Life sciences companies are moving to the cloud with more urgency than ever, yet compliance requirements still pose a barrier to many IT and Quality teams.
Learn how you can accelerate the migration of your GxP regulated workload to Azure with USDM’s Cloud Assurance prepackaged solutions built on life sciences best practices. We will discuss a complete GxP compliant framework that can scale as your business needs evolve and keep you continuously compliant.
The discussion included:
- How you can accelerate the migration of your regulated workload to Azure with USDM’s Cloud Assurance
- Benefits of moving GxP workflows to a cloud-based global infrastructure
- Lessons learned from hundreds of USDM Cloud Assurance migrations
- Delivery model designed to address SaaS (business applications), PaaS (cloud services), and IaaS (global infrastructure)
Dave Meyers, National Director of Life Sciences, Microsoft
Vishal Sharma, Vice President of Digital Trust and Transformation, USDM Life Sciences
In this webinar we’ll discuss how you can accelerate the migration of your regulated workload to Azure with USDM’s Cloud Assurance. This transcript has been edited and condensed for clarity.
Introduction and Presenters
Microsoft for Life Sciences
Digital Transformation Trends
Existing GxP Solutions for Public Cloud
USDM’s Cloud Assurance
Regulated Workloads in the Cloud
Azure Assurance Architecture
FDA Outlook on Cloud Compliance
Lessons in Cloud Assurance
Introduction and Presenters
Host: Welcome to Accelerate Your Journey to the Cloud: Move Your GxP Regulated Workloads to Microsoft Azure, one in a series of webinars by Health Impact Live sponsored by Microsoft. My name is Megan Antonelli, CEO of Health Impact, and I’ll be moderating the session which features top thinkers in moving your GxP regulated workload to the cloud.
We are excited to welcome Dave Meyers, National Director of Life Sciences at Microsoft, and Vishal Sharma, VP of Digital Trust and Transformation at USDM Life Sciences.
Today we are excited to bring you top thinkers in cloud technology. At Health Impact, we expect our audience to do a little work, so I’m going to assume you’ve read our distinguished speakers’ bios. I will highlight that Dave Meyers began his career with Microsoft in 1997 and is now the national director of life sciences at Microsoft. He has an extensive background in health IT policy. He was directly involved in the national policy and technical dialogue on the ARRA/HITECH Acts, the Affordable Care Act, and worked directly with CMS on the MITA development.
In addition, we have Vishal Sharma. He is the VP of digital trust and transformation at USDM Life Sciences. He has more than 20 years of experience in life sciences, providing consulting services in the areas of digital transformation and cloud adoption. Before USDM, Vishal was a consultant focused on agile best practices to optimize enterprise analytics and provide business growth insights.
Today we’ll be running through the challenges and trends in life sciences; how you can accelerate the migration of your regulated workload to Azure with USDM’s Cloud Assurance; delivery model designed to address SaaS (business applications), PaaS (cloud services), and IaaS (global infrastructure); benefits of moving GxP workflows to the cloud-based global infrastructure; the FDA outlook on cloud compliance; and lessons learned from hundreds of USDM Cloud Assurance migrations; then we’ll have time for Q&A at the end.
Dave Meyers: Thank you, Megan, and thank you to Health Impact Live for hosting this webinar today, and our colleagues at USDM for joining us, and thank you to the audience for taking time out of your day and spending it with us, which we hope will be informative and actionable in terms of accelerating your journey to the cloud.
As we get into the agenda today, I wanted to point out our mission at Microsoft and talk a little bit about what we’re doing in health and life sciences. Our mission is bold; it is to empower every person and every organization on the planet to achieve more and arguably, at times, healthcare and life sciences have been a little bit behind in the digital transformation journey. It’s not for a lack of trying. It’s a highly regulated industry, there are business model distortions on the healthcare side, and obviously patient care and outcomes and safety are of the utmost importance.
We have an additional challenge and additional motivation around our mission in healthcare and that is to empower our customers and partners to make healthcare more personal, effective, and affordable. We take that mission seriously.
