Guiding principles and architecture for addressing Life Science compliance in the cloud
Legal Disclaimers
The information contained in this document represents the current view of Microsoft Corporation on
the issues discussed as of the date of publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft
cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights
under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
© 2012 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Office 2010, Microsoft SharePoint 2010, Microsoft Word, Microsoft Excel,
Microsoft PowerPoint, Microsoft Rights Management Services, Active Directory, Active Directory
Federation Services, Windows Server 2008 R2, Windows 7, Windows Vista, Windows XP, Microsoft
Windows, Microsoft Forefront Identity Manager, Microsoft Visual Studio are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents
Legal Disclaimers
Introduction
Introduction to the Cloud
Cloud Apps across the Value Chain
  Drug Discovery
  Clinical Trials and Regulatory Affairs
Can the Cloud be Qualified?
Qualification in the Cloud
Summary
Introduction
As cloud applications and platforms become increasingly prevalent, the areas in which they can be
utilized become more widespread. This is no different in the Life Sciences industry, where cloud apps
were originally focused on individual capabilities such as EDC (Electronic Data Capture) in the Clinical
Trials space, High Performance Computing in the Cloud used for Drug Discovery and others. For those
applications where regulatory compliance (GxP or 21 CFR Part 11) was required, each app, each
platform, each data center was individually qualified and then individually validated to the appropriate
regulation.
Now that the cloud is everywhere, is the industry going to individually qualify and validate each of the
building blocks? Over time, wouldn't that make the cloud less compelling?
The approach for compliance in the cloud needs to be different. If done correctly, Compliance in the
Cloud can be far more efficient than any other means for providing compliant apps. Instead of
qualifying each building block, the cloud vendor qualifies the platform once, to many standards and
many certifications. The cloud vendor then provides those qualifications to any customers who need to
validate their applications on the cloud vendor's platform.
Qualify the platform once. The qualification documentation is provided to the customer and becomes
part of the validation documentation for any customer who needs it.
The implementing party, a customer or partner, validates the application to the appropriate regulations
and uses the qualification documentation as input into that process.
That is the approach Microsoft is taking: Microsoft qualifies the platform, the customer (or partner)
validates the app.
Regardless of whether you are considering Platform as a Service, Infrastructure as a Service, or Software as a
Service, thinking of putting your application on Azure, or enabling your business with CRM Online or
Office 365, Microsoft's approach is to provide documentation and certifications across a wide range of
standards that may then serve to enable customers' and partners' validated applications.
Your mileage may vary. Each customer's QA department has a different view of the necessary
qualification documentation to support validated apps. In addition, each application has different risks
associated with it. For example, a cloud-based clinical trial portal carries a different level of risk than a
back-office payroll application and is thus validated to a different level. In turn, Microsoft works with
each case as necessary to provide what Microsoft feels is the appropriate level of documentation based
on previous customer needs.
This whitepaper will consider various approaches to the cloud, how life science organizations are using
the cloud across the value chain and what levels of qualification documentation Microsoft provides to
customers in regulatory environments.
Business Productivity, Email, and Collaboration Services, such as Microsoft Office 365
CRM and XRM services, such as is found in Microsoft Dynamics CRM Online
Electronic Data Capture (EDC) in Clinical Trials, such as you can get from BioClinica
Regulated Document Management services, such as you can get from NextDocs or Qumas
Clinical Trial Portal, such as you can get from iLink, ePharmaSolutions or NextDocs
Consumer focused applications, such as Hotmail or XBox Live.
o Note that XBox and Kinect with XBox Live have been used in clinical situations already,
from allowing physicians access to X-Rays without having to leave the OR, check the X-Ray, then scrub back into surgery, to clinical trials run by large academic
research institutions that are measuring range of motion over time in Alzheimer's
patients.
This application category is quite mature in Life Sciences with many companies having adopted SaaS
platforms, in effect outsourcing those applications to third-party vendors.
NCBI Blast which has been ported by Microsoft and NIH to the Windows Azure platform
Other discovery focused applications such as are available from TeraDiscoveries, which takes an
Inverse Design methodology that utilizes high performance computing in addition to their
unique algorithms.
Umthunzi, which provides a Safety Surveillance application that runs on Windows Azure.
Numira BioSciences which provides imaging study software that also runs on Windows Azure
This PaaS segment is quickly growing as well. The interesting part of PaaS is that we're seeing a number
of PaaS vendors who are utilizing the new Metro User Interface, even going so far as to have Windows 8
interfaces to their back end applications and data storage. While none of the vendors listed above fall
into that category, it is interesting to note that this movement exists.
