GxP Cloud Part 3 of 6: Keeping your Ducks in a Row

GxP Cloud Part 3 of 6: Keeping your Ducks in a Row

As anyone working in an FDA regulated environment understands, if an auditor comes knocking, your house needs to be meticulously clean and presentable.  Letting a cleaning crew take care of everything seems like the easier thing to do on paper, but in forfeiting control of the process and the tools to get things tidied up, there might be some unexpected surprises that will raise some eyebrows upon inspection.  This is why most Life Sciences teams opt to keep control over their infrastructure and applications.  The risk of having another organization own, maintain and manage these items in a way that is not up to code is simply not worth the potential consequences. 

Any infrastructure and related components hosting validated applications must be stood up and maintained on an outlined framework of quality.  For this to be achieved, a number of steps need to be thought out, executed and documented before that infrastructure can be deemed to be in a qualified state to host validated applications.  Most commonly this would include an understanding and adherence to GAMP 5 methodologies. 

In a nutshell, this requires that proper policies and SOP’s be defined to adhere to regulatory guidelines.  For IT employees working on the infrastructure team, training requirements need to be defined and made available.  For all of these items, proper documentation needs to be gathered and supplied to verify that that all infrastructure related polies and SOP’s have been/are currently being adhered to, and anyone whose name is associated with that infrastructure is up to date on all the required, defined training requirements. 

While all of this is manageable (albeit still difficult) if the infrastructure is owned in house, these requirements are difficult to dictate to large hosting providers with little or no Life Sciences focus.  Finding an infrastructure provider that will accommodate these qualification requirements will require a lot of research and often will need customization to their standard arrangements, which can be difficult to negotiate and even more difficult to manage and enforce. 

A vendor should be amenable to adhering to audit reviews, specific change management SOP’s, incident management policies, employee training, infrastructure and network diagram availability and the ability to document and demonstrate that all SOP’s related to the qualification and deployment of their infrastructure have been followed. 

From the vendor’s point of view, a potential customer with these high maintenance requirements does not mesh well with a large scale, large volume hosting model that is structured more around providing a quality, out of the box infrastructure to host a wide variety of low maintenance, low demand customers who are not looking for specific terms and infrastructure policy requirements. 

Unfortunately for Life Sciences teams, this leaves them either unable to come to terms with vendors, or it puts them in a position where managing the relationship and hosting requirements with the vendor so tedious and difficult to own that it offsets the benefits of outsourcing the infrastructure in the first place.  Instead, most teams continue to operate with a complex, high overhead in-house infrastructure and application ownership model. 

Share to: