You are on page 1of 14

Compliance and the Cloud

Guiding principles and architecture for addressing Life Science compliance in the cloud

Life Sciences Industry Unit


Microsoft Corporation
June 2012

ii

Legal Disclaimers
The information contained in this document represents the current view of Microsoft Corporation on
the issues discussed as of the date of publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft
cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights
under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
2012 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Office 2010, Microsoft SharePoint 2010, Microsoft Word, Microsoft Excel,
Microsoft PowerPoint, Microsoft Rights Management Services, Active Directory, Active Directory
Federation Services, Windows Server 2008 R2, Windows 7, Windows Vista, Windows XP, Microsoft
Windows, Microsoft Forefront Identity Manager, Microsoft Visual Studio are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.

iii

Contents
Legal Disclaimers .......................................................................................................................................... iii
Introduction .................................................................................................................................................. 1
Introduction to the Cloud ............................................................................................................................. 2
Cloud Apps across the Value Chain............................................................................................................... 6
Drug Discovery .......................................................................................................................................... 6
Clinical Trials and Regulatory Affairs......................................................................................................... 6
Can the Cloud be Qualified? .......................................................................... Error! Bookmark not defined.
Qualification in the Cloud ............................................................................................................................. 8
Summary ....................................................................................................................................................... 9

iv

Introduction
As cloud applications and platforms become increasingly prevalent, the areas in which they can be
utilized become more widespread. This is no different in the Life Sciences industry, where cloud apps
were originally focused on individual capabilities such as EDC (Electronic Data Capture) in the Clinical
Trials space, High Performance Computing in the Cloud used for Drug Discovery and others. For those
applications where regulatory compliance (GxP or 21 CFR Part 11) were required, each app, each
platform, each data center was individually qualified and then individually validated to the appropriate
regulation.
Now that the cloud is everywhere, is the industry going to individually qualify and validate each of the
building blocks? Over time, wouldnt that make the cloud less compelling?
The approach for compliance in the cloud needs to be different. If done correctly, Compliance in the
Cloud can be far more efficient than any other means for providing compliant apps. Instead of
qualifying each building block, the cloud vendor qualifies the platform once, to many standards and
many certifications. The cloud vendor then provides those qualifications to any customers who need to
validate their applications on the cloud vendors platform.
Qualify the platform once. The qualification documentation is provided to the customer and becomes
part of the validation documentation for any customer who needs it.
The implementing party, a customer or partner, validates the application to the appropriate regulations
and uses the qualification documentation as input into that process.
That is the approach Microsoft is taking: Microsoft qualifies the platform, the customer (or partner)
validates the app.
Regardless if you are considering Platform as a Service, Infrastructure as a Service, or Software as a
Service, thinking of putting your application on Azure, or enabling your business with CRM Online or
Office 365, Microsofts approach is to provide documentation and certifications across a wide range of
standards that may then serve to enable customers and partners validated applications.
Your mileage may vary. Each customers QA department has a different view of the necessary
qualification documentation to support validated apps. In addition, each application has different risks
associated with it. For example, a cloud based clinical trial portal carries a different level of risk than a
back-office payroll application and is thus validated to a different level. In turn, Microsoft works with
each case as necessary to provide what Microsoft feels is the appropriate level of documentation based
on previous customer needs.
This whitepaper will consider various approaches to the cloud, how life science organizations are using
the cloud across the value chain and what levels of qualification documentation Microsoft provides to
customers in regulatory environments.

Introduction to the Cloud


There are many different definitions of The Cloud, as many different definitions as there are
implementations. Rather than define what the cloud is, why not look at what the cloud does the
promise of the cloud - and allow any architecture that delivers that to fit under the cloud umbrella.
What the cloud delivers is information and communication technology as a service. Whether
deployed using an entitys own resources (internally or externally hosted), or shared with other entities
in a multi-tenant environment, the promise of the cloud is on-demand, scalable, flexible, self-service,
pay as you go access to data storage, processing and sharing.
In general, most people agree on three categories of cloud, depending on the service that is
consumed, and the level of control that an organizations IT want:

Infrastructure as a Service (IaaS)


Platform as a Service (PaaS)
Software as a Service (SaaS)

Software as a Service (SaaS)


In Life Sciences, the Software as a Service (SaaS)
model has been around for quite a while.
Examples of this model in Life Sciences include
clinical trials EDC software. Examples in the
consumer space are e-mail applications such as
Hotmail. Both types of software are provided
completely hosted, completely managed, so that
the customer need not worry about servers or
storage capacity or infrastructure management.
Examples of Software as a Service include software in such categories as:

Business Productivity, Email, and Collaboration Services, such as Microsoft Office 365
CRM and XRM services, such as is found in Microsoft Dynamics CRM Online
Electronic Data Capture (EDC) in Clinical Trials, such as you can get from BioClinica
Regulated Document Management services, such as you can get from NextDocs or Qumas
Clinical Trial Portal, such as you can get from iLink, ePharmaSolutions or NextDocs
Consumer focused applications, such as Hotmail or XBox Live.
o Note that XBox and Kinect with XBox Live have been used in clinical situations already,
from allowing physicians access to X-Rays without having to leave the OR, check the XRay, then scrub back into surgery. Or even in clinical trials run by large academic
research institutions that are measuring range of motion over time in Alzheimers
patients.
2

This application category is quite mature in Life Sciences with many companies having adopted SaaS
platforms, in effect outsourcing those applications to 3rd party vendors.

