The short version: Moving GxP workloads to the public cloud doesn't mean trading away compliance. The questions below, answered live during USDM's webinar, cover how to approach multi-cloud, validation, SDLC and Agile delivery, RPA versus AI, and how to leverage SaaS vendor documentation. The thread running through every answer: start with your intended use, keep Quality and IT aligned, and build continuous compliance into the pipeline rather than bolting it on after the fact.
These questions were asked during the How to Maximize Your GxP Use of the Public Cloud webinar
Multi-Cloud and the Unify Public Cloud Methodology
How do you handle multi-cloud environments?
A multi-cloud environment could be all private, all public, or a combination of both. Using a multi-cloud environment, you can distribute your cloud computing among different providers because they each have their own skillset, but you still reduce the risk of downtime.
USDM’s Unify Public Cloud (UPC) methodology is tech agnostic and starts with your intended use. We leverage this for your framework whether it's a single cloud or a multi-cloud environment.
Start with intended use, not the tool. UPC is deliberately technology agnostic. Whether you land on a single cloud, multi-cloud, or hybrid model, the methodology anchors on what the system is for and where you are in your cloud journey — so compliance decisions follow the workload, not the vendor.
Is the Unify Public Cloud solution in the public cloud, a private cloud, or is it a hybrid?
UPC is focused on the public cloud, but it can be used across all options. If you have a multi-cloud solution that includes public, private, or hybrid, it's tool agnostic.
How does USDM work with vendors and partners like Microsoft, Google, and AWS in terms of the services provided?
USDM works with top-quality cloud vendors. Unify Public Cloud was developed in a partnership with Microsoft, but the methodology applies across all clouds. Life sciences customers need continuous compliance; regardless of the vendor you choose, USDM keeps you compliant across your tech stack. Sustaining that posture over time is exactly what USDM Cloud Assurance is built to do.
Applying the Methodology to GxP Validation
Do you apply this methodology to GxP validation? Have you deployed this methodology at a large enterprise company?
Yes, we apply this methodology to your cloud projects and validation activities. We look at your system holistically to ensure alignment between Quality and IT, and business owners and user groups, then we keep you continuously compliant. A risk-based computer software assurance (CSA) approach lets us focus testing effort where it actually reduces patient and data risk.
Read this case study to learn how USDM deployed this methodology at a global pharmaceutical company.
We look at your system holistically to ensure alignment between Quality and IT, and business owners and user groups — then we keep you continuously compliant.
Data Readiness Before Migration
How do we go about cleaning up our data and getting it in order before migrating it?
As the saying goes, “garbage in, garbage out,” so you want to make sure your data is cleaned up before you migrate it. You can’t do cool stuff with advanced analytics if you’re using bad data. Migration is also the right moment to confirm that the controls behind data integrity in life sciences — attributable, legible, contemporaneous, original, and accurate records — carry forward into the new environment.
Can you apply this methodology to applications running on platforms in the cloud (for example, Salesforce)?
Yes. With Azure, AWS, and GCP, you can host multi-faceted platform applications on an infrastructure. But there are also native clouds, for example Salesforce runs on the Salesforce Cloud, but we can take this same approach. It starts with identifying your intended use and where you are in your cloud journey. We have detailed frameworks that are tailored to your needs.
SDLC, DevOps, and Agile Delivery
Does Unify Public Cloud integrate with SDLC?
Yes. From the beginning of the process, we are evaluating your processes, including your software development lifecycle: Do you manage it, who are your vendors, and what are their SDLCs? We hit the key points to keep you continuously compliant so when releases come out, we know that testing was done and we can leverage vendor audits.
How do you operate where products and apps use an Agile methodology?
Our DevOps framework delivers continuous integration and continuous development of your process and enables the software delivery pipeline. USDM’s UPC solution ensures continuous validation and compliance.
The framework provides DevOps best practice configuration to fully manage your private code repository and automate workflows with verification and validation embedded in your process. The result is a GxP compliant software delivery pipeline with automated compliance and security, allowing you to increase the quality and frequency of your deployments to meet customer and business needs.
