Find the proven path to your cloud-based future

Moving to the cloud has many benefits - and risks. Yet, in this case, the risk is worth the reward. Learn how to realize the promise of the cloud from our expert, Robert Pettersson.

Benefits & Challenges

Whether Life Science companies are ready or not, most ECM and ERP systems are moving to the cloud. Because of this, companies must rethink the way they manage qualification and validation activities, as well as system operation and maintenance.

To understand the new paradigm, let’s start by looking at the old one. Implementing on-prem systems was often a huge undertaking requiring considerable resources to validate. Updates to these systems were such a large project that they were often only undertaken every few years. While this saved resources for re-validation, the situation unfortunately led to important IT systems becoming out of date, and out of sync with a company’s business requirements.  

Cloud systems, on the other hand, force users to accept frequent patches and upgrades on an ongoing basis. While this paradigm creates a challenge in regard to keeping the IT system in a validated state, it also provides opportunity for the company to adapt its systems so they stay aligned with maturing business needs. Ultimately, systems become more agile and create more value for the organization.

Continuously maintaining the validated state of a cloud IT system is a challenge. But when approached with the right methodologies for qualification, validation, operation, and maintenance, the challenge can be met very successfully.

Maintaining the Validated State

Epista’s approach to maintaining the validated state is to divide the effort into two sets of activities. First are the cloud qualification activities and second are the validation activities. It’s important to understand the separation of these activities and the differences between them.

Qualification of the cloud is dependent on a strong cooperation with the system or platform provider. With an on-prem system, the company was mainly dependent on service providers during system installation. Now, with the cloud, a company will be dependent on its system provider for the duration of its system’s life cycle.

Validation activities cover system configuration and system use, as with on-prem systems. But, because of the forced and frequent system patches and upgrades, these activities must be much more efficient and flexible than in the past.

Let’s address both these issues in more detail.

Cloud Qualification

There’s obviously no hardware on a company’s premises when using a Cloud IT system. That means all operational maintenance activities are addressed by the vendor. Still, the responsibility for compliance rests with the Life Science company.

According to the GAMP Good Practice Guide: IT infrastructure and Control Compliance (Appendix 8: Outsourcing):

“The regulated company remains responsible for the regulatory compliance of their IT operations regardless of whether they choose to outsource/offshore some of their entire IT infrastructure process to external service provider(s). Compliance oversight and approvals cannot be delegated to the outsource partner”.

This means it’s very important to select a reputable vendor that understands the Life Science industry and the company’s regulatory needs. The vendor must be able to provide the documentation needed to prove to a regulator that the company is in control. This requires close collaboration.

Regulatory Considerations

Because cloud compliance is a new concept, it is useful to articulate compliance activities in terms that regulators and quality departments are used to and can understand. This helps convey the message that the company is in control in the cloud just as it was on-prem. Overall regulatory requirements remain the same for the cloud as for on-prem IT systems. The new element is the need to collaborate with an IT solution supplier in a different way.

Epista recommends conducting an overall risk assessment of the entire cloud system installation, including infrastructure, general system use, IT security, etc. Also, a company should adopt the vendor documentation closely and document its own controls, in addition to documenting how the vendor provides them. Any gaps that are found between the control and governance of the cloud system versus what would have been done for an on-prem system need to be addressed. This is typically done via the service level agreement between a company and the service provider.

Process Recommendations

When updating or choosing a system, Epista recommends using a decision tree like the one below to illustrate a process you can use to stay in control in the cloud. These process descriptions and/or SOPs should be added to your existing IT QMS.

Qualification Plan

The qualification approach should be stated in the qualification plan and will mandate the scope, method, vendor assessment, and, most importantly when it comes to cloud IT systems, the cloud control matrix.

Decision tree process example

The cloud control matrix lists all the requirements defined by the QMS, such as backup/restore requirements, user administration, and more. It compares each requirement in terms of how it would be completed in an on-prem solution versus a cloud approach. It is important to understand that all the requirements are still there, even though someone else is handling some of them.

