Skip Ribbon Commands
Skip to main content
< BACK

Steering IaaS adoption through regulatory thresholds

​Moving to the cloud is not an easy decision for any organization, and it is harder still for those that handle sensitive data. It is, therefore, no surprise that it is a particularly difficult chal- lenge for life sciences companies with high levels of regulatory obligations. The GAMP Cloud Computing Special Interest Group set out to explore the practicalities involved when contemplating such a move. The conclusions are presented in the article “Challenges for Regulated Life Sciences Companies within the IaaS.”* We caught up with one of its authors, Anders Vidstrup, Senior IT Quality SME at NNIT, for an introduction to some of the key factors to be considered.

Determining scope and its impact on control span

Cloud computing continues to evolve, and it is worth contemplating the scope that is under review and how this scope alters the level of control that is transferred.

In traditional IT, a company controls every- thing in-house: applications, data, middleware, operating system, virtualization, servers, storage, and networking. However, once the company moves to a model like Infrastructure as a Service (IaaS), the control of virtualiza- tion, servers, storage, and networking is in the hands of the IaaS provider. If the company moves to Platform as a Service (PaaS), the provider takes over runtime, middleware, and the operating system as well. By the time you reach Software as a Service (SaaS), the pro- vider controls even more, up to and including the application and associated data.

However, this doesn’t mean that the life science company is handing over the entire responsibility and control.

The art of delegation

Even as the level of control changes, regulated entities, like life science companies, need to remain accountable for integrity and compliance. This means they need to feel confident that while they may have delegated responsibilities for the day-to-day manage- ment, and in some cases handling of data, there is sufficient transparency and trust in the service provider’s process.

In such an environment, success comes from understanding the workload that is the sub- ject of the proposed transfer, and matching it to the capability of the service provider. Three key questions are critical at this stage:

  1. Whether data is sensitive;
  2. Whether there is a highly variable load;  and
  3. Whether it is relatively easy to integrate with what’s already there.

Data sensitivity is the first question. Often, the conclusion is that only if the data is of low to medium sensitivity is it suitable for cloud. The five-stage risk assessment framework in accordance with GAMP 5 principles provides additional guidance. Once the proposed workload is better understood, the associated quality requirements will guide the selection of the service provider.

Quality in context

Service quality needs to be assessed through a lens that encompasses several parameters. Broadly speaking, these parameters comprise their total position in regard to the life sciences sector in particular, with specific references to ISO-based standards, as well as industry-specific expectations.

Three categories emerge: “life sciences targeted,” “life sciences aware,” and “life sciences aware (low).”

  • “Life sciences targeted” providers are able to provide private cloud, IaaS, PaaS, and some SaaS that will be compliant with regulations for regulated life sciences com- panies. They will use good documentation practices, in line with the infrastructure good practice guide, and will be able to demon- strate that their IaaS solution is suitable and well-documented. They will also be able to support customer-specific requirements, such as a change agreement, required for compliance. They will allow on-site audits  by customers to prove compliance.
  • “Life sciences aware” providers are unlikely to be able to provide the same degree of quality of documentation practices or customized support. There will be some basic qualification support available, and they are likely to permit on-site audits, although they may charge a fee.
  • “Life sciences aware (low)” providers will provide only IaaS with some limited PaaS, and will not be able to provide the docu- mentation support at all. However, they could be the right solution for low-risk business activities, which is where the assessment of the sensitivity of the data comes into play.

Leveraging best practices

Engaging cloud service providers should not be seen as a novel exercise. Regulated firms have a wealth of experience from other service engagements that can be leveraged.

The contract and the contract development process will be the most effective means for managing the relationship. This process will include specifying deliverables and provider commitments held in the Statement of Work (SOW). The translation of this SOW into a Service Level Agreement (SLA) creates the basis of the operational measures of the service.

While the move to the cloud for regulated firms has unique challenges, by understanding the workload, profiling service providers, and leveraging best practices, risks can be mitigated.

*References:

“Challenges for Regulated Life Sciences Companies within the IaaS,” by Robert Streit and Anders Vidstrup, members of the GAMP Cloud Computing Special Interest Group. The article is published in Pharmaceutical Engineering, September/October 2014 VOL. 34, NO. 5. ©Copyright ISPE 2014.

 

 

 

 

 

 

NNIT here+45 7024 ​4242nnitcontact@nnit.com ​​​​​​​​​​​​https://dk.linkedin.com/company/nnitNNIT here

 

 

Shaping the standards for cloud solutions in GxPhttps://www.nnit.com/OfferingsAndArticles/Pages/Shaping-the-standards-for-cloud-solutions-in-GxP.aspxShaping the standards for cloud solutions in GxP
NNIT Enterprise Hybrid Cloud for life scienceshttps://www.nnit.com/Life-Sciences/gxp-outsourcing/Pages/gxp-cloud.aspxNNIT Enterprise Hybrid Cloud for life sciences
How to get started with Data Managementhttps://www.nnit.com/OfferingsAndArticles/Pages/How-to-get-started-with-Data-Management.aspxHow to get started with Data Management
Simplifying Data Management and Achieve Agility While Remaining Complianthttps://www.nnit.com/OfferingsAndArticles/Pages/Simplifying-Data-Management-and-Achieve-Agility-While-Remaining-Compliant.aspxSimplifying Data Management and Achieve Agility While Remaining Compliant
NNIT positioned as a Major Contender by Everest Grouphttps://www.nnit.com/OfferingsAndArticles/Pages/NNIT-Everest-Group.aspxNNIT positioned as a Major Contender by Everest Group
A future in the sky – Managing digital transformation through outsourcing and cloud serviceshttps://www.nnit.com/OfferingsAndArticles/Pages/a-future-in-the-sky-.aspxA future in the sky – Managing digital transformation through outsourcing and cloud services
How Enterprise Hybrid Cloud enhances life sciences’ ability to competehttps://www.nnit.com/OfferingsAndArticles/Pages/ehc-enhances-ls-ability-to-compete.aspxHow Enterprise Hybrid Cloud enhances life sciences’ ability to compete
Easy access to the GxP compliant cloudhttps://www.nnit.com/OfferingsAndArticles/Pages/ehc-life-sciences.aspxEasy access to the GxP compliant cloud
Cloud control for life science IT companieshttps://www.nnit.com/OfferingsAndArticles/Pages/NNIT_Cloud_control_for_LS_IT_companies_article.aspxCloud control for life science IT companies
In safe handshttps://www.nnit.com/OfferingsAndArticles/Pages/Article_World_Pharmaceutical_Frontiers.aspxIn safe hands