CLOUD COMPUTING FOR REGULATED "GXP" ENVIRONMENTS - PART II
Managing the complexity of cloud-based solutions
In the previous sections, the structure and the particularities of cloud-based solutions were briefly presented. The questions related to the geographic location of cloud infrastructures have not yet been discussed.
The basic principle of cloud computing is to behave like a "black box": the services are available to the regulated user without the user needing to know where data and applications are actually stored and operated. Like insurance companies, which pass part of their risk on to other insurers, cloud service providers very often use and rely on external cloud service providers to increase service availability and to provide offsite backup.
This combination of services - the service to the user and the back-office services behind it - makes both the technical evaluation of offered solutions and the audit of cloud service providers more difficult. Petabytes of storage capacity, computational power, and network bandwidth are sold and bought as needed, as on a stock exchange. The location audited yesterday by the regulated user can already be obsolete tomorrow, because data and (virtual) servers are now hosted at another site, in another country, or on another continent. Several incidents in the past have shown that the supposedly offsite backup infrastructure hosted by an external provider turned out to be located on the other side of the street.
Since the regulated user remains responsible and accountable for its data and for the compliance state of its applications, it is its responsibility to manage its service providers carefully. Supplier management starts with a supplier audit. Obviously, cloud service providers cannot be audited like an API (active pharmaceutical ingredient) manufacturer. New approaches for auditing IT service providers are necessary, requiring:
- IT technology knowledge
- IT security knowledge
- Knowledge of current IT certifications (in-scope, out-of-scope, controls)
- Legal knowledge
- GxP and CSV knowledge.
Without "insider" know-how - i.e. IT infrastructure know-how - a meaningful audit of a cloud solution, covering availability, security, maintainability, and business continuity aspects, is effectively impossible. Regardless of the technology used and of the provider's competence, the devil remains in the details. It could be a good idea to have sound knowledge of the current IT certifications and to understand the corresponding certification processes (self-assessment, third-party audit, ...) in order to avoid audit redundancies. Knowing and understanding the scope of a given certification makes it possible to focus the audit on areas of interest that are not directly covered by the certification.
One of the particularities of cloud solutions is the complex network of responsibilities, especially if the cloud service provider relies on external third-party cloud providers (offsite backup, redundancy). It seems practically impossible to master such complex interdependencies without a knowledgeable lawyer. Likewise, contracts and service level agreements (SLAs) should be defined diligently, including at the legal level. If the regulated user requires limitations and constraints, these have to be defined precisely, leaving no room for interpretation. Such limitations could relate to the location of the datacentres. Constraints could be established in terms of controls exercised by the regulated user as well as the service provider's duty to inform the regulated user. Everything is possible as long as it is clearly required and adequately stipulated.
Especially because cloud infrastructures evolve rapidly, it is necessary to increase the frequency of follow-up and routine audits. It is a good idea to formalise such needs in the contract and the SLA.
The growing complexity of the technology represents a real challenge for auditors, and expertise in multiple subject matters is required to ensure the validity of IT service provider audits.
Regulatory and legal impacts
Even though the various players in the healthcare sector are used to dealing with regulatory requirements, the deployment of cloud-based solutions dramatically increases the complexity of the applicable legal and regulatory framework.
On the GxP side, Annex 11 of the European GMP Guide (see [2]) clearly defines the expected responsibilities and level of control for computerised systems involved in GMP activities. By extension, these requirements should be applied to systems involved in the other regulated GxP processes, such as clinical, distribution, laboratory, and vigilance processes. Additionally, local GxP regulations (e.g. [3]) may require that batch documentation be retained at the locations specified in the GMP license.
More complex is the legal situation. Over the last 12 years, different states around the world have developed a complex legal framework for fighting against:
- Terrorism
- Violation of intellectual property
- Counterfeiting
- Etc.