Take the example of backup and restore. This is a requirement for every IT system regardless of whether it is on-prem or cloud. For an on-prem system, the company itself will perform the backup and restore based on specific rules and requirements and can document it has done it correctly. With a cloud system, the vendor is responsible for this activity. How will the company know that the vendor executed the backup/restore at the proper time in the proper way? That’s a gap. To close the gap, the company must define a control to verify the provider performed the activity properly. This control might be a report, provided by the vendor, verifying that the requirement has been completed in the appropriate manner and scope.

For all items in the QMS that are performed by the cloud provider, the organization must determine which controls to implement that verify the provider has performed the activity. These remediation activities should be described in the company’s SLA with the vendor.

The actual execution of the qualification goes through the gap list and ensures that all controls and SOPs are established, and that the SLA covers shared activities. Once these activities are verified, the qualification can be considered complete, and the qualification report can be issued.

This is Epista’s approach to cloud qualification, and it’s based on the same principles and rules we use when approaching on-prem systems. Plus, it goes through requirements and ensures cooperation with cloud vendors to verify all requirements are covered, either through an SLA or another type of control.

Annual Wheel to stay in control during the operational phase

The next step takes place during the operational phase – ensuring continued control of all activities and requirements over time. Epista recommends using an annual wheel.

The annual wheel helps to facilitate full control of system operation and maintenance by keeping track of controls based on their required frequency according to the company’s QMS. The wheel supports the verification of the identified controls and the related SOPs. Subjects covered by an annual wheel could include back-up reports, monthly updates, patch summaries, and vendor activity completion verification.

Annual wheel example

Cloud System Validation

Now that we’ve discussed cloud qualification at length and have good control over the operation and maintenance of the cloud system, let’s turn our attention to system validation. Be aware that although a good system provider can deliver a lot of system documentation, such as their validation package, regulators hold you ultimately responsible for proving your system is in a validated state.

Again, as with the qualification of the cloud system, cloud validation is a question of being close to the system provider. You need to understand the efforts they have already executed, so you don’t waste time on duplication. The general approach is the GAMP5 standard, and the validation plan should include all activities executed by the cloud vendor.

The Release Challenge

Because vendors can force several new releases per year, the crucial difference when it comes to validating cloud systems is the frequency with which you will have to validate the system. This requires frequent regression testing, especially on your company-specific configuration. For every patch or update, it’s still you who bears responsibility for verifying the system is in a validated state.

We recommend you build a process that will take care of every patch and change applied to the system, both large and small. This process must be well institutionalized, so your organization doesn’t get overwhelmed each time there is an update. Handle this during the initial validation phase of the system so the documentation is easy to update.

You’ll get a change report from the vendor. Be sure you understand how this report will be communicated to you as a part of the cloud qualification. Look at this from a GxP and business criticality viewpoint to understand the magnitude of the change on your installation. It may have no impact, for example for a security update. Or the change/update may have a major impact requiring more validation activities, e.g. if the system functionality is considerably changed.

Because of these frequent updates, it is important to have this GxP and business criticality evaluation worked into the initial validation approach, so you can enable these changes on a concurrent basis. Your traceability matrix must be assessed in terms of GxP and business criticality and can help you assess the depth of testing needed.

The Approach

To meet the challenge of frequent changes to the system, Epista recommends the following:

  • As mentioned, build documentation for the initial validation in a way that can be updated easily, and write a process description on how to manage patches as they come.
  • Consider test automation for GxP and business critical processes and functionalities (OQ and PQ) already during the initial validation phase.
  • Build a fence around the different system roles to keep them well controlled.
  • In the process description, institutionalize the risk-based approach to release management and how patches and updates are handled.


The benefits of moving to the cloud are many, from increased flexibility and access to data to simplified IT management. Yet, the risks are also significant. Moving established processes to the cloud requires balancing trade-offs between adapting the processes or the systems. Release cycles create new opportunities, but also force adaptation. Similarly, increased access to data can create enormous value, and new risks.

Epista has helped many companies realize the promise of the cloud while managing its risks. We focus on needs analysis and system selection, implementation management, validation and test automation set-up, and management of release cycles and updates.

Let us know if your company needs help moving to the cloud. By combining our deep experience, proven methodologies, and unique tools, we can help ensure that your transition is a success.

Robert Pettersson
Managing Director - Sweden
