Life science industries generally face several challenges in adopting to the technological advances considering the regulatory impacts and tedious processes involved. But with the alluring benefits provided by cloud based solutions and the need to globalize R&D, moving to cloud has become the “New Normal”. Though adoption of cloud, means the vendor would qualify, maintain and administer the services, it does not spare the end user from their ultimate responsibility to ensure that the applications in cloud are validated and comply with the regulations, in which in turn is complete only with the qualification of underlying infrastructure.

Wondering how to formulate an approach to qualify cloud infrastructure? Here it is:

Vendor Assessment:

A thorough selection process and ongoing oversight about the following is required to determine the supplier quality and reliability and there by the extent of qualification:

• Their capability to deliver the service as per your requirements
• The level of compliance with different regulatory requirements and standards to be followed
• Presence of quality management system and procedural controls to ensure confidentiality, integrity and availability

Determine Qualification Scope and Infrastructure Layer

• List down all the infrastructure components
• Identify those having an impact on current industry’s regulations and business operations at your organization and this will serve as the major input to the risk assessment process
• Each infrastructure component identified in scope for qualification can be categorized based on the GAMP 5 Categorization of Hardware and Software and also into subsequent infrastructure layers depending on the function or service they provide.
• The Qualification activities to be performed will differ for each such layer.

Perform Risk Assessment

• On determining the scope, a documented risk assessment must be conducted, to identify the possible risks associated with each infrastructure component, likelihood of its occurrence and its impact to business
• Any possible threats to data privacy and data security must be considered and evaluated
• Qualification activities must be tightly controlled in such a way to minimize those risks

Let us consider a server for instance, the results of risk assessment would be as follows:

Qualification Deliverables

The qualification deliverables required in general include the following:

• Risk Assessment Report
• Qualification Plan
• Design Specification
• Qualification Protocol
• Qualification Summary Results

Plan Qualification Activities and level of qualification
Considering the components in scope, layer to which they belong to, the results of the risk assessment and reliability of the supplier, a qualification plan must be formulated detailing the level of qualification required followed by the creation of qualification deliverables.

Infrastructure Layers

Here is a comprehensive checklist listing down the points to be verified when qualifying cloud infrastructure, and qualify any solution of your choice with it!

Confused about which deliverable is applicable for which infrastructure layer, who should take responsibility for which activities? Don’t worry, we’ve got it covered for you!

Take a quick glance at these helpers-
Deliverables Matrix for Infrastructure Layers
RACI Matrix for Qualification Activities and Deliverables