Platform as a Service (PaaS)


Platform as a Service (PaaS) compared to SaaS is relatively new to the industry and is best represented
by the Windows Azure platform. With Platform as a Service, the vendor is essentially providing an
operating system and database services in the Cloud, on which the customer can deploy applications
theyve written or can utilize applications that a partner has written and to which they can subscribe.
Examples of applications using PaaS include:

NCBI Blast which has been ported by Microsoft and NIH to the Windows Azure platform
Other discovery focused applications such as are available from TeraDiscoveries, which takes an
Inverse Design methodology that utilizes high performance computing in addition to their
unique algorithms.
Umthunzi, which provides a Safety Surveillance application that runs on Windows Azure.
Numira BioSciences which provides imaging study software that also runs on Windows Azure

This PaaS segment is quickly growing as well. The interesting part of PaaS is that were seeing a number
of PaaS vendors who are utilizing the new Metro User Interface, even going so far as to have Windows 8
interfaces to their back end applications and data storage. While none of the vendors listed above fall
into that category, it is interesting to note that this movement exists.
Many companies consider PaaS when they think about the HPC and scalability components that are
provided in PaaS architectures, especially as they develop applications, and even more so those
applications focused in the drug discovery phase of the value chain.

Infrastructure as a Service
Infrastructure as a Service (IaaS) in most implementations enables companies to load virtual machines
onto cloud infrastructure and was perhaps the first category of cloud computing to be widely accepted
by Life Science companies.

Public, Private and Hybrid Cloud


Whether its IaaS, PaaS or SaaS, there are also choices to be made regarding the mode of deployment of
cloud services. Depending on their comfort level with cloud vendors, security and compliance risks,
concerns over sovereignty over data, or even a desire to build on investments already made,
organizations can choose to deploy in one of the following ways:

Private cloud, where you or a partner controls your own separate infrastructure using cloud
enabled products (on-premises or hosted by a third party).
Public cloud where the platform is managed for you in Microsofts data centers.
Hybrid cloud where you have a mix of the two.

Microsoft is investing heavily in the concept of the hybrid cloud. In this case, it is not just about having
capabilities in public or private, but it is about bridging the two together, about taking advantage of the
commonalities between the public and private approaches to the cloud. These commonalities include
identity, virtualization, management and application development and are what makes the Microsoft
platform very unique.
The Microsoft public cloud is characterized by platforms and applications such as Office 365, Dynamics
CRM Online, Windows Intune and Windows Azure.

The Microsoft private cloud is characterized by Microsoft Office, Microsoft Dynamics, SQL Service,
System Center and Windows Server, and Hyper-V.
As Life Science companies move from solely IaaS and SaaS implementations, the trend for many of our
largest Pharmaceutical, Biotechnology and Medical Device customers appears to be moving toward the
Hybrid Cloud of both public and private cloud technologies.

Cloud Apps across the Value Chain


When one considers the value chain of a typical life science company, one tends to think of Drug and
Device Discovery, Clinical Trials and Regulatory Affairs, Sales and Marketing, and Manufacturing and
Supply Chain. And when you consider each segment you think of the focus areas that characterize each
segment. Those focus areas, those challenges provide opportunity for cloud-based applications.

As mentioned before, the clinical trials and regulatory affairs area represented one of the largest
implementation areas for cloud technology. But now, with the advent of Platform as a Service, were
seeing a greater amount of uptake in the drug discovery segment than in the other areas.

Drug Discovery
Applications that rely on High Performance Computing are rapidly being moved into the Public Cloud.
As mentioned previously, we have seen applications varying from algorithms available from the National
Institutes for Health (NIH) in the US to apps like that available from TeraDiscoveries that enables novel
methods for drug discovery. What both of these examples have in common is the need for a rapid
scale-up in the number of nodes used, as well as the ability to run parallel algorithms across those
nodes.
Applications residing on a PaaS infrastructure in a Public Cloud are especially suited to these types of
applications. The infrastructure enables customers to configure many nodes for their computations,
without needing to build out huge HPC clusters in their own data centers.

Clinical Trials and Regulatory Affairs


While SaaS applications in clinical trials have been around quite a while as discussed earlier, there is a
nascent move towards PaaS applications also residing in the public cloud.
Examples of PaaS applications in the public cloud include apps aimed at Safety Surveillance and similar
workloads. Umthunzi is a company that is providing just such services and has seen interest in the
applications they offer that reside in the Windows Azure platform.

