Life Sciences

GxP in the AWS Cloud


GxP in the AWS cloud: The compliance and efficiency benefits of rethinking regulated workloads

manual point-in-time validation to automated near-continuous compliance. This means the voids in compliance knowledge inherent in the old model are truncated. Cloud users can say with far more confidence that their systems are compliant right now. Furthermore, they can present documentation to auditors to support such confidence. Companies running GxP workloads in the cloud achieve this level of traceability while reducing the effort involved. Once created, automated services deliver consistent assessments of the system with minimal input and oversight. To simplify matters further, many of the services are based on pre-built cloud services.

MOVING GxP WORKLOADS TO THE CLOUD

Merck is among the companies to use pre-built cloud services to help move GxP workloads into the cloud. The Big Pharma started using the cloud for some of its unregulated workloads around five years ago but only started applying the model to parts of its business covered by GxPs two years ago. Merck has increased its use of the cloud to run GxP workloads gradually as it has become more comfortable with the model and more aware of its benefits. The process followed by Merck shows how biopharma companies can move to the cloud and the benefits they can realize.

Merck began by creating a security framework. This was the bedrock of Merck's plan. The systems had to be secure. As an AWS user, Merck shared responsibility for security with its vendor. AWS handled the security and quality of the cloud itself, as it does for all customers under its Shared Responsibility Model. Merck took responsibility for the security and quality of what happened in the cloud, exactly as it had when using an on-site datacenter. In addressing its security responsibilities, Merck adopted a safety-first, hands-on approach that mandated manual checks of whether services were enabled and policies met expectations.
Merck then assessed what it needed to do to ensure it was prepared for a regulatory inspection. This entailed talking to colleagues working in quality, inspectional readiness, technical posts and other functions to formulate an overall systems assurance strategy. The result was a set of processes to ensure the Merck Managed Cloud meets GxP requirements and the needs of auditors.

These processes use AWS services. Every change to the system is logged using AWS CloudTrail. For every change, auditors can view who made it, what was changed, when, and from where. The low cost of cloud storage means companies can keep all logs indefinitely. Other services cover different aspects of GxP compliance. AWS Config enables Merck to show what its environment was like on any given day in the past. Providing such information to auditors used to require reams of paper. Working in the cloud, users simply scroll back through time. This shows when files were added to or removed from storage.