Microsoft for Life Sciences
Dave Meyers: I want to talk about how we apply that in life sciences. Microsoft for Life Sciences is focused around these three pillars [Accelerate Scientific Innovation, Enhance Workforce Experience, and Build Operational Agility]. This is how we deliver on that mission statement. The first is to accelerate scientific innovation and when you think about the advent of the cloud and the next-generation devices or edge computing, that has really unlocked many new opportunities for innovation that wouldn’t have even been possible a few years ago. There are a lot of theoretical applications that are now possible because of cloud computing. As we look at those applications across the value chain in life sciences, we’re seeing applications of artificial intelligence (AI), machine learning, natural language processing, vision computing, machine reading of reports and study results, genomics and other -omics, immunomics sequencing, RNA sequencing, DNA sequencing; these massive, massive workloads that would not really be possible without the cloud. Simulations of molecules and using real-world data to develop synthetic control arms for clinical trials, connected labs, virtual labs; all of those exciting advancements under the Accelerating Scientific Innovation pillar.
Under the pillar of Enhance Workforce Experience, you want to enable your people, your organization to be more productive and collaborative, particularly across organizational boundaries. We’ve seen recently with COVID, more and more this level of cooperation and collaboration across organizations. The ability to be productive and connected at any time, anywhere, remotely in a trusted and secure environment is critically important these days.
The last pillar, Build Operational Agility, is things like enabling the factory of the future and Industry 4.0 kinds of scenarios with Internet of Things (IoT) supported sensors and connected systems supporting agile and flexible manufacturing environments in your physical plant and facilities and in this emerging rash of contract relationships, contract manufacturing, that we’re seeing in recent weeks and months. Again, all of that without sacrificing compliance.
Challenges in Life Sciences
Dave Meyers: We recognize there are significant challenges in life sciences. For one thing recently, we’ve all had to modify our plans and roadmaps to deal with a pandemic; something that none of us in our lifetimes have dealt with at this scale. We’ve seen a halting of clinical trials, shifting of work to home and remote locations, and shutting down certain operations. It’s been a really challenging time for sure. As I mentioned earlier, this has always been a highly regulated, complicated environment and that continues. Now more than ever, we need the flexibility and scale of the cloud as we go from responding to COVID, to recovering from COVID to eventually re-imagining or reemerging on the other side. So the challenges, both new and historical, are there and we’re trying to address those head-on.
Digital Transformation Trends
Dave Meyers: A couple of other points on some of the mega trends that we’re seeing around digital transformation in life sciences. We’ve seen a lot happening with business models and business relationships operating in a much more collaborative environment and it might be worth taking a moment to point out, with the COVID-19 pandemic, it’s gratifying to see the life sciences industry emerge as one of the heroes of this pandemic. I think we’ve seen levels of cooperation, collaboration, data sharing, and research sharing that we’ve never seen before. It’s been a great experience and a lot of those trends and new operating models have to be implemented in our systems, so it’s important that we have the agility to support these new business models and collaborations and rapidly provision new systems that might cross organizational boundaries and support the interoperability of data sharing between organizations.
I talked a little bit already about the shift that we’ve seen in workplace technology; being connected to collaborate and be productive from anywhere on any device.
Around cyber threats and the increasingly complex regulatory environment, we are continuing to develop an increasing amount of regulatory content to support R&D and eventually commercialization of drugs. As we look at the shift, the journey to the cloud, one of the things to note is that in that cloud environment, it’s a shared responsibility to comply with those regulatory requirements. When your applications are on-premise and you own them, 100% of the risk is on you. But moving storage and compute and applications and other workloads to the cloud, it becomes a shared model; you’re able to leverage the investment that Microsoft and our partners make to ensure proper controls, procedures, and safeguards are in place over your data and computing systems. You can benefit from the multiple layers of security and governance and operational practices that you get from the cloud. So at least portions of that shared responsibility are no longer a burden for you.
What is the biggest challenge your organization is facing?
