In this changing economy, business viability should be carefully taken into consideration when selecting a cloud computing vendor. It is possible that your cloud computing vendor may become acquired by a larger company, as witnessed by several recent deals in the cloud computing space. It is also possible that your vendor could go out of business. Under these circumstances, how would you retrieve your data and documentation? In what form would your data be returned?

Taking into consideration business viability of a vendor, make sure that the terms of the SLA are understood. The customer should have clear ownership of the data under any circumstance. The customer should request that the code of the software application be placed in escrow. Having the code in escrow will ensure that the application will be available in the event of a vendor’s bankruptcy or acquisition. If the cloud vendor is required to return the data, find out the form in which the data will be returned.

Because electronic document and data location is outside the four walls of the company, it is important that the customer knows the location of the data center(s). Since cloud computing allows data to become virtualized or moved and stored anywhere in the cloud, customers should know the location of their data. Is the data center in the United States or in a foreign country?  It is important for the company to know who “owns” the data. Find out if your data can be held “hostage” by the vendor if there is a dispute over the terms of the agreement. Finally, is the cloud computing environment shared? If so, what is being done to segregate the data?

 

Electronic document and data location in a public cloud poses a level of security risk. Ask the vendor for the exact location of the server. Knowing where the data will be located will help to understand the facility. Perform an audit prior to signing a contract. Ask for appropriate certifications and validation documentation. 

 

Find out how the data is being segregated within the public cloud. Each client should have its own secure database if servers are multi-tenant. Multi-tenancy refers to software architecture where the software runs on a server, serving multiple clients or tenants.  

 

Finally, in order to prevent your cloud vendor from withholding data and information, ask for a provision in the Service Level Agreement (SLA) stating that the data belongs to the customer at all times. This will prevent the customer from being denied accessibility to company-owned data and documentation when issues or conflicts occur between the vendor and the customer.

The customer is ultimately responsible when being investigated by a regulatory authority. The customer must ensure that their cloud computing vendor is qualified and certified. Is the hosting site SAS70 Type II compliant? SAS 70 is defined by Statement on Auditing Standards No. 70: Service Organizations. It is an auditing certification issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) and serves as a way to provide guidance to auditors when assessing internal controls of the service organization.

 

The cloud computing vendor should understand regulatory compliance and regulatory affairs and have a firm understanding of the current regulations for electronic records and electronic signatures (21 CFR Part 11). Without a basic understanding of compliance and regulations, the customer may be held responsible for the vendor’s inadequacies that are discovered during an inspection or audit. 

 

A good place to start when evaluating the regulatory compliance of the cloud computing vendor is to ask for transparency. Ask for certifications and documentation. Ask to review an audit report. Ask the SaaS vendors what steps they have taken to develop their application in compliance with 21 CFR Part 11 Requirements. Ask for training records for the vendor’s system administrators. Ask your cloud computing vendor for validation documentation. If the cloud computing vendor understands regulatory compliance, then it should be willing to provide the necessary information for an auditor to make informed decisions regarding the cloud computing vendor’s compliance. 

For many life science companies, their “crown jewels” or intellectual property is the essence of their company. Companies in the start-up mode are not generating revenue and many of their key licensing deals are driven by their ownership of intellectual property. If key information is lost, stolen, or breached, it could be devastating to a company. Key information may include manufacturing materials and processes, clinical data, and other research data. Cloud computing could present risk to the security and protection of intellectual property for life science companies if proper steps are not taken to ensure the security of the SaaS application that is run in the cloud. Access to information in the cloud must be well-controlled. End-users that select weak passwords could place an entire company’s documents and information at risk. Finally, access to information could be affected when users get locked out of an account at a very inconvenient time, such as during a presentation or during a major regulatory submission. 

 

The intellectual property for life science companies must not be compromised. To protect this valuable asset, companies may opt for a private cloud instead of a public cloud. A “public cloud” exists when the servers, infrastructure, platform, and applications are hosted off-site by a third party, such as a large data center. A “private cloud” offers the same resources but is located within the four walls of the company. A private cloud will offer the same benefits of cloud computing, but with physical security provided by the company. In the event that a user is locked out whether utilizing a private or public cloud model, the company should know who controls access. Access should be controlled by an administrator within the company for a quick turn-around. The company administration must protect access by controlling and maintaining password complexity. Security for life science companies relying on cloud computing can only be as strong as the weakest password. 

