In a previous blog we talked about how small- to medium-sized businesses were readily adopting cloud informatics systems (LIMS, ELN, SDMS) while large businesses were moving more slowly in this direction. We did not discuss whether businesses in regulated industries, which need to validate their informatics systems, are able to adopt cloud-based informatics systems. The short answer is yes! Regulated companies can utilize and validate cloud informatics systems. However, how you approach validating these systems and who performs the validation activities will differ from Computer Systems Validation (CSV) for client/server and/or PC systems.
Before delving into the ins and outs of cloud informatics system validation, it is important to differentiate between systems running within public versus private clouds. A public cloud is a single- or multi-tenant cloud computing environment hosted outside of your firewall, whereas a private cloud is a single-tenant cloud computing environment hosted within your firewall. You can validate an informatics system in either a public or private cloud, but we will be focusing on how to validate a single-tenant public cloud informatics system since it can be somewhat less complicated than a multi-tenant public cloud system.
The ultimate goal of your validation effort is to be able to prove to an auditor that the entire system was installed correctly, is being operated correctly, is performing correctly for its intended use to meet the user requirements, and the environment is being properly maintained with all changes being documented and thoroughly tested. Therefore, the validation of your informatics system that’s operating in a GxP/FDA regulated environment, whether in the cloud or not, needs to address:
The main difference between validation of non-cloud and cloud-based informatics systems will be who is responsible for documenting and performing the validation activities. For the aspects of the validation not being done by your organization, you will need to perform your due diligence and audit the responsible entity to ensure total compliance. It is critical that your validation approach, responsible party matrix, auditing process, and risk analysis be clearly captured within your Validation Master Plan.
One part of your cloud validation effort will be to qualify the infrastructure, which includes the hardware and the operating environment that the informatics system will be running on. You will need to determine who is actually providing and supporting these elements. It is possible that the vendor of the single-tenant public cloud informatics system is the provider, but many will have subcontracted the infrastructure provision and support to a third-party cloud services provider. Assuming the infrastructure is being provided by a third-party cloud services provider (Amazon Web Services, etc.), you will need to ensure that the proper documentation, environment access control, training records, processes and procedures (e.g., backup and disaster recovery), and proof of testing are in place for the infrastructure. The best way to do this is to perform an audit of this provider to check and verify their documentation, procedures, and records.
Moving on to the validation of the single-tenant public cloud informatics software itself, you will need to start, as with any validation effort, with documenting your user requirements. With this in hand and with knowledge of the informatics system, a risk-based assessment should be performed to determine the breadth and depth of testing that will be required. It is possible that the single-tenant public cloud informatics system will satisfy all your needs with an out-of-the-box system. In this case, you will be able to heavily leverage the Functional Testing (i.e. OQ) that the cloud vendor would have performed. You can easily access this information during the audit that you will need to perform on the cloud informatics vendor. During the audit, you will also need to review and verify their Software Development Life Cycle (SDLC) documentation and training records, as well as their processes and procedures, including how they will perform and test any updates.
It is likely that you will need to configure and perhaps even customize the single-tenant public cloud informatics system to satisfy your specific needs. The good news is that with a single-tenant public cloud solution, there should be no impediment for you to adapt the system to fit your needs. If this is the case, Requirements Testing (i.e. PQ) of the appropriate level, as dictated by your risk assessment results and plan, will need to be performed. It will be important to determine whether you or the cloud informatics system provider will be performing the initial validation and who will be performing any incremental validations needed going forward.
Are you currently utilizing a cloud informatics (LIMS, ELN, CDS, SDMS) solution? If so, are you utilizing a single-tenant public cloud system? If you are in a regulated environment, have you properly validated your system? How did you determine and track the responsible parties for all the necessary validation activities? Did you conduct a thorough vendor audit?