- Shift in IT strategy or roadmap: 22%
- Regulatory challenges/highly regulated environment: 27%
- Cybersecurity/risk of cyber threat: 21%
- Scale and flexibility of technology stack: 5%
- Time vs. cost pressures/resource challenges: 23%
Existing GxP Solutions for Public Cloud
Dave Meyers: We know the current operating model and regulatory environment for life sciences has its origins in on-premise single systems, somewhat of a simpler environment, and that’s when most of the regulations were developed and guidance produced. The rate of change has accelerated. There’s a pretty significant migration to cloud environments. The benefits, the agility, the scale, the platform for innovation is a no brainer. It’s pushing on some of the requirements that we have from our legacy models, thinking of computer systems validation (CSV) and the approaches that are encoded in our regulatory systems to newer models like computer software assurance (CSA) and where the direction is going for continuous validation and the newer, more flexible compliance environment.
Microsoft + USDM Life Sciences
Dave Meyers: I’ll introduce USDM and the partnership we have with them. We’re super excited to be working with them for all of the reasons I just mentioned. We’ve recently formalized our partnership with them and worked with them to develop a new offering. They also have a portfolio of offerings that they’ve had in market for the last 20 years, but we’re really excited about their new offering called USDM’s Cloud Assurance for Microsoft Azure. We’re able to bring together our technology stack, our industry leading cloud platform with their deep expertise in compliance and cloud assurance. It’s our goal, together with USDM, to make your journey to the cloud easier and faster, and get that time to value accelerated for you. With that, I’ll turn it over to Vishal Sharma.
USDM’s Cloud Assurance
Vishal Sharma: Thank you all for your time today. My name is Vishal Sharma and I lead the digital transformation group at USDM. I would like to take the next few minutes and talk about USDM’s Cloud Assurance as an offering. As Dave stated, some of the challenges, some of the opportunities, some of the things that are happening all around us in general, in the life sciences.
Our goal from the inception to bring this type of innovative solution in the marketplace was to create a package offering for Microsoft platforms to help all life sciences customers accelerate their journey for regulated workloads, moving into the cloud. We believe this innovative solution and approach will bring our collective learnings, having been in this industry for the last 20 years or so, and some of the accelerators that we built over the last 20 years, to expedite your journey to the cloud, so that you can take advantage of some of the things that Dave outlined, some of the innovation happening all over the place. We wanted to expedite that journey. And as Dave also stated, some of the challenges looking at the CSV in general—where it came from and what it was originally designed for versus the pace of innovation that cloud brings some of the emerging technology brings—keeping up with that piece.
We wanted to be part of that team to bring this type of innovative solution into the marketplace that not only helps you bring something in the initial state of compliance, but allows you to maintain that continuous state of compliance. Obviously we wanted to come up with something that addresses the tech stack that Dave was talking about with Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS). It has to be scalable and flexible as your business grows; you should be able to grow with it.
If you think about the life sciences industry in general and the very wide spectrum—whether you are in early discovery, R&D, clinical, manufacturing, post-market—whichever spectrum you fit in, compliance is always considered as a barrier. We wanted to change that paradigm and make it more of an enabler so that you can adopt some of these cloud services—emerging technology, artificial intelligence, machine learning—to speed up your innovation and get your product faster to the marketplace.
The other thing we have done when contemplating this solution, we wanted to make sure that we seek advice from our early adopters. We managed to work with some of our customers to seek their guidance, learn from that, and bring it as part of this package solution that can benefit the larger customer base within the life sciences industry.
This solution is designed for existing Microsoft life sciences customers who are already using some of the cloud services and leveraging the cloud and what it has to offer. It is also designed for new customers in the planning phase or thinking about moving some of the workload from their on-prem or hybrid to the public cloud; in this case, Microsoft Azure.
Regulated Workloads in the Cloud
Vishal Sharma: Let’s take a moment and think about what that typical journey looks like from the regulated workload in the cloud perspective. As I said, the industry in general is pretty wide and pretty broad. Depending on where you fall within that spectrum, different organizations fall under a different maturity state. Early on, some are trying out some of the cloud services, so there is awareness and training is happening. Some are doing proof of concept. Some have already gone a little bit further down the road, they started approving some of the workload and started experimenting with it. But some are really getting into a kind of medium level of complexity, where they started leveraging computer software assurance more than traditional computer system validation. And they started leveraging more and more the automation side of it.
