Mike Irene, Vice President, IT Delivery,
PRA Health Sciences
A: When implementing cloud computing within a CRO, regulatory compliance, security, contractual commitments and service level expectations must be addressed within an increasingly complex technology landscape. CROs must adequately navigate and manage across a large number of providers, hosting facilities, and operating models. Considerations such as perimeter security, encryption and data privacy play a prominent role as information potentially becomes more vulnerable within public and private cloud topologies. Systems comply with local regulations and customers often stipulate specific countries where data must reside. When implementing cloud infrastructure, common data center services such as monitoring, backup, disaster recovery, and identity management must have coverage capable of supporting existing service level agreements. Existing Standard Operating Procedures (SOPs) and Work Instructions (WIs) need review and amendment as applicable to appropriately reference new cloud computing processes. Finally, product licensing restrictions and project accounting methods should be assessed to ensure all commercial considerations of cloud computing are fully understood.
Paul Labas, Director, IT Compliance and CSV,
IPS-Integrated Project Services, LLC
A: From sharing personal photos on Amazon Web Services to complex computations within NASA’s Nebula Cloud Computing Platform, there are certain concerns that are common to cloud computing models in every industry. Data protection, systems availability, adequate disaster recovery, network speeds and systems performance, change control — all of these considerations must be identified and addressed within every cloud service. In addition to the above, CROs and their clients are tasked with meeting complex regulations relevant to the use of computerized systems and electronic data within life sciences industries. These unique challenges include compliance with such regulations as FDA 21 CFR Part 11, computerized systems validation, vendor and sub-vendor management, long-term data retention and availability, etc. It is the system users and data owners, not the cloud services providers, who are ultimately responsible for regulatory compliance and data integrity. However, a compliant cloud ecosystem can only be established and maintained through definition, communication, documentation and fulfillment of specific responsibilities by all key players — regulated client organizations, CROs and the cloud providers.
Ramesh Subramanian, Ph.D., VP, Strategic Marketing and Global Head, Business Development,
Piramal Discovery Solutions
A: Challenges for installing cloud-based solutions include the time that is required to implement such a change, and potential reluctance from the client’s end. Customers may prefer traditional options of using emails, password-protected mechanisms, server-based tools, local proxy, etc. Generally clients feel that time-tested formats are more reliable, considering the fact that such business documents are very crucial, and they prefer having control of such tools for safekeeping, transfer and IP protection. For some, the comfort and convenience of using time-tested, existing models overrides the potential benefits of moving to new cloud systems. At times, IT policies at the clients’ end could be a hindrance — they usually have restrictions and aren’t flexible enough to provide access to cloud-based tools to their employees working on projects. This increases the turnaround time and lowers ease of use.
We at Piramal, though, have been fortunate enough to be engaged with customers who are willing to implement cloud computing and are proactive enough to initiate such system-level changes. We have been supporting companies globally with our development and manufacturing sites across regions connected to secure clouds. Once initiated by the client, our site teams promptly align themselves with the client’s cloud-based systems and use them regularly for regulatory needs and project planning purposes.
Justin Schroeder, Executive Director of Marketing, Business Development & Design,
PCI Pharma Services
A: As with any solution, security and risk management is paramount. Once the decision has been made to utilize a secure and robust cloud solution, much of the challenge can be the interactivity with various ERP systems, company-specific processes and industry vernacular. Each company or node in the supply chain operates differently, so sometimes applications can really take on a life of their own in the process of integrating supply chains. For example, a third-party cloud application developer may have already executed integration with your particular brand of ERP system, but in actuality the use of that ERP system from one company to another may vary considerably and be much more complex for integration, causing considerable scope creep and additional product development. Ensuring that there are enough resources and ownership from all parties in the execution of the integration is a critical step for success, so that all parties experience a seamless cloud solution integration.
Simon Lane, Vice President, Information Technology,
Altasciences Clinical Research
A: The challenges with cloud computing are closely related to the advantages it offers. It offers flexibility and agility, but these have still to be tempered by the traditional CRO requirements of data integrity and control. There may be a tendency to create a parallel IT, or to forgo the IT group completely due to the apparent simplicity of the offerings, but this could be a mistake. While the traditional IT group may not always be adapted to the cloud computing world, there are still some fundamentals that are required: security (confidentiality), interoperability and availability. These features or basics are readily available in most cloud offerings, but thought and process still have to be applied to the implementation of these essentials, and unfortunately — because of the ease of the initial setup of a SaaS offering — these are often overlooked until much later when they have become problematic. The challenge with cloud computing is therefore to ensure that the requisite discipline in structure and usage is maintained as it would be for a legacy application. The backend development may have been completed for the CRO, but the requirement for operational discipline has not gone away.
Ralf Liedke, IT Director Germany, Aesica
A: CDMOs need to evaluate the risk around their intellectual property that cloud computing imposes and ensure the security of the IP of their customers. Qualification and validation activities also need to be reviewed to ensure that they remain compliant. Within this, evaluation of both supplier and host is important, and solution suppliers need to be auditable. Cybersecurity is also vital to protect against external system attacks. Cloud computing does also increase demands on certain IT infrastructure; for example, there may be a requirement to enhance certain elements such as bandwidth if not already sufficient. Finally, disaster strategies will need to be reworked to incorporate cloud solutions, which will require more than just backup/restore procedures for internal servers. Redundancy of connection lines needs to be built in, as well as additional network availability to external sources.
Stefan Peterli, Ph.D., Vice President of Strategic Business Development,
Minafin S.P.R.L.
A: From a regulatory compliance point of view, we need to have access to our archived data 10 years back. Depending on the cloud partner, this can become difficult in the case of switching to a different host or when we would like to internalize the data.
For solutions such as Office 365, which is being gradually phased in, we experience bandwidth problems using the online application and local files. We therefore prefer to install the heavy client for every user locally to avoid too much dependence on a wide bandwidth.
When we use hosting in the cloud, we insist on servers located in Europe. In fact, for mail and domain controllers we use a private cloud solution located in France.