Presenta<on to EMA GCP IWG. Cloud Services - A Framework for Adop<on in the Regulated Life Sciences Industry. Agenda item

#PhUSE  

Cloud  Services  -­‐  A  Framework  for  Adop<on  in  the  Regulated  Life  Sciences  Industry    -­‐  Slide  1  

Presenta<on  to  EMA  GCP  IWG  

 

Cloud  Services  -­‐    

A  Framework  for  Adop<on  in  the  

Regulated  Life  Sciences  Industry    

 

30  November  2015  

 

Tony  Hewer  -­‐  Senior  Quality  &  

Regulatory  Affairs  Director,  

Medidata  Solu<ons  Inc  

 

Stephen  Bamford  –  EU  Events  

Director,  PhUSE  

Formed  in  2004  

>6000  members  worldwide  

Not-­‐for-­‐profit  organiza<on  

Cross-­‐industry  WGs  

Stakeholders  with  FDA,  EMA  &  PMDA  

phuse.eu  

Agenda  

• 

_History  

• 

_{Topic  Background}  

• 

_{Your  ques<ons}  

• 

_{Where  we’re  at  with  our  framework}  

• 

_{Next  steps}  

#PhUSE  

Cloud  Services  -­‐  A  Framework  for  Adop<on  in  the  Regulated  Life  Sciences  Industry    -­‐  Slide  3  

Background  

• 

_{Q3-­‐2013:  PhUSE  engaged  by  PRISME}  

• 

_{2013/2014:  Team  forma<on,  brainstorming,}  

case-­‐studies  -­‐>  framework  concept  

• 

_{Q1-­‐2014:  Test  concept;  CSS  in  MD}  

• 

_{2014/2015:  Team  consolida<on,  framework}  

content  refinement  

• 

_{Q4-­‐2015:  New  “published”  framework}  

• 

_{>2015:  Itera<ve  development}  

Issues  (?)  iden<fied  

• 

NOT  technology  

• 

Evolu<on  of  approaches,  terminology,  understanding,  jargon  

• 

A  percep<on  of  diversified  controls,  roles  and  responsibili<es  –  

client,  supplier,  sub-­‐suppliers  à  more  complex  “IT  supply  chains”  

• 

Absence  of  standards  [applicable  for  GxP]  

• 

SIMT  apps  

• 

QMS  fitness  for  purpose  

• 

Brings  long-­‐standing  issues  to  the  fore…privacy,  legacy  

architectures,  [truly]  interna<onalized  solu<ons  

#PhUSE  

Cloud  Services  -­‐  A  Framework  for  Adop<on  in  the  Regulated  Life  Sciences  Industry    -­‐  Slide  5  

Framework  Tenets  

• 

_{Living  framework  document  –  wiki-­‐like}  

• 

Technology  has  –  and  will  –  change  rapidly;  

Life  Science  companies  changing  too;  synergy!  

• 

Bake  in  flexibility  and  technology-­‐neutrality  to  

processes  –  get  things  right  at  policy  level  

• 

_{Leverage  NIST  and  ISO  –  no  need  to  reinvent}  

• 

_{Embrace  cloud  to  stay/become  innova<ve  in}  

         Background  –  Technology  Evolu<on  

W

HY

 

2000-­‐2010  

2010-­‐2020  

1990-­‐2000  

1980-­‐1990  

W

HE

RE

 

Dedicated  

On  Prem  

Hosted  /  

_Portals  

Apps  

HO

 

Specialists  

Key    

All  

Everyone  

MAI

N

FRAME

 E

RA  

CL

IE

N

T/

SE

RV

ER  

ERA  

IN

TE

RN

ET

 E

RA  

CL

O

U

D

 E

RA  

Need  

Speed  

Convenience  

Produc<vity  

Computerized  Systems  Used    

in  Clinical  Inves7ga7ons  

21CFRpart11  

Annex  11  

General  Principles  of  SoBware  Valida7on;  Final  

Guidance  for  Industry  and  FDA  Staff  

CGMP  Applicability  To    

Hardware  and  SoBware  

Electronic  Source  Data  in    

Clinical  Inves7ga7ons  

#PhUSE  

Cloud  Services  -­‐  A  Framework  for  Adop<on  in  the  Regulated  Life  Sciences  Industry    -­‐  Slide  7  