We are keenly aware because, depending on where you fall within that maturity state, we realize not all workloads are going to move at once. So the adoption framework that you’re going to follow, is going to follow a slightly different route depending on where you fall within that maturity state.
But the one thing we recognize, even though you have a cloud-first, or you already are all-in for moving that workload, not everything is going to move at once, so there has to be some structured journey map charted out for you based on your business priority so that you can move along that path.
The other thing we wanted to make sure while moving into this journey, your internal compliance team learns and gains that experience by taking increasingly complex projects and moving those workloads into the cloud as well. And obviously since the paradigm is changing, especially if you’re going from on-prem to cloud, some of the policies, some of the procedures, some of the training, they must be modernized to address some of the cloud infrastructure. For example, all of a sudden we start talking about infrastructure as code, as opposed to installing hardware and installing the software. So the paradigm is shifting, and we’re going to talk about some of those aspects as I move through the presentation.
Life Sciences Challenges
Vishal Sharma: Dave highlighted on a very high level, being a life sciences organization and some of the challenges we face, and this was reflected by the poll question that we just looked at. We operate under a highly regulated environment, so anytime we introduce an innovative solution—in this case, the package offering that we are talking about, USDM’s Cloud Assurance for Azure—we have to make sure it can help you accelerate your deployment of your regulated workload on Microsoft Azure. As I said, not only achieving that initial state of compliance, but provides you the framework for that continuous state of compliance. So you have the GxP control of what cloud services, what infrastructure, what Software-as-a-Service that you are leveraging within that platform.
The other thing we wanted to make sure we address was the question of flexibility and scalability. The reason is very critical depending on the cloud adoption, the journey map we were talking about. Everyone has a slightly different journey map, and we want to make sure the model that we come up with is flexible enough so that it can move with your speed with your prioritization, and it has to be based on the life sciences best practices from ground up so that compliance doesn’t become more of an afterthought, but more of a part of your design. That’s the reason we felt having a predefined package approach to it allowed us to address the flexibility and the scalability question pretty nicely.
The third thing that we were looking at is a time and cost perspective. It’s not only delivering the cloud compliance and reducing the risk; how are we going to do something and what’s going to allow us to speed up this whole thing? That’s where having an organization like USDM and their deep experience in this regulatory environment comes in; we wanted to build on it and we wanted to build the accelerator we are going to talk about, bring that domain knowledge and expertise, and be able to package this so that it can be offered to life sciences organizations at a very competitive price.
USDM’s Cloud Assurance Solution: Services, Accelerators, Deliverables
Vishal Sharma: What is the USDM’s Cloud Assurance solution all about? If you look at it from the solution perspective, there are three core components with the underpinning of this continuous cloud compliance. These are equal components: services, accelerators, and deliverables.
Under services, some of the things that are highlighted are to ensure these are the services elements that are going to be available for you as part of the package. That allows you to look at vendor audit and vendor certification, to prove someone like Microsoft has a robust quality management system. There is a qualification to prove your infrastructure functionality is built and performs for compliance from the ground up by design, not as an afterthought. I talked about this instantiation qualification; the whole paradigm is shifting. If you recall the old days where you had to buy a whole bunch of servers, install a whole bunch of software, and then maintain all that software that is installed on that hardware. Those days were more of an installation qualification. Now what happens is cloud makes that very easy to use. You click on a button, whether you spin up one server or thousands of servers, it instantaneously happens. Now it’s more infrastructure as code. We had to come up with a model that allows us to do that configuration qualification rather than traditional computer system installation and qualification.
We also wanted to look at qualification to prove all the services functionality available through cloud services, and those are built and perform for compliance as well. I’ll give you some examples especially for Microsoft Azure. We wanted to make sure all access management is part of this package, like your Active Directory or Azure AD, all of API management are covered, something like DevOps are covered. Since we are moving more and more workload in terms of data workload, we wanted to make sure the Data Lake is covered. Some of the SaaS applications are covered as well.