Case Management for Regulatory Affairs encompasses the so-called regulatory “big picture.” An electronic document management component must be directly tied into an electronic regulatory publishing system. In order to fix a non-existent or broken electronic document management system, it is important to follow the suggestions outlined below. 

 

It is ideal for an Electronic Document Management system to be easily accessible over the Internet. A Web-based document management system suits this need best. 

 

The Electronic Document Management system should have appropriate permissions established so that all people can access PDF versions of the information at all times. This will save time when people need access to information for review purposes, without having to go to their IT department to request permission to access certain folders. Giving access to PDF versions of the document will ensure that the native version cannot be modified or deleted. If access to the native (Word) version is necessary, make this access easy to ensure workflow continuity. Delays in accessing information translate into delays in product commercialization.

 

Interfacing well with an electronic submission publishing system is a necessity. A well-suited solution will have the Electronic Document Management System built directly into the Electronic Submission System for seamless integration. This makes system upgrades easier and devoid of hassle. Having one central repository for all submission documents will ensure that information flowing to and from the Regulatory Agency will be well organized and properly controlled.

 

As electronic document management systems continue to evolve, it is becoming considerably important to have the right metadata included in the electronic document management system. This is necessary to ensure high quality electronic submissions and to appropriately manage the existing document management system. 

 

There are industry standards available—for example, the EDM Reference Model—that have been established by the Drug Information Association Special Area Interest Committee (DIA EDM SIAC). 

 

A good solution to ensure that the appropriate metadata is captured in the electronic document management system is purchasing a system that ensures compliance with the reference model or that can guarantee that the documents in the system will have the appropriate metadata for managing both the documents and the electronic submissions.  

 

Much of the information that is submitted to the Regulatory Agency is re-used throughout the product lifecycle. As mentioned earlier, if the information in this content is wrong, then errors will perpetuate, creating confusion with Agency reviewers that result in product commercialization delays. The best way to manage content re-use is to set aside a place in the electronic document management system for “clips” of information. These “clips” can be versioned over time and made available with the most updated information. Once the clips are stored in an appropriate location and adequately maintained and versioned, they can be copied and pasted into other document parts. This saves the technical writer time, and the organization saves money and resources because information that goes into documents can be easily and accurately re-used and re-purposed in all submission documents. 

The challenges caused by current electronic document management systems translate to risk for the organization. The risk factors include loss of time and resources, penalties from the Regulatory Agency for missed deadlines, and delays in commercialization that result in lost revenue. 

 

It is astounding to consider the amount of time required for a Regulatory Affairs person to 1) find the correct document 2) track down the correct version and 3) compare the document to the previous filings so as to ensure that there will be no discrepancies with the information the Regulatory Agency has on file. The time lost ranges from hundreds to thousands of FTE hours and consulting fees that could be more wisely spent on developing a sound regulatory strategy and efficiently obtaining information for regulatory submissions. Furthermore, selecting the wrong electronic document management system prior to choosing an electronic submission vendor could translate to higher costs with the electronic submission vendor, or result in a total overhaul of the existing document management system because it is not properly configured for electronic submissions. 

 

Spending valuable time pulling content together for a Regulatory Submission is necessary. Omitting a thorough review of the documents will lead to information that is submitted to the Regulatory Agency with inaccuracies, inconsistencies, and missing data or information. These discrepancies lead to loss of credibility for the organization. Furthermore, the penalties received for missed filing deadlines can be serious. Missed deadlines result in fines and the lack of compliance will draw attention to the company, which ultimately affects publicly traded companies in terms of the value of their stock.  

 

Delays in commercialization result in millions in lost revenue. Delays in commercialization occur when inconsistent, missing or poorly formatted information is sent to the Regulatory Agency. This occurs with both paper and electronic submission formats, as a result of the content being poorly managed and versioned. The result of poorly managed content could mean review delays that cost a company time and revenue. 

Challenges with electronic document management systems are that no such system exists at all in the company. Other problems with existing systems are poor configuration and bad metadata, poor interface with submission publishing systems, and content re-use that is not appropriately managed. 

 

Most would agree that Windows Explorer does not provide content management, yet many companies that do not utilize electronic document management systems rely on Explorer to store their most valuable asset: documentation. In addition to an extreme lack of control, the main problems with Explorer are inappropriate levels of access and shadow files.

