Moving to the cloud – Regulated Companies business drivers and challenges for regulated applications and Data

Compliant Cloud

By Oisín Curran, CEO at Compliant Cloud and Odyssey VC

Almost every customer we talk to these days, regardless of whether they are in the regulated Life Science sector or not, has a clear IT strategy driven from senior management that is ‘cloud first’. In many cases these are throw-away statements made by management functions who perceive the move to cloud as the silver bullet for managing the IT and data challenges that lie in front of them.

Moving to cloud can be perceived to eliminate some of the basic problems of traditional on-premise installs, such as (and not limited to, of course!) the following:

  1. Datacentre build & maintenance is too costly. We don’t want to own datacentres anymore – we want to focus on our core business of making product X or delivering service Y
  2. We need to cut our headcount. Buying XaaS can reduce headcount and operating costs
  3. We need to cut our operating costs for application ownership
  4. Reduce the number of SLAs with third-party vendors

While the above makes sense, senior management should be aware that moving to the cloud creates new costs and headcount challenges and, in the case of Life Sciences, introduces potentially significant risks. Gartner©, in their Hype Cycle for Software as a Service[1], state that SaaS can be a challenge in that ‘IT operational challenges, risks, support service model, and gaps in controls stand in the way of enterprises fully exploiting the potential of SaaS.’ As a result of these unknowns, businesses should define a cloud service strategy that fits the overarching company business strategy before making any IT decisions related to XaaS.

Life Science organisations have to pay particular attention to the introduction of new and untested risks by moving to the cloud. That is evident in the fact that regulatory bodies can only consider XaaS as an ‘Outsourced Activity’, which comes under the associated regulations governing same. The regulatory expectations are clear in these cases and mandate the following (specific focus on Eudralex):

  1. There must be written contracts:
     a. With clear responsibilities, communication processes, technical aspects including who undertakes each step of the outsourced activity

  2. The Contract Giver must:
     a. Include control and review of any outsourced activities in their quality system
     b. Monitor and review performance of the Contract Acceptor

  3. The Contract Acceptor must:
     a. Be able to carry out the outsourced activity satisfactorily
     b. Not subcontract to a third party without prior approval
     c. Not make unauthorised changes
     d. Be available for inspection


  1. Looking for validated XaaS creates a significant supply & demand pressure on existing compliance service providers
     a. Software vendors generally do not have expertise in compliance. By pushing this responsibility onto them there are likely to be shortfalls in the quality and compliance side of the delivery. Gartner© notes[1] that regulated companies should:
        i. Beware of vendors that claim to have a validated environment
        ii. Partner only with companies that are transparent, open for audits, and committed to compliance

  2. An ISO certification is not evidence of a Life Science Quality Management System (QMS)
     a. Remember the regulators consider this an outsourced activity, so the regulated company must ensure the ability of the vendor to deliver the service in line with regulatory expectations.
     b. This requires the vendor to have a clear and demonstrable QMS and also, critically, requires a level of integration with the customer QMS processes. This highlights the Gartner© recommendations to partner only with those providers with a demonstrated expertise in this vertical.

  3. Risk is a subjective term – make sure you’re clear with your supplier
     a. Remember the regulatory focus on Data Integrity. This requires a clear understanding of the risks to data integrity from the XaaS vendor and should be a guiding principle in their application design.
     b. Change management should have a clear callout of risk to data integrity, e.g. ALCOA+ risks, and not just reference business risk, e.g. up-time and availability.

All considered, we are at a very exciting time in the evolution of cloud-based services in the Life Sciences sector. We are seeing more and more cloud-native application options that bring significant operational benefits in terms of cost, data mobility and integration. At the end of the day, suppliers in the Life Science vertical need to be hypersensitive to the regulated business need to ensure Patient Safety, Product Quality & Data Integrity. By aligning ourselves with the business drivers of the regulated business we are best placed to play our part in delivering tomorrow’s health solutions.

[1] Hype Cycle for Software as a Service, 2018, Published: 31 July 2018, ID: G0036079

Good Culture Equals Good Data: The Importance of Quality Culture in Assuring Data Integrity

By Nicola Brady

What is a Quality Culture?

A Quality Culture within an organisation can be defined as a culture where everyone is focused on quality. It sounds pretty obvious, doesn’t it? But this can be difficult to achieve.

How do you achieve a Quality Culture?

To achieve a Quality Culture, it must start at the top and filter down to all personnel in all functions, irrespective of their level in the organisation. The leadership team must be committed to the Quality Mandate. They must lead by example and empower their teams to act in accordance with good quality practices. This is only achieved through clear articulation and communication of expectations. The Leadership Team must ensure that expectations are supported by policies and procedures, that individuals have the appropriate skills and are provided the required training to perform in accordance with these expectations.

Processes are fundamental to achieving a successful Quality Culture. Uniform and robust processes must be in place to ensure consistency and standardisation of work. There should only be one way of doing things – the right way. Having processes in place through procedures, policies and methods ensures continuity and stability. It is important that continuous improvement is also encouraged. If there is a more optimised or streamlined way to do something that is science-based and quality-centric, then personnel should feel empowered to propose alternative approaches and challenge the status quo.

The next essential element to achieving and maintaining a Quality Culture is Teamwork. Teamwork is vital at all levels of the organisation. Cross-functionally, personnel must be able to work together, to share experience and best practices, to learn lessons. Trust is key. Team members must feel that they can trust their colleagues to do the right thing every time and they themselves must be trusted to operate in the same manner. This ties in closely with the final element of a Quality Culture, Code of Conduct. The Code of Conduct for the organisation must be established and appropriately communicated to ensure that personnel at all levels of the organisation understand the importance of conducting themselves in an honest, trustworthy, ethical manner. The Code of Conduct should clarify acceptable behaviours and practices as well as organisation expectations, ultimately promoting the Quality Culture. All personnel at all levels of the organisation must observe the established Code of Conduct.

The culture of an organisation directly correlates with the validity and accuracy of the data that it generates. In the guidance on data integrity (Data Integrity and Compliance with Drug cGMP: Questions and Answers Guidance for Industry (2018)) the following is stated: ‘it is the role of management with executive responsibility to create a quality culture where employees understand that data integrity is an organisational core value and employees are encouraged to identify and promptly report data integrity issues’. An organisation with a poor or immature Quality Culture can often have poor or immature quality practices, whereby issues are not appropriately documented, investigated and remediated. These organisations inevitably encounter challenges in adhering to and often have poor regulatory inspection records with repeat observations and violations. Conversely, organisations with a strong Quality Culture perform well with the regulators. These organisations are not error-free but their quality culture promotes a ‘do the right thing’ ethos when errors and issues arise. This transparency and openness gives the regulators confidence that the organisation’s data integrity is assured.