We wanted to package a mechanism that allows you to look at from the qualification what I like to call the intended use of configuration, as well as the intended use of workflows, because that’s where your business processes are changing the workflow, the model is changing, the way we work because of this whole pandemic situation is changing because you are collaborating outside of your four walls; you are bringing more partners, more suppliers. We wanted to make sure there is a mechanism built into it that allows you to do that intended use.
The accelerators are where we bring—being an exclusively life sciences focused organization that has deep experience on both domain and the regulatory aspect—we wanted to make sure we build on it. USDM’s Cloud Assurance allows us to keep any piece of services or software in a continuous state of compliance.
We also wanted to make sure we bring impact assessment, and some of you are familiar with this high-level risk assessment. We wanted to bring that element that’s going to help us speed up your cloud adoption, so we wanted to make sure those accelerators are part of this package as well. Also modernizing procedures and controls that are geared toward public cloud infrastructure rather than just a traditional computer system validation, we wanted to bring that element into it. And anytime you bring a new innovative solution, there is change management right underneath it, so we wanted to make sure that change management is geared toward the system and the services in a public cloud domain.
For the qualification package, if you think about the validation framework activity associated with it, all those are built as an accelerator so that you don’t have to reinvent the wheel every time you want to bring new cloud services or new cloud applications. The framework is already packaged for you.
Deliverables. Every time we engage with a customer, the very first thing we have to ensure as part of that engagement, we produce what we like to call the defensible set of deliverables. Knock on wood, if you get audited, you should be able to defend those and not have to worry about whether you are in compliance or not. We take that burden off your hands and make it part of the package offering. Same thing with the Assurance Report and the certification that I talked about.
Beneath these three core pillars, there is a Continuous Cloud Compliance piece. All of these fit into our continuous cloud compliance framework. Not only do you achieve your initial state of compliance, but this program allows you to maintain your IaaS, PaaS, and SaaS in a continuous state of compliance.
Azure Assurance Architecture
Vishal Sharma: Here is what the Assurance Architecture for Azure looks like; this is the system view of the architecture. I’m going to follow left to right and from the bottom up. In the middle, there are different color codes. Yellow represents the managed layer from Microsoft Azure perspective. That’s where you find your global data centers, the physical hardware that often you don’t see because it’s a hidden layer, and then there is a virtual layer. That’s where all of your foundational services on the cloud side come in.
Then there is a layer represented by two different sets of blues, the light blue and the dark blue.
Those fall under customer responsibility. That’s where you start interacting with the infrastructure. You build your access management, your security, your cloud provisioning, your own infrastructure on how you’re going to create your VPC, and that kind of stuff. Higher up is where you start building your own business’s specific infrastructure. You start commissioning services and rolling out your business applications.
On the left-hand side, that’s where we wanted to package some of these elements for you so that you don’t have to deal with them one at a time. This package takes care of your access management, your API management, your change management, your DevOps, your Data Lake, your SharePoint. In some cases, if you have Microsoft 365, we can assess and include that as part of the package.
On the right-hand side, that’s where you saw the package solution when I was talking about all the services, all the accelerators, all the deliverables. We wanted to make sure every tech stack layer was addressed through services, accelerators, and deliverables so that every layer of the tech stack is in full compliance in the initial state as well as a continuous state of compliance.
Azure Assurance Architecture: Phase 1–3
Vishal Sharma: We looked at it from a certain architecture perspective. When you start working with USDM, this is what I call Assurance Architecture, which is more of a process view. Try to visualize how that engagement is going to roll out. Every client engagement starts with what we call the three-step process: alignment, assessment, and implementation.
During alignment, we look at the Vendor Assurance Report and the vendor certification. The FDA guideline coming soon will take us from a very traditional way of doing computer system validation to more of an assurance area. That allows us to look at what Microsoft already does in terms of assurance and build on it rather than duplicate that effort. During that alignment, we’ll look at every client thing and what they already have. We try to understand their intended use. We look at what they already have in place in terms of how they operate today. What are the standard operating procedures? What methodology do they follow? From a development perspective, you’re going to be hearing a lot more about Software-as-a-Medical Device (SaaMD). Software is getting built in to pretty much every device. How is that going to change the landscape? We look at it from that perspective.
