SAP for Life Sciences Discussions
Get insights and find practical tips to optimize your processes with SAP solutions. Share your own knowledge of life science technology and success stories.

Cloud, SaaS and Computer System Validation

0 Kudos

Dear Compliant Consultants,

I was wondering if any of you already had some experience with the validation of Cloud based applications?

How was this incorporated in the CSV policy, and what did the validation master plan look like?

Looking forward to your replies.

Kind regards,

Ruud Nieuweboer

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Ruud, Oliver:

Cloud compliance is achievable and is in a similar state of re-definition that occurred for previous technology changes (relational databases, client server architectures, web-based technologies, virtual systems, etc.). CSV practice re-definition is also occurring as it did in the past (risk based validation, GAMP revisions, etc.).

USDM is supporting several major life science clients and application providers, and SaaS providers to achieve and maintain FDA (ICH) compliance.

Also, we have worked with SAP on validation initiatives and offer a validation accelerator pack for SAP. We will now expand the VAP to support the UDI and Federal Serialization regulations.

Can I reach out to you privately to expand on this discussion?

Jim

Jmacdonell@usdm.com

15 REPLIES

0 Kudos

Hi,

sorry for commenting on this so late (I just came back into the Life Sciences Space).

I don't have a real answer ...yet. So I would like to repost this to the community.

Are you looking at specific business processes? I believe that it makes a difference whether you need to validate a cloud system managing batch characteristics vs. a learning management system that "only" holds learning records. Even though both processes are subject to validation, the latter is probably much less risky and therefore easier to start with.

Oliver

0 Kudos

Hi Oliver,

Thanks for commenting and getting this topic back on the 'map'.

Maybe I had to be more specific. But the question is related to ERP systems/ processes that are GxP relevant.

Regs,

Ruud

0 Kudos

Hi Ruud,

Probably the biggest obstacle to run a GMP process in a cloud environment is the fact that the provider will patch and upgrade the system at pre-defined intervals. With ByD for example, the systems are getting hotfixes every 2 weeks and are upgraded every quarter ...no exceptions! So a company running a process that must be validated (a) doesn't know exactly what was changed and (b) would need to re-validate after every patch or at least after every upgrade. Even though these patches and upgrade procedures are thoroughly tested I don't believe that this will suffice for keeping the system validated.

An option would be to run the system in a private cloud, where the customer can define (within certain limits) when patches and upgrades are applied.

Please keep us posted where your investigations take you!

Oliver

0 Kudos

Hi Oliver,

That's of course one of the big discussions about real Cloud Solutions like ByD. But if you look at topics like storing data in the cloud e.g. the serialization area, where you'd like to track and trace the full supply chain.

There are a bunch of questions that need to be answered around data integrity.. Interesting though!

I will post my findings here

Kind regards,

Ruud

0 Kudos

Hi Ruud,

I got questions like this a lot lately (especially in the context of serialization), sentences like "These data are too sensitive to store them in the cloud!" or "I won't store my data in the internet where everybody can see them!". These are statements you should really think about! But on the other side.....check out how SAP manages its Data Center (http://www.sapdatacenter.com). Maybe your data are better protected in SAP's data center than in your own?

And in this context you should also ask yourself not only whether your data in the cloud are protected against unauthorized access but also whether the data will always (!!) be accessible for you (!!). So is authorized access guaranteed for all time at all times? So, ask this:

  • Will the cloud company be around in 5 years? If a classic software provider goes out of business, you still own the software. If your cloud provider caves, your cloud solution will be gone.
  • Where is the company located and where will your data be stored? Are you actually allowed to store your data at that data center? E.g. person related data of EU employees are not allowed to be stored outside of the EU. Check also which laws apply at these locations. Governments might have access to the data by law, e.g. in case of crime investigations.
  • Who is backing the cloud company? Is it publicly traded or private equity and in the latter case who has a share? You don't want to end up running a solution at a provider that is actually controlled by your biggest competitor through a private equity investment.

In general, make sure to familiarize yourself with Cloud Solutions (there is way too much nonsense out there), e.g. by scanning the Cloud Computing Space in SCN (http://scn.sap.com/community/cloud). You'll find great content, e.g. the Myth Buster series by ...e.g. http://scn.sap.com/community/cloud/blog/2013/11/13/cloud-myth-busting-myth-5-business-in-the-cloud-i... .

Have fun.

Oliver

0 Kudos

Hi Oliver,

Indeed, maybe the mind set must also change. Is it feasible for a SME customer to secure their data, so it can't be tampered with? I wonder...

If regulatory bodies will see Cloud as a phenomenon that is to stay, they will surely demand answers to what you state above. I think Hybrid and private cloud constructions are even easier to validate than we currently presume, although I'm not familiar with the techniques behind cloud storage, a hard drive is still a hard drive.

I think the validation of the Amazons of this world is feasible, but how do we validate the communication between a Cloud system? As of today it seems that all communications can be tampered with..

Whenever an answer comes to a question regarding this topic, new questions arise. It's very interesting though!

Thanks for sharing your thoughts!

Kind regs,

Ruud

0 Kudos

Hi Ruud,

good question:


....how do we validate the communication between a Cloud system?

... I don't know (it's one of the things I try to figure out), so let me ask you this: How do you validate the communication between a supplier's on-premise system and a customer's on-premise system, e.g. via EDI or calling a web-service, when the communication contains a q-certificate or serial numbers that are being communicated to e.g. the Turkey MoH?

In all cases you have communication going through a cable or via a satellite and that can be tampered with. So is this really a cloud specific issue?

Gosh... I was hoping for some answers and get more and more questions .....
Oliver

0 Kudos

Hi James,

I think if we expand this discussion here, it would be highly appreciated by the members. I've taken a look at USDM's track record and I believe your input could be valuable!

@Oliver, do you agree?

Topics could be:

Use cases in a GxP environment*

  • Risk-based approach
  • Specific responsibilities of the cloud service provider
  • Specific responsibilities of the cloud customer
  • Separation of GxP vs. non GxP

Where do the regulatory bodies stand?*

  • Inspection Trends EMA – Annex 11
  • Inspection Trends FDA
  • Inspection Trends other countries

Regs,

Ruud

*Topics from Cloud Computing and Outsourcing in a GxP Environment by ECA

0 Kudos

Hi Ruud, James,

good point...I also would like to have this discussion continued with input from different angles.

We had a discussion lately about the scope of a validation project of a cloud solution compared to an on-premise solution. Overall the tasks seem to be the same, it was just a question on who has to execute the task. In a cloud scenario more tasks are on the provider side and therefore subject of an audit. This impacts especially Infrastructure Qualification and Security/Privacy. There might be a few additional tasks for cloud solutions though.....

What do you think?

Oliver

0 Kudos

....one more update on this topic (and I keep digging).

We (i.e. SAP) actually have a validated SaaS offering for SuccessFactors LMS (Learning Management Solution). Check out the "validated SaaS Brochure". In my view this approach might very nicely also fit other cloud apps.

(You may also want to check out the latest version of the "Part 11 Whitepaper" for the Business Suite)

Oliver

0 Kudos

Hi,

We've written a blog about Cloud Validation and compliancy, check it out:

Compliant in the Cloud: An outlook on the adoption and validation

Let me know what you think.

Regs,

Ruud

0 Kudos

Hi Ruud,

Sorry for the interruption.

I recently joined into the world of Life Science, and it was very interesting to read the discussions above.

I was really hoping to read the blog you mentioned, but the link shows an error "document not found".

Would you please repost the blog ?

Thank you.

Yuko

Former Member
0 Kudos

This message was moderated.