IaaS: The benefits of moving to the cloud

validated infrastructure

By Nicola Brady

Infrastructure as a Service (IaaS) is cloud computing where computer system infrastructure is provisioned, managed and maintained by a third party external to the business. IaaS can be used to host your company infrastructure, websites or applications, and can provide incredible computing power for data analysis within minutes of provisioning.

One of the most significant benefits that IaaS offers is scalability. In other words, IaaS can easily adapt and adjust to changing business needs, as well as budget. The subscription-style service model associated with IaaS ensures that you only pay for what you need. This means that there is no redundant capacity for the subscribing company and, where capacity expansion or reduction is necessary to meet the business needs, the subscription fee is adjusted accordingly.

Another key benefit is that the IaaS provider takes ownership of the maintenance of all physical hardware associated with the infrastructure. This represents a significant time and cost saving for the subscribing company. Furthermore, the expertise required for the management of the infrastructure is with the IaaS provider, so the subscribing company doesn’t need to have in-house infrastructure experts.

IaaS offers companies increased flexibility. Companies subscribing to IaaS offerings can access systems where and when they need to, with many IaaS systems capable of remote accessibility.

With a 99.99% SLA and 365X24X7 support, your environment will be built in a “High-Availability” configuration, meaning that if hardware associated with the infrastructure fails at any time, the outage will not affect the running of your business. The IaaS provider provisions the replacement of the faulty components.

Utilising IaaS is a fundamentally different approach to the old ways of physical in-house infrastructure, and it is not without its challenges. Particular challenges exist for life science companies, for example, where qualified infrastructure is a requirement.  However, the many benefits are clear and companies that are taking the leap and embracing this new technology are reaping the rewards. 

Taking Flight On-site: an Interview with a QA Engineer


Photo Credit of Silvia Paola Lai

 

QA (Quality Assurance) Engineer Mairane Costa details one of her first experiences at a Life Sciences customer site, what was involved, and what she learned from the process.

What was your job there?

I was a QA (Quality Assurance) Engineer, reviewing technical documentation and authoring documentation for small scale equipment. It was a 3-month placement and a very enjoyable challenge, as I hadn’t worked on small scale equipment before even though I had been trained to work on all aspects of the validation lifecycle. It was a great experience!

What do you enjoy most about your job?

We had a great team; everyone was supportive of one another. I have a great opportunity to learn a bit of everything. Working on-site gives the opportunity to closely follow and understand the process in a live environment.

What was the most difficult phase?

The first two weeks. The environment was a new experience for me, but as I already said, I had a great opportunity to work with a wonderful and experienced team. Also, I was well trained by the Odyssey VC Team.

Do you recommend this experience to other engineers?

For sure. We learn much more when we work on-site. It is an opportunity to work with different professionals and be exposed to different experiences.

What is the purpose of going on-site?

The purpose is to have access to the necessary documentation. Also the project had very tight timelines which meant that site presence was a must.

Is your job checking and controlling the procedure in place?

Yes. My job was to verify and review technical documentation to ensure it meets company and regulatory standards before moving to the next step or closing it.

What can happen if you find something that is not correct?

Because I was working on-site, I was close to the person who was involved in the technical documentation. If I found an issue, I could personally ask this person to address my comments and make the appropriate corrections according to the standards. Given the tight timeframe, this ensured that the review cycle was very efficient.

So, you should be a really precise person?

I am a precise person. I am a very organised person; I have a daily routine; it helps me to feel more in control of my time. I need to be precise, to prioritize what is important, and classify an order. Also, I need to pay attention to all the details. Life sometimes gets out of our plans; I need to be ready for changes prior to it happening.

Was that your first experience on-site?

I was a Physiotherapist before; it helped me grow so much professionally.  I learned a lot from my time as a Physiotherapist and I could develop different skills. Also, during my time as a student, I worked for a multinational corporation in the petroleum industry. Basically, I was responsible for processing receipts and shipments of equipment to support the IT team.

Even though I was doing well, one day I decided to follow my heart and try something different.  Then I was back to college in Ireland doing my second degree. I learned all about the lifecycle of medical devices. One of my subjects was about regulatory standards and quality procedures; since then I felt that it was what I wanted to do, no doubt about it. This year I completed my postgraduate in Quality Management and Lean Systems. I am currently a Black Belt in Lean Systems.

Why did you choose this path?

I liked it and I am very happy that I have chosen the right path for my skills.

What skills have you gained?

The importance of teamwork. You always have something to teach and share, and it’s great interacting with others who have different experiences. Life is learning and the sharing of experiences.

Do you have any advice for people going on-site for the first time?

Be energetic and enthusiastic. Do not be afraid to ask questions.

Would you like to work on another project?

Yes, I am looking forward to working on my next project. I am hungry for knowledge. I am gaining a lot of experience, and I want to keep building that up.