Then we do a broad health check. What do you have in your technical landscape? We look at it from a procedural standpoint and the technical configuration standpoint, which allows us to do a procedural and technical assessment, then we provide you with the assessment report. Once you provide your approval, we make recommendations for procedural changes to comply with this dynamic nature of the public cloud. When we get your approval for the technical configuration, we can start updating your standard operating procedures.
In some cases, we help our customers implement those configurations. In every customer engagement we make sure that we are driving the value. Underneath the alignment, assessment, and implementation, information is feeding into our Cloud Assurance program that allows us to maintain your IaaS, PaaS, or SaaS in a continuous state of compliance.
Azure Assurance Architecture Phase 4+
Vishal Sharma: Azure DevOps and Azure AD are the cloud infrastructure. The landscape covers SharePoint, for example, and then you have a DevOps framework that allows you to build GxP compliant software, and then you have access management as a Data Lake. That is our starting package, but we’ll be introducing more services as we move through this journey.
This follows the qualification plan I was talking about. It covers your system requirements and configuration specifications, and that allows us to get the approval to execute on it. Sometimes we leverage automation, piggyback on what Microsoft already does, and provide additional automation where it will add value.
Once we get your approval, that becomes your qualification report, then you are released for production use without having to worry about whether you’re maintaining cloud compliance.
Toward the end of that engagement, if you are ready to move other regulated workloads into the cloud, we help you assess that and create a roadmap for you. All of this fits into the Cloud Assurance program.
USDM’s Cloud Assurance Advantages
Vishal Sharma: The question is, why build such a thing? Why is this needed? If you recall the talk about acceleration to the cloud and the changing nature of the workplace and the ability to leverage cloud for high-end computing or high-end data analytics, these are leveraging artificial intelligence and machine learning in a variety of areas. Whether it is drug discovery, detecting something on your x-rays, or other use cases. Our idea from inception was to make compliance in a public cloud infrastructure an enabler so that you can expedite your journey to the cloud.
The very first thing we wanted to focus on was continuous cloud compliance and take that burden off your hands, reduce the compliance risks, achieve that continuous state of compliance, and keep building your compliance knowledge as you take on more complex projects and move more regulated workloads into the public cloud.
To accelerate that journey, we needed something very structured that you can map out based on your business priorities and strategic initiative. The prepackaged solution still fast-tracks your innovation and allows you to focus on core business rather than having to worry about the technology, the infrastructure, and the compliance aspect of it. We also tossed on the flexible adoption model, and scalability is the key.
But in the end, none of this matters if it doesn’t help you realize the business value. That’s where the core focus was for this solution; we wanted to truly speed up that deployment and adoption for Azure and Microsoft business applications. And it has to be cost effective; that’s the reason the bundled solution package offering makes sense.
We wanted to make sure we were building something that allows you to focus on what I like to call the value-creating activities, rather than focusing on value-consuming activities. So that was the core of it as part of the package offering.
AI Chatbots to Support GxP Content for Clinical Trials
Vishal Sharma: I talked about this concept and why we wanted to build something like this; but what are the values, what are the benefits? In the very early days when we were contemplating this solution, we wanted to make sure the idea had merit and a true value for our customer base. We worked with one of the largest pharmaceutical companies and collaborated with them very early on. We wanted to solve a problem.
The situation: The company had a well-defined SDLC and CSV, but they were not designed for a public cloud, so they were not geared toward Azure DevOps. There were no standard SOPs defined for that. Infrastructure—in this case, Azure and DevOps in particular—was qualified in the beginning for non-GxP type of intended use, not for GxP type of intended use. The challenge given to the team was to figure out how we can leverage the DevOps framework for the non-GxP type of application for GxP? They wanted to create this intelligent agent that could assist all the folks within the clinical trial area who can extract information from the GxP system and the non-GxP system through the same virtual agent.
That challenge was proposed to the internal team and we were very privileged to collaborate with them in the early stage to solve that problem.
