The Life Sciences sector can use cloud to better leverage R&D, genomic research, collaboration, open innovation and manufacturing processes. Cloud computing can help cut costs, improve speed and flexibility in service provisioning, leverage distributed infrastructure availability and foster the sharing of innovative ideas.
Cloud Models for the Life Sciences Arena
In the Life Sciences space, as with other industries, cloud adoption is being leveraged within a service-deployment matrix. Enterprises are choosing between Software as a Service (SaaS), Platform as a Service (PaaS), Business Process as a Service (BPaaS), and Infrastructure as a Service (IaaS) in private, community, public, or hybrid deployment modes. Such a matrix enables ubiquitous, convenient and on-demand access to a shared pool of networks, servers, storage, applications, and services.
Implications of US FDA 21 CFR
The chief characteristics of the cloud are its rapid elasticity, resource pooling, on-demand self-service, broad network access, and measured services, which result in less control and, in turn, higher risk for data integrity. These characteristics have a direct impact on regulatory predicate rules governing change management, data integrity, qualified platforms, security, quality, monitoring, and oversight. This makes the pharma industry – a domain governed by stringent rules and regulations – hesitant to embrace cloud computing.
Securing Life Sciences Cloud Applications
The regulations that were applicable prior to the advent of cloud computing will continue to be in force. The requirements laid out by the US Food and Drug Administration’s (FDA’s) Code of Federal Regulations Title 21 (21 CFR) Part 11 or the European Union’s (EU’s) Annex 11 are specific regarding what is needed for data quality, integrity, security, access control, audit trails, encryption, and so on.
The work required to meet the requirements of Sarbanes-Oxley has been captured within Information Technology General Controls (ITGC).
Building a strong internal control program within IT can be accomplished through a risk control matrix (RCM). An RCM will require taking a risk-based approach and detailed planning of controls. It would include both internal and external controls, developed, implemented, and monitored to address the risks that technology introduces. Opting for relevant certifications and following appropriate frameworks would address security controls.
Cloud-based implementation of US FDA 21 CFR Controls
Life Sciences companies aiming to deploy a cloud service must protect intellectual property and demonstrate regulatory compliance in areas such as privacy and reporting. This has become possible in cost-effective ways.
Internal Controls for Cloud Adoption
Internal controls could include developing an RCM. However, it should identify risks and mitigation controls for program access, program development, program change, and infrastructure controls.
External Controls for Cloud Adoption
The external controls could comprise the 21 CFR Part 820 Good Manufacturing Practices (GMP) regulations for medical devices and suppliers, covering:
- Quality audits
- Supplier evaluations
- Ongoing supplier reviews
- Definitions of type and extent of control to be exercised over products, services, suppliers, contractors, and consultants
Ensuring the Ongoing Assessment of Controls
A system of ongoing assessment of the controls that need to be put in place is required as a means to detect changes and to take risk-based decisions. These controls have been effectively captured by FedRAMP and comprise 450 low and moderate controls, and enhancements to secure a cloud service.
Assurance for Life Sciences Applications on the Cloud
Assuring thorough, rigorous, and up-to-date implementation of both internal and external controls is where cloud testing and a risk-based approach to compliance comes in.
Cloud testing in Life Sciences covers product or application testing, which mainly include functional, performance, security, compatibility, usability, stress, and scenario testing; browser and OS compatibility testing; globalization; and accessibility. . Cloud service providers should also consider implementing processes that address de-clouding, that is retracting IT assets from the cloud service.
Starting off by acknowledging the risks involved and then ensuring compliance with regulatory requirements, while taking a risk-based approach to validating computer systems, will result in deploying the right cloud services for strategic business and operational needs.