Moving to the cloud is not an easy decision for any organization, and it is harder still for those that handle sensitive data. It is, therefore, no surprise that it is a particularly difficult challenge for life sciences companies with high levels of regulatory obligations. The GAMP Cloud Computing Special Interest Group set out to explore the practicalities involved when contemplating such a move. The conclusions are presented in the article “Challenges for Regulated Life Sciences Companies within the IaaS.”* We caught up with one of its authors, Anders Vidstrup, Senior IT Quality SME at NNIT, for an introduction to some of the key factors to be considered.
Cloud computing continues to evolve, and it is worth contemplating the scope that is under review and how this scope alters the level of control that is transferred.
In traditional IT, a company controls everything in-house: applications, data, middleware, operating system, virtualization, servers, storage, and networking. However, once the company moves to a model like Infrastructure as a Service (IaaS), the control of virtualization, servers, storage, and networking is in the hands of the IaaS provider. If the company moves to Platform as a Service (PaaS), the provider takes over runtime, middleware, and the operating system as well. By the time you reach Software as a Service (SaaS), the provider controls even more, up to and including the application and associated data.
However, this doesn’t mean that the life science company is handing over the entire responsibility and control.
Even as the level of control changes, regulated entities, like life science companies, need to remain accountable for integrity and compliance. This means they need to feel confident that while they may have delegated responsibilities for the day-to-day management, and in some cases handling of data, there is sufficient transparency and trust in the service provider’s process.
In such an environment, success comes from understanding the workload that is the subject of the proposed transfer, and matching it to the capability of the service provider. Three key questions are critical at this stage:
Data sensitivity is the first question. Often, the conclusion is that only if the data is of low to medium sensitivity is it suitable for cloud. The five-stage risk assessment framework in accordance with GAMP 5 principles provides additional guidance. Once the proposed workload is better understood, the associated quality requirements will guide the selection of the service provider.
Service quality needs to be assessed through a lens that encompasses several parameters. Broadly speaking, these parameters cover the provider’s overall position with regard to the life sciences sector in particular, with specific reference to ISO-based standards as well as industry-specific expectations.
Three categories emerge: “life sciences targeted,” “life sciences aware,” and “life sciences aware (low).”
Engaging cloud service providers should not be seen as a novel exercise. Regulated firms have a wealth of experience from other service engagements that can be leveraged.
The contract and the contract development process will be the most effective means for managing the relationship. This process will include specifying deliverables and provider commitments held in the Statement of Work (SOW). The translation of this SOW into a Service Level Agreement (SLA) creates the basis of the operational measures of the service.
While the move to the cloud for regulated firms has unique challenges, by understanding the workload, profiling service providers, and leveraging best practices, risks can be mitigated.
“Challenges for Regulated Life Sciences Companies within the IaaS,” by Robert Streit and Anders Vidstrup, members of the GAMP Cloud Computing Special Interest Group. The article is published in Pharmaceutical Engineering, September/October 2014 VOL. 34, NO. 5. ©Copyright ISPE 2014.