Advice for laboratories and organizations contemplating using cloud computing, including how to select a suitable cloud supplier
for a regulated GxP laboratory — in other words, how to separate the clouds from the clods.
The introductory sentence from A Tale of Two Cities, written in the 19th century, summarizes, from a regulatory compliance perspective, the pros and cons of cloud computing in
the 21st century (1):
"It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the
epoch of belief, it was the epoch of incredulity, it was the season of light, it was the season of darkness, it was the spring
of hope, it was the winter of despair."
Cloud computing is defined as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing
resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released
with minimal management effort or service provider interaction (2). The definition for the noun clod is as follows: a lump of earth or clay; a stupid person (often used as a general term of abuse) (3). There are many service
providers and hosting companies available that have good quality facilities and provide high service availability, but few
are suitable for a regulated GxP environment. Many service providers that are certified for various standards think they can
provide a service for a regulated pharmaceutical company, but few can deliver.
Therefore, the purpose of this column is to provide advice to laboratories and organizations contemplating using the cloud
and to provide advice on how to select a suitable cloud supplier for a regulated GxP laboratory — in other words, how to separate
the clouds from the clods.
In an earlier column installment (4), McDowall discussed the principles of cloud computing. Samson has published his views
on cloud computing in two recent articles (5,6), in which he looked at cloud computing in regulated GxP environments, beginning
with the basic elements of the types of service models that can be used: infrastructure as a service (IaaS), platform as a
service (PaaS), and software as a service (SaaS). He then went on to discuss the management aspects of the cloud, regulatory
and legal impacts, and approaches to IT infrastructure compliance.
In a recent article, Stokes discussed the following topics regarding cloud computing (7): differences of the cloud compared
with traditional in-house IT services, the models of cloud computing, what cloud computing is not, developing a cloud strategy
with monitoring, and management of the service providers. One aspect of cloud computing that is an essential part of this
strategy is how to get your data back from the cloud if your organization changes its cloud supplier or brings the application
back in house (7).
All three authors agree that there are three basic requirements for IT infrastructure operating in a regulated GxP environment,
whether that infrastructure is located within an organization, outsourced to a third party, or in the cloud (4–7):
- IT infrastructure — physical, virtual, and software elements — must be specified and qualified to show that it works as intended
and must be kept under change control throughout the operational life. This is to comply with the specific requirements of
the European Union Good Manufacturing Practices (EU GMP) Annex 11 that IT infrastructure be qualified (8) and with the expectation of the pharmaceutical industry as explained in the Good Automated Manufacturing Practice (GAMP) Good Practice Guide on IT Control and Compliance (9), to which both authors of this column were contributors.
- Written procedures must be in place and, when executed, records must show that the activities actually occurred. Records generated
in this and the item above must comply with GxP regulations; for example, they must be documented contemporaneously with the
activity and allow someone to identify the individual who performed the work and so on.
- Staff operating the infrastructure must be trained in the principles of GxP compliance, especially in change control. This
is very important when the apparent business you are contracting with has only a few employees and subcontracts large parts
of the work to third parties. This is an area that is fraught with problems for the unaware. In a previous column installment,
McDowall looked at quality agreements for the laboratory (10) and the same principles apply to an agreement with a cloud supplier.
This comes under the requirements of EU GMP Chapter 7 on outsourcing (11).