Periodic Review for outsourced cloud-based computerised systems, applications and infrastructure


By Nicola Brady

Periodic review of computerised systems is a regulatory requirement. EU GMP Eudralex Vol. 4 Annex 11 states, “Computerised systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security, and validation status reports.” This regulatory requirement applies to both validated computerised systems and qualified infrastructure. The periodic review process ensures that a system remains compliant with applicable regulations, is fit for its intended use and satisfies company policies and procedures. There are no exceptions for the performance of periodic reviews; however, the frequency, scope and depth may differ depending on the system under evaluation, and this should be determined using a risk-based approach.

Periodic review is often considered a challenging exercise as it requires a detailed, comprehensive, holistic review of all elements pertaining to a computerised system or computer infrastructure for a defined period at a defined frequency. This review represents an even bigger challenge when computerised systems, applications or infrastructure are outsourced, and in particular when they are outsourced to the cloud.

The primary requirements for periodic review are the same whether the computerised system or infrastructure is located in-house or outsourced to a service provider.  The table below summarises the particular challenges associated with outsourced cloud-based applications and infrastructure when it comes to periodic review:

The end goal of the periodic review exercise is to establish a clear understanding relating to the current state of the computerised system or infrastructure to conclude that it remains in a compliant, validated (or qualified) state.  So, what is the best way to assure this if you are utilising outsourced cloud-based applications or infrastructure? Well, it is imperative that there is a clear understanding of the controls that are the responsibility of the subscriber versus those that have been delegated to the provider.  Where controls are being delegated, the subscriber should ensure they are assessed and accepted and reflective of how they are currently managed.  A contract should be established between both parties with clear details in relation to the service provision, responsibilities and controls including but not limited to commitment to supporting activities relating to periodic review.  The contract should also establish the supplier support required for regulatory inspections, where applicable. 

A comprehensive contract between the outsourced cloud-based application or infrastructure provider and the subscriber, where all required elements are clearly established and endorsed, will help the subscriber satisfy their periodic review requirements and assure the maintenance of the computer system or infrastructure in a compliant, validated (or qualified) state.

 

An Interview with a CSV Engineer


Computerised System Validation (CSV) Engineer Siobhan Ryan tells us about her journey from horticulture to working with Odyssey VC and Compliant Cloud.

During the economic downturn I was made redundant with very little prospect of being reemployed in my line of work, which at that time was in the horticultural industry. I thought seriously about my options and decided to return to college as a full-time mature student in 2014. I always had an interest in computers and chose this to begin my new career. In May 2018, I finished college at TU Dublin, Tallaght with a BSc (Hons) Degree in Computing & IT Management. As part of my degree I studied modules such as IT Governance, Risk Management, ITIL, and COBIT 5. I knew instantly when studying these modules that I had a natural understanding of their importance, enthusiasm to learn more and a genuine interest in finding a career in those subject areas.

I started with Odyssey VC on the graduate training programme in August 2018. I haven’t been at Odyssey VC for very long but it is amazing to be part of the Odyssey VC family. I use the term family to describe the whole team because there is such an unwavering sense of acceptance, friendship, comradery and respect for each and every person right from the get-go. Life experiences, individual skillsets and an in-depth knowledge of the industry are immediately obvious, and it is a pleasure to work alongside such an enthusiastic and successful team. I had no idea I would find my dream job so quickly and in my locality.

Before I started at Odyssey VC I had no real experience or knowledge of the Pharmaceutical Industry and its regulations although I had previous work experience in the financial sector.  As part of the graduate programme full training is provided in which I felt much at ease and even though it was new material, it had a sense of familiarity.  Training is provided by the industry’s leading subject matter experts at Odyssey VC which ensures you are learning the most current insights into what is happening in industry now and future trends. 

I am now working on a client project in the pharmaceutical industry. It’s exciting to be working on live projects and putting the training into practice.

My journey with Odyssey VC and Compliant Cloud has been a fantastic learning experience to date and an adventure that I hope to continue on for a long time to come.

Moving to the cloud – Regulated Companies business drivers and challenges for regulated applications and Data

Compliant Cloud

By Oisín Curran, CEO at Compliant Cloud and Odyssey VC

In almost every conversation we have with customers these days, regardless of whether they are in the regulated Life Science sector or not, there is a clear IT strategy driven from senior management that is ‘cloud first’. In many cases these are throw-away statements made by management functions who perceive the move to cloud as the silver bullet for managing the IT and data challenges that lie in front of them.

Moving to cloud can be perceived to eliminate some of the basic problems of traditional on-premise installs such as (and not limited to, of course!) the following:

  1. Datacentre build & maintenance is too costly. We don’t want to own datacentres anymore – We want to focus on our core business of making product X or delivering service Y
  2. We need to cut our headcount. Buying XaaS can reduce headcount and operating costs
  3. We need to cut our operating costs for application ownership
  4. Reduce the number of SLAs with 3rd party Vendors


While the above makes sense of course, senior management should be aware that moving to the cloud creates new costs, headcount challenges and of course, in the case of Life Sciences, introduces potentially significant risks. Gartner©, in their Hype Cycle for Software as a Service [1], state that SaaS can be a challenge in that ‘IT operational challenges, risks, support service model, and gaps in controls stand in the way of enterprises fully exploiting the potential of SaaS.’ As a result of these unknowns, businesses should define a cloud service strategy that fits the overarching company business strategy before making any IT decisions related to XaaS.

