By Oisín Curran, CEO at Compliant Cloud and Odyssey VC

In almost every conversation we have with customers these days, regardless of whether they are in the regulated Life Science sector or not, there is a clear IT strategy driven from senior management that is ‘cloud first’. In many cases these are throw-away statements made by management functions who perceive the move to cloud as the silver bullet for managing the IT and data challenges that lie in front of them.

Moving to cloud can be perceived to eliminate some of the basic problems of traditional on-premise installs such as (and not limited to, of course!) the following:

- Datacentre build & maintenance is too costly. We don’t want to own datacentres anymore – we want to focus on our core business of making product X or delivering service Y
- We need to cut our headcount. Buying XaaS can reduce headcount and operating costs
- We need to cut our operating costs for application ownership
- Reduce the number of SLAs with 3rd party vendors

While the above makes sense, senior management should be aware that moving to the cloud creates new costs and headcount challenges and, in the case of Life Sciences, introduces potentially significant risks. Gartner©, in their Hype Cycle for Software as a Service[1], state that SaaS can be a challenge in that ‘IT operational challenges, risks, support service model, and gaps in controls stand in the way of enterprises fully exploiting the potential of SaaS.’ Because of these unknowns, businesses should define a cloud service strategy that fits the overarching company business strategy before making any IT decisions related to XaaS.

Life Science organisations have to pay particular attention to the new and untested risks introduced by moving to the cloud. This is evident in the fact that regulatory bodies can only consider XaaS an ‘Outsourced Activity’, which comes under the associated regulations governing same. The regulatory expectations are clear in these cases and mandate the following (with a specific focus on Eudralex):

1. There must be written contracts:

a. With clear responsibilities, communication processes, technical aspects including who undertakes each step of the outsourced activity

2. The Contract giver must:

a. Include control and review of any outsourced activities in their quality system

b. Monitor and review performance of contract acceptor

3. The Contract Acceptor must:

a. Be able to carry out the outsourced activity satisfactorily

b. Not subcontract to a third party without prior approval

c. Not make unauthorised changes

d. Be available for inspection

1. Looking for validated XaaS creates a significant supply & demand pressure on existing compliance service providers

a. Software vendors generally do not have expertise in compliance. By pushing this responsibility onto them, there are likely to be shortfalls in the quality and compliance side of the delivery. Gartner© notes[1] that regulated companies should:

i. Beware of vendors that claim to have a validated environment

ii. Partner only with companies that are transparent, open for audits, and committed to compliance

2. An ISO certification is not evidence of a Life Science Quality Management System (QMS)

a. Remember the regulators consider this an outsourced activity, so the regulated company must ensure the ability of the vendor to deliver the service in line with regulatory expectations.

b. This requires the vendor to have a clear and demonstrable QMS and also, critically, requires a level of integration with the customer QMS processes. This highlights the Gartner© recommendations to partner only with those providers with a demonstrated expertise in this vertical.

3. Risk is a subjective term – Make sure you’re clear with your supplier

a. Remember the regulatory focus on Data Integrity. This requires a clear understanding of the risks to data integrity from the XaaS vendor and should be a guiding principle in their application design.

b. Change management should have a clear callout of risk to data integrity, e.g. ALCOA+ risks, and not just reference business risk, e.g. up-time and availability.

All considered, we are at a very exciting time in the evolution of cloud-based services in the Life Sciences sector. We are seeing more and more cloud-native application options that bring significant operational benefits in terms of cost, data mobility and integration. At the end of the day, suppliers in the Life Science vertical need to be hyper-sensitive to the regulated business need to ensure Patient Safety, Product Quality & Data Integrity. By aligning ourselves with the business drivers of the regulated business, we are best placed to play our part in delivering tomorrow’s health solutions.

[1] Hype Cycle for Software as a Service, 2018, Published: 31 July 2018, ID: G0036079