Each enterprise system in pharma and healthcare needs to be validated and controlled as per GxP guidelines such as 21 CFR Part 210, 211, 11. These guidelines require healthcare companies to provide documented evidence on the assurance and validation procedures carried out on their various systems to regulatory bodies such as FDA on a regular basis.

The validation of cloud platforms must be done at several levels – system level, application level and infrastructure level.

These activities must therefore be planned, specified, built/ configured, verified against the specification, and ultimately reported. By adopting a holistic approach, healthcare companies can ensure that the various pieces of their cloud platform consistently meet quality benchmarks and are compliant to regulatory standards. A holistic validation strategy will enable companies to save time and cost, while also preserving data integrity and ensuring a stable, scalable cloud environment.

Who Does What in the Cloud Services Ecosystem

Why is Cloud Validation Essential?

Regulatory Compliance: There is a need to qualify the infrastructure and validate the applications hosted over the cloud to achieve compliance.

Scalability: Scaling up or scaling down the computing resources with ever-changing industry demands is very important.

Security: It is vital to ensure that security features are enabled and validated to protect the data on the private cloud.

Cloud vendor’s responsibilities include providing the basic infrastructures (hardware, networking, storage, servers and the virtualization) and making sure that the infrastructure is up and running for various environments like Development, Test/QA, Pre-Production and Production. Though Cloud vendors provide the infrastructure and perform certain tests, it will not be sufficient to meet FDA compliance.

Platform vendor ensures Middleware and data are configured/built and applications are running seamlessly just above the operating systems.

System Integrators (SI) vendors customize the platform or applications, qualify the infrastructure and validate the applications hosted over the cloud. They also make sure that the applications over infrastructure cloud is functioning as per the business need of customer.

It is at the system integration stage that the cloud gets validated thoroughly as per regulatory standards.

An Efficient Approach to Qualifying Cloud Infrastructure and Application

Since there are several players involved in the cloud services ecosystem, the challenge currently is that the roles and responsibilities of these various players are not clearly defined.

As a result, several important steps in the validation process are not carried out which can po-tentially result in major regulatory non-compliance.

An effective validation approach calls for clearly defined boundaries between the various stakeholders to ensure that all the steps are carried out in a smooth and methodical manner. 

Define Cloud

Classification of the system based on GxP systems should be the first step in the validation process. The classification should be based on these categories:

•  Infrastructure software as Category 1. Most of the cloud-related software (eg: AWS etc.,) belong to this category
•  Non-configured software as Category3 
• Configured software as Category4 
• Custom software as Category 5

Authoring the hardware and software specification should be a combined responsibility between cloud vendor and platform/application vendor. The cloud qualifi- cation of the data center and hardware are to meet the hardware and software specifications. The configuration management of the software applications, tools, and Operating System (OS) images are critical and should be a shared responsibility between cloud vendor and SI. 

The qualification plan strategizes and controls the qualification of infrastructure provided by cloud vendor. This should list the entire set of infrastructure-related deliverables with RACI matrix which shows the responsibility of each stakeholder towards the infrastructure qualification. On the other hand, separate Validation Master Plan should be created to control the validation of the application installed on the cloud.

Qualify Cloud

Using the hardware and software specification, the Installation Qualification Protocol which contains the checklist of hardware and software installation scripts can be developed. The IQ execution to qualify the installation should be conducted. Qualification summary report will list the entire installations of scripts and the execution status to ensure that the qualification is achieved as per the qualification plan.

Define Application

After the qualification of infrastructure, SI team should create the User Requirements Specification (URS) and Architecture Design as part of the Define Application Phase. System description and the validation strategy should be well-documented in Validation Master Plan. Also, schedule, list of validation deliverables, RACI matrix, and handover approach should be documented in the Validation Master Plan.

Validate & Deploy

Application IQ, OQ and PQ should be conducted against the specifications and the objective evidences to fulfil the FDA requirement should be captured. A review to ensure that the evidences are sufficient, neat and legible should be carried out. Trace Matrix should be updated right from Define Application phase till Deploy to make sure that the traceability is maintained all across.

Validation summary report sign-off will allow the system go-live. And, at this point, we should have the post Go-Live Standard Operating Procedures (SOP) in place to maintain the validated state of the applications hosted over the cloud.

Key Benefits of the Approach

•  Compliance to regulatory standards, leading to quicker time to market 
•  Well-defined boundaries between various stakeholders to meet validation end goals 
• Complete validation of both, cloud infrastructure and applications
•  Effective and secure access to the application and personal data for patients 
• Post launch, maintenance of thoroughly validated cloud systems via very well-defined SOPs. This enables such systems to be audit-ready on all occasions

Hosting an application on cloud in a regulated environment is a complex, multi-vendor engagement. Using a holistic approach, cloud vendors and companies can ensure they are meeting all their validation requirements with respect to GAMP5 and the validation package is developed and executed seamlessly.

Documents and Artifacts Produced as Part of Validation

These are the typical sets of documentations required to be compliant with the FDA requirements for Infrastructure Qualification and Application Validation.

Deliverables list for infrastructure qualification

• Qualification Plan
• Hardware and Software Specifi- cation (URS etc)
• IQ Protocol, IQ Hardware Checklist and IQ Scripts, IQ Summary Report
• Configuration Management – for Patch Upgrade Installation
• Qualification Summary Report

Deliverables list for application validation

•  Regulatory Classification of System as GAMP5
• User Requirements Specification
•  Functional Risk Assessment
•  Validation Master Plan
• Architecture and Design
• System Testing – Operational Qualification
•  UAT – Performance Qualification
•  Validation Summary Report
• Traceability Matrix
•  Post-go-live Standard Operating Procedures on
•  Incident/Change Management
•  Release Management
•  Application Monitoring and Performance
•  Disaster Recovery o Business Continuity Management
  

Subhash Joshi is a Principal Consultant for healthcare at Wipro’s EngineeringNXT Services division. He has over 20 years of experience in Medical Devices, Pharma and Hi-Tech Industries. Currently, his focus is on driving Wipro’s engineering services business in the pharmaceutical industry.

Arivu Arockia Rajesh has about 11 years of experience in the healthcare Industry. He had predominantly worked for various large pharma customers as a Quality Practitioner, Validation Lead, and Documentation Consultant. Rajesh’s current assignment involves validation consultancy for a major North American pharmaceutical conglomerate.