Skip to main content

Understanding Serialization and the Cloud

By August 10, 2016March 2nd, 2021DSCSA, Serialization

It’s an understatement to say that technology moves faster than regulatory bodies. Case in point: Title 21 of the Code of Federal Regulations, Part 11 – more commonly known as 21 CFR Part 11.

Published in 1997 by the FDA, 21 CFR Part 11 defined what was expected of electronic records and electronic signatures in order to ensure they were trustworthy, reliable, and equivalent to paper records. Of course, this was only a few years into the digital revolution. Since then the software industry has advanced in ways never dreamed of at the time, both in terms of new technologies and how they’re delivered.

Part 11 in the Age of the Cloud: It’s Complicated

Beginning in the 1970s and through most of the 90s, software was sold as licenses and installed right in a customer’s physical location. But by the late 90’s, hosting became the rage, allowing the vendor to deliver the application through a data center. Then, fast forward to the mid-2000s and Salesforce.com changes everything again by delivering software as a service (SaaS) – aka, through the “cloud.” Since then, software providers – with or without Current Good Manufacturing Practice (CGMP) functions – have raced to release cloud versions of their applications.

With so much progress in so brief a time period, how has Part 11 held up?

Part 11 requires Computer System Validation (CSV) to qualify a computer system. Traditionally there are three parts to the CSV process: installation qualification, operational qualification, and performance qualification (IQ, OQ, and PQ). When software is installed and exists on-premises, the qualification process is straight forward. The validation process for hosted software follows a similar process, since the only difference is the location of the server.

But validating on the cloud? That’s a different story – a complicated story.

Two Ways of Looking at the Cloud

To explain why, we first need to describe the two kinds of clouds – one of which plays well with Part 11 validation, and one of which does not.

  1. Single-tenant cloud: A software vendor configures a cloud environment for just one client. All the necessary services (like installation and testing) and components (like a server, operating system, related applications, and storage) are assigned only to that client’s personal cloud. Because everything is dedicated to one client and held in one place, validating for Part 11 and meeting the requirement can be performed in a way similar to that of the hosted software.
  2. Multi-tenant cloud: A software vendor provides a shared environment used by multiple clients. A prime example is Amazon Web Services (AWS), where applications run on massive data centers and processing power and storage are scaled through an algorithm that allows any server in the server farm to provide extra capacity. It’s a great service, but it also prevents the vendor from knowing precisely which server is running any one application or storing any particular set of data.

Vendors that provide single-tenant cloud offerings typically provide installation qualification as a service to clients who require Part 11 compliance. But multi-tenant cloud vendors can’t do that. AWS explains it this way: “…customers using AWS Products in GxP systems are fully responsible for all software validation and infrastructure qualification activities within their AWS account. Since AWS does not develop or manage applications on behalf of customers, nor does AWS provision or configure customer-specific infrastructure, AWS cannot perform GxP validation or qualification activities on behalf of customers. AWS is responsible for ensuring AWS Products conform to AWS product specifications, SLAs and commercial IT standards, and GxP customers are responsible for validating the GxP systems they build with AWS Products.”

With cloud adoption becoming the norm, this validation gap is causing serious problems for many pharmaceutical companies – one that won’t get resolved until the industry’s regulatory bodies step up and offer a solution.

Solving the Cloud Validation Issue – a First Step?  

In Aril 2016 – 19 years after offering up Part 11 guidance – the FDA at long last mentioned the cloud in its Data Integrity and Compliance with CGMP – Guidance for Industry document. The guidance states that, “Computer or related systems can refer to computer hardware, software, peripheral 142 devices, networks, cloud infrastructure, operators, and associated documents.” It goes on to explain, “The guidance outlines FDA’s current thinking regarding the narrow scope and application of part 11 pending FDA’s reexamination of part 11 as it applies to all FDA-regulated products.”

I – and many others – welcome an open dialog between the FDA and our industry about deeper guidance on the validation of cloud applications. But it’s unlikely to happen fast enough, because the industry is on a rapid pace toward adopting serialization solutions, and some of them are in the cloud.

Serializing in the Cloud? Do Your Homework  

Choosing the right vendor as your serialization partner is critical to your serialization success. And if cloud services are part of your serialization efforts, then vendor selection is even more important, because your road to FDA compliance becomes trickier. The good news is that technology companies in the serialization space offer a variety of options: on-premise applications, single-tenant cloud, and multi-tenant cloud. The bad news is that you may end in a compliance limbo if chose unwisely, fail to ask the right questions up front, or manage the relationship poorly.

I’ve talked to a number of pharma companies that acquired software for the 2015 DSCSA requirement, thought they were covered, but had difficult or terrible implementation and validation processes. As we move toward the 2017 DSCSA deadline, many in the industry are worried about repeating those bad experiences.

At LSPediA, we help clients select mission-critical vendors for serialization, ERP, warehouse, EDI, and EPCIS solutions based on a matrix of requirements, including compliance, functionality, usability, and cost. Our vendor selection services have helped many companies find effective, high quality, compliant, yet affordable solutions.

LSPediA Advisory Services: Access to Our Experience, Every Step of the Way

Vendor selection is part of our Advisory Services suite, which gives you access to our deep experience and track record of successfully managing serialization implementation for manufacturers and distributors large and small. Services start from as little as $1000 a month for the advisory package, which can be upgraded to the Serialization Toolkit package that is tailored to your needs.

If you’re searching for a serialization solution and have concerns about the cloud, I recommend a conversation with us today. Our insights will surprise you, and benefit your company.

 

About LSPediA

LSPediA helps pharmaceutical manufacturers and distributors plan, design, and implement processes and solution to meet serialization global regulations, DSCSA requirements, and future track-and-trace mandates. Our services include serialization gap analysis, strategic planning, solution architecture, vendor selection, line execution, CMO management, supplier management, implementation, and more.

We value long-term relationships and work with our clients’ internal teams to properly define roadmaps, create architectures, and implement systems that align to vital business goals, ultimately helping them derive maximum value from their investments, both now and well into the future.