GxP Data Integrity for Cloud Apps: Part 1


About GxP requirements and its importance

GxP is a general abbreviation for the “Good Practice” quality guidelines and regulations. The “G” stands for Good and the “x” stands for various fields, including the pharmaceutical, life sciences, agricultural, clinical, laboratory, manufacturing and food industries.

GxP is a set of regulations and quality guidelines formulated to ensure the safety of life sciences products while maintaining the quality of processes throughout every stage of manufacturing, control, storage, and distribution. The GxP standards were established by the US Food and Drug Administration (FDA) for a range of compliance related activities. The purpose of the guidelines is to ensure that the regulated organizations comply with the standard processes of various functions.

The guidelines mainly focus on the following areas:

  • Traceability – ensuring that the development history of the product can be reverse
  • Accountability – Identifying the contribution of every individual involved in the development process.
  • Data Integrity – Ensuring the reliability of

Data integrity plays a vital role in GxP requirements. Data integrity is the maintenance of, and the assurance of, data accuracy and consistency over its entire life-cycle, and is a critical aspect of the design, implementation, and usage of any system that stores, processes, or retrieves data. According to the ALCOA principle, the data should have the following five qualities to maintain data integrity:

  • Attributable – each piece of data should be attributed to the person who generated it.
  • Legible
  • Contemporaneous
  • Original
  • Accurate

Significance of Cloud Service

The “cloud” refers to servers that are accessed over the Internet, and the software and databases that run on those servers. Cloud servers are located in data centers all over the world. By using cloud computing, users and companies do not have to manage physical servers themselves or run software applications on their own machines.

The cloud enables users to access the same files and applications from almost any device, because the computing and storage takes place on servers in a data center, instead of locally on the user device. This is why a user can log into their Instagram account on a new phone after their old phone breaks and still find their old account in place, with all their photos, videos, and conversation history. It works the same way with cloud email providers like Gmail or Microsoft Office 365, and with cloud storage providers like Dropbox or Google Drive.

For businesses, switching to cloud computing significantly reduces IT costs (operating and capital expenditures) and overhead: for instance, they no longer need to update and maintain their own servers, as the cloud vendor does this for them. This especially makes an impact for small businesses that may not have been able to afford their own internal infrastructure but can outsource their infrastructure needs affordably via the cloud. It also addresses the increasing demand for system availability and redundancy, the explosive growth in data volume, and the growing use of apps and other mobile interfaces in the professional workspace. More specifically, by adopting the cloud in a manufacturing context, bulky line terminals can be replaced and every device potentially becomes a process control interface, allowing real-time access to quality and production data anywhere at any time.

Cloud computing is possible because of a technology called virtualization. Virtualization allows for the creation of a simulated, digital-only “virtual” computer that behaves as if it were a physical computer with its own hardware. The technical term for such a computer is virtual machine. When properly implemented, virtual machines on the same host machine are sandboxed from one another, so they don’t interact with each other at all, and the files and applications from one virtual machine aren’t visible to the other virtual machines even though they’re on the same physical machine.

Virtual machines also make more efficient use of the hardware hosting them. By running many virtual machines at once, one server becomes many servers, and a data center becomes a whole host of data centers, able to serve many organizations. Thus, cloud providers can offer the use of their servers to far more customers at once than they would be able to otherwise, and they can do so at a low cost.

Even if individual servers go down, cloud servers in general should be always online and always available. Cloud vendors generally back up their services on multiple machines and across multiple regions.

Users access cloud services either through a browser or through an app, connecting to the cloud over the Internet – that is, through many interconnected networks – regardless of what device they’re using.

Types of Cloud Service Models

The following are the types of Cloud Service Models:

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

1. Infrastructure as a Service (IaaS)

IaaS is the most comprehensive and flexible type of cloud service available. An IaaS provider manages the physical end of the infrastructure (servers, data storage space, etc.) in a data center, but allows customers to fully customize those virtualized resources to suit their specific needs. With IaaS, the customer can purchase, install, configure, and manage any software they need to use, including things like operating systems, middleware, applications, business analytics, and development tools. IaaS is highly scalable: companies pay only for the infrastructure they use, allowing them to scale their computing resources as needed without having to build out additional capacity.

IaaS eliminates the capital expense of building up in-house infrastructure. It is an option for small companies and start-ups that do not have the resources to purchase the hardware and software needed to create their own network internally. It also takes the day-to-day burdens of managing computing infrastructure off the hands of IT departments, freeing them to focus on core business drivers instead of troubleshooting. Since the IaaS provider continuously updates their system with the latest software and update patches, it’s easier to get new programs and applications up and running. IaaS provides the latest in security protections and usually offers services like disaster recovery to go along with their uptime reliability SLAs.

Examples: Amazon Web Services (AWS), Microsoft Azure, Cisco Metacloud, Google Compute Engine (GCE).

2. Platform as a Service (PaaS)

PaaS provides the framework needed to build, test, deploy, manage, and update software products. It utilizes the same basic infrastructure as IaaS, but it also includes the operating systems, middleware, development tools, and database management systems needed to create software applications.

