At USDM Life Sciences (USDM), we are committed to supporting life science organizations, enabling them to accelerate innovation and maximize productivity. USDM recently announced that we are now managing the continuous GxP compliance efforts for nearly 100 life sciences companies on our Cloud Assurance Platform. Cloud Assurance is a managed subscription service delivering end-to-end GxP cloud compliance from implementation through ongoing validation maintenance of new system releases.
Cloud Assurance provides customers a harmonized, continuous compliance experience across all their cloud vendors. We have worked hard to become the leading experts in cloud transformation for regulated companies over the last few years. Throughout this process, we have found that many of the same challenges and missteps continue to arise. In this post, we will share a few valuable lessons from our collective experiences to help guide life sciences companies as they examine their future IT system needs and consider moving to the cloud.
How does Cloud Assurance work?
Our Cloud Assurance platform is a managed subscription service delivering end-to-end GxP cloud compliance. There are four distinct phases to Cloud Assurance: Vendor Audit, Implementation and Validation, Continuous Compliance and Compliant Platform. For the purpose of this blog, we will be covering the first three phases.
Vendor Selection & Vendor Audit
All too often, the primary consideration for selecting a cloud vendor is cost. While we recognize this is a very important factor and often has little flexibility, the old saying remains true – you get what you pay for. With that in mind, it’s important to acknowledge that ensuring a vendor has well-documented, meaningful, and leverageable requirements is far more important to consider than cost.
Specifically, it is crucial to ensure the requirements include usable traceability to testing for Operational Qualification (OQ) replacement. Traceable vendor testing of requirements can provide the foundation for your own validation; it is a definite precursor to knowing that the vendor has a quality system in place and that they understand the needs of life sciences customers. Experienced, quality vendors will have these requirements, which will likely increase the upfront costs to their service. However, the benefits that these foundational requirements provide in the validation and maintenance phases will greatly reduce the risk mitigation effort all the way through system operation. Furthermore, by leveraging these requirements, you will ultimately drive efficiency and avoid rework, which could be even more costly in the long run.
Another challenge that customers regularly face is not knowing the right questions to ask potential vendors upfront. We often see that customers simply don’t know what they don’t know, and therefore don’t ask the questions that would allow them to properly assess a vendor’s capabilities. When assessing vendors, it is important to question the service and product quality, qualification of infrastructure, and especially how the vendor manages future updates and releases. For example, a clear and concise question regarding the precise nature of a vendor’s release strategy is critical:
- How often are changes made?
- Is it a set schedule?
- Does it fit with your maintenance capabilities (daily changes are harder to maintain than quarterly changes)?
- Is there a customer-specific testing environment provided to life sciences?
- Are the release notes clear and easy to understand as to the risk and relevant item?
Vendors that lack significant cGxP experience may not provide all the elements needed to maintain change control in a cGxP landscape. For example, a vendor must provision the testing environments to all critical cGxP end-users of the vendor’s application to properly perform their own testing and change management. Many times, the vendor is only thinking about their internal use cases and not the customer-specific intended use.
Implementation & Validation
During the second phase, validation of the system, we typically see multiple teams in play when dealing with isolated, fragmented IT systems. As customers transform their IT systems and move to the cloud, processes and workflows need to be aligned and complementary in the new collaborative cloud environment. This often creates challenges for gathering requirements, as different teams tend to have differing processes, opinions, and even inconsistent operational mandates within the same company.
The key to overcoming this all-too-common challenge is developing a clear cloud strategy that also has a game plan for how to drive adoption of these changes. Drawing on over a decade of experience in cloud systems implementation in the life sciences industry, the recommendations we make are specifically designed to help you select the right team members based on their influence, knowledge, skillset, and receptiveness to new methodologies and technologies to ensure success.
We have helped hundreds of organizations bring together the right team, made up of people with the appropriate knowledge and passion to embrace the new collaborative cloud environment. Educating and aligning stakeholders along the way is not simply about changes to technology, but also shifting mindsets and cultures to create the most productive and efficient outcomes possible. Our USDM staff of regulatory and technology experts bridge the gap between quality compliance and IT innovation to make sure the right people have a seat at the table and collaborate to optimize business operations.
Continuous Compliance Maintenance
The third phase of Cloud Assurance, compliance maintenance, involves taking the system that has achieved a compliant state, both from a regulatory and corporate standard, and keeping the system compliant as changes are introduced, be it voluntarily or driven by a vendor release cycle.
The most common misstep we see repeatedly is the customer underestimating the effort it takes from a time and manpower perspective to maintain compliance. If the vendor is selected appropriately and the system is documented and tested correctly in the validation process, then the maintenance phase can leverage those efforts significantly. Cloud Assurance takes care of the analysis of the changes, including the requirements creation, risk derivation, creation of appropriate tests, and execution of those tests in the customer’s unique test environment.
In many cases, the customer has initially opted to carry out the testing of new releases themselves, only to come back and request retrospective validation from us because critical elements of testing new releases were missed, compromising their compliant state. This meant that the customer was not in control of their system and the changes being made to it, creating burdensome risk to the business. Our proven error discovery and automated testing best-practice can uncover and correct potential cGxP problems far more quickly than an internal approach.
We’ve also seen inundated IT teams that prefer to hand off the complete management of cloud change control from start to finish, including approval routing to internal stakeholders, so they can focus on innovation and faster implementation of new product features. USDM can also manage your entire change management process.
The business decisions to be made in establishing appropriate levels of control for cloud vendor selection, qualification, validation, and maintenance are commensurate with the risk associated with the usage of each system. The closer a system is to the production of cGxP data and the end-product, the higher the potential risk as there are fewer gates to ensure appropriate risk mitigation.
At USDM, we know that the key to risk mitigation with cloud compliance is to develop a cloud strategy encompassing specific elements for each phase of the process from the very onset. We also know that your cloud strategy needs to be created with the appropriate flexibility and coverage to accommodate the nuances of the three types of cloud vendor services available: Software as a Service (SaaS), Infrastructure as a Service (IaaS), or Platform as a Service (PaaS). With 20+ years in regulatory compliance, thousands of cGxP projects delivered, and nearly 100 ongoing Cloud Assurance subscriptions managed, we know the requirements, we know the right questions to ask, and we know how to ensure a continuous state of compliance for your systems so you can get back to your real job – bringing quality products to market faster.
About the Author
David is an accomplished Life Sciences Regulatory and IS Compliance Professional with extensive hands-on and leadership experience in the Pharmaceutical, Medical Device, Biotech and Blood Management Industries, specifically in the fields of Computer Systems Validation, Risk Management, Issue Investigation – Root Cause Analysis and Remediation, Quality Assurance, Software Development Lifecycle, Lean IS Compliance Enhancement Initiatives, Business Analysis, Product Lifecycle Management and Systems/Process analysis with Compliance Roadmap development.
He is an acknowledged expert on a wide range of regulatory predicate rules and guidance including:
- 21 CFR Parts: 11, 203, 210, 211, 801, 803, 820 and 821.
- ICH Q7
- GAMP 5
Over the past decade, David’s engagements have been increasingly aligned with the validation of Cloud Systems and Applications, including both standard and custom solutions for Patient Case Management, Sample Management and Tracking, Content Management and Collaboration, Adverse Event Case Assignment Systems and MHRA Dispositioning systems coming under 21CFR Parts 203 (PMDA) and Part 11.