It’s a Friday afternoon. Quarter’s end. Your V.P. of Regulatory Affairs calls your office bellowing something about not being able to process the latest submission data- can’t access the system. Then more calls start coming in from the clinical department, Project Management, even off-site contractors, all complaining about the same thing. “The system is not available, I can’t access anything!”
A quick look and you see the thunderheads for yourself. Your data system has crashed. At this point you don’t know the cause. Could it be a hardware failure? Power? Natural Disaster? Or perhaps the ever-dreaded hack, denial of service (DoD)?
First things first, get the system up and running ASAP.
A Simpler (and More Effective) Way to Recover from a Disaster
Until recently, the only way to ensure a quick (relatively…) recovery was to duplicate all of your systems and implement a complex disaster recovery plan. Both of these require significant investments in equipment, software, and infrastructure, which is why many in the industry are beginning to look to the Cloud. Cloud-based systems have greatly advanced system recovery and business continuity in the face of an outage. Because cloud systems are hosted virtually, there’s no need to worry about the types of disastrous scenarios that disrupt on-premise services. If an Ethernet cable is cut, cloud-based systems are totally unaffected. If Internet service goes down, communication can be re-routed.
Simply put, recovery and continuity become a non-issue.
A cloud solution can be a very good architecture to pursue for recovery, and can provide other benefits as well. But what are the concerns?
A simple way to think of the cloud and architecture options:
The diagram may be an oversimplification, but the image above does a good job of illustrating the three options that a company has to consider when evaluating a cloud- based solution: public, private, or a hybrid approach. Each approach has its advantages and disadvantages, inclusive of validation considerations.
Underneath this, decisions around utilizing a cloud for Infrastructure (IaaS), Platform (PaaS) or Software (SaaS) or all of the above, is another consideration that may add confusion.
The Scary “V” Word
Validation – but what is the impact here? The main things to keep in mind are data (record) integrity, data availability, and data retention. And there is not a whole lot of difference in validation considerations between a traditional in-house validation and a hosted one. As in most cases, the devil is in the details.
Formal agreements (legal contracts) need to be in place to include clear statements of responsibility around the installation (set up) configuration, maintenance, availability, change control and backup/restore. An on-site audit should always be performed to aid in identifying and mitigating risk as well as directing your validation testing approach.
But a validation approach should cover the above items along with a clear and documented understanding of how patches and upgrades are applied along with schedules, and include a detailed exit plan should that need ever arise.
“Fine, should I do it?”
At the end of the day, there are many benefits to adopting a cloud approach. Savings in infrastructure, licensing and support costs are all obvious advantages, as is a much less likely disaster scenario. Secondarily, staying current with platform and application versions becomes easier, assuming your plan is well defined. Devices to access the system/data also become less of a concern and can help pave the way for the fast growing “BYOD” (bring your own device) approach.
But there is no silver bullet – some risks to keep in mind when making the determination to move to the Cloud are things such as vendor outages, limited control and flexibility. For example how and when upgrades and bug fixes get applied. Another consideration is implicit dependency, or “vendor lock-in”. But perhaps the most concerning is data security and privacy, and increased vulnerability to an internet attack. All these variables can be minimized with a well-thought-out master plan/agreement between you and your vendor.
June 10, 2015
If you are like the majority of those who have worked in the biotechnology and pharmaceutical industry for at least the last five years, your company has been part of a merger, acquisition or some...
April 9, 2014
Next week I’ll be in San Francisco conducting an ISPE training class on Risk Based Approach to GxP Process Control Systems. Attendees will include employees from a variety of regulated life cycle...
December 15, 2014
My last blog focused on the industry trends concerning cleaning validation verification. Through a quick poll we found that out of twenty-three respondents, approximately fifty (50) percent are doing...