SHARE:
GxP in the AWS cloud: The compliance and
efficiency benefits of rethinking regulated workloads
2
Highly-regulated corners of the biopharma industry
were initially wary of the cloud. Faced with a lack
of regulatory clarity and possessing understandable
caution, companies stuck with systems they knew.
That is no longer the case. Now, companies know the
Amazon Web Services (AWS) cloud meets their needs
and those of regulators. This shift has unleashed a
model that is enabling companies to achieve more
control with less effort by fundamentally transforming
compliance practices.
The initial reticence of companies to run regulated
workloads in the cloud reflects the importance and
scrutiny of these tasks. Errors in a system handling
unregulated workloads affect the internal operation
of the company. The fallout from such disruption,
while undesirable, is typically isolated. Errors in
a system handling regulated workloads affect the
regulatory status of the company and potentially
patient safety. These are the sorts of issues that have
major, long-term consequences.
Companies commit considerable time and resources
to avoiding such issues. Compliance with the good
laboratory, clinical and manufacturing practices (GxP)
regulators enforce to protect patient safety is central to
these efforts. GxP ensures the integrity, reproducibility
and traceability of data companies generate while
developing, testing and producing drugs.
Each set of good practices is built on a core concept:
If it isn't documented it didn't happen.
Following this maxim necessitates the validation—
and accompanying documentation—of computer
systems to ensure they are accurate, reliable and
consistently perform as intended. The validation
must also show if records have been altered or are
otherwise invalid.
HOW THE CLOUD IMPROVES COMPLIANCE
Today's on-premise GxP systems operate in the
physical realm. Data comes into receiving docks, is
unpacked and moved on to data centers. Companies
can audit the sites and ser vers they use to show
compliance with GxP.
T h e s e m a nu a l c o mp l i a n c e c h e c k s h ap p e n at
dist inc t p oints in t ime. This a l lows a comp any
to show auditors its system was compliant at a
p ar t ic u lar t ime on a cer t ain day. Howe ver, t he
c o mp a ny c a n n o t s h ow c o mp l i a n c e a f t e r t h at
point. A void in the company's knowledge of the
st atus of t he system b eg ins once t he va lidat ion
is p er for me d. The void on ly ends af ter anot her
manua l compliance che ck is p er for me d. In t he
t i m e b e t w e e n c h e c k s , s y s t e m s c a n d r i f t aw ay
f rom t heir compliant st ates unnot ice d.
The problem is compounded by the level of effort
required to manually validate systems. This is a
labor-intensive task. The upshot is increasing the
frequency of point-in-time checks to shorten the
drift window would require more resources.
Cloud GxP systems can fix some of these problems.
The cloud is a virtual, software-defined realm. Code
is the infrastructure. In this realm, companies can
automate and script checks and controls rather than
task employees with periodically validating and
monitoring their systems. The result is a move from