Stylized  EDC/CTMS  (etc)  Cloud  setup  

7  

SaaS  –  Web  Apps  

Facili<es  

Networks  

Compute  &  Data  Storage  

Hypervisor  -­‐  V  

OS’s  

Solu<on  Stack  

Mul<ple,  connected,  resilient  

SaaS/PaaS  –  configurable  recipes  

PaaS  –  standardized/programmable  

IaaS  –  standardized/programmable  

IaaS  –  commodi<zed  

IaaS  –  commodi<zed  

Internet  

“Users”  

Various  apps  of  various  architecture  

_SaaS  

&  

PaaS  

IaaS  

G1  

G4/5  

G1/5  

G4/5  

G1/3  

G1  

G1  

4  Key  Roles  

• 

Cloud  Service  Customer:  In  the  context  of  GxP,  these  are  generally  the  organiza<ons  or  

en<<es  that  purchase/use  the  cloud  services  to  support  their  GxP-­‐regulated  ac<vi<es.  They    

are  generally  billed  for  the  cloud  services  they  consume,  and  depending  on  the  services  

requested  (IaaS,  PaaS,  SaaS),  their  ac<vi<es,  use  cases  and  GxP  requirements  may  vary.    

• 

Cloud  Service  Provider:  Organiza<ons  or  en<<es  responsible  for  providing  cloud  services  to  

customers.    The  ac<vi<es  that  the  cloud  providers  perform  will  vary  depending  on  their  

par<cular  service  offerings  and  can  include  building,  deploying,  opera<ng  and  maintaining  

the  cloud  apps,  infrastructure  and  associated  service  layers.    

• 

Cloud  Service  Broker:  These  are  the  organiza<ons  or  en<<es  that  manage  the  configura<on,  

delivery  and  use  of  cloud  services  on  behalf  of  the  cloud  customer.    For  example,  cloud  

managers  may  perform  infrastructure  change  control  ac<vi<es  on  the  infrastructure  built  

using  general  purpose,  commercial  cloud  services.    

• 

Cloud  Auditor:    A  cloud  auditor  is  a  party  that  is  qualified  to  conduct  assessments  of  the  

cloud  provider  and  the  cloud  infrastructure  underlying  the  IaaS,  PaaS,  SaaS  services.    The  

auditor  may  be  an  independent  third  party  such  as  a  third  party  assessment  organiza<on  

(3PAO)  or  can  also  be  a  member  of  the  consumer,  provider  or  manager  organiza<on.  

#PhUSE  

Cloud  Services  -­‐  A  Framework  for  Adop<on  in  the  Regulated  Life  Sciences  Industry    -­‐  Slide  9  

Cloud  “Supply  Chains”  

Cloud  Service  Customer  

Cloud  Service  Provider  (PaaS/SaaS)  

Cloud  Service  Provider  (IaaS)  

Cloud  Service  Broker  

Cloud  Service  Auditor  

Cloud  Service  Provider  (IaaS)  

Cloud  Service  Provider  (PaaS/SaaS)  

Cloud  Service  Broker  

Cloud  “Supply  Chains”  

Cloud  Service  Customer  

Cloud  Service  Provider  (PaaS/SaaS)  

Cloud  Service  Provider  (IaaS)  

Cloud  Service  Broker  

Cloud  Service  Auditor  

Cloud  Service  Provider  (IaaS)  

Cloud  Service  Provider  (PaaS/SaaS)  

Cloud  Service  Broker  

#PhUSE  

Cloud  Services  -­‐  A  Framework  for  Adop<on  in  the  Regulated  Life  Sciences  Industry    -­‐  Slide  11  

Cloud  “Supply  Chains”  

Cloud  Service  Customer  

Cloud  Service  Provider  (PaaS/SaaS)  

Cloud  Service  Provider  (IaaS)  

Cloud  Service  Broker  

Cloud  Service  Auditor  

Cloud  Service  Provider  (IaaS)  

Cloud  Service  Provider  (PaaS/SaaS)  

Cloud  Service  Broker  

Ques<ons  posed  -­‐  1  

1.  Who  owns  the  data  when  stored  on  vendor’s  servers?      

–

 

Fundamentally,  the  Cloud  Service  Customer.  

2.  What  is  the  autude  to  server  farms  loca<on  and  sharing  of  par<<oned  

server  with  other  clients?    

