GxP considerations for large scale migrations Part -1

Introduction

When Health Care and Life Sciences (HCLS) customers transition to the AWS Cloud, they often have questions about Good x Practice (GxP) compliance during and after the migration. In this blog series, we will explore a typical HCLS customer’s migration and modernization journey. Throughout the process, we will share best practices related to GxP compliance at each step. These best practices will help you speed up your migration and modernization efforts while ensuring that GxP compliance remains a priority.

We will discuss important considerations such as good documentation, automation, tooling, and more through the AWS three-phase migration framework– Assess, Mobilize, and Migrate & Modernize. The first part of the series will focus on handling GxP in the Assess phase of migration.

AWS migration framework

Migrating hundreds or thousands of workloads requires coordination and implementation across multiple disciplines and teams. AWS approaches large-scale migrations in three phases: Assess, Mobilize, and Migrate & Modernize see figure 1 below. Each phase builds on the previous one, setting the foundation for accelerated migration at scale during the migration phase.

• The assess phase, the first step in the large-scale migration process, is a critical stage. It involves assessment and discovery, selecting a migration strategy, creating a business case, and gauging readiness. The Migration Readiness Assessment (MRA) is a process of gaining insights into how far along an organization is in their cloud journey, understanding their current cloud-readiness strengths and weaknesses, and building an action plan to close identified gaps. Part of the MRA will uncover the security and compliance regulations in the Security and Governance perspectives of AWS Cloud Adoption Framework (CAF): Business, Governance, People, Platform, Operations and Security. It establishes an understanding of the customer’s compliance programs, such as HIPAA or GxP, to guide the scope of initial briefings and workshops, the initial business case, and the activities required during the following phases.

• The mobilize phase is about building early momentum. In this phase, you create a foundation landing zone, define an operating model, and leverage a cloud center of excellence.

• Next, you migrate and modernize your workloads at scale.

Finally, the migration and modernization journey does not end with the completion of the migration. It is crucial to focus on continuous operation and optimization. This structured, phased approach has proven to be effective for most of our customers, ensuring a smooth and successful migration and modernization journey.

Figure 1 – The three phases of migration with recommended activities per phase

GxP

Good x Practice (GxP) compliant workloads typically account for at least 40% of the application portfolio based on our analysis of several customer’s application inventories/CMDBs. Understanding how GxP requirements apply in the cloud is essential. GxP should be covered as a topic in the early briefings and workshops, establishing how GxP compliance can be achieved along with the impact it may have on existing customer IT operations and Quality Management Systems (QMS).

Conducting a thorough Quality Management Assessment is essential to gauge the compatibility of your current QMS with cloud operations. This evaluation should consider if your QMS aligns with traditional guidance such as the ISPE GAMP IT Infrastructure Control and Compliance good practice guide, and whether it might impede the transition to cloud. A revised QMS should incorporate new cloud best practices.

Some customers may be tempted to exclude GxP workloads from their migration plan in order to avoid GxP regulations. Doing so can delay the process, reduce the benefits of migrating to the cloud for the core business, and lead to additional costs later on due to retrospective qualification. It is important to understand that there is no technical difference between migrating a GxP and non-GxP workload. The same tools and best practices should be applied to all workloads. The likely difference lies in your internal processes, SOPs, and documentation practices, making this an ideal time to assess the impact of cloud adoption on your existing QMS.

Before starting a large-scale migration, it is crucial to assess your organization’s readiness and review your application portfolio. This preparatory phase is important for building a strong business case that includes the appropriate key performance indicators (KPIs) and metrics. It also helps to ensure that key stakeholders and leadership are aligned with the business goals of the migration.

GxP in the assess phase

During the assess phase you will go through the following five activities.

1. Assessment and discovery.
2. Migration strategy selection.
3. Business case development.
4. Total cost of ownership (TCO) analysis.
5. Migration Readiness Assessment.

The assess phase is crucial for GxP compliance because it allows you to evaluate your organization’s readiness for migration, including assessing compliance considerations and ensuring that the migration strategy aligns with GxP requirements. Here is how the assess phase contributes to GxP compliance.

1. Assessment and discovery – During this activity, you identify and catalog your existing GxP applications, infrastructure, and dependencies. This step is essential for understanding the scope of your GxP systems and their specific compliance requirements. This activity should involve the following steps.

