FDA, Compliance and the Cloud

Cloud based tools have a lot of appeal for small companies and startups: no need for IT infrastructures, servers, IT management, recovery plans, backups and so forth.

The use of cloud tools has always been a bit of a challenge in regulated environments, where the lack of control over the tools seemed to be a no-go.

But if you take a step back and analyse the situation in depth, things may not be as bad as it seems:

1) Cloud systems CAN be compliant. 21 CFR 11.3.b.9 defines them as “Open Systems”, which means that the system is managed externally. So the regulations already account for them.

2) The requirements for Open Systems are the same as for Closed Systems (i.e. applications running on internal servers), plus (ref. 21 CFR 11.30) some additional requirements, mainly around data integrity and security. This should not surprise anyone.

The main problems when seeking compliance with Cloud systems are centred around the fact that the provider is typically a large, not regulated company, which means that they will most likely not accept to be audited and even if they did, they might not look great. In addition, they would not accept any change agreement.

So how can you claim to have the system under control, when the provider gives you no visibility of their processes and can push changes overnight with no prior notice?

Let’s take one more step back, and look at the purpose of 21 CFR 11 and its requirements. This regulation was written to ensure that electronic systems, which manage official records and signatures, are sound and reliable.

Let’s first assume that the system you have selected covers the basic performance requirements, such as controlled electronic signatures, account management and information retention.

A robust validation plan will ensure that the system performs as intended, but only at a point in time.

How can you then make sure that your system will not collapse all of a sudden due to an update controlled by the provider?

1. Backups. Most Cloud systems will allow you to create local backups, in addition to any other backup performed by the provider. This takes care of any possible data loss or corruption. This process must be documented and validated.

A word of caution: You should also have a system recovery process or manual in place for your backups. In other words, if you have backups, then make sure you know what to do with them. It is highly advisable to try it out at least once to ensure that you won’t ruin your backup when something goes wrong.

2. Health check tools. It is not difficult for a competent developer or an IT expert to create automated test routines that check the integrity of your Cloud based system. These routines can literally be run every morning to ensure that the system still performs as intended. You can focus on specific API calls and/or other critical functions e.g. database connections, access to other subsystems. This requires only a minimum insight into the architecture of the Cloud system.

To summarize:

Cloud based systems can successfully be used for regulated activities, even when the provider gives you little or no access to the backend of their system or their internal procedures.

Back