In many countries, the Internet is accused of being the vector and dissemination carrier of illegal and/or dangerous information and content. The question is not whether to approve or reject such a view, but to understand its impact on the way data privacy is currently considered.
European companies are used to observing data privacy laws and directives at national and European level (see [4]). Even if this regulatory framework is not perfect, multiple legal protection mechanisms exist that ensure a limited but real respect for data privacy.
Since 2001, the USA has been governed, amongst other laws, by the Patriot Act (see [5]). Initially elaborated to help intelligence agencies fight terrorism, its enforcement over the last 10 years has made data privacy challenging at the least, and in fact impossible. One of the major concerns is that stored records and data have to be handed over to US authorities on demand, without a court order and without the data owner being told. Many discussions outside of the USA show that companies, as well as lawyers and associations defending data privacy, are deeply concerned about this rule. Not only European countries but also Canada shares this general concern.
USA-based cloud service providers have tried to provide some guarantees regarding data privacy, for example by relying on subsidiaries based outside of the USA and by avoiding providing services from datacentres located in the USA. Unfortunately, this approach has been rejected by US authorities, who argue that the Patriot Act applies as soon as an organisation has a subsidiary located in the USA.
The consequence for organisations that care about data privacy is to avoid the use of cloud services provided or supported (including for offsite backup and business continuity) by companies based in the USA.
It is interesting to note, based on recent discussions with US cloud professionals, that many of the US companies providing cloud services are not aware of this privacy concern of non-US customers.
In several European countries, the number of projects for building a "pure European" cloud should be considered an answer to the Patriot Act, aimed at improving the support of data privacy.
Last but not least, it should not be forgotten that some countries do not recognise intellectual property rules. Enforcing data privacy and intellectual property through non-disclosure agreements is not possible there, since national law does not support it. Again, it is a good idea to avoid cloud services provided by companies based in such countries.
Innovative approach to IT Infrastructure compliance
Whatever the concerns regarding the use of cloud-based solutions, cloud computing brings some innovations worth considering in IT infrastructure management, compliance, and control.
One of the most interesting clauses of Annex 11 [2] stipulates that internal IT departments should be considered analogous to third-party IT service providers.
This principle should help to bring more fairness to the treatment of internal IT departments. Too often, regulated companies tend to require a higher compliance level (with the related formalism and effort) from internal departments than from external service providers. At the same time, these companies complain about high compliance costs.
Annex 11 should encourage regulated companies to define a commensurate IT compliance framework that applies equally to internal IT departments and to third-party suppliers and service providers.
Observing the behaviour of regulated companies shows that they tend to favour outsourced IT solutions for business-critical applications, while relying on their internal IT departments for operating less critical applications.
A consistent and logical decision process should prefer a solution provided by internal resources in the case of critical applications. Otherwise, the lack of confidence in the company's own quality management system and teams could raise a lot of questions, in particular from regulators during inspections.
For the last 20 years, IT organisations have complained about the inadequacy of the "conventional" CSV approach for IT infrastructure. Indeed, the rate of change in an IT infrastructure is much higher than in a production facility. However, there is no reason to reject some level of control over IT infrastructure supporting GxP-relevant activities.
Perhaps the deployment of internal private clouds within the IT infrastructure of regulated companies could represent a way of improving compliance efficiency and limiting compliance and operation costs.
The abstraction level induced by a cloud-based approach could be helpful for defining an adequate and efficient change management strategy. Configuration and change management are based on the management of configuration items. Defining meaningful configuration items of appropriate size, extent, and impact is the key to success and efficiency.
Too often, poorly defined configuration items complicate configuration and change management activities and cause high (and unnecessary) costs. The use of an internal private cloud should help regulated organisations to formalise efficient IT infrastructure management strategies without jeopardising the needed compliance level.
A meaningful application of a risk-based approach to IT infrastructure compliance, taking advantage of cloud computing technology, could be one of the answers for limiting operational costs. Outsourcing is surely not the sole solution for streamlining costs.
