In order to comply with the GxP-requirements, environmental conditions need to be monitored and documented along the entire supply chain of pharmaceutical products. Since we see more cloud solutions being used for this purpose, the question comes up if this approach is the right one. This whitepaper discussed different cloud models and their risks and benefits. In addition it provides a checklist for the use of cloud-monitoring in GxP-applications.
Over the last couple of years, acceptance for cloud computing and cloud hosting has rapidly grown for business applications across different industries. This is due to obvious advantages, such as:
Yet today some concerns remain around lock-in effects and resulting dependencies on the solution provider, security concerns or delegation of control.
When you add GxP compliance to the list of concerns, you have a unique situation with unique data environments. As pharmaceutical and life science industries also move to the cloud, for the above-mentioned advantages, it’s important to consider how it affects this specialized industry. Are cloud-based infrastructure, platforms and software in the cloud compliant and in line with data integrity requirements? This article will provide the answers, with a special focus on environmental monitoring solutions for the pharmaceutical, life science, biotech and health care industries.
GxP regulated companies have a long list of global requirements for using, storing and communicating data. FDA 21 CFR Part 11, EU General Data Protection Regulation (GDPR), Data Integrity regulations from many countries… just to name a few. To stay within the regulatory lines, it’s important you understand the pros and cons of cloud solutions for your pharmaceutical business. This article will lay out all the facts related to cloud services in a GxP monitoring environment and corresponding measures to ensure compliance.
Before we start the discussion of specific considerations regarding cloud-based GxP-compliant environmental monitoring solutions, let's briefly clarify different models of cloud services. Usually, three cloud models are differentiated, which differ from traditional on-premises hosting by the parts that are outsourced:
Illustration 1: Differences in cloud models 
Infrastructure as a Service (IaaS) is the cloud model where the client takes most responsibility: he runs the applications and database on his own operating system and middleware which operate o virtualized servers from the cloud provider. IaaS is beneficial for large organizations that wish to have complete control over their applications and software infrastructures, but are fine with having the hardware operated by a specialized provider or are looking to only purchase what is actually consumed or needed (e.g. they want to benefit from dynamic assignment of processing power or storage for applications with varying requirements over the time). A good example could be a life-science company who wants to host semi-critical applications on an IaaS: benefit from the outsourcing but still keeping tight control.
Platform as a Service (PaaS) gives more responsibility to the cloud provider since the virtualized servers also include the operating system as well as middleware. PaaS can provide great speed and flexibility to the entire process for companies who want to run their own application on a “turn-key environment”. A good example could be a pharmaceutical company operating their own office application on a PaaS of a large cloud provider like Amazon Web Service or Microsoft Azure.
Software as a Service (SaaS), also known as cloud application services, represents the largest cloud market. SaaS delivers (business) applications that are typically accessed directly via the web browser and do not require any downloads or installations on the client side.
Besides the different cloud models described above, varying by the components that are outsourced, there are also different models of how those outsourced cloud resources are deployed:
Today, cloud computing is a major trend and revenues are exploding. Interesting enough, financial services/banking/insurance, industrial manufacturing and telecommunication services belong to those industries with the greatest number of cloud applications per business function . This illustrates nicely, that today also (or even predominantly) industries with high requirement levels in regards to compliance and safety are using cloud computing services.
Knowing the different types and resources of cloud computing, the following section elaborates the right set-up for a GxP monitoring solution's specific requirements:
The monitoring solution including the database must be validated. A computerized system validation (CSV) is the documented process of assuring that a computerized system does exactly what it is designed to do in a consistent and reproducible manner. It basically means, that requirements must be documented, validation and test plans written, risks evaluated in a written risk assessment, functionalities tested and documented according to the test plan and finally a validation report issued summarizing all validation efforts. An IaaS or PaaS solution could be the right approach for users who are fine with validating the cloud infrastructure provider and managing software installation and maintenance by themselves. For users who do not want to deal with those issues or do not have an experienced IT department at hand, a SaaS approach could be the right solution: providing the additional advantage of only having one cloud solution provider instead of having to deal with the software vendor and the cloud infrastructure provider.
Mainly cost are relevant for the decision between the options Public, Private or Hybrid Cloud: how many organizations are carrying the various cost blocks?
The following picture shows the various cost blocks in the various cloud models as a schematic illustration. It shows nicely, that mainly small installations benefit from the public cloud model since the user benefits from the lack of fixed cost blocks. This cost benefit is reduced with larger installations of several hundred or thousand measuring points.