–

 

Loca<ons  are  various.    Data  storage  is,  typically,  detached  from  compute  

servers.    Clients/studies  are  logically  segmented.  

3.  What  considera<ons  are  given  to  data  protec<on  in  the  countries  where  

servers  may  be  located?  

–

 

Hot  topic  re.  Safe  Harbor  invalida<on.  

–

 

Addressable  via  Cloud  Service  Customer/Broker/Provider  contracts.  

4.  How  should  the  cloud  data  be  protected  from  unauthorised  access?  

–

 

Security  controls  and  access  regimes  by  Cloud  Service  Customers,  Broker  and  

#PhUSE  

Cloud  Services  -­‐  A  Framework  for  Adop<on  in  the  Regulated  Life  Sciences  Industry    -­‐  Slide  13  

Ques<ons  posed  -­‐  2  

5.  What  considera<on  is  given  to  back  up  and  restora<on?    What  are  the  

minimum  expecta<ons  for  this?  

–

 

Cloud  Service  Providers  are  highly  geared  to  provide  for  data  resilience  to  

support  the  requirements  of  [other]  Cloud  Service  Providers,  Cloud  Service  

Brokers  and  Cloud  Service  Customers.  

6.  What  are  essen<al  components  for  considera<on  in  contracts  with  a  

cloud  service  provider?    

–

 

Data  ownership  

–

 

Clarity  of  roles  and  responsibili<es

 

–

 

Ongoing,  opera<onal  due-­‐diligence  by  Cloud  Service  Customer/Broker  of  

Cloud  Service  Brokers/Providers  along  supply  chain.  

–

 

SLAs.  

Ques<ons  posed  -­‐  3  

7.  What  risks  do  you  believe  there  are  in  using  cloud?  

–

 

See  earlier  slide;  not  technology  –  more  about  mindset  and  QS  robustness  and  

fitness.  

8.  How  is  it  guaranteed  that  documents  and  data  stored  in  the  cloud  are  

archived  and  ready  for  inspec<on  for  at  least  25  years  aver  the  end  of  

the  clinical  trial  (as  required  by  ar<cle  58  of  the  European  Clinical  Trial  

Regula<on)?    

–

 

Focus  must  be  on  con<nued  informa<on  accessibility  and  durability.      

–

 

Cloud  Service  Providers  can  facilitate.    

9.  How  can  

sponsors

 audit  cloud  solu<ons?

 

–

 

Define  and  “audit”  along  the  supply  chain.  

10.  What  

about  change  control?  

–

 

Obviously  important;  change  tends  to  increase  down  the  technology  stack.    

#PhUSE  

Cloud  Services  -­‐  A  Framework  for  Adop<on  in  the  Regulated  Life  Sciences  Industry    -­‐  Slide  15  

Our  Framework  

• 

Presently  formed  as  a  “guidance  document”  

• 

Focused  on  

– 

“cloud”  as  a  technology  evolu<on  

• 

What’ll  be  the  next  era  –  IoT?  

– 

IaaS,  PaaS  and  SaaS  construct  

– 

Customer/Broker/Provider/Audit  construct  

– 

Facilita<ng  compliance  with  GxP  predicate  rules  etc  

– 

States  of  control  

• 

A  vehicle  for  changing  approaches  around  

– 

Organiza<on  and  En<ty  Interac7ons  

– 

QS’s  

Our  Framework  

• 

Acknowledgements      

• 

Background/Introduc<on      

• 

Execu<ve  Summary      

• 

Cloud  Services  –  An  Introduc<on  

– 

Essen<al  Characteris<cs  of  Cloud  Services  

– 

Cloud  Service  Models  in  the  Tradi<onal  

GxP  Computerized  System  Context  

– 

IT  Supply  Chain  in  the  Cloud  Era  

• 

GxP  Considera<ons  for  Cloud  Service  

Customers  and  Cloud  Service  Brokers  

– 

SDLC  Policy  -­‐  Cloud  Specific  Guidance  

– 

Supplier  Management  Policies  

– 

Informa<on  Risk  Management,  Privacy  

and  Data  Protec<on  Policies  

– 

Cloud  Security  

• 

Glossary  

• 

Appendices  

– 

Quality  Responsibili<es  Matrix  

– 

Quality  Agreement  Considera<ons  

– 

System  Security  Plan  Example  

• 

References  

1

Cloud

Serv

ices

A Framework for Ado ption in th e Regula ted Life Sc iences In dustry Last Upda te: 13 -Oct-2015 This docu ment has been develop ed by the Pharmac eutical Us er Softwar e Exchan ge (PhUSE ) Working G roup on C loud Adop tion and is subject to ongoing co nsultation and feed back from all relevant s takeholders . You may submit com ments and suggestions regarding

