Cloud Adoption as enabler for Digital Transformation in the Regulated Industry

So, hello everybody. Thanks for joining me in this webinar today, thanks for joining the NEXT Normal event. So I'm Danilo Maruccia and I work for PQE. PQE is a consultancy company for the regulated GxP industry, and so I've been working for this company since the very foundation in '98, and above all, you know, the different topics of CSV, so computer system validation, in the field of pharma and medical devices. I'm leading the department for digital governance, and therefore today I will be bringing you through this presentation, which deals with the adoption of cloud in the pharmaceutical and medical devices environment.

So let's get started. So we'll be talking about how in recent years the adoption of cloud by the regulated industry went through different phases, initially. So then we will be looking at how the pandemic has pushed us, fostering the adoption of cloud in the GxP industry. Then we'll be going through analyzing some regulatory implications when adopting cloud technology in the GxP industry, and finally we will be analyzing what is the approach to be taken when adopting cloud technologies.

So first of all, we have seen during the last two years that the pandemic has really pushed the regulated GxP industry to transition to digitalization.

Basically, the pandemic has finally convinced the organization that digitalization is something urgent and cannot be delayed further. And in a way the companies were forced to do things or to accept work practices that were not easy to imagine only two years ago. So just as an example, you know, working from home, which was actually well accepted, but it's not just the fact of working remotely; this implied also adopting very revolutionary ways of, for example, signing documentation or even interacting with the GxP critical systems and records for taking decisions. So in general we have seen really a broad adoption, right, very, very fast-paced adoption of the new technologies, that easily, you know, brings us to really consider how actually something that in the past, in the recent past years ago, was considered abnormal, to become, you know, suddenly very normal and accepted.

And I would like also to bring a bit of historical perspective. This is very much my experience in the pharma industry. So I started to have interest in the cloud adoption by the regulated industry around 2013. And at that time, you know, I had contacts with some IT managers trying to evaluate some cloud solutions for non-GxP applications and processes. And since then I was really wondering for several years afterwards why this was taking such a long time, so it was a very slow process. There was a lot of talk, I was visiting international conferences, but really, you know, nothing was happening in most of the cases.

The reasons for this very slow adoption: probably we can name some of those reasons. For sure there is the consideration that this type of industry is a very regulated one, right. So there's a lot of strict regulations around the adoption of cloud technology, in general new technologies. Therefore also some concerns about how to approach validation and qualification with this new technology. There have been a lot of concerns around security and data breaches, you know, the fact of not having data under the roof and, you know, just data located somewhere else. Also the fear of espionage and activism; in most cases it's about very valuable data, you know, around patents and research data and so on, and so on.

What we have seen lately, there was a drudging, I mean pandemic played a role, but on top of that we have seen also from the point of view of regulators, there was a more and more favorable position towards digitalization. And also this came along with an improvement of aspects of security when adopting the cloud. Just as an example of adoption of cloud, you know, I'm bringing two examples here, or say, it's an example translated temporarily, so, you know, in 2013 there were discussions in FDA whether to embrace cloud, right. And there was an internal discussion and reflections whether this could be a feasible, you know, transition, and, you know, on the right side you can see how FDA themselves, they have adopted for example an application for pharmacovigilance, which is based fully on cloud and multi-tenant cloud. And so you see how in this, you know, in this case we have like, you know, seven, eight years of time lapse to go from initial reflection to a full adoption. And this has been the path of many companies out there.

So let's have a look at some regulatory implications when adopting cloud technology. First of all, the GxP industry is very much looking at integrity of data, so integrity of data and protection of data has been really the whole topic of the latest six years at least. They are important to guarantee quality of medicines and also the quality of the decisions that are taken along the way in the entire process, and so therefore the integrity at the end is also instrumental to protect patient safety, so it's all about, you know, the ultimate goal of the data integrity.

And just to give an example, I've only inserted two examples here of some regulatory bodies that have mentioned cloud computing and what are the requirements out there, you know, to make sure that any company that is under GxP is really looking at these hot points whenever, you know, they are transitioning to a cloud solution, which can be in the form of SaaS, PaaS or IaaS, so whatever is the delivery model. So here you can see what are, you know, the aspects that any company needs to take into account, right. So physical location can be relevant, think about GDPR, then think about organizational changes and, you know, the need of having a technical agreement in place, proper arrangements for backup and restoration of systems, as well as business continuity arrangements. And in any case the practice of doing audits, right, to make sure that it is the right service for the departures. And this is from UK MHRA, right. That's a guidance about data integrity. This one is from FDA, right. So it's pretty much the same sort of recommendations, and this is a guidance from 2017; there are many others out there, you know. So due to the short time today I cannot really give a complete presentation of regulatory aspects.

Anyway, you can have an idea from this list of regulatory requirements how strong remains the attention of regulators towards, you know, the technology whenever you go for a cloud-based solution. So then, summarizing, we can say the data integrity requirements remain the same, nothing changes, you know. So the expectations from the regulatory side are basically the same as before, so no matter if you are, you know, outsourcing or adopting some cloud-based solutions. And now as before the ultimate responsibility for patient safety, product quality and data integrity remains with the company, so the GxP company. You may have obviously a change in the, you know, responsibilities around some, say, fundamental processes, obviously, when you are outsourcing to a cloud; then in this case, basically, you are not doing disaster recovery by yourself, but somebody else is providing a solution for you, right. So therefore you need to analyze how several aspects and processes are being adapted to the new situation.

