CSV? Part 4. Suppliers of Computerized Systems in CSV. 06 Aug 2015.
  5. Have you heard of CSV? Part 5. Audits in CSV. 09 Nov 2015.
  6. Cloud Computing in a GxP Environment: The Promise, the Reality and the Path to Clarity. By the GAMP Cloud Computing Special Interest Group (SIG). Pharmaceutical Engineering January/February 2014, Vol.34. No.1.
  7. http://whatiscloud.com/
  8. https://en.wikipedia.org/wiki/Cloud_computing
  9. GAMP Americas Celebrates 15th Birthday. Pharmaceutical Engineering October 2015, Volume 35, Number 5.
  10. IT Governance blog home. http://www.itgovernance.co.uk/blog/
  11. Compliant Cloud Computing – Managing the Risks. By David Stokes. Pharmaceutical Engineering July/August 2013, Vol.33, No.4.
  12. Cloud computing changes the game. By Accenture Life Sciences, 2013. https://www.accenture.com/t20150523T061907__w__/us-en/_acnmedia/Accenture/Conversion-Assets/Microsites/Documents3/Accenture-Insight-Life-Sciences-Cloud-Computing.pdf
  13. How to grow revenue and increase competitiveness through digital transformation. By Canopy, an ATOS company. https://canopy-cloud.com/sites/default/files/ressource/canopy_digitaltransformation.pdf
  14. European Commission Volume 4. Good Manufacturing Practice Medicinal Products for Human and Veterinary Use. Annex 11: Computerized Systems. 2011. http://ec.europa.eu/health/files/eudralex/vol-4/annex11_01-2011_en.pdf
  15. GAMP5: A Risk-based approach to Compliant GxP Computerized Systems. ISPE 2008
  16. GAMP® Good Practice Guide: IT infrastructure Control and Compliance, September 2005. Published by ISPE GAMP.
  17. Validation of Applications in a Cloud. By Ivan Soto. Journal of Validation Technology, IVT. April 1, 2015. http://www.ivtnetwork.com/article/validation-applications-cloud
  18. The 5 Stages of Qualifying & Validating a Virtual Environment. Journal of Validation Technology, IVT. February 21, 2014. http://www.ivtnetwork.com/article/5-stages-qualifying-validating-virtual-environment
  19. Cloud deployment models. http://whatiscloud.com/cloud_deployment_models/index
  20. Cloud adoption. http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2015-state-cloud-survey
  21. Cloud adoption across industries. https://www.gartner.com/doc/2027216

Author: Ilias Christodoulopoulos
LinkedIn: http://ch.linkedin.com/in/iliaschristodoulopoulos
Publisher: Atos Consulting CH