Using cloud-based solutions in a regulated environment

Pharmaceutical manufacturers and other organisations operating under GMP regulations have been hesitant to adopt cloud-based IT solutions. This is usually because they want to retain their data within their own four walls and because of the difficulty in maintaining the validated state of cloud-based software that can be updated without warning by the vendor.

However, there are now a number of cloud-based options that GMP-regulated companies should consider.

We’ll discuss these in more detail now.

Cloud-based options

Rather than define what the Cloud “is”, let’s look at what the Cloud “does”.

The Cloud delivers information and communication technology “as a service”, whether deployed using an entity’s own resources (internally or externally hosted), or shared with other entities in a multi-tenant environment. A Cloud-based solution will provide on-demand, scalable, flexible, self-service, pay-as-you-go access to data storage, processing and sharing.

In general, most people agree on three categories of Cloud solutions, depending on the “software service” that is consumed, and the level of control that a company wants:

  • Infrastructure as a Service (IaaS), e.g., HP Cloud, Rackspace
  • Platform as a Service (PaaS), e.g., Heroku, Google App Engine or OpenShift
  • Software as a Service (SaaS), e.g., Microsoft Office 365, which allows you to ‘rent’ MS Word, Excel etc. for a monthly fee


IaaS and PaaS options do not really represent an issue for most GMP-regulated companies, provided normal vendor assurance programs have been followed and technical agreements are in place to cover crucial GxP-impacting elements. Typically, these are seen as GAMP category 1 software. Your current on-premises software is not that different to an IaaS or PaaS situation; the IaaS and PaaS options are just not on your site.

Software-as-a-Service is a GMP risk

The Software as a Service (SaaS) model has been around for quite a while; take, for example, Hotmail, Facebook or LinkedIn. But in a regulated Life Sciences company, it represents a real risk. Using GAMP 5 thinking, the risk of (uncontrolled) changes being made to Cat 3 to 5 software would send shivers up the spine of most QA professionals. If the SaaS company is making those changes to software that all their customers are using, how would you ever know when changes are made and which version you are currently using?

Managed Software-as-a-Service may be a GMP-compliant option

It is possible to use a Software-as-a-Service application that is hosted on a server managed by an industry-knowledgeable provider, rather than one that is open to all. Called iSaaS solutions, this option sees the provider taking responsibility for maintenance such as patch releases and performing the necessary testing. The provider alerts their regulated customers to the pending change and releases it only after sign-off by QA; usually, all affected parties would need to agree.

Software-as-a-Service eQMS

A great example of an iSaaS system that meets the requirements for use in a GMP-regulated environment is the Quality Management System software iBiqs, created by our SharePoint partners, QikSolve. Built on MS SharePoint and hosted on a server managed by QikSolve, iBiqs offers the advantages of SaaS in terms of continuous improvement and professional IT management, but in a managed way that won’t freak your validation and Quality teams out.

Having assessed and validated iBiqs installations, we are convinced it is a compliant solution. Of course, we get asked “Is SharePoint certified by the FDA or TGA before we buy it?”. The answer is that neither the FDA nor the TGA certifies any applications. What the regulatory agencies do expect is that the implementation of hardware and software is done in such a way that it’s compliant with the CFRs or other regulations. GAMP 5 provides useful guidance on how to do this. So, Microsoft cannot certify that the SharePoint application is TGA or FDA compliant by simply providing validation documentation to the company. Usually, a regulated company would need their internal QA, validation and IT departments to work closely with a vendor or a GxP SharePoint Consultant to provide compliance.

Another question we frequently encounter is “Is the cloud validated?” Again, the answer is that iSaaS vendors do not provide validated applications, but rather provide applications that are qualified through standard URS, and other specifications, and IQ, OQ and PQ approaches that are well documented. Of course, the implementing company is responsible for validating their application against the guiding regulations and standards.

Further questions often include: Can the cloud be qualified? Can applications in the cloud demonstrate compliance with a Software Development Life Cycle (SDLC) or GAMP? Can SharePoint eQMS in the cloud provide the qualification documentation against standards such as IEC 62304 (medical device software validation), ISO 27001 or even GAMP 5?

The answer to those questions is a resounding “Yes!”