Cloud Adoption as enabler for Digital Transformation in the Regulated Industry
So, hello everybody. Thanks for joining me in this webinar today. Thanks for joining the NEXT Normal event. So I'm Danilo Maruccia and I work for PQE. PQE is a consultancy company for the regulated GxP industry and so I've been working for this company since the very foundation in '98, and above all you know the different topics of CSV, so computer system validation in the field of pharma and medical device. I'm leading the department for digital governance and therefore today, I would be bringing you through this presentation which deals with the adoption of cloud in the pharmaceutical and medical devices environment. So let's get started, so we'll be talking about how in the recent years the adoption of cloud by the regulated industry went through different phases, initially. So
then we will be looking at how the pandemic has pushed us fostering the adoption of cloud in the GxP industry. Then we'll be going through analyzing some regulatory implications when adopting cloud technology in the GxP industry and finally we will be analyzing what is the approach to be taken when adopting cloud technologies. So first of all, we have seen during the last two years that the pandemic has really pushed the regulated GxP industry to transition to digitalization.
Basically the pandemic has finally convinced the organization that the digitalization is something urgent and cannot be delayed further. And in a way the companies were forced to do things or to accept work practices that were not easy to imagine only two years ago. So just as an example, you know working from home which was actually well accepted, but it's not just the fact of working remotely, this implied also adopting very revolutionary ways of, for example signing documentation or even interacting with the GxP critical systems and records for taking decisions. So in general we have seen
really a broad adoption right, very very fast-paced adoption of the new technologies, that easily you know brings us to really consider, how actually something that in the past, in the recent past years ago was considered abnormal, to become you know suddenly very normal and accepted. And I would like also to bring a bit of historical perspective. This is very much my experience in the pharma industry. So I started to have interest in the cloud adoption by the regulated
industry around 2013. And at that time you know I had contacts with some IT managers, trying to evaluate some cloud solutions for non-GxP applications and processes. And since then I was really wondering for several years afterwards, why this was taking such a long time, so it was a very slow process. There was a lot of talk, I was visiting international conferences but really
you know nothing was happening in most of the cases. The reasons for this very slow adoption, probably we can name some of those reasons: for sure there is the consideration that this type of industry is a very regulated one, right. So there's a, there's a lot of strict regulations around the adoption of cloud technology, in general new technologies. Therefore also some concerns about how to approach validation and qualification with this new technology. There have been a lot of concerns around security and data breaches, you know the fact of not having data under the roof and you know just data located somewhere else. Also the fear of espionage and activism. In most cases it's about very valuable data you know, around patents and research data and so on, and so on. What we have seen lately, there was a drudging,
I mean pandemic played a role, but on top of that we have seen also from the point of view of regulators, there was a more and more favorable position towards digitalization. And also this came along with an improvement of aspects of security when adopting the cloud. Just as an example of adoption of cloud you know, I'm bringing two examples here or say, it's an example translated temporarily, so you know in 2013 there were discussions in FDA whether to embrace cloud, right. And there was an internal discussion and reflections whether this could be a feasible, you know transition and you know on the right side you can see how FDA themselves, they have adopted for example an application for pharmacovigilance, which is based fully on cloud and multi-tenant cloud. And so you see how in this you know, in this case we have like, you know seven eight years of time lapse to go from initial reflection to a full adoption. And this has been the path of many companies out there. So let's have a look at some regulatory implications when adopting cloud technology. First of all, the GxP industry
is very much looking at integrity of data, so integrity of data and protection of data has been really the whole topic of the latest six years at least. They are important to guarantee quality of medicines and also the quality of the decisions that are taken along the way in the entire process and so therefore the integrity at the end is also instrumental to protect patient safety, so it's all about you know the ultimate goal of the data integrity. And just to give an example, I've only inserted two examples here of some regulatory bodies that have mentioned cloud computing and what are the requirements out there. You know to make sure that any company that is under GxP is really looking at these
hot points whenever you know, they are transitioning to a cloud solution, which can be in the form of SaaS, PaaS or IaaS, so whatever is the delivery model. So here you can see what are you know the aspects that any company needs to take into account right. So
physical location can be relevant, think about GDPR, then think about organizational changes and you know the need of having a technical agreement in place, proper arrangements for backup and restoration of systems, as well as business continuity arrangements. And in any case the practice of doing audits right, to make sure that it is the right service for the departures. And this is from UK MHRA right. That's a guidance about data integrity. This one is from FDA, right. So it's on pretty much the same sort of recommendations and this is a guidance from 2017, there are many others out there, you know. So due to the short time today I cannot really give a complete presentation of regulatory aspects.
