US: (888) 231-0816

Lessons in Cloud Assurance

Data in the Cloud Can Be 21 CFR Part 11 Compliant

USDM shares valuable lessons to help you examine your future IT system needs and embrace the opportunities afforded by moving deeper into the cloud.

At USDM, we enable life sciences companies to accelerate innovation and maximize productivity. More than 200 life sciences companies rely on USDM Cloud AssuranceTM, our managed service that offloads your cloud vendor management and maintenance of system updates, patches, and changes.

Cloud Assurance provides you with a harmonized, continuous compliance experience across all of your cloud vendors. Our best practices, accelerators, and automation significantly decrease your implementation, validation, and maintenance effort, which makes it a value realization for one system or all of your systems.

We have worked hard to become the leading expert in cloud transformation for regulated companies and, throughout this process, we have found that many of the same challenges and missteps continue to arise. In this blog post, we will share a few valuable lessons to help you examine your future IT system needs and embrace the opportunities afforded by moving deeper into the cloud.

How Does Cloud Assurance Work?

There are three distinct phases of the Cloud Assurance subscription service: vendor audit/qualification, implementation and validation, and continuous compliance.

Vendor Selection and Vendor Audit

All too often, the primary consideration for selecting a cloud vendor is cost. While we recognize this is a very important factor and often has little flexibility, the old saying remains true – you get what you pay for. With that in mind, it is important to acknowledge that ensuring a vendor has well-documented, meaningful, and leverageable requirements is a far more important consideration than cost. Whether you use the computer system validation (CSV) or computer software assurance (CSA) approach, Cloud Assurance delivers.

Specifically, you must ensure that their requirements include useable traceability when testing for operational qualification (OQ) replacement. This can provide the foundation for your own validation; it is a precursor to knowing that the vendor has a quality system in place and that they understand the needs of life sciences customers. Experienced, quality vendors will have these requirements, which will likely increase the upfront costs to their service. However, the benefits that these requirements provide in the validation and maintenance phases will mitigate risk all the way though system operation. Furthermore, you will ultimately drive efficiency and avoid rework, which could be even more costly in the long run.

Another challenge that customers regularly face is not knowing the right questions to ask potential vendors. We often see that customers simply don’t know what they don’t know, and therefore don’t ask the questions that would allow them to properly assess a vendor’s capabilities. When assessing vendors, it is important to question the service and product quality, qualification of infrastructure, and how the vendor manages future updates and releases. Clear and concise questions regarding the precise nature of a vendor’s release strategy are critical. For example:

  • How often are changes made?
  • Are updates made on a set schedule?
  • Do updates fit with your maintenance capabilities? (Daily changes are harder to maintain than quarterly changes.)
  • Is there a customer-specific testing environment for life sciences?
  • Do release notes clearly state the risks associated with each part of the update?

Vendors that lack significant cGxP experience may not provide all of the elements needed to maintain change control in a cGxP landscape. For example, a vendor must provision the testing environments to all cGxP end-users to properly perform their own testing and change management. Often, however, the vendor is only thinking about their internal use cases and not the customer-specific intended use. USDM has a rapidly growing partnership network with solutions that support secure and compliant multi-cloud a data-driven organizations.

Implementation and Validation

During the validation phase, we typically see multiple teams in play when dealing with isolated, fragmented IT systems. As you transform your IT systems and move to the cloud, processes and workflows need to be aligned and complimentary in the new collaborative cloud environment. This often creates challenges for gathering requirements, as various teams have their own processes, opinions, and operational mandates within the same company.

The key to overcoming this all-too-common challenge is developing a clear cloud strategy that also has a game plan for how to drive adoption of these changes. With more than a decade of experience in cloud systems implementation in the life sciences industry, the recommendations we make to ensure your success are designed to help you select the right team members based on their influence, knowledge, skillset, and receptiveness to new methodologies and technologies.

We have helped hundreds of organizations bring together the right team with the appropriate knowledge and passion to embrace the new collaborative cloud environment. Educating and aligning stakeholders along the way is not simply about changes to technology, but also shifting mindsets and cultures to create the most productive and efficient outcomes possible. USDM’s staff of regulatory and technology experts bridge the gap between quality compliance and IT innovation to make sure the right people are collaborating to optimize your business operations for scalability, better configurations, improved workflows, and program management.

Continuous Compliance Maintenance

The third phase of Cloud Assurance takes the system that has achieved a compliant state, both from a regulatory and corporate standard, and keeps it compliant as changes are introduced, be it voluntarily or driven by a vendor release cycle.

In some cases, we work with IT teams that prefer to hand off the complete management of cloud change control from start to finish—including approval routing to internal stakeholders—so they can focus on innovation and faster implementation of new product features. USDM can also manage your entire change management process.

On the other hand, the most common misstep we see is that the customer underestimates the time and manpower it takes to maintain compliance. If the vendor is selected appropriately and the system is documented and tested correctly in the validation process, then the maintenance phase can significantly leverage those efforts. Cloud Assurance takes care of the analysis of the changes, including requirements creation, risk derivation, test creation, and execution of those tests in the customer’s unique test environment.

Related to the misstep of underestimating time and manpower are customers who initially opted to carry out the testing of new releases themselves, only to come back and request retrospective validation from USDM because critical elements of testing new releases were missed, which compromised their compliant state. The customer was not in control of their system and the changes being made to it were creating a burdensome risk to the business! Our proven best practices for error discovery and automated testing can uncover and correct potential cGxP problems far more quickly than an internal approach. Our ongoing maintenance includes vendor release management, impact assessments, updated validation documents, test execution for core releases, analysis, and reporting.


The business decisions for establishing appropriate levels of control for cloud vendor selection, qualification, validation, and maintenance correspond to the risk associated with system use. The closer a system is to the production of cGxP data and the end-product, the higher the potential risk because there are fewer gates to ensure appropriate risk mitigation.

At USDM, we know that the key to cloud compliance risk mitigation is to develop a cloud strategy encompassing each phase of the process from the start. We also know that your cloud strategy must accommodate the nuances of the three types of cloud vendor services: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). With more than 20 years in regulatory compliance, thousands of cGxP projects delivered, and over 200 ongoing Cloud Assurance subscriptions managed, we know the requirements, we know the right questions to ask, and we know how to ensure a continuous state of compliance for your systems so you can get back to your real job – bringing quality products to market faster.

About the Author

David Blewitt is an accomplished life sciences regulatory and IS compliance professional with extensive hands-on and leadership experience in the pharmaceutical, medical device, biotech, and blood management industries, specifically in the fields of computer systems validation, risk management, issue investigation, root cause analysis and remediation, quality assurance, software development lifecycle, lean IS compliance enhancement initiatives, business analysis, product lifecycle management, and systems/process analysis with compliance roadmap development.

David is an acknowledged expert on a wide range of regulatory predicate rules and guidance, including 21 CFR Parts: 11, 203, 210, 211, 801, 803, 820 and 821; ICH Q7; and GAMP 5.

Over the last decade, his engagements have been increasingly aligned with the validation of cloud systems and applications, including both standard and custom solutions for patient case management, sample management and tracking, content management and collaboration, adverse event case assignment systems, and MHRA dispositioning systems coming under 21CFR Parts 203 (PMDA) and Part 11.

Related Content:
Whitepaper: Automate Validation Across Your Tech Stack

Explore more on:


There are no comments for this post, be the first one to start the conversation!

Resources that might interest you