Are Your Cloud Computing Systems Compliant and Validated?

Posted on November 20th 2014 in Data Talk

In a recent blog post, my colleague Sam Anwar, our VP of Engineering, shared that life sciences companies have an opportunity to accelerate adoption of cloud computing and software-as-a-service (SaaS) IT models in order to speed up new product development, improve patient outcomes, and enable expansion into new markets, all while reducing costs and creating a more agile operating model.

Increasingly our clients are engaging external partners to provide cloud IT services and SaaS implementations. We have seen a significant increase in questions and requests from our clients to help them ensure these services and implementations are meeting Food and Drug Administration (FDA) requirements.

Sam’s post shared four primary challenges to overcome when using partners for cloud computing and SaaS IT models:

  • Physical security of the data center
  • Logical security
  • Shared network and computing resources
  • Customizable disaster recovery and business continuity plans

An equally important area to evaluate is how cloud IT and SaaS providers ensure their systems are validated. I’m so glad that sponsors are thinking about FDA requirements, because regulatory requirements do not change because the technology has changed. A number of regulations and guidance documents through the years have set the foundation for managing systems.

FDA guidance on cloud computing and data management systems

The life sciences industry is expecting guidance from FDA on the use of cloud computing environments along with data center management in early 2015. It is expected that the FDA will require documentation on the infrastructure itself, and the FDA will be expecting more than just system validation testing for these environments. Sponsors should expect the FDA will be looking to understand what the use of cloud computing means for data security and data integrity.

Evaluating partners

There are several important areas to evaluate when assessing your external partners, including:

Vendor audit

  • Verify that your partners are qualified to provide cloud-based or SaaS services, including employee qualifications, appropriate number of qualified personnel, and documented processes
  • Ensure a defined change control process is documented
  • Confirm that a validation strategy is in place and is followed

Risk assessment

  • Are there any known issues that could prevent use of this vendor? If so, outline a mitigation plan for any known risks.

User acceptance testing (UAT)

  • Confirm your partner has appropriate UAT to ensure the software meets the goals of its intended use

21 CFR Part 11 considerations (especially electronic records, electronic signatures, and security)

  • Does your partner understand what should be considered and what the impact is if there are gaps in expectations?

Service level agreements

  • Clearly communicate your expectations for availability and support
  • Evaluate how your partner is performing

Maintaining compliance

As an auditor, one of the questions I always look to answer when auditing partners that provide cloud-computing and SaaS services is, “how do you ensure your system remains in a validated state?” This becomes even more critical in a cloud computing environment where vendors typically upgrade the system on their schedule.

A critical area is to ensure your partners have a controlled process to manage each release. As a sponsor, strive for open communication with your partners about upgrades. Ask for specific details on the upgrade and complete an assessment of what testing activities need to be done for each release. Work with your partners to establish an upgrade schedule, so that you aren’t continuously evaluating software upgrades and performing validation activities.

Additionally, many of these systems are implemented using a multi-tenant architecture. It is important to know that if one client reports an issue, the vendor must update the other clients sharing this architecture about the issue and when it is resolved. Ensure your partners have processes in place to notify clients when these issues arise.

Join the conversation! What are your challenges in ensuring your cloud-computing and SaaS implementations remain compliant and validated?

about the author: ecs