Some of the concerns that they had initially in DevOps were the lack of enforcement and the sequence of steps to ensure the compliance was built in as part of the design. Approval challenges, a lack of understanding how best to use the DevOps tool for GxP. Those were some of the challenges and we helped address them. Defining the project, they were using Azure stack with the natural language processing tools. We helped them develop the governance structure and the workflows for the GxP use cases that I was talking about. Part of this whole engagement was creating that awareness, education, and bringing some of the best practices from our 20 years in the business to help them create that framework that met all the GxP-related requirements.
We also brought some of the technological aspects where we managed to use electronic signature that allowed them to do multifactor authentication as well. Towards the end, we managed to create this master assurance plan for them that actually addressed GxP, non-GxP, Software-as-a-Medical Device, and had a true differentiation how to do the intended use assessment so that you can say what level of formal testing was needed versus what you can do with informal testing, and what you could leverage on vendor executed testing as well.
This truly made a difference in how they were perceiving public cloud and DevOps in particular, and now they are realizing the value, how they can take something like this from the pilot project to implement it enterprise-wide. Every piece of software follows the same framework and they don’t have to worry about the process being compliant. This project was, I shouldn’t say revolutionary, but had a huge impact on how they thought about leveraging something in a public cloud enterprise-wide without having to worry about compliance and tying in to their business initiative. That’s going to speed up their innovation time and get their product to the market faster.
FDA Outlook on Cloud Compliance
Dave Meyers: I would add to that, I think the DevOps example is a great starting point because it is somewhat limited in scope and it’s a lower risk environment, a less complicated environment to implement this type of compliance framework.
Vishal Sharma: The outlook from the FDA in terms of cloud compliance since they are moving from this traditional computer system validation where you add a whole bunch of documentation, that’s what you started from. Then you started thinking what to test. Then you started introducing a risk-based approach in some capacity, then critical thinking. Are they truly making a difference? Are they really making your product safer? Critical thinking came at the end. Now the paradigm is shifting to have more critical thinking up front. You are looking at product and safety first and applying a true risk-based approach, then determining what you can leverage from vendor assurance because if something is already tested, why would you want to duplicate that effort? Rather, build on that and bring in more automation, and truly become risk-based so that you can make your product and process—quality, operations, manufacturing—safer than where you started from. The FDA truly believes in it and a guideline is coming out in September, and I believe that’s going to change the paradigm, how we think about cloud compliance in general. I think it’s changing for the good, and it’s going to do a lot of good for the life sciences industry in general, because it’s a safer product, safety is part of the design, your recalls, your returns … it’s going to save lives by making the product and the process safer. So that also validates some of the thinking that we had when we were conceptualizing this product in terms of packaging, what we’re going to offer, and how we’re going to bring that to the marketplace.
Lessons in Cloud Assurance
Vishal Sharma: If you look at USDM, regulatory compliance, the domain, and the technology stack, then cloud compliance is in our DNA; that’s what we have been doing for a long, long time. We wanted to make sure some of the learning that we have done for other cloud platforms and other Software-as-a-Service were brought in when we designed this package. We wanted to make sure those things are included and all of our life sciences customers should be able to leverage those. These are some of the things that are going to look obvious to you, but I just wanted to highlight a few of these. When we move to the public cloud, the tendency is to take a very siloed view: look at one product, one service, one solution. But I view the cloud as a very long-term investment in the technology platform that allows us to do a lot of this good and innovative stuff, whether it’s on the compute side or the storage side or data side or analytic side. You have to look at and plan for that end in mind rather than just focus very narrowly on one piece. Though, from an implementation perspective, you’re going to execute one piece at a time or a few things at a time.
We want to make sure you implement based on life sciences best practices and that’s where our focus was to bring all the collective learnings and best practices we developed, all the accelerators we developed become part of this package. That helps you maximize your ROI and your engagement from a project management perspective, and in general, what I like to call the much broader organization change management. Anytime you introduce new technology, a new process, or a new product, you have to make sure you have the mechanism in place that allows you to adopt, and then you gain wider acceptance of it.