PaaS is extremely helpful for any company that develops software and web-based applications. Many of the tools needed to develop for multiple platforms (computers, mobile devices, browsers, etc.) can be quite expensive. By using PaaS, customers can access the development tools they need, when they need them, without having to purchase them outright. Since the platform is accessible over the internet, remote development teams can all access the same assets to speed up product development. Most PaaS tools provide extensive pre-coded applications built into the platform, which can greatly reduce coding time and help companies get their products to market faster.

Examples: Google App Engine, Microsoft Azure, AWS Elastic Beanstalk, Apache Stratos

3. Software as a Service (SaaS)

SaaS is the most familiar form of cloud computing. SaaS is a fully-developed software solution ready for purchase and use over the internet on a subscription basis. The SaaS provider manages the infrastructure, operating systems, middleware, and data necessary to deliver the program, ensuring that the software is available whenever and wherever customers need it. Many SaaS applications run directly through web browsers, eliminating the need for downloads or installations. This greatly reduces software management issues for internal IT teams and allows companies to streamline their operations with hybrid and multi-cloud deployments.

SaaS applications allow companies to get up and running very quickly as well as scale operations rapidly. There’s no need to purchase or deploy the hardware and software used to deliver their business services. Even sophisticated enterprise-level applications, such as customer relationship management (CRM) or enterprise resource planning (ERP) programs, can be easily accessed by the smallest organizations, providing them with tools that allow them to grow their businesses more effectively than ever.

Examples: Cisco WebEx, Google Apps, Microsoft Office 365, Salesforce

Types of Cloud Deployment

Cloud deployment describes the way a cloud platform is implemented, how it is hosted, and who has access to it. All cloud computing deployments operate on the same principle by virtualizing the computing power of servers into segmented, software-driven applications that provide processing and storage capabilities.

1. Public Cloud

Certain service providers provide both services and infrastructure, which are shared by all customers. Public clouds typically have massive amounts of available space, which translates into easy scalability. A public cloud is often recommended for software development and collaborative projects. Companies can design their applications to be portable, so that a project that’s tested in the public cloud can be moved to the private cloud for production. Most cloud providers package their computing resources as part of a service. Public cloud examples range from access to a completely virtualized infrastructure that provides little more than raw processing power and storage (Infrastructure as a Service, or IaaS) to specialized software programs that are easy to implement and use (Software as a Service, or SaaS).

Some public cloud examples include those offered by Amazon, Microsoft, or Google.

2. Private Cloud

Private clouds usually reside behind a firewall and are utilized by a single organization. A completely on-premises cloud may be the preferred solution for businesses with very tight regulatory requirements, though private clouds implemented through a colocation provider are gaining in popularity. Authorized users can access, utilize, and store data in the private cloud from anywhere, just like they could with a public cloud. The difference is that no one else can access or utilize those computing resources.

3. Hybrid Cloud

Hybrid clouds are the combination of public clouds with private clouds. They are designed to allow the two platforms to interact seamlessly, with data and applications moving smoothly from one to the other. It is the perfect solution for a business or organization that needs a little bit of both options, usually dependent upon industry and size.

4. Community Cloud

Although not as commonly used as the other three models, community clouds are a collaborative, multi-tenant platform used by several distinct organizations to share the same applications. The users are typically operating within the same industry or field and share common concerns in terms of security, compliance, and performance.

In essence, a community cloud is a private cloud that functions much like a public cloud. The platform itself is managed privately, either in a data center or on-premises. Authorized users are then segmented within that environment. These deployments are commonly used by government agencies, healthcare organizations, financial services firms, and other professional communities.

Significance of GxP application in Cloud Service environment

The traditional IT infrastructure of most clinical, pharmaceutical and life sciences organizations is not fully capable of meeting their complex and elaborate business challenges. It can take significant, sustained, and largely disruptive investment in new technologies and infrastructure to bring internal systems to the required security, performance, and compliance level.

At the same time, these organizations must do much more than just maintain the ordinary business-as-usual method of working. They must reduce costs and increase productivity and innovation against a backdrop of continually changing market conditions and regulatory requirements. This is the main reason that organisations choose to implement and adopt cloud hosting as a business strategy.

However, good practice quality guidelines (GxP) environments have their own unique requirements. There are very strict guidelines around application and system usage in key business functions, such as research and development, clinical trials, quality, and manufacturing, set by the FDA and other global regulators.

GxP-regulated organizations have to comply with many standards and regulations for using, storing and communicating data: FDA 21 CFR Part 11, the EU General Data Protection Regulation (GDPR), EU Eudralex Annex 11, the data integrity regulations of many countries, and so on. To comply with these regulatory standards, it is important to analyse and choose the right kind of cloud solution for the business, whether it is pharma, life sciences, clinical or any other field. This white paper will provide the necessary considerations related to cloud services in a GxP monitoring environment and the corresponding measures to ensure compliance.

One needs to consider the fact that full control is transferred from the customer’s organization to the Cloud Service Provider (CSP) or cloud vendor. In this setup, the service provider is responsible not only for maintaining the infrastructure, virtual machines, etc., but also for managing the application and the database where your critical data resides. The regulated organization will not have direct and full access to the software and hardware; it will have only functional access to the SaaS application via a web browser or, in certain cases, additionally via specific interfaces (APIs).

(To be continued in Part 2)

In Part 1, we covered the basic concepts of GxP requirements and the cloud implementation of computerised systems.

In Part 2, we shall look into the strategies to be adopted by organisations implementing cloud systems to comply with GxP requirements.