Illustration 2: Cost blocks in different cloud models
In a GxP-environment, data must be immutable. Again the main concern is data integrity (assuring that data is attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring and available over its entire life-cycle [4,5]) and ultimately patient safety. Translated to a (cloud) monitoring solution, this means:
Conclusion: Given the argumentation outlined above, it is hardly surprising that we see more and more monitoring solutions for GxP-critical applications offered as SaaS in a Public Cloud. This choice offers maximum quality (minimal risks) and at the same time minimal cost to achieve those targets. Many suppliers will offer single-tenant SaaS in a Private Cloud as an alternative at significantly higher costs. The following chapters will therefore focus on these two options to deliver a GxP-compliant monitoring solution via the Cloud.
In this section we will elaborate on the risks of the chosen set-up (Public Cloud SaaS (shared instance for several tenants) or Private Cloud SaaS (single-tenant instance exclusively for one organization)) related to a GxP-compliant monitoring solution and meaningful mitigation strategies that you should require your service provider to guarantee.
1 The SOC 2 report focuses on a business's non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 18 which is focused on the financial reporting controls .
If done right, cloud-based monitoring solutions allow for benefits like cost efficiency, scalability, convenience (no hardware and software maintenance), highly professional backup and recovery strategies etc. for companies that need to comply with GxP regulations. Regarding validation and qualification needs, the same requirements applies to cloud services as to self-operated systems. This means that documentation is king and shared responsibilities regarding documentation needs to be clearly defined in the service level agreement. Also, critical processes like change management process, data backup and retention to ensure business continuity or long-term archiving must be defined as part of the service level agreement.
In addition, we recommend that you require your service provider to accept on-site audits by his customers, where you will be granted access to further, more detailed documentation. Having all this defined and the comprehensive but manageable set of documents made available by the service provider will not only provide customers operating in a GxP environment with the required support and security, but will also help to frame and establish a strong partnership between the cloud service provider and the customer. A strong partnership is probably the most important success factor to achieve the required level of compliance and "audit fitness" for the client, who always remains responsible for the safety of his patients.
To read more about ELPRO’s Cloud solution for laboratories, pharmacies and facilities that is easy to install, out of the box, learn more about ELPRO Cloud here.
It’s natural to have a lot of questions when “outsourcing” your data. However, is it really outsourcing? Who owns the data yet? Does the SaaS provider back-up your data and ensure data recovery? Does the provider accept on-site audits? Download the complete Checklist to get started with Cloud.
The article was first published in the German magazine TechnoPharm9, Nr. 3, 144-153 (2019).
Philipp Osl is Head of Product Management at ELPRO Global. He is an experienced Product Manager with a demonstrated history of working in the software as well as mechanical/industrial engineering industry in businesses and research institutes. Philipp’s proven skills spread across Innovation Management, Business Process Management and Entrepreneurship. Philipp holds degrees in Economics and Computer Science from Vienna University of Technology, and a Doctorate in Business Innovation from University of St. Gallen.
Bob Lucchesi is the Vice President of Global Regulatory Compliance, Quality Assurance and Auditing at USDM Life Sciences. His expertise extends to several USDM Life Sciences practice areas, including Enterprise Quality Management, Enterprise Content Management, Quality Management Systems, and Governance, Risk and Compliance.
Bob offers over 30 years of experience in quality assurance and regulatory compliance in pharmaceuticals, biotech, medical device, engineering and nuclear industries. Among his many accomplishments, Bob gives presentations on a variety of compliance and regulatory subjects worldwide, including the ASTM: E2500 model for validation and a variety of life science auditing topics spanning data integrity to GxP Compliance for IT.
Bob has led global audit teams for Quality, mock FDA, policies and procedures, Part 11, NIST, supplier-vendor (internal, external, sterile, non-sterile, manufacturing, logistics), mock recalls, IT Vendors, and major life sciences assessments. Bob is also an expert in risk-based validation methodologies, GAMP, enterprise content management, data and content migrations as well as overall pharmaceutical and medical device regulatory issues.
In his spare time, Bob loves sports and playing bass in a rock cover band on the East Coast, USA.
 SaaS vs PaaS vs IaaS: What’s The Difference and How To Choose, by Stephen Watts, 22.Sep.2017,
 Community-Cloud, Margaret Rouse, last updated February 2012,
 Differences in Cloud Adoption Across Global Industries, by TATA consultancy services, undatiert,
 Ensuring Data Integrity Through ALCOA, Grant South, 29.Apr.2016,
 CSV Considerations Around Data Integrity, Kelly Jordan, 03.Mar.2016,
 Archivierung elektronischer Daten im GxP-Umfeld
 Data Archiving, Definition on TechTarget, last updated November 2018,
 SOC 2 (Service Organization Control 2), Margaret Rouse, last updated April 2012,