Cloud Computing in Pharma – the next frontier?
In the last 15 years, “Cloud Computing” has revolutionized many areas of our lives and many businesses around us. From how we store our photos and music, to how we pay our bills and buy our groceries, without The Cloud the ease and convenience of doing these tasks would not be possible.
With the latest market analysis concluding that public Cloud computing usage is growing by 50% annually, it begs the question as to why the Pharmaceutical Community has been so slow to embrace this new technology. Whilst at home we think nothing of buying “Pay as you go” storage services and other such products, in our working environment using The Cloud seems, quite literally, a “pie in the sky” idea.
Are the fears of compliance holding the community back from embracing innovation in this arena, and if so are these fears justified? Could a different approach to how Computer System Validation activities are executed mean that our regulated industry is then able to realise the benefits that Cloud computing could bring?
What exactly is the Cloud?
Cloud computing in itself is an evolving term. The National Institute of Standards and Technology (NIST) defines it as follows:
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Graphic design: Sam Johnston
…or, put more simply, Cloud Computing is when your data is stored remotely from you, but can be accessed at any time, from anywhere, and with any device that you choose. Your programs can be set up and configured with the minimum of fuss, and then accessed and used as and when you need them.
Further reading: NIST Cloud Computing Program
So what are the benefits of using the Cloud?
Cost reduction and savings
Significant savings can be realised from embracing Cloud-based software and infrastructure, both within the IT divisions and in the wider business sectors as a whole. The infrastructure, platforms and servers are developed, owned and maintained by the Cloud provider. This means that the Pharma organisation eliminates not only the upfront capex costs, but also the ongoing maintenance and development costs necessary to support all of their systems. Some estimate that cloud-based software can cost 50% less than traditional software applications over a 10 year period.
An additional bonus is that these saved funds can be invested into the organisation’s core business, thus facilitating greater innovation, growth and profitability. For a comparison to other industries, a recent study of thirteen hundred companies in the UK and US found that 62% of surveyed respondents stated that cloud computing enabled organisations to invest more money back into their businesses, with the average increase in their profits being 22%.
Further reading: Forbes: Making Cloud Computing Pay
“Constant change” can be dealt with more easily when Cloud computing is utilised. In our industry, the innovation cycles are getting faster, and pharma companies have to adapt to changes at an ever-faster rate – new compliance requirements, new technologies and new laws (e.g. serialisation requirements) are just some changes that must be embraced and delivered very quickly.
Under the traditional IT architecture, delivering these changes requires huge projects with big teams of people and a great deal of effort. By using Cloud computing, the new initiatives can be delivered by the cloud provider in very short time frames.
Moving to Cloud computing can also aid collaboration between departments within your business, and with suppliers and distributors outside it. Not only can your business processes be streamlined and simplified, but communication is faster and decisions can be taken that much quicker.
Cloud computing enables pharma organisations to evolve and innovate at a level like never before. One area of interest currently is the field of “Big Data Analytics”. Big Data Analytics is the process of examining large data sets to uncover hidden patterns, unknown correlations, and other useful business information. Cloud computing not only streamlines how a company stores and handles its data, but also provides the means for the data analysis to take place, with the results being available almost immediately. Organisations using data in this way state they are then able to use the information for cost reduction initiatives, faster decision making and insights into new products and services.
Cloud computing allows businesses to expand and adapt quickly and easily. As the IT infrastructure is already in place, when new facilities and services are needed these can be introduced in a very efficient manner. By bolting on to the existing infrastructure, automatic alignment of key business processes is a further advantage, allowing for greater consistency and continuity in key business activities.
Cloud computing enables you to get your IT solutions up and running at a speed like never before. From tasks as diverse as the IT requirements all being in place for a brand new site, through to the introduction and roll out of global IT programs, tasks that previously could take months and years to execute can now be delivered in days or weeks.
At a user level, changes can also be implemented quickly and easily. From having the ability to get a new employee set up and working on your IT systems within minutes, through to the latest versions of software appearing on all users’ devices automatically, Cloud computing allows you to gain the instant benefits our changing work environment demands, benefits that just could not be realised with traditional IT computing.
There is no doubt – Cloud Computing is on the advance. The benefits that it offers mean that, sooner or later, every company, pharmaceutical manufacturers included, will have to embrace it in order to remain competitive.
Why Pharma should embrace this new frontier
While Pharma have been slow to come on board, there are pioneers within the industry that are already reaping the benefits.