this document to avid@ nnit.com (And ers Vidstrup, NNIT A/S) and/or thew [email protected] om (Tony He wer, Medida ta Solution s Inc.). Pharmac eutical Us er Softwa re Exchan ge Cloud Ad option Wo rking Gro up

#PhUSE  

Cloud  Services  -­‐  A  Framework  for  Adop<on  in  the  Regulated  Life  Sciences  Industry    -­‐  Slide  17  

Next  Steps  

• 

_{More  socializa<on}  

• 

_{Progress  [Wiki]  publica<on  [by  PhUSE]}  

• 

_{Ongoing,  itera<ve  refinement  and  expansion}  

• 

_{Open  collabora<on/view-­‐sharing}  

• 

_{Deeper  dive  follow-­‐on?}  

Thank  you  for  your  aOenPon  

 

#PhUSE  

Cloud  Services  -­‐  A  Framework  for  Adop<on  in  the  Regulated  Life  Sciences  Industry    -­‐  Slide  19  

Benefits  

• 

_Scalability  

• 

On-­‐demand  usage  -­‐  >  Fixed  cost  reduc<on  

• 

Fault  tolerance  

• 

_{High  availability}  

• 

_{Commodi<za<on  of  compu<ng,  storage  and}  

networking  

• 

Speed  (of  deployment)  

Cloud-­‐based  Systems  in  Drug/Biologic  

Development  

Discovery  

Laboratory  /  

_Safety  

Clinical  /  

_Efficacy  

Manufacturing  

_{+  Distribu<on}  

_Marke<ng  

Post-­‐

GXP-­‐regulated  

>12  years  

Genomics   HPC  

Computa<onal  Chemistry   Lead  Compound  Selec<on  

Transla<onal  sciences   ELN   SDMS   LIMS   DWH  +  Analy<cs   CTMS   EDC/CDMS   Pharmacovigilance   Ethics  Commiyees   DWH  +  Analy<cs   ERP   MES   Supply  Chain   DWH  +  Analy<cs     Website  hos<ng   Social  media   Medical  affairs/PV   CRM   Outcomes  analysis   DWH  +  Analy<cs   GXP  Quality  Systems,  Document  &  Drawing  Management,  eSubmissions,  Recordkeeping  

#PhUSE  

Cloud  Services  -­‐  A  Framework  for  Adop<on  in  the  Regulated  Life  Sciences  Industry    -­‐  Slide  21  

Cloud-­‐based  Systems  +  Medical  Device/App  

Development  

Discovery  

Laboratory    /  

_Feasibility  

_Valida<on  

Clinical  /  

Manufacturing  

_{+  Distribu<on}  

_Marke<ng  

Post-­‐

GXP-­‐regulated  

<2  years  

Mechanism  of  ac<on   CAD  

Computa<on  Fluid   Dynamics   Finite  Element  Analysis  

CAD   ELN   DHF/PLM   Prototyping   Test  Suites   DWH  +  Analy<cs     CAD   CTMS   EDC/CDMS   DHF/PLM   Test  Suites   Ethics  Commiyees   DWH  +  Analy<cs   ERP   MES   DMR/PLM   Supply  Chain   DWH  +  Analy<cs     MDDS   CRM   Social  media   Medical  affairs   Outcomes  Analysis   DWH  +  Analy<cs   Quality  Systems,  Document  &  Drawing  Management,  Configura<on  Management,  eSubmissions,  Recordkeeping  

Human  User  

Interface  

Device  Controller  

Interface  

Instrument  Sensor  

Interface  

Laboratory,  Clinical,  or  Manufacturing  Process  

GxP  Applica<on  

GxP  Data  

Sovware-­‐defined  Infrastructure  

AWS  Account  

Manual  I/O  

Automated  

_I/O  

Automated  

_I/O  

Step  1  

Step  2  

Step  3  

Customers  

AWS