
Compliant Framework for Cloud-Based Innovation in Pharma & MedTech


Cloud-based technologies are revolutionising pharma and medtech innovation. But many businesses remain uncertain how to leverage such technologies whilst maintaining regulatory compliance.


Explore a new framework for compliant cloud-based innovation, developed in partnership with the Johner Institute. 

The cloud is an accelerator of innovation across nearly every industry. In fact, one McKinsey and Company study found that an incredible 75% of the cloud’s predicted value comes from boosting innovation. 

Manufacturers of drugs and medical devices are only too aware of the potential benefits of harnessing cloud-based technologies: 

  • Rapid development, testing, and go-to-market times of new products
  • Increased scalability 
  • Reduced hardware and associated maintenance costs
  • Access to new business models (e.g. outcome-based pricing and pay-per-use)

But cloud providers are not medical device or pharmaceutical companies and didn’t develop their services to be an exact fit for the industry (or its specific requirements). That means when it comes to actually using the cloud for innovation, many pharma and medtech businesses hit an obstacle: a lack of knowledge or guidance on how to maintain regulatory compliance. 

This has cast doubt over when, how, and if the usage of cloud technology within the industry is even possible. 

And that’s a big problem. Overcoming key issues facing the industry requires the development of such innovative solutions. Such issues include: the rising complexity of developing healthcare solutions due to increased personalisation requirements, and the growing demand for connected, data-driven products.

This is especially true when it comes to post-market monitoring in a value-based model of care, or virtual trial setting. In such situations, data is constantly fed back to the solution provider to be analysed in near real-time. The solution provider then uses this feedback loop for continuous product or service improvement.

Taken together, it’s clear that businesses need clarity and guidance on how to leverage cloud-based technologies in a way that also ensures regulatory compliance. 

Working in partnership, Zühlke and the regulatory experts at the Johner Institute have developed a new framework for that very purpose. Our collective insight is presented in our whitepaper, Medical Clouds: A Case for Continuous Validation in Medtech & Pharma.

Below, we explore the key challenges the framework overcomes, provide an overview of how it works, and explain how qualification and validation of cloud-based infrastructures and software can be achieved. 


The key challenges the framework addresses

Manufacturers of medical or pharmaceutical products are required to ensure their products, production facilities, and processes adhere to rigorous verification and validation checks. This includes any applications used within their manufacturing or development processes. 

So how does a business access the advantages of the cloud, such as rapid deployment of new products or upgrades, whilst meeting these requirements? 

First, they need to develop a deeper understanding of data integrity, system ownership, and verification and validation processes. 

From there, a reimagination of current verification and validation processes is needed. Regulatory compliance must no longer be seen as a linear journey – where comprehensive test protocols are established, and an on-premises product makes a one-way trip from being ‘non-compliant’ to ‘compliant’.

Instead, regulatory compliance must be seen as a state that can only be maintained with continuous validation. In the framework we outline, cloud-based products are constantly validated and verified against a stringent set of criteria which is set by the medical product or service provider. 

An overview of the framework 

The framework covers all stages of medical device and drug development: concept design, project, go-live / maintenance, and retirement. We zoom into each of these phases in detail in the whitepaper, but for the purposes of this blog post, we provide an overview of the framework as a whole.

The framework is rooted in critical thinking and risk-based considerations which enable businesses to apply a series of controls. These controls include supplier management activities, and automated and manual validation tasks. 

The controls ensure compliance in two key areas: validation of the cloud technology as infrastructure, and of how medical products or solutions behave in the cloud. 

When combined, these allow for a state of continuous validation of cloud-based systems. 

Validating the cloud as infrastructure is achieved by continuously monitoring and evaluating changes to the system. This requires implementation of regular assessments of cloud-based systems based on their criticality and risks. This is performed in tandem with leveraging supplier management activities which include demanding required certifications and the performance of audits.

The validation of how medical products or solutions behave in the cloud is covered below. 

The role of automation

In the proposed framework, some key processes typically performed manually (at great cost) are automated. Automation ensures that verification at this frequency is not only possible but also doesn't become a financial black hole for businesses.

Key processes that are appropriate for automation cover areas in which changes to the cloud infrastructure are most likely to occur or cause significant impact – for example, patient critical applications. 

Using carefully targeted automated testing methods also affords increased ROI on quality assurance (QA) processes more generally. This is because it can be supervised by a lean QA team, thereby enabling the wider team to focus on more sensitive features.

Automation alone isn’t enough, of course. The strength of the framework lies in the combination of increased knowledge (of data integrity, system ownership, and verification and validation processes), critical thinking, and automated testing in carefully selected areas. 

The result? Businesses can ensure their product or service is consistently working as required, requirements remain fulfilled, and risks are continuously mitigated.

How the automated validation process works 

The verification & validation process for medical devices and SaMD.

  1. Evolving regulatory requirements are considered and incorporated into verification and development processes (as explained above).
  2. Teams identify requirements of the cloud-application and evaluate which of them represent risk and therefore need continuous verification and validation (this is the most important phase).
  3. Test cases are created based on these requirements. 
  4. This test plan is then actioned – by manual and automated test runners, as appropriate.
  5. These tests are performed against the product that lives in the cloud (and can be triggered automatically based on a series of variables – where appropriate).
  6. The test runner then reports the results to a technical file and/or logs them in the QM system for auditing processes.

This is because the framework creates an automated ‘border check’ between the product and the third-party cloud services it uses. This ensures the leveraged cloud technology remains firmly within the regulatory parameters the medical product manufacturer has established. 

This reduces the strain on quality leads who otherwise would have to shoulder the responsibility of ensuring regulatory compliance. By keeping a record of the results, quality teams also have peace of mind that they can evidence a robust due diligence process. 
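As an added illustration of steps 2 to 6 and the ‘border check’ described above (this is not code from the whitepaper or from Zühlke), the sketch below runs the checks tied to risk-relevant requirements against a snapshot of a cloud service's settings and records each result. The requirement IDs, setting names and record format are assumptions, and the hash chain over the records goes beyond the text: it is added so that a later edit to the audit log is detectable.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable

@dataclass
class Requirement:
    req_id: str                    # hypothetical identifier scheme
    risk: str                      # result of the risk evaluation (step 2)
    check: Callable[[dict], bool]  # automated test case (step 3)

# Constructed requirements; setting names are assumptions, not a real cloud API.
REQUIREMENTS = [
    Requirement("REQ-001", "high", lambda s: s["storage_encryption"] is True),
    Requirement("REQ-002", "high", lambda s: s["region"].startswith("eu-")),
    Requirement("REQ-003", "medium", lambda s: s["min_tls"] in ("1.2", "1.3")),
    Requirement("REQ-004", "low", lambda s: s["ui_theme"] == "default"),
]

def digest(record: dict) -> str:
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def run_border_check(requirements, snapshot, run_at, levels=("high", "medium")):
    """Steps 4-6: run the risk-relevant checks and return chained audit records."""
    records, prev = [], "0" * 64
    for req in requirements:
        if req.risk not in levels:
            continue               # low risk: not part of continuous validation
        try:
            passed = bool(req.check(snapshot))
        except (KeyError, AttributeError, TypeError):
            passed = False         # a missing or malformed setting fails closed
        rec = {"req": req.req_id, "risk": req.risk, "passed": passed, "run_at": run_at, "prev": prev}
        rec["hash"] = prev = digest(rec)
        records.append(rec)
    return records

def chain_is_intact(records) -> bool:
    """Recompute every hash so an edited or removed record is detected."""
    prev = "0" * 64
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

# Constructed snapshots: a validated baseline, then the service after a provider-side change.
BASELINE = {"storage_encryption": True, "region": "eu-central-1", "min_tls": "1.2"}
AFTER_CHANGE = {"storage_encryption": True, "region": "eu-central-1", "min_tls": "1.0"}
```

Running `run_border_check` on a schedule, or whenever the provider announces a change, gives the trigger described in step 5; the returned records are what would be written to the technical file or QM system.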

How does it stack up against current regulations?

When assessing the effectiveness of this framework, regulations and standards concerning medical devices should be considered from three perspectives:

  1. Cloud-based solutions as part of the medical device
  2. Cloud-based solutions as part of the infrastructure to support medical devices
  3. General legal requirements on data usage, cyber-security and critical infrastructure

In the whitepaper, we deep dive into the relevant regulations from both the EU and the US. We explain how these regulations influenced the design of the framework and highlight the key areas that businesses need to be aware of when working with cloud-based innovation. 

Fundamentally, it’s important to note that current interpretations of the EU or the US regulations do not prohibit the use of cloud-based infrastructure or applications in medtech or pharma. 

Validation of software and qualification of infrastructure has always been a regulatory requirement. The FDA’s regulatory requirements and guidance documents dealing with software validation and electronic records have been key drivers for the adoption of software and validation for medical companies over recent years.

The FDA has also launched multiple strategic initiatives to help pharma and medtech businesses manage the regulation of new technologies when developing products and solutions. However, at present these documents do not deal with cloud-based technology directly. 

This means the industry needs two things: 

  1. Guidance on how to leverage cloud within current regulations.
  2. A robust and practical framework for how this will be achieved at a technical level. 

The proposed framework is successful precisely because it satisfies these two needs. It provides guidance and an interpretation of current regulations to give businesses the reassurance to move forward. And it offers a technical solution for how it can be actioned. 

The risk-based approach also means it is adaptable, as it deals with rigorous critical thinking to identify and mitigate potential risk.


With a practical framework for compliant usage of cloud-based technologies, pharma and medtech businesses of all sizes can innovate with confidence, speed, and agility. 

But this will only be possible when the framework is combined with deeper understanding of data integrity, system ownership and verification and validation processes. 

By building an approach based on critical thinking, validation planning, trust-building supplier monitoring, and a combination of manual and automated validation tasks, businesses can enable a state of continuous validation of cloud-based systems – and reap the rewards. 

To get the full details of the framework, read our Medical Cloud whitepaper. It includes a detailed breakdown of the relevant regulations, practical advice on implementing it, and an in-depth look at the technical considerations.