GAMP: Cloud Computing Solutions & Providers Assessment & Management
The GAMP® CoP promotes the innovative use of automation and computer technology by applying a science- and risk-based approach that safeguards patient safety, product quality, and data integrity throughout the product life cycle. One significant area with great opportunities for innovation and business benefit is cloud computing. There is an inevitable move towards using some elements of cloud computing for some GxP applications, and that this will certainly increase. The GAMP Cloud Special Interest Group (SIG) has already published valuable guidance, and is developing more. The life science quality assurance and compliance community must define and advocate realistic approaches that encourage innovation as well as safeguard quality and compliance, or will risk losing credibility and influence, and may ultimately end up being ignored or bypassed. Approaches to assessment and management of technology service providers must be flexible, practical, and pragmatic, and insisting on physical audits of all providers, regardless of type of service or level of risk, is unrealistic. The three key elements of regulated company management of technology service providers are:
- Appropriate risk assessments (taking into account the nature of the process, the data, and in the case of cloud-based solutions, the service model and deployment model)
- Supplier/provider assessments of the primary provider and the proposed solution (including their management of sub-suppliers)
- Agreements/Contracts/SLAs in place to establish the controls that are managed by the service provider
It is also unrealistic to insist that any service providers perform traditional and cumbersome paper-based qualification activities, rather than encouraging them to apply effective IT good practices supported by appropriate and modern tools and technologies.
Some of the following factors are still confusing the discussions in the industry: the term “cloud” is used as though it is one homogeneous thing, without consideration that SaaS, PaaS, and IaaS are very different, for instance, and that deployment models vary. Also, some things described informally as cloud are not really cloud, if you recognize generally accepted definitions of the essential characteristics of cloud, and are really just flavours of outsourcing. Cloud (meeting the definition of the essential characteristics) may currently be less relevant or helpful for many critical GxP situations, where the essential characteristics are not the key factors or benefits, but there will certainly be a move, based on financial and IT strategy considerations to depend more and more on external resources and service provision, rather than invest in fixed internal assets.
The move may be even more compelling for smaller or rapidly growing organizations. What is likely to happen in the future will be a further blurring of the boundaries between what is internal and external, and that a generally acceptable set of practices will gradually evolve or fall into place (probably primarily based around the three key elements mentioned above). These developments are here to stay and will accelerate, and life science companies have to find some strategies and ways forward to manage the quality risks (and compliance risks), because of the technological and financial pressures to fall in line with other industries, to gain the technological and business advantages, to cut time to market, and to be cost effective.
The GAMP CoP Cloud SIG has already published useful and pragmatic information on cloud computing, including GAMP Cloud articles and Concept Papers. Titles include:
- Evolution of the Cloud: A Risk-Based Perspective on Leveraging PaaS within a Regulated Life Sciences Company
- SaaS in a Regulated Environment – The Impact of Multi-tenancy and Subcontracting
- Using SaaS in a Regulated Environment – A Life Cycle Approach to Risk Management