 

Inappropriate access refers to too much or insufficient access. Too much access leads to individuals who access very important documents, accidentally delete documents, or make changes to documents without proper version control. These unintentional changes make it extremely difficult, if not impossible, to find and track content throughout the document’s lifecycle. As some companies are aware of this problem, they may limit access to certain folders. This is also a problem because the limited numbers of people who do have access to certain folders are often not those who need the documents, like Regulatory Affairs. This inevitably leads to delays in Agency submissions. 

Shadow files result when the same document is kept in multiple locations. This happens when one department creates the document and sends the document to two or three other departments for additional information and review. The additional authors and/or reviewers may decide to keep the document in their file system in order to “cover themselves,” if any questions arise over the content that was created or reviewed. This also creates a problem with document ownership and with the final version. Who owns the final version? Where is it kept? Regulatory Affairs may ask for the final and current version of “Document ABC,” and three groups may respond, all with different versions of the same document. This circles back to the main problem of having no document management system, resulting in the lack of version control and version history. With documents stored in multiple repositories, it is difficult to control document versions and version histories. The inability to control documents and to monitor versions adequately over the document lifecycle means that it will be difficult to maintain and control electronic submissions to the Agency.

 

The marketplace is flooded with electronic document management systems, both from large and small vendors, offered on the license model and open source. Without appropriate metadata focused on the end result (i.e., the electronic submission), these systems are just as ineffective as having no system at all. Bad metadata will make it difficult to find documents within the electronic document management system. Finding documents within your electronic document management system is not only important for Agency submissions, but also for inspections, due diligence and other regulatory activities that occur within the organization.

 

Equally contributing to the ineffectiveness of the electronic document management system is a system that does not “talk” to the regulatory publishing system. It is typical for electronic document management systems to be selected without any regard to Regulatory Affairs or the publishing system for electronic submissions. If the electronic document management system is purchased first, this will limit the number of electronic publishing vendors to choose from because not all electronic document management systems will interface well with the electronic publishing system. The end result is higher IT costs because: 1) the only submission vendors that interface with the selected document management system are much more expensive; 2) the entire electronic document management system must be discarded because it is does not interface at all with any of the electronic submission vendors; or 3) the electronic document management system must be completely reworked because it does not have the appropriate metadata needed for electronic submissions.

 

In creating new documents, content is often pulled from other documents as an efficient short-cut to convey relevant information in the new document. However, if this content is not well written and poorly controlled, errors will perpetuate and multiply in the multiple documents intended for regulatory submissions. Because most electronic document management systems do not have provisions for content re-use, information is simply pulled from the most easily accessible source or the most recent document, whether or not it is controlled. If this re-usable content is edited, then the risk is that the new information is not copied consistently into new documents. To an Agency reviewer, this inconsistency detracts from the credibility of the organization because it does not provide a coherent and cohesive regulatory package. An even greater risk is that it may trigger further evaluation, translating to delays in commercialization.

The foundation for good electronic submissions is a solid electronic document management system. In the past, Regulatory Affairs (RA) has typically played a small role in the selection of an EDMS (electronic document management system) vendor, but now that submissions are becoming fully electronic (eCTD), merger and acquisition and partnering activity are on the rise, and FDA oversight is increasing, the EDM system has now become a key driver to successful case management for Regulatory Affairs. 

When it comes to electronic document management, also known as content management, EDM, EDMS, ECM, etc…... the biggest players and decision makers lie within Quality Assurance (QA) and Information Technology (IT), with the final decision resting in the hands of Executive Management. Regulatory Affairs has a very small role in this decision-making process, but it is ultimately responsible for obtaining information from the electronic document management system and filing it with the Regulatory Agency. Much of a company’s success or failure rests in the hands of Regulatory Affairs, in terms of gathering all the appropriate information, compiling it in a way that the Agency can efficiently review it, and being able to respond promptly and accurately to requests from the Agency. An ambiguous or poorly configured electronic document management system can translate into inappropriate or missing information sent to the Agency, missed deadlines for filings or responses to Agency requests, and hours of wasted time searching for the appropriate content for Agency submissions.

 

Why should Regulatory Affairs be part of the decision process for the Electronic Document Management System? The answer: Electronic Submissions. Electronic Submissions are changing the way in which information is transmitted to the Regulatory Agency and subsequently evaluated. Submitting information to the Regulatory Agency in an electronic format means that the content created for the electronic submission must be controlled, concise, consistent and easily retrievable from the electronic document management system from which it originates.