And so in general we may conclude that whenever we adopt cloud computing as a regulated organization, we have the duty to transmit specific requirements. Because what you can find out there is that in most cases, you know, the cloud providers are very, say, general purpose providers. So therefore they may not be always aware of the type of specific controls that are required by regulated industry. As well as they may be not so keen introducing the required documentation, and in some cases they are not ready to receive audits from, you know, the regulated companies. And in general security is for sure a topic that needs to be taken into account very seriously. And therefore, you know, when asked, so, what a company, what a regulated company should do when deciding to go for the cloud.

Well, we suggest, you know, there should be a controlled transition, meaning that the company should clarify very clearly what are first of all regulatory requirements depending on the specific process or application that they're going to, you know, take from the cloud. And therefore the suggestion is that they should lay down a strategy, so a cloud adoption strategy, to, you know, basically analyze what are all the requirements, what should be the relationship to the vendors and vendors assessment. Last but not least they should think about setting up quality agreements on top of technical agreements or SLAs, right, but also quality agreements. Then they need to discuss topics of how the practice of qualifying and validating applications is going to be changing, right. And in general revise all the operational models, which means organizations and standard operating procedures in new roles that are going to be created in the company.

So just to put this in a diagram which is explaining what I was mentioning before, that's a path, so that's a pathway compliant cloud. There are several steps that are really, you know, a suggestion from our end, which means obviously the adoption of cloud, we recognize that, you know, a necessary step nowadays. It's a sort of business in parity, right. And actually it is also, you know, contributing to, you know, speed up processes, is allowing to work with big data, is really facilitating to have cooperation between the, you know, several geographical remote sites, especially in clinical trials, for example. So therefore in any case the cloud adoption is an enabler, right, for many aspects. But nevertheless that should be a clear path to make sure that all the regulatory requirements are being transmitted, for the portion that is interesting, the vendor, right. And then actually we're getting from the vendor the necessary documentation, the necessary awareness and whatever. This is not in place, we need to contribute and try to build, you know, really an understanding of, you know, the needs of the company.

And so we mentioned then outed vendors to the vendor, so the audit can be customized not depending on the nature of the service. Depending we are auditing a SaaS vendor or even we are, you know, doing some PaaS sort of contract with the vendor. You know, depending very much on the deployment model, we may customize a checklist, right, to investigate aspects of data management or software development life cycle, in general security and infrastructure aspects. Security and cyber security, which is, you know, a necessary step to go through nowadays.

And the complexity sometimes shows, it is really going through several layers, right. So this picture is trying to represent how the requirements from the regulatory authorities are being pushed to the company and then through, you know, an SLA to the, for example, SaaS provider, right. That in many cases, being in this case a public multi-tenant, for example. So to provision has in the most cases a cloud vendors, a cloud there is another entity, so typically we have AWS or Microsoft Azure that are providing the lower layer infrastructure. And so we need really to clarify how our, you know, provider is transmitting, right, the requirements with the cloud vendors, so are they doing any evaluation, are they doing audits themselves, right. So that's pretty much quite a complex situation that can be different from time to time.

And this is, you know, also completing a bit the view of understanding how complex can be a situation where basically you are the regulated company, up there. So responsible for the data, right, and user authorizations, data integrity, authentication mechanism and such things, and then you have somebody who is responsible for the security in the cloud. So we're talking about data, network traffic and in general platform and application, identity and access management, right, down to the operating system layer. And as we said before, there is a third provider. So the provider that is responsible for the low-level equipment and technologies, which is really the virtualization platforms down there.

And they are responsible for the security of the cloud, okay. So this is really a very, I would say, interesting view of how these responsibilities are being put in relation, and this should be clear, right, to any regulated company.

We have mentioned contractual agreements; actually this is a must, this is a requirement. We are mentioning here a couple of pieces of regulations, so whenever you outsource you need to have in place contract agreements between the regulated users of the company and the cloud provider, so the contracted agreement is not just, you know, SLA, so technical KPIs. But you need to insert also and transmit properly what are the elements of, you know, regulations that are being passed on to the cloud vendor, right, in terms of quality, in terms of processes, in terms of compliance, and that's something that it is really recommended to have and should be very clear.

So getting to the conclusion of today's presentation. So we may say that the adoption of cloud-based services in the GxP environment is a wise choice among several choices, if there are other choices that can be compared. And it's the only way of making the best of technologies like artificial intelligence and capability of analyzing big data and taking advantage of the hyper connectivity of IoT or IIoT, so industrial, in the field of industry, right, and production. So then we have recommended that the cloud service needs to be analyzed with respect to risk for the patient safety, product quality and data integrity. And cloud service providers need to be instructed and prepared in case of, you know, audits and inspection to be cooperative, right, and to be helping the company. And didn't take the elements must be part of the contract agreements between the company and the cloud provider, and in any case we think that due to the variety of the scenarios and technologies out there, I think a company may really take decision based on risk and choose the best deployment model for the specific need, in the specific application. Just to close out this presentation. So thank you very much for your attention. And thank you Dario, it's all yours.

2021-10-05