Many companies consider PaaS when they think about the HPC and scalability components that are
provided in PaaS architectures, especially as they develop applications, and even more so those
applications focused in the drug discovery phase of the value chain.
Infrastructure as a Service
Infrastructure as a Service (IaaS) in most implementations enables companies to load virtual machines
onto cloud infrastructure and was perhaps the first category of cloud computing to be widely accepted
by Life Science companies.
Private cloud, where you or a partner controls your own separate infrastructure using cloud
enabled products (on-premises or hosted by a third party).
Public cloud, where the platform is managed for you in Microsoft's data centers.
Hybrid cloud, where you have a mix of the two.
Microsoft is investing heavily in the concept of the hybrid cloud. In this case, it is not just about having
capabilities in public or private, but it is about bridging the two together, about taking advantage of the
commonalities between the public and private approaches to the cloud. These commonalities include
identity, virtualization, management and application development and are what make the Microsoft
platform very unique.
The Microsoft public cloud is characterized by platforms and applications such as Office 365, Dynamics
CRM Online, Windows Intune and Windows Azure.
The Microsoft private cloud is characterized by Microsoft Office, Microsoft Dynamics, SQL Server,
System Center and Windows Server, and Hyper-V.
As Life Science companies move from solely IaaS and SaaS implementations, the trend for many of our
largest Pharmaceutical, Biotechnology and Medical Device customers appears to be moving toward the
Hybrid Cloud of both public and private cloud technologies.
As mentioned before, the clinical trials and regulatory affairs area represented one of the largest
implementation areas for cloud technology. But now, with the advent of Platform as a Service, we're
seeing a greater amount of uptake in the drug discovery segment than in the other areas.
Drug Discovery
Applications that rely on High Performance Computing are rapidly being moved into the Public Cloud.
As mentioned previously, we have seen applications varying from algorithms available from the National
Institutes of Health (NIH) in the US to apps like that available from TeraDiscoveries that enables novel
methods for drug discovery. What both of these examples have in common is the need for a rapid
scale-up in the number of nodes used, as well as the ability to run parallel algorithms across those
nodes.
Applications residing on a PaaS infrastructure in a Public Cloud are especially suited to these types of
applications. The infrastructure enables customers to configure many nodes for their computations,
without needing to build out huge HPC clusters in their own data centers.
Microsoft has announced that our Dynamics AX product, aimed at large pharma subsidiaries as
well as Tier 2 and Tier 3 Life Science companies, will soon be available as a Cloud Service.
Customers like Eli Lilly have gone on record stating their movement towards IaaS, PaaS and SaaS
across their value chain, including manufacturing.
Vendors are jumping on board the bandwagon as well, with a number of Manufacturing and
Supply Chain vendors having proofs of concepts underway that will demonstrate the viability of
their applications running in the Microsoft Cloud
implementations of hardware and software by regulated companies to determine if they are compliant
with the necessary regulations. The application vendors themselves are not responsible for compliance,
but simply for providing documentation to the customer.
Another question that is frequently encountered is "Is the cloud validated?" Again, the answer is that
cloud vendors do not provide validated applications, but rather provide applications that are qualified
through standard IQ and OQ approaches that are well documented.
Of course, the implementing company is responsible for validating their application against the guiding
regulations and standards. In the Life Science industry, those include GxP and 21 CFR Part 11.
And so the question remains, can the cloud be qualified? Can applications in the cloud demonstrate a
Software Quality Assurance (SQA) approach? Can applications or platforms in the cloud provide
documentation against such standards as SAS70 Type II, ISO27001 or even FISMA?
The answer to those questions is a resounding "Yes!"
SAS 70 Type II
ISO27001, ISO 27002
FISMA
HIPAA w/ BAA
For each of these, Microsoft will provide proof of qualification as required by each customer.
It is important to restate: Microsoft's approach is to qualify the platform and to provide those
certificates or pieces of documentation to each customer as needed. The customer then validates their
application or use of the service against the regulations for which they are responsible.
The vendor qualifies (SQA) and the customer validates (against regulations): a guiding principle that can
help drive the behavior of cloud vendors and customers alike.
Summary
And so you can see from Microsoft's Point-of-View on the Cloud that there are three components:
Infrastructure as a Service
Platform as a Service
Software as a Service
And each of these and combinations of them can be implemented in three ways:
Public Cloud
Private Cloud
Hybrid Cloud
More importantly, we've demonstrated examples where this approach can be utilized across the value
chain, with demonstrated case studies in each segment:
We hope that by taking this approach, you've been able to see the expansiveness of our implementation
and vision while also seeing the relevance of the approach to the business problems you need to solve.