Life Science organisations have to pay particular attention to the introduction of new and untested risks by moving to the cloud. That is evident in the fact that regulatory bodies can only consider XaaS as an ‘Outsourced Activity’, which comes under the associated regulations governing same. The regulatory expectations are clear in these cases and mandate the following (specific focus on Eudralex):

  1. There must be written contracts:
     a. With clear responsibilities, communication processes, technical aspects including who undertakes each step of the outsourced activity
  2. The Contract Giver must:
     a. Include control and review of any outsourced activities in their quality system
     b. Monitor and review performance of contract acceptor
  3. The Contract Acceptor must:
     a. Be able to carry out the outsourced activity satisfactorily
     b. Not subcontract to a third party without prior approval
     c. Not make unauthorised changes
     d. Be available for inspection

 

  1. Looking for validated XaaS creates a significant supply & demand pressure on existing compliance service providers
     a. Software vendors generally do not have an expertise in compliance. By pushing this responsibility onto them there are likely to be shortfalls in the quality and compliance side of the delivery. Gartner© notes [1] that regulated companies should:
        i. Beware of vendors that claim to have a validated environment
        ii. Partner only with companies that are transparent, open for audits, and committed to compliance
  2. An ISO certification is not evidence of a Life Science Quality Management System (QMS)
     a. Remember the regulators consider this an outsourced activity, so the regulated company must ensure the ability of the vendor to deliver the service in line with regulatory expectations.
     b. This requires the vendor to have a clear and demonstrable QMS and also, critically, requires a level of integration with the customer QMS processes. This highlights the Gartner© recommendations to partner only with those providers with a demonstrated expertise in this vertical.
  3. Risk is a subjective term – Make sure you’re clear with your supplier
     a. Remember the regulatory focus on Data Integrity. This requires a clear understanding of the risks to data integrity from the XaaS vendor and should be a guiding principle in their application design.
     b. Change management should have a clear callout of risk to data integrity, e.g. ALCOA+ risks, and not just reference business risk, e.g. up-time and availability.

All considered, we are at a very exciting time in the evolution of cloud-based services in the Life Sciences sector. We are seeing more and more cloud-native application options that bring significant operational benefits in terms of cost, data mobility and integration. At the end of the day, suppliers in the Life Science vertical need to be hypersensitive to the regulated business’s need to ensure Patient Safety, Product Quality & Data Integrity. By aligning ourselves with the business drivers of the regulated business we are best placed to play our part in delivering tomorrow’s health solutions.

[1] Hype Cycle for Software as a Service, 2018, Published: 31 July 2018 ID: G0036079

Kenx Conference Network Infrastructure & Cloud Qualification


Oisín Curran, founder and CEO of Odyssey VC, and Stephen Long, Senior Network Engineer at Odyssey VC, are to speak on Monday June 24th and Tuesday 25th, 2019 at the Kenx Conference (Network Infrastructure & Cloud Qualification) hosted in San Francisco.

The internationally renowned Kenx conference is devoted to spreading content-rich knowledge in the form of exchange events to both U.S. and European destinations, including Philadelphia, San Diego, Dublin, Ireland and San Francisco!

The Kenx event will be hosting leading representatives in the Life Sciences industry, such as Johnson & Johnson Vision Care. The previous Kenx conference in Dublin in 2018 provided 38 tutorials and benefited from the wealth of knowledge and useful material that was shared by their Validation University. The Odyssey VC team delivered some significant knowledge sharing sessions at that event and continue to contribute to the industry knowledge sharing initiatives such as Kenx events.

Kenx events are designed to share ideas and to provide tools and techniques that will have an instant impact on businesses’ core responsibilities.

The theme for Kenx’s Conference in San Francisco is “Network Infrastructure & Cloud Qualification”, with guest speakers from around the world.

Oisín Curran, who is making the journey from Ireland to San Francisco specifically for this event, is going to speak about “Cloud Computing Regulations and Requirements with the FDA and EU” and he is looking forward to participating at this event: “From my own experience Kenx events are great for bringing together speakers from IT, Engineering, Quality and Life Sciences backgrounds, who together will give us key insights as to how industry wishes to use Network Infrastructure & Cloud Qualification in the future and how industry perspectives lead/lag technology solutions. My own talk at the conference on Monday will focus on being compliant in the cloud for Life Science companies, which is gathering momentum in the Marketplace. It can be perceived as a complicated topic with a lot of questions but thankfully answering these questions is our business! I’m looking forward to working through some of the attendee problem statements and questions.”

Let’s start the journey together!