Pfizer have already developed (with Accenture) a cloud-based platform for clinical data aggregation and reporting. The platform was designed to improve collaboration with the clinical research organisations Parexel and ICON when managing clinical studies. The service aggregates the critical clinical trial information held by Parexel and ICON, while Pfizer concentrates on analysis of the data, monitoring the progress of the trials and managing relationships with the regulators.
Further reading: Clinical Research Innovation through Shared Clinical Data Warehousing
Cloud Pharmaceuticals use Cloud computing as an integral part of their business. They look to develop new therapies via a design process that combines artificial intelligence and Cloud computing to identify and deliver novel active molecules. They search vast virtual chemical libraries to identify these molecules – the computing power available on the cloud ensures that the results can be obtained quickly.
Further reading: Cloud-based Drug Design and Development
The US Food and Drug Administration (FDA), with AWS, have used Cloud computing to reengineer the process for handling their Adverse Drug Effects reports. By utilising the AWS cloud, they have been able to quickly turn manual reports into machine-readable information with 99.7% accuracy, whilst at the same time reducing costs from $29 per page to $0.25 per page.
Further reading: AWS Case Study: US Food and Drug Administration (FDA)
Novartis are developing approaches for Cloud data and provider management via increased use of Software as a Service (SaaS).
Loss of control and non-compliance: Are these fears justified?
As the many Pharma organisations listed above have demonstrated, Cloud computing can be, and is being, used within the industry. Many other companies, however, are still showing a real reluctance to adopt cloud solutions. Concerns principally fall in two areas – control and security of data, and regulatory compliance fears.
An organisation can feel that its data and processes are no longer secure when the storage and management move to being under the control of the cloud provider. This, combined with cloud providers being reluctant to be audited in the traditional way, can cause pharma organisations to conclude that the Cloud is not for “mission-critical” use (and certainly not for GxP).
Under traditional IT set-ups, organisations design, procure, install, operate and maintain their systems and software in house. It is understood how these systems must be shown to comply with the regulatory requirements – namely by following the traditional validation approach of GAMP 5. Both the organisations and the regulators are comfortable with this approach and it is widely understood what must be demonstrated and documented in order to prove compliance.
In this new world of cloud computing, the pathway to compliance is not as clear. In an industry where the risk of non-compliance cannot be contemplated, it is easy to understand why the uptake of cloud computing has been slow. However, more and more pharma organisations are embracing the challenges and have successfully launched cloud supported initiatives.
So, why are lots of companies daring to take this step in spite of all their concerns? Their experience is that data storage at a reliable Cloud provider (like Amazon, Microsoft, etc.) can be far more secure than data hosted by themselves, on site. And if the right cloud and validation strategies are chosen, the regulatory requirements can be readily met.
Whilst it is common that organisations considering Cloud computing do not have cloud regulatory experts available in house, sources of reference materials are available.
Guidance available for Cloud Computing adoption
The Cloud Security Alliance (CSA) are an organisation that help provide guidance on how Cloud computing can be adopted. They are a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud computing, and to provide education on the uses of Cloud computing to help secure all other forms of computing”. They were formed in December 2008, when a coalition of individuals came together who saw the need to provide objective enterprise user guidance on the adoption and use of Cloud computing.
The CSA have a broad remit – to address all aspects of cloud security, including compliance, global security-related legislation and regulation, identity management, and the challenge of monitoring and auditing security across a cloud-based IT supply chain. They are becoming the focal point for security standards globally, aligning multiple, disparate government policies on cloud security and putting forward standards for ratification by international standards bodies.
A key document generated by the CSA is the “Security Guidance for Critical Areas of Focus in Cloud Computing”. This guide seeks to provide a stable, secure baseline for cloud operations, providing a practical, actionable road map for managers who want to adopt the cloud paradigm safely and securely.
How to implement IT solutions when Cloud Computing is utilised
Before an organisation makes the move to Cloud computing, they must firstly understand what they are considering moving to the cloud, and what risks (in terms of security, data integrity and IT availability) are present. They then need to assess the options that are available in Cloud computing, in terms of how the cloud will work, and what cloud service to choose.
The following outlines a 5-step approach to implementing Cloud computing:
- Step 1: Identify your assets for Cloud deployment
Organisations need to firstly decide exactly what they want the cloud to host, and the degree of risk that they are willing to take.
The CSA recommend that an organisation should firstly identify their assets (assets being defined as data, applications and processes), and secondly should understand which data or functions are being considered for cloud deployment, and how that data and those processes are currently being used.
- Step 2: Evaluate your assets for Cloud deployment
The assets should then be evaluated, in order to roughly estimate how important the asset is and how sensitive the asset is in relation to confidentiality, patient safety, product quality, data integrity and system availability. Once this is understood, an organisation should then ask how this risk changes if the asset moves to being handled by Cloud computing.