Anyway you can have an idea from this list of regulatory requirements how strong remains the attention of regulators towards, you know the technology whenever you go for a cloud-based solution. So then summarizing we can say the data integrity requirements remain the same, nothing changes you know. So the expectations from the regulatory side are basically the same as before. So no matter if you are, you know outsourcing or adopting some cloud-based solutions. And now as before the ultimate responsibility for patient safety, product quality and data integrity remains with the company, so the GxP company. You may have obviously a change in the you know responsibilities around some,
say fundamental processes obviously, when you are outsourcing to a cloud, then in this case you basically are not doing by yourself disaster recovery, but somebody else is providing a solution for you right. So therefore you need to analyze how several aspects and processes are being adapted to the new situation. And so in general we may conclude that whenever we adopt cloud computing as a regulated organization, we have the duty to transmit
specific requirements. Because what you can find out there is that in most cases you know the cloud providers are very say, general purpose providers. So therefore they may not be always aware of the type of specific controls that are required by regulated industry. As well as they may be not so keen introducing the required documentation and in some cases they are not ready to receive audits, from you know the regulated companies. And in general security is for sure a topic that needs to be taken into account very seriously. And therefore you know when asked so, what a company, what a regulated company should do when deciding to go for the cloud.
Well we suggest, you know there should be a controlled transition, meaning that the company should clarify, very clearly what are first of all regulatory requirements depending on the specific process or application that they're going to you know, take from the cloud. And therefore the suggestion is that they should lay down a strategy so a cloud adoption strategy to, you know basically analyze what are all the requirements, what should be the relationship to the vendors and vendors assessment. Last but not least they should think about setting up quality agreements on top of technical agreements or SLAs right, but also quality agreements. Then they need to discuss topics of how the practice of qualifying and validating applications is going to be changing, right. And in general revise all the operational models which means organizations and standard operating procedures in new roles that are going to be created in the company. So just to put this in
diagram which is explaining what I was mentioning before, that's a path, so that's a pathway compliant cloud. There are several steps that are really you know a suggestion from our end, which means obviously the adoption of cloud we recognize that, you know a necessary step nowadays. It's a sort of business imperative, right. And actually it is also you know contributing to you know, speed up processes, is allowing to work with big data, is really facilitating to have cooperation between the, you know several geographical remote sites especially in clinical trials, for example. So therefore in any case
the cloud adoption is an enabler, right, for many aspects. But nevertheless that should be a clear path to make sure that all the regulatory requirements are being transmitted, for the portion that is interesting, the vendor right. And then actually we're getting from the vendor, the necessary documentation, the necessary awareness and whatever. This is not in place, we need to contribute and try to build you know, really an understanding of you know the needs of the company. And so we mentioned then audits to the vendor, so the audit can be customized
not depending on the nature of the service. Depending we are auditing a SaaS vendor or even we are, you know doing some PaaS sort of contract with the vendor. You know depending very much on the deployment model, we may customize a checklist, right. To investigate aspects of data
management or software development life cycle, in general security and infrastructure aspects. Security and cyber security, which is you know a necessary step to go through nowadays. And the complexity sometimes show, it is really going through several layers, right. So this picture is trying to represent how the requirements from the regulatory authorities are being pushed to the company and then through, you know an SLA to the for example SaaS provider, right. That in many cases, being in this case a public multi-tenant for example. So to provision has in
the most cases a cloud vendors, a cloud there is another entity so typically we have AWS or Microsoft Azure that are providing the lower layer infrastructure. And so we need really to clarify how our you know provider is transmitting, right. The requirements with the cloud vendors, so are they doing any evaluation, are they doing audits themselves, right. So and that's pretty much
quite a complex situation that can be different from time to time. And this is you know also completing a bit the view of understanding how complex can be a situation where basically you are the regulated company, up there. So responsible for the data right and user authorizations, data integrity, authentication mechanism and such things and then you have, somebody who is responsible for the security in the cloud. So we're talking about data, network traffic and in general platform and application, identity and access management, right. Down to the operating system layer. And as we said before, there is a third provider. So the provider that is responsible for the low-level equipment and technologies, which is really the virtualization platforms down there.
And they are responsible for the security of the cloud, okay. So this is really a very, I would say interesting view of how these responsibilities are being put in relation and this should be clear right, to any regulated company. We have mentioned contractual agreements, actually this is a must, this is a requirement. We are mentioning here a couple of
pieces of regulations, so whenever you outsource you need to have in place contract agreements between the regulated users of the company and the cloud provider, so the contracted agreement is not just you know SLA, so technical KPIs. But you need to insert also and transmit properly what are the elements of you know, regulations that are being passed on to the cloud vendor, right. In terms of quality, in terms of processes, in terms of compliance and that's something that it is really recommended to have and should be very clear. So getting to the conclusion of
this today's presentation. So we may say that the adoption of cloud-based services in the GxP environment is a wise choice among several choices, if there are other choices, that can be compared. And it's the only way of making the best of technologies like artificial intelligence and capability of analyzing big data and taking advantage of the hyper connectivity of IoT or IIoT, so industrial in the field of industry, right and production. So, then we have recommended that the cloud service need to be analyzed, with respect to risk for the patient safety, product quality and data integrity. And cloud service providers need to be instructed and prepared in case of you know, audits and inspection to be cooperative, right and to be helping the company. And data integrity elements must be part of the contract agreements, between the company and the cloud provider and in any case we think that due to the variety of the scenarios and technologies out there, I think a company may really take decision based on risk and choose the best deployment model for the specific need, in the specific application. Just to close out this presentation. So thank
you very much for your attention. And thank you Dario, it's all yours.