Possible trends
An interesting experience shared by regulated companies that have used cloud-based solutions shows the following life cycle:
1. Application is operated by the internal IT department
2. Application is moved to an external cloud in order to limit the costs
3. Application is operated in an external cloud but …
a. The level of control needs to be increased
b. Application availability becomes a concern
c. Data availability becomes a concern and cloud-offsite backup (and archiving) is needed
4. Cloud offsite backup is organised, using the company IT infrastructure (often for cost or practical reasons)
5. A cost review shows that, for a specific level of availability, operating the application internally would be less expensive than using an external cloud
6. Application operation is re-insourced.
As usual, such a life cycle really depends on the considered application and on its specific requirements. However, based on the mentioned clause of Annex 11 concerning the consideration of internal IT departments, it must be remembered that neither the compliance level nor the application performance should become lower through outsourcing than they would be under internal operation.
Ensuring data integrity, privacy, and confidentiality represents a cost. However, missing these requirements could become very expensive, not specifically from a regulatory point of view, but in terms of business capability and knowledge protection.
Legal requirements in some countries, the lack of protection of intellectual property in other countries, and the non-respect of data privacy and intellectual property by some cloud service providers have to be taken into account when selecting the most appropriate scenario for operating a GxP-relevant application.
Auditing service providers is unavoidable, but the scope of such audits requires highly knowledgeable subject matter experts (IT, legal, GxP, CSV, ...). The audit strategy must be modified to be more suited to the specifics of the cloud.
Evaluation of cloud solutions
When evaluating a cloud solution, at least the following criteria must be considered:
1. Needs and constraints, including applicable regulatory and legal requirements
2. Service model: IaaS, PaaS, SaaS
3. Deployment model: private, public, community, hybrid
4. Geographical location: country hosting the cloud infrastructure, country where the provider is located
5. Contract conditions, including business continuity measures and contract exit conditions.
Many lessons learned are available on the Internet regarding failed deployments or malfunctions during the operation of cloud-based implementations. It is highly recommended to take an attentive look at such information before planning and deploying cloud-based solutions.
Cloud computing is surely a useful tool for helping to master IT infrastructures. However, the way the cloud is operated and used needs to be clearly and precisely defined, avoiding any nebulosity. In addition to the use of virtualisation, various open source software projects could help regulated organisations to plan, implement, and deploy cloud-based solutions internally in a secure and compliant manner.
Part I of this article was published in the previous issue.
Author:
Yves Samson
... is founder and Director of the consulting firm Kereon AG, located in Basle, Switzerland. He has worked in computerised system validation since 1992. He is the editor of the French version of GAMP®4 and GAMP®5, and he translated the PIC/S Guide PI 011 into French.
Source:
[1] National Institute of Standards and Technology, "NIST Special Publication 800-145 - The NIST Definition of Cloud Computing," NIST, Gaithersburg, 2011.
[2] European Medicines Agency, "EudraLex - Volume 4 Good Manufacturing Practice (GMP) Guidelines - Annex 11 'Computerised Systems'," EMA, London, 2011.
[3] "AMWHV - Verordnung über die Anwendung der Guten Herstellungspraxis bei der Herstellung von Arzneimitteln und Wirkstoffen und über die Anwendung der Guten fachlichen Praxis bei der Herstellung von Produkten menschlicher Herkunft," Bundesministerium der Justiz, 2006 - 2011.
[4] European Parliament and Council, "Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data," Official Journal of the European Commission, Brussels, 1995.
[5] 107th Congress, "H.R.3162 - Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act," Library of Congress, Washington DC, 2001.
[6] Z. Whittaker, "Summary: ZDNet's USA PATRIOT Act series," ZDNet, 27 April 2011. [Online]. Available: http://www.zdnet.com/blog/igeneration/summary-zdnets-usa-patriot-act-series/9233.