The Cloud is a term that is used to describe an environment where IT systems are run outside an organization’s own on-premise IT infrastructure and firewall. Provisioned by large and small organizations who specialize in areas like cheap storage, fast computing power and data analytics, the Cloud is of particular interest because it can reduce the overall cost of running systems due to the economies of scale available, and because in many cases, the Cloud can be more secure than traditional on-premise environments.
Now, there are some that still feel that the Cloud is not secure, but this concern typically comes down to how the word is used — a “private cloud” is very different to a “public cloud”, especially when you consider security and what is shared over the internet. In practice, private clouds should be viewed as having similar, if not better, security than on-premise IT infrastructure.
However, when it comes to manufacturing systems being run in the Cloud, there are a couple of aspects that have been sticking points for many organizations. One is around where the data is stored due to government regulation and the second is around systems validation. Data storage location may or may not be a true issue, but the majority of the big cloud providers like Amazon, Microsoft and Google are now able to provide guarantees that data is stored within a given region or data center — eliminating this objection and they are also building data centers in new regions all the time e.g. Amazon building its Frankfurt data centers to support the German market.
But, how do you validate a cloud solution? How can you conduct IQ, OQ and PQ on an environment that you can’t actually easily see? How do you integrate on-premise instrumentation and systems with cloud systems securely? How do you know when to revalidate when the infrastructure a system is running on is upgraded automatically, often without you knowing?
These are real concerns and ones that are not so easily rebutted as the locale ones. They require deeper knowledge and management of cloud environments — but they are still answerable.
Validation itself is not a difficult concept — following a set of defined processes and safeguards to ensure a system runs according to design. It is the huge number of variables that can affect a software system, once it is validated, that make it tricky. Q: What are those variables? A: They are all the things that can possibly alter the way the software behaves, such as the computer hardware, the operating system, the software setup, the integrations with other systems etc.
Why is this an issue? Because the validated software is being used to make very important decisions and any change in its behavior could have serious implications. So, ensuring validated systems remain validated is the top priority. This is therefore the last hurdle that needs to be addressed — how do you, in a cloud environment, ensure that a validated software system remains validated given that you do not have control of the IT infrastructure in the same way as you so in an on-premise environment?
Many of the process-related aspects of validated systems management can be accomplished in a cloud environment — security and access to hardware are fastidiously enforced. If they are not, the outcomes could be disastrous. Some of the major cloud providers have hundreds of thousands of customers’ environments running in their data centers, many of which belong to the world’s most significant organizations.
Other barriers raised include how the on-premise software is connected with the cloud software in a secure manner.
Finally, the updates to the software that the cloud systems run on need to be controlled and only updated when required or on an agreed schedule. This will remove one of the biggest worries regulated and validated organizations have of “the sand moving under their feet”. This will incur more cost, as the cloud providers want to update and upgrade their infrastructure on their terms to keep their businesses lean and mean — but this is at odds with the validation concept as it currently stands.
With the right management, the cloud can be used for validated systems — a critical component for a manufacturing context. So, why aren’t seeing a fast uptake?
It is most likely due to the time it takes for organizations and markets to change and adopt new technology. Small organizations do not have the budgets and man power to invest in exploring all the options and issues implied with a move to the Cloud, so it will be down to the big players to sort out the “gotchas” and issues first. This will then enable the medium and smaller players to learn and adopt best practices from their larger counterparts.
There are still “unknowns” and potential issues with the use of the Cloud in a regulated manufacturing context, but, given the benefits of lower total cost of ownership and greater security, I think the stage is set for a large migration of validated manufacturing software systems over the next few years.
Paul Denny-Gouldson is Vice President of Strategic Solutions at IDBS.