As a regulatory affairs professional, being responsible for drug submissions is an exciting task, but it also comes with many dimensions of complexity and pressure. Recently a new technological trend, „cloud“ or „software as a service“, is creating more questions and the potential for confusion. A cloud software might have a lot of benefits, but is it really safe to load my documents and other content into a cloud based software? This is an appropriate question and one way to answer it is by conducting the following four step analysis:

  1. List the potential risks.
  2. Rate the risk level with the company’s situation.
  3. Compare the risk ranking result with the risks of an in-house implementation.
  4. List and rank the benefits.

Step 1.
Let’s start with creating a simple list of the most commonly perceived risks of cloud
based computing:
A – Losing documents and data in the cloud due to system problems.
B – Unauthorized people accessing eCTDs and other confidential information.
C – Low system performance due to potentially slow internet connection.
D – Inability to access the system if internet connection is unstable.
E – Difficulty to properly validate a cloud based installation.
F – Too expensive.
G – Time consuming vs. an on premise system.
H – Difficult to integrate many internal systems (i.e. SAP, LIMS etc.).

Step 2.
The next step is to rank the risks and to select the most critical ones. The risk profile will differ based upon the size of the organization. It will also depend on the size and capacity of the internal quality assurance, validation and IT departments. It will further be impacted by how widely distributed the organization is. The number of external partners who contribute to the work must also be considered (i.e. consultants for pharmacovigilance tasks, regulatory consultants, clinical research organizations,
contract manufacturers).

Step 3.
At this stage, three to five significant risks that are relevant for the company should have been identified. These risks should now be analyzed and discussed in detail. For example, for the validation risk, the validation strategy of a cloud technology vendor should be compared and analyzed with the validation strategy of an on-premise vendor. For the risk of data loss, it should be analyzed how the data is secured by the cloud vendor vs. the on-premise option. What is the backup strategy? What are the guarantees? This must be compared with internal IT data security policies. At this point, the relevant risks have been identified, evaluated and ranked which provides a good risk overview.

Step 4.
The final step is to identify, compare and rank the benefits relevant to the company’s specific situation. A cloud based solution is typically provided as full service package including software updates that do not create additional work within the company. How does this compare with updates for a software that has been installed on-premise? How does the total cost of ownership compare for both options? How easily can access to the system be given to external partners? How much of validation tasks can be outsourced to the software provider? Once Step 4 is completed, a good analytical framework has been created to answer the question of whether a cloud based eCTD software is the right choice for an organization.
Since a cloud based solution might be a new and unknown technology option for an organization, more time must be dedicated to understanding and analyzing this option when it is compared to the well known on-premise software option.

Our final recommendation: Take the time to understand and analyze a cloud based software solution and then capture the best benefit package.