How AWS Partner Medidata Solutions Approaches GxP Compliance in the Cloud

Special thanks to Jordin Green, Global Head of Industry Marketing & Global Healthcare and Global Life Sciences Marketing Lead, AWS and Gretchen Murphy, PR Manager at Medidata Solutions.

AWS Life Science Competency Partner Medidata Solutions is a leading SaaS company solely focused on helping life sciences companies conduct faster, safer, less expensive, and more insightful clinical research. Medidata Solutions’s cloud technology platform uses AWS to power clinical trials for more than 600 life sciences customers. Medidata Solutions has been very successful at educating their customers on the benefits of using AWS commercial-off-the-shelf (COTS) services as an underlying platform within their GxP SaaS solutions. Given the highly regulated nature of clinical trials and the confidential patient data that is collected, it is essential for Medidata Solutions and its customers to be GxP compliant.

GxP requirements apply to organizations that make regulated food and medical products such as pharmaceuticals, medical devices, and mobile medical applications.  GxP is a general term for Good (Something) Practice.  The “x” simply represents a variable. For example, GCP is an acronym for Good Clinical Practice, a set of standards for clinical trials.

Medidata Solutions – and its customers – consider AWS services COTS, and therefore the GxP controls are relatively detached from the actual AWS service components. For Medidata Solutions, the majority of its procedures used for app design, development, testing etc., stayed consistent when using AWS services.

Medidata Solution’s clients assess cloud-based software that operates with AWS services in much the same way as on-premises software built on top of COTS operating systems, databases, and storage hardware.

The company has found that the majority of GxP clients tend to focus their validation of necessary controls at the software and logical layers of the stack (i.e., the customer responsibility portion of the AWS Shared Responsibility security model). However, for those determined sponsors that did dive deep into how the AWS services were being leveraged, it became clear that the resilience provided by the use of AWS Availability Zones (AZs) and AWS services, such as Amazon Simple Storage Service (Amazon S3), demonstrated a clear benefit for the availability and durability of Medidata’s clinical cloud platform.  Customer discussions about validating AWS services often shifted conversations from, for example, backup to availability. This alteration in viewpoint is a major step forward in GxP systems since it establishes that GxP systems built with AWS services can be architected for high availability and continue operating even if a single system component or AWS service is temporarily unavailable.

Now that members of the APN, such as Medidata Solutions, have shown customers these enhanced architectures, sponsors of GxP systems have started to demand these systems from all their clients. Since customer obsession and customer trust are core leadership principals of the Amazonian team culture, we wanted to provide more guidance for sponsors that need guidance in making quality assessments of systems they chose to build on AWS. To meet this customer need, AWS created three key enablers for building and moving GxP systems onto AWS:

1. AWS’s ISO 9001 certification directly supports customers who develop, migrate and operate their quality-controlled IT systems on the AWS Cloud. Under a Non-Disclosure Agreement (NDA), customers and partners can leverage these compliance reports as evidence to validate their own ISO 9001 programs.
2. AWS Quality Manual, available upon request, is for AWS customers who have a Non-Disclosure Agreement and are in the process of performing a supplier assessment of AWS’s quality and security management controls
3. In cooperation with Lachman Consultants, a multidisciplinary team of highly experienced FDA and pharmaceutical industry experts, we’ve developed and published a new whitepaper, “Considerations for Using AWS Products in GxP Systems”

Tony Hewer, Senior Director of Quality & Regulatory affairs at Medidata Solutions tells us, “These items have positioned Medidata Solutions extremely well in the eyes of our customers. The materials are very insightful and enable us to put a very large check in the box that confirms we’ve performed the quality activity.”

To learn more about how your company can work with AWS to build or consult on GxP compliant workloads, be sure to check out the AWS Compliance page and watch a previously recorded webinar on Next Generation GxP Systems in the Cloud.

For those that want to dive into the details of starting a GxP partner practice on AWS, make sure to watch the APN Webcast series on the APN Portal.

• Overview – An overview of GxP compliance on AWS
• Quality Systems – Management responsibility, personnel, audits, purchasing, and recordkeeping.
• System Development Life Cycle – Development, validation, and operations.
• Regulatory Affairs – Regulatory submissions, health authority inspections, and personal data privacy controls for research participants.