As a regulatory affairs professional, being responsible for drug submissions is an exciting task, but it also comes with many dimensions of complexity and pressure. Recently a new technological trend, „cloud“ or „software as a service“, is creating more questions and the potential for confusion. A cloud software might have a lot of benefits, but is it really safe to load my documents and other content into a cloud based software? This is an appropriate question and one way to answer it is by conducting the following four step analysis:
- List the potential risks.
- Rate the risk level with the company’s situation.
- Compare the risk ranking result with the risks of an in-house implementation.
- List and rank the benefits.
Let’s start with creating a simple list of the most commonly perceived risks of cloud
A – Losing documents and data in the cloud due to system problems.
B – Unauthorized people accessing eCTDs and other confidential information.
C – Low system performance due to potentially slow internet connection.
D – Inability to access the system if internet connection is unstable.
E – Difficulty to properly validate a cloud based installation.
F – Too expensive.
G – Time consuming vs. an on premise system.
H – Difficult to integrate many internal systems (i.e. SAP, LIMS etc.).
The next step is to rank the risks and to select the most critical ones. The risk profile
will differ based upon the size of the organization. It will also depend on the size and
capacity of the internal quality assurance, validation and IT departments. It will further
be impacted by how widely distributed the organization is. The number of external
partners who contribute to the work must also be considered (i.e. consultants for
pharmacovigilance tasks, regulatory consultants, clinical research organizations,
At this stage, three to five significant risks that are relevant for the company should have
been identified. These risks should now be analyzed and discussed in detail. For
example, for the validation risk, the validation strategy of a cloud technology vendor
should be compared and analyzed with the validation strategy of an on-premise vendor.
For the risk of data loss, it should be analyzed how the data is secured by the cloud
vendor vs. the on-premise option. What is the backup strategy? What are the guarantees? This must be compared with internal IT data security policies.
At this point, the relevant risks have been identified, evaluated and ranked which provides a good risk overview.
The final step is to identify, compare and rank the benefits relevant to the company’s specific situation. A cloud based solution is typically provided as full service package
including software updates that do not create additional work within the company. How does this compare with updates for a software that has been installed on-premise? How does the total cost of ownership compare for both options? How easily can access to the system be given to external partners? How much of validation tasks can be outsourced to the software provider?
Once Step 4 is completed, a good analytical framework has been created to answer the question of whether a cloud based eCTD software is the right choice for an organization.
Since a cloud based solution might be a new and unknown technology option for an organization, more time must be dedicated to understanding and analyzing this option
when it is compared to the well known on-premise software option.
My final recommendation: Take the time to understand and analyze a cloud based software solution and then capture the best benefit package.