Sales and Marketing


Another segment of the value chain where companies are using SaaS and PaaS apps is in Sales and
Marketing. There are a number of vendors that are utilizing the SaaS approach to sales and marketing,
but there are an increasing number of vendors and customers who are matching their SaaS platforms
that run the traditional CRM with PaaS platforms that run deep analytics and business intelligence that
is then delivered to the consumer either through web browsers or other PaaS specific front end services
or a hybrid model that crunches the number in a PaaS service and then delivers the data into the
traditional SaaS front end.
Some examples: Microsoft Dynamics CRM Online is both a Platform as a Service (PaaS) application as
well as a Software as a Service (SaaS) application. In this instance, customers are utilizing the SaaS
capabilities for tracking visits to individual doctors, for tracking the interaction with the doctor and etc.
Pretty straightforward SaaS capabilities that rival those of any cloud CRM vendor.
What is new though is the XRM capabilities that now make Dynamics CRM Online extensible, doing
extensive workflow, integrating with other applications, and etc that make Dynamics CRM Online a good
choice for applications that would like to integrate with their CTMS, or their Investigator Recruitment, or
their prescribing history data. All of this integration and number crunching is due to the Extended,
Configurable and Programmable capabilities in Microsoft Dynamics CRM Online. This make it both a
SaaS offering as well as a PaaS offering that can solve many needs in the Sales & Marketing Space.

Manufacturing and Supply Chain


One would think that since the manufacturing plants devices are so local that the computing power
must be local as well. Nothing is further from the truth. As with all the segments so far, the
Manufacturing & Supply Chain segment started out by heavily virtualizing their servers to gain
significant economies of scale, they moved forward by implementing hybrid clouds with some parts local
and some services in the cloud.
But now as the various platforms have become more mature, so has the implementations even within
Manufacturing and Supply Chain. Consider the following:

Microsoft has announced that our Dynamics AX product, aimed at large pharma subsidiaries as
well as Tier 2 and Tier 3 Life Science companies, will soon be available as a Cloud Service.
Customers like Eli Lilly have gone on record stating their movement towards IaaS, PaaS and SaaS
across their value chain, including manufacturing.
Vendors are jumping on board the bandwagon as well, with a number of Manufacturing and
Supply Chain vendors having proofs of concepts underway that will demonstrate the viability of
their applications running in the Microsoft Cloud

Qualification, Validation, Certification which is right?


A frequently asked question is Has your cloud offering been certified by the FDA?. The answer, of
course, is that the FDA doesnt certify cloud applications. What the FDA does do is look at
7

implementations of hardware and software by regulated companies to determine if they are compliant
with the necessary regulations. The application vendors themselves are not responsible for compliance,
but simply for providing documentation to the customer.
Another question that is frequently encountered is Is the cloud validated? Again, the answer is that
cloud vendors do not provide validated applications, but rather provide applications that are qualified
through standard IQ and OQ approaches that are well documented.
Of course, the implementing company is responsible for validating their application against the guiding
regulations and standards. In the Life Science industry, those include GxP and 21 CFR Part 11.
And so the question remains, can the cloud be qualified? Can applications in the cloud demonstrate a
Software Quality Assurance (SQA) approach? Can applications or platforms in the cloud provide
documentation against such standards as SAS70 Type II, ISO27001 or even FISMA?
The answer to those questions is a resounding Yes!

Qualification in the Cloud


Microsoft provides documentation for these standards in a number of ways.
The first method is through documentation of development practices. There are any number of books
on the market that detail Microsofts software development practices that are adopted across the
company. A good example of these books is the Security Development Lifecycle by Michael Howard
and Steve Lipner, two engineers in Microsofts Trustworthy Computing team.
This approach also includes whitepapers on the topic of Microsoft and the V-Model. This whitepaper
takes Microsofts standard development methodology and translates it into Life Sciences terminology by
mapping it to the industry accepted V-Model. Another whitepaper along these lines is a document
that discusses how to configure SharePoint 2010 for 21 CFR Part 11 and compliance with those
regulations pertaining to the FDA, and goes step by step in how companies can utilize the SharePoint
platform to manage regulated content.
Microsoft also provides direct documentation and certifications across a number of standards and for a
variety of regulations. These include, but are not limited to (as of this writing):

SAS 70 Type II
ISO27001, ISO 27002
FISMA
HIPAA w/ BAA

For each of these, Microsoft will provide proof of qualification as required by each customer.
It is important to restate, Microsofts approach is to qualify the platform and to provide those
certificates or pieces of documentation to each customer as needed. The customer then validates their
application or use of the service against the regulations for which they are responsible.
8

The vendor qualifies (SQA) and the customer validates (against regulations): a guiding principle that can
help drive the behavior of cloud vendors and customers alike.

Summary
And so you can see from Microsofts Point-of-View on the Cloud that there are three components:

Infrastructure as a Service
Platform as a Service
Software as a Service

And each of these and combinations of them can be implemented in three ways:

Public Cloud
Private Cloud
Hybrid Cloud

More importantly, weve demonstrated examples where this approach can be utilized across the value
chain, with demonstrated case studies in each segment:

We hope that by taking this approach, youve been able to see the expansiveness of our implementation
and vision while also seeing the relevance of the approach to the business problems you need to solve.

10

You might also like