Cloud Computing: How to Choose the Right Cloud Supplier

Dec 01, 2013
By Spectroscopy Editors
Volume 28, Issue 12

Advice for laboratories and organizations contemplating using cloud computing, including how to select a suitable cloud supplier for a regulated GxP laboratory — in other words, how to separate the clouds from the clods.

The introductory sentence from A Tale of Two Cities, written in the 19th century, summarizes, from a regulatory compliance perspective, the pros and cons of cloud computing in the 21st century (1):

"It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of light, it was the season of darkness, it was the spring of hope, it was the winter of despair."

Cloud computing is defined as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (2). The definition for the noun clod is as follows: a lump of earth or clay; a stupid person (often used as a general term of abuse) (3). There are many service providers and hosting companies available that have good quality facilities and provide high service availability, but few are suitable for a regulated GxP environment. Many service providers that are certified for various standards think they can provide a service for a regulated pharmaceutical company, but few can deliver.

Therefore, the purpose of this column is to provide advice to laboratories and organizations contemplating using the cloud and to provide advice on how to select a suitable cloud supplier for a regulated GxP laboratory — in other words, how to separate the clouds from the clods.


In an earlier column installment (4), McDowall discussed the principles of cloud computing. Samson has published his views on cloud computing in two recent articles (5,6), in which he looked at cloud computing in regulated GxP environments, beginning with the basic elements of the types of service models that can be used: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). He then went on to discuss the management aspects of the cloud, regulatory and legal impacts, and approaches to IT infrastructure compliance.

In a recent article, Stokes discussed the following topics regarding cloud computing (7): differences of the cloud compared with traditional in-house IT services, the models of cloud computing, what cloud computing is not, developing a cloud strategy with monitoring, and management of the service providers. One aspect of cloud computing that is an essential part of this strategy is how to get your data back from the cloud if your organization changes its cloud supplier or brings the application back in house (7).

All three authors agree that there are three basic requirements for IT infrastructure operating in a regulated GxP environment that can be located within an organization, outsourced to a third party, or in the cloud (4–7):

  • IT infrastructure — physical, virtual, and software elements — must be specified and qualified to show that it works as intended and must be kept under change control throughout the operational life. This is to comply with the specific requirements of the European Union Good Manufacturing Practices (EU GMP) Annex 11 that IT infrastructure be qualified (8) and the expectation of the pharmaceutical industry as explained in the Good Automated Manufacturing Practice (GAMP) Good Practice Guide on IT Control and Compliance (9), of which both the authors of this column were contributors.
  • Written procedures must be in place and, when executed, records must show that the activities actually occurred. Records generated in this and the item above must comply with GxP regulations; for example, they must be documented contemporaneously with the activity and allow someone to identify the individual who performed the work and so on.
  • Staff operating the infrastructure must be trained in the principles of GxP compliance, especially in change control. This is very important when the apparent business you are contracting with only has a few employees and subcontracts large parts of the work to third parties. This is an area that is fraught with problems for the unaware. In a previous column installment, McDowall looked at quality agreements for the laboratory (10) and the same principles apply to an agreement with a cloud supplier. This comes under the requirements of EU GMP Chapter 7 on outsourcing (11).

lorem ipsum