- Step 3: Map your assets to the various Cloud deployment models
Once your risk requirements and security considerations are better understood, the various Cloud models should be assessed in turn, to see what fits best with your needs.
There are three types of Cloud computing service models – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
The simplest of the service models is Infrastructure as a Service (IaaS). This service is characterised by the vendor providing and managing all the computer hardware – so all the servers, network technology, storage, and data centre space, operating systems and virtualisation.
The next level is Platform as a Service (PaaS) – so providing a service that, as well as providing the infrastructure, also includes the platforms used to design, develop, build and test all the applications.
The fullest service model is Software as a Service (SaaS). This is not only the provision of the infrastructure and the platforms, but also all the specific software that the individual client wants. This service can be provided on demand, as and when required.
- Step 4: Evaluate potential Cloud service models
This step involves you deciding on where the cloud shall operate from, and how much of the service is exclusively used by your organisation, or shared with others.
The most common deployment service models are Public, Private and Hybrid models.
The choice of deployment model to proceed with really boils down to the criticality of your data, combined with the acceptable price point. You may elect to go for standard business functionality at a reasonable price, for example CRM, mail, etc. (in the Public Cloud), a solution for the highest security standards (in the Private Cloud), or a combination thereof (in the Hybrid Cloud).
The following table provides an overview of which direction to take:
- Step 5: Map out the potential data flows
Finally, the organisation should map out the data flow between their organisation, the cloud and any customers. In particular, the interfaces between the three areas should be understood, specifically with regards to how data can move in and out of the cloud. This should provide potential exposure points and form the basis of the validation activities.
Validating Cloud Computing, and meeting the compliance requirements
The validation of Cloud solutions is possible and achievable; however, the classical V model, as per GAMP 5, cannot simply be followed.
The figure below outlines the shift in the areas of responsibility, from what the regulated firm manages to what the Cloud vendor manages, when comparing a traditional on-site IT set-up to a Cloud service model set-up. While in the traditional on-site IT model it is the company that manages all IT hardware, platforms and software, in the SaaS model it is now the Cloud provider that manages the IT resources of the regulated organisation.
Figure 1: obtained from Cloud Computing in a GxP Environment: The Promise, the Reality and the Path to Clarity. By the GAMP Cloud Computing Special Interest Group (SIG). Pharmaceutical Engineering January/February 2014, Vol.34. No.1.
This is the partnership that a regulated company and a service provider must prepare!
This shift in ownership of key parts of the IT architecture presents a challenge to the regulated company in demonstrating compliance.
The GAMP Cloud Computing Special Interest Group are a group of representatives of small and large life science companies and cloud service provider SMEs, who are in the process of compiling guidance notes on meeting the compliance requirements in a regulated environment.
They advise that the regulated company must be willing to give up levels of “hands-on control” and oversight to the cloud provider, whilst at the same time remaining accountable for the integrity and compliance of the solution and data. The regulated company must then apply the same good outsourcing and supplier management practices with the cloud vendor that they use for all other outsourcing activities. Finally, the regulated company must recognise that the cloud provider typically approaches quality assurance activities differently from the regulated industry and must adapt accordingly. This adaptation shall include demonstrating how the Cloud vendor’s network, support systems and processes meet what is described in the GAMP Good Practices Guide: IT Infrastructure Control and Compliance Guide.
There is no doubt that Cloud Computing offers an opportunity to the Pharmaceutical community to innovate quicker, manage change faster and deliver new medicines to the market. In particular, uptake of “Software as a Service” (SaaS) is growing in an exponential fashion, and offers small organisations the opportunity to get into the game with little to no administrative IT footprint. Applications that are delivered in the cloud and are paid for as a subscription are enabling smaller businesses to enjoy the benefits of enterprise solutions, without having to dedicate specific resources or significant cash flow to a single tool.
Cloud Validation is undoubtedly a challenge; however, by approaching Computer System Validation in a different way, organisations are demonstrating that it is possible to utilise the Cloud in our regulated environment and thus reap the benefits that this innovative technology offers. The future really does favour the brave – now is the time for Pharma organisations to rise to the challenge.
Time to define the Cloud strategy for your company!
“Compliant Implementation of Cloud Solutions”
We will explain how the implementation of a SaaS (Cloud) solution can be undertaken to ensure it meets the requirements of the pharmaceutical industry. This will include further guidance on how the Computer System Validation (CSV) aspects must be adapted from the traditional GAMP 5 “V” model, and what the key stages are that must be taken when implementing a cloud solution in your organisation.