There is a tendency to underestimate the effort it takes to keep that initial state of compliance, but a continuous state of compliance. We wanted to make sure all life sciences customers can leverage our learning so that compliance comes at a very low cost point and it’s very flexible.
The USDM Strategy Framework
Vishal Sharma: This is where we are in the journey with Microsoft and Dave touched on it. We are in the early stages of our partnership with Microsoft, and we have a bigger vision today. We are starting with the technology and compliance, and that’s the reason we are introducing this Unified Public Cloud for Azure. But as we move through in our journey, we wanted to make sure more cloud services, more business processes, we want to build on it so that consuming any one of these services from Microsoft Azure should be lower risk. You don’t have to worry from the compliance burden perspective, and it’s very easy for you to consume it.
Eventually, our goal is to get the real-time insight that has a true impact on the high-impact business outcomes by leveraging the data and analytics, artificial intelligence, and machine learning we talked about, and we should be able to operationalize that. That’s where Microsoft’s big vision is as well, to help life sciences customers to leverage innovative technology and make it easier to consume without having to worry about the compliance piece of it.
Q: You talked a bit about your client and the process through that; how they used it, are they using everything, how long did it take them to get fully implemented, and were there any surprises or lessons learned?
A: (Vishal Sharma) There are three parts to it. Initially, because Microsoft Azure was already in place, they were qualified for non-GxP use cases. The idea was to use that same framework for efficiency, but they were having some challenges for GxP use cases. That’s what we wanted to focus on because that’s where we saw the value of scaling enterprise-wide.
We focused on that, making sure they were using the entire development framework from writing user stories, to that epic and turning that into test cases, and leveraging all Azure DevOps from a repo to automation testing and results and giving them the Azure board for how they are moving through the process and bringing all the business-side approval.
Anytime you write a quality test plan, you want to make sure your stakeholders are aware of it and they provide you appropriate approval before we move to part into the process. We wanted to make sure the technical aspect, the business aspect, the quality and QA aspect were brought into the same efficient workflow as part of the Azure DevOps, so that they don’t have to go outside of that framework to seek additional approval.
In my opinion, that actually made a huge difference in terms of not only gaining efficiency—that was the key—but they didn’t have to worry about compliance because every signature, every data lineage, electronic signature were all part of that efficient workflow. And I believe that made a huge difference.
From the lessons learned, I think we were contemplating how much automation we can bring as part of the first phase of the project. There were two sides to it. One side wanted to go fully automated. The second side wanted to go a little bit incremental. We took a hybrid approach. In hindsight, if we have a mature organization, we should move more and more to automation because that reduces errors dramatically, and that makes the workflow very efficient.
Hopefully, as we engage with more life sciences customers and different scenarios, we can bring some of those learnings and help guide that process with automation, leveraging the accelerator that I was talking about. I think that’s going to be helpful.
Q: Is the Azure cloud platform General Data Protection Regulation (GDPR) compliant? How are data localization requirements met?
A: (Vishal Sharma) This happens to be one of the European countries where you have the strictest GDPR. For data residency and data storage, Microsoft does all of these by design in some of their offerings, so some layer of compliance is already built in.
As part of this project, we ensured anything added on top of it from a framework perspective, these are covered; how data was communicated and transmitted was covered with all the security that was needed. We added the compliance framework to ensure all those layers that the data moves through are part of that compliance framework. To answer that question, we went through all those layers to ensure they were compliant as part of that overall framework.
(Dave Meyers) I’ll add a couple of points. As Vishal mentioned, GDPR is a European regulation, but Microsoft has implemented it globally. That’s our minimum bar globally. For data localization, we’ve got over 100 data center physical locations worldwide with availability in 140 countries. We have the best coverage. We’ve got excellent coverage for data sovereignty.
Q: Do USDM implementation services support both GxP and ISO 27001 compliance out of the box?
A: (Vishal Sharma) As part of the package, anytime we bring any innovative solutions, GxP control is part of the design. Since we have an entire practice around regulatory compliance, we help customers with the ISO certification guidelines and compliance. Those are all part of the design when we bring something to the marketplace.