How UPC Keeps a Cloud Pipeline GxP Compliant
- Intended use first — define what the system does and the regulatory risk it carries before selecting tools.
- Align Quality and IT — bring Quality, IT, business owners, and user groups to the same view of the system.
- Embed validation in the pipeline — verification and validation live inside CI/CD, not in a separate post-release phase.
- Leverage vendor audits — use audited SDLCs and vendor qualification evidence to avoid re-testing what's already proven.
- Sustain continuous compliance — keep the system in a validated state as releases ship and the cloud evolves.
RPA, AI, and Automation Economics
Please expand on the differences between RPA and AI.
RPA is an automation technology takes the repetitive, time consuming, and non-value added work you hate off your plate. AI can expand automation into new areas to automate complex processes and tasks, allowing AI robots to go beyond execution to "thinking" and enable automation of processes that include uncertainty, high variability, and unstructured data.
What is the cost to build a bot versus the value it generates for an organization?
Bot licensing can be expensive depending on the tools, but if you're saving about 70% of an employee's costs with improved efficiency, then it starts to become economically positive.
Is RPA more for business processes or for automated testing for validation?
RPA is typically for business process automation.
Do you have any experience with optical character recognition (OCR) automation in use cases for GxP systems?
Our first use was DocuSign e-Signature verification where you'll see an image that has the user ID, date, and time of the signature attached to the document. For document validations, we use OCR to verify the sign-in, the time, and the date. Electronic signatures in a GxP context have to satisfy 21 CFR Part 11 controls, so the verification step matters as much as the signature itself.
Leveraging SaaS Vendor Documentation
What is your position on the EMA notice to sponsors and being able to leverage validation documentation from SaaS vendors? How does this fit into your validation process for GxP system such as an EDC system?
EMA allows you to leverage the data from software vendors if you audited the vendor and understand their quality systems and qualification activities. You must see that they’ve done the work that they said they would do and you must have access to it. Several of our vendors are starting to provide this public facing content for their customers. Building that into a repeatable third-party risk management program is what turns a one-off vendor audit into a defensible, ongoing control.
Talk to USDM About Your Cloud Strategy
Whether you're planning a first migration, untangling a multi-cloud estate, or trying to keep validated systems compliant as releases accelerate, USDM can help you do it without slowing down. Contact us to discuss how the Unify Public Cloud methodology applies to your intended use.
FAQ: GxP Workloads in the Public Cloud
What is USDM's Unify Public Cloud (UPC) methodology?
UPC is a technology-agnostic methodology for running regulated workloads in the cloud. It starts with your intended use and where you are in your cloud journey, then applies a tailored framework that works across single-cloud, multi-cloud, and hybrid environments to keep you continuously compliant.
Can I run GxP workloads in a multi-cloud environment?
Yes. A multi-cloud environment can be all private, all public, or a combination. Distributing workloads across providers lets you use each one's strengths while reducing the risk of downtime, and UPC applies whether you choose a single cloud or several.
How does UPC handle validation and SDLC?
UPC evaluates your software development lifecycle and your vendors' SDLCs from the start, then embeds verification and validation directly into the software delivery pipeline. That produces a GxP compliant CI/CD pipeline with automated compliance and security, and lets you leverage vendor audits instead of re-testing proven work.
Can I leverage validation documentation from SaaS vendors?
EMA allows you to leverage data from software vendors if you have audited the vendor, understand their quality systems and qualification activities, and have access to the evidence. Confirming the vendor did the work they committed to is the key requirement.
What's the difference between RPA and AI in GxP automation?
RPA automates repetitive, rule-based, low-value tasks. AI extends automation into more complex work — handling uncertainty, high variability, and unstructured data — by moving beyond execution toward “thinking.” RPA is typically used for business process automation.
Additional Resources
UPC Use Cases
Robotics Process Automation (blog series)
Regulated GxP Workloads in the Public Cloud
Simplifying GxP Compliance in the Cloud