• Inventory GxP systems and applications.
• Identify and catalog all GxP systems, applications, and workloads that must be migrated to the cloud.
• Document the system’s purpose, criticality, and regulatory classification (e.g. GxP Part 11, Annex 11).
• It is crucial to understand the system’s lifecycle stage (development, validation, production, retirement). This knowledge will keep you informed and prepared for the next steps in the migration process.
• Understand the data flows and integrations between GxP systems and other systems.
• Assess the current on-premises infrastructure hosting the GxP systems, including servers, storage, networking, and backup solutions.
• Evaluate each GxP system’s current compliance status, including validation documentation, audit trails, and electronic records management. Identify any gaps or areas requiring remediation or revalidation during the migration process.
• It is important to evaluate the data types and volumes associated with each GxP system, including sensitive or regulated data. This will give you a sense of security and confidence in the migration process.
• Identify any manual processes or custom scripts that may need to be automated or replaced in the cloud environment as a proactive step.

2. Migration strategy selection – When evaluating different migration strategies for your GxP applications, consider the impact on compliance. This activity should involve the following steps.

• Assess the suitability of different migration strategies (rehosting, replatforming, refactoring, or rearchitecting) for each GxP system or application. Consider system complexity, dependencies, data sensitivity, and compliance requirements.
• Analyze the potential impact of each migration strategy on the system’s compliance status and validation efforts. Identify any additional validation activities required for each strategy.
• Ensure each migration strategy includes a robust data migration and validation plan, including tool qualification.
• Ensure that the proposed architecture not only aligns, but upholds GxP compliance requirements and industry best practices.
• Assess the suitability of various AWS services (e.g., Amazon EC2, Amazon Relational Database Service (Amazon RDS), Amazon Elastic Block Store (Amazon EBS), Amazon Simple Storage Service (Amazon S3), etc.) for hosting and supporting GxP systems. Consider services that can enhance compliance, such as AWS Config, AWS CloudTrail, and Amazon CloudWatch.
• Create a detailed migration roadmap for each GxP system outlining the selected migration strategy, target architecture, and timeline. Prioritize the migration of systems based on criticality, complexity, and dependencies.

3. Business case development – As part of developing the business case, consider the potential benefits of migrating GxP systems to the cloud and aligning stakeholders on the expected benefits and return on investment (ROI). Additional benefits such as improved data integrity, audit trails, and scalability should be considered. These benefits can help justify the migration from a compliance perspective. This activity involves the following steps.

• Identify the key business drivers and objectives for migrating GxP systems to the cloud, such as cost optimization, scalability, agility, or innovation. Align these drivers with the organization’s overall strategic goals and regulatory compliance requirements.
• Identify and assess the potential risks associated with migrating GxP systems to the cloud, such as data security, compliance risks, and operational disruptions.
• Estimate the upfront and ongoing costs of migrating and operating GxP systems in the cloud, including infrastructure, services, and personnel costs. Compare these costs with the current on-premises infrastructure and operational expenses.
• Develop ROI projections over a defined time period (e.g. 3-5 years) to demonstrate the long-term value of the migration.

4. Total Cost of Ownership (TCO) analysis – The TCO analysis should factor in the costs of maintaining GxP compliance in the cloud environment, including any additional validation efforts or specialized services required. It should provide a comprehensive view of the financial implications of migrating GxP systems to the cloud, considering both upfront and ongoing costs.

5. Migration Readiness Assessment – This activity is crucial for assessing your organization’s readiness for migrating GxP systems to the cloud. It involves evaluating your current compliance posture, identifying potential gaps or risks, and developing mitigation strategies. This assessment should cover the following areas.

• Incorporation of cloud best practices into your Quality Management System (QMS).
• Identify any specific requirements or considerations related to data integrity, security, audit trails, and electronic records management.
• Data integrity and security considerations.
• Validation and qualification processes for cloud-based GxP systems.
• Change management and documentation processes.
• Training and organizational readiness for cloud-based GxP systems.
• Identify any gaps or areas that may need to be updated or enhanced to align with cloud operations and GxP compliance requirements.
• Identify potential risks and develop mitigation strategies to ensure the security and integrity of GxP systems in the cloud.

Conclusion

In this blog, we focused on GxP considerations during large-scale migrations to AWS cloud in the healthcare and life sciences industry. We covered the assess phase of the AWS migration framework, which plays a crucial role in setting the stage for GxP compliance. We discussed activities such as assessment and discovery, migration strategy selection, business case development, and total cost of ownership analysis. It’s important to understand the impact of GxP requirements and conduct a thorough Quality Management Assessment. GxP workloads can sometimes have dependencies on non-GxP systems, such as Active Directory. Excluding GxP from the planning process is not an option as this can lead to delays and additional costs. In the next part of this blog series, we will cover handling GxP in the Mobilize phase.

Additional reading:
The GxP Systems on AWS whitepaper provides information on how AWS approaches GxP-related compliance and provides customers guidance on using AWS services in the context of GxP. The content has been developed based on experience with and feedback from AWS pharmaceutical and medical device customers, as well as software partners, who are currently using AWS services in their validated GxP systems.

About the Authors