How to mitigate risk in validating a cloud solution?


Companies are eager to implement cloud solutions so they can cut costs and improve their business efficiency. However, within the pharmaceutical and life science industries, implementing a new system requires special prudence and supervision. Implementing a cloud service in a highly regulated environment carries a risk which may be mitigated by validation – if performed by an experienced partner with long-term expertise.

Cloud computing is a daily reality for many companies, even outside the IT environment. From simple tools to advanced solutions, businesses use remote, on-demand resources to streamline their operations and maximize their profits. Cloud systems are also gaining popularity in the life science and pharmaceutical industries. However, in these areas the adoption of cloud services is somewhat constrained by high security and compliance standards, which not all cloud suppliers are able to meet.

Cloud applications have plenty of advantages, but they are not completely free from weak points. Their efficiency and reliability depend on many factors and may be verified by means of Computer Software Validation (CSV) or Software Quality Assurance (SQA). These procedures, with special focus on Supplier Audit and Risk Assessment, serve to ensure that a specific cloud-based solution:

– meets industry and regulatory requirements,

– provides high quality results,

– is well-aligned with business goals of the organization,

– in other words: allows maximum benefits at the lowest possible risk.

Before we delve deeper into this issue, let’s explain the core characteristics of cloud solutions and the advantages they provide for businesses, including those in the pharmaceutical and life science fields.

Cloud computing: main models, key characteristics

In broad and simple terms, cloud computing is the online delivery of computing services, such as software, analytics, networking, intelligence, databases, storage and servers. This paradigm provides access to flexible resources and enables companies to innovate and scale faster, as well as improve business efficiency and reduce operating costs.

Cloud computing is commonly associated with three acronyms: SaaS, PaaS and IaaS, the first one being the most popular. They refer to three service models, whereby software, platform or infrastructure is provided via the cloud – thus eliminating the need to implement more expensive and less efficient in-house solutions.

The cloud computing model is characterized by five essential features:

1) on-demand self-service – meaning a consumer can get access to a cloud service at any given time without human interaction with the service provider;

2) broad network access – meaning that the service can be accessed from a wide array of devices, e.g. smartphones, tablets, notebooks, PCs or Macs, as well as from a wide range of locations with internet access;

3) resource pooling – meaning cloud solution providers pool large-scale IT resources to serve multiple users;

4) rapid elasticity – meaning the ability to provide scalable services;

5) measured service – meaning the ability of the cloud system to automatically control and optimize resource use and apply predictive planning.

It’s good to be aware of the above characteristics, as they are the foundation for any type of cloud services.

Lower costs, increased efficiency – hard-to-ignore benefits of cloud solutions

Cloud solutions provide companies with numerous business and operational advantages, notably:

– minimal hardware costs,

– reduced costs of data storage, data processing and IT maintenance,

– increased efficiency and flexibility,

– universal, location-independent access to the resources,

– data safety (protection against data loss) and data security (protection against unauthorized use),

and many more.

No wonder SaaS solutions are tempting for companies looking to maximize their efficiency, cut overheads and lift profits, especially when they come with the promise of increased data security.

However, the transition to a cloud solution is not an easy step for organizations operating in a high-risk and highly regulated environment, such as the pharmaceutical or life science industries, especially since cloud services do not come with a guarantee of full compliance and may pose a liability. The principal concern is the dependence on the cloud provider. Possible implications of this dependence include temporary unavailability of services or loss of data integrity. Some legal issues may also occur, for example with regard to data storage and processing under GDPR.

Validation essentials: Supplier Audit and Risk Assessment

These uncertainties call for expert guidance provided by an experienced external partner. Professional support is all the more essential since companies point to security as their biggest fear when implementing cloud solutions. To mitigate possible risks, any type of SaaS service may be subject to validation, such as CSV and SQA. It is worth stressing that the very same validation procedure applies to a cloud service as to local server systems or applications.

On the other hand, the results of the cloud system validation may be affected by limited access to the mechanics of the system and its provider’s operations or policies. To ensure maximum transparency and minimize the risk of non-compliance, it is essential to conduct the Supplier Audit and Risk Assessment with the utmost attention to detail. The specific procedures may differ based on the type of SaaS service, but they cover the same core areas.

First and foremost, the Supplier Audit must include verification of the supplier’s compliance with quality standards, backup and restore procedures, as well as functional and technical specifications. When assessing the risk, we examine the potential risks related to the level of trust and control, shared responsibility and quality of deliverables. We also take into consideration the relevant internal standards and requirements of the company implementing the cloud solution.

After the Supplier Audit and Risk Assessment confirm compliance of the service and its provider with quality standards and the client’s internal regulations, we may move on to the next stages of the validation process, which include:

– User Requirement Specification

– Validation Plan

– User Acceptance Tests

– Validation Report

– Service Level Agreement

– Operational Support Plan

We can skip the details, as the above items are well-known industry standards. However, we expand on each of these stages from the validation angle in our webinar, available on YouTube: https://www.youtube.com/watch?v=44FrG-yI7CQ

Validation of cloud-based serialization system: a case study

Now, let’s give a brief practical insight into mitigating risk when validating a cloud solution, using the example of a cloud-based serialization system. We were dealing with two cloud providers – one responsible for the infrastructure and the other for the software – and the sensitive issue of GxP data exchange with external clients.

The main areas of focus in the validation process were as follows:

1) Risk Assessment

2) Supplier Audit

3) Project Documentation

4) Operational Support Plan

The first step laid the basis for the whole validation process. The RA process included:

– analysis of the information about the intended use of the system,

– determining the type and criticality of the data which would be processed by the system,

– determining the business criticality of the cloud solution and explaining it to the parties involved.

We also had to make clear to our client that the system is externally hosted and that it uses cloud computing.

Based on the results of the RA, we were able to focus on the right issues when performing the Supplier Audit. Among other activities, we verified the standards applied by the supplier, their internal processes relevant for operability and safety/security of the system, the quality of the documentation and the supplier’s awareness of the GxP requirements for pharmaceutical companies. Fortunately, the system offered by the supplier was already validated in accordance with GxP and the GAMP5 methodology. This facilitated the whole process, as – after scrutinizing the supplier’s documentation – we were able to use many of the provided documents for the purpose of validation.

We were less lucky in the case of validation of the infrastructure. The IaaS supplier was well aware of the requirements and security standards. However, the documentation and operational standards of the company were far from acceptable. We prepared a report with suggested improvements. Unfortunately, the company didn’t choose to comply, which forced us to look for another supplier. This caused a slight delay in the project, but soon enough we were able to find a company that met the requirements, which was confirmed by our audit.

It’s best to mitigate the risk with an experienced partner

The process of verifying a cloud system provider and the system itself is not an easy one. It requires expertise and a keen understanding of the validation process, stemming from long-term experience. However, for organizations operating in the pharmaceutical and life science industries, validation may be a necessary precondition for implementing SaaS services.

If you seek further advice on mitigating risk when implementing a cloud solution, don’t hesitate to contact us at validation@ecvalidation.com