As cloud computing begins to emerge from the ‘hype’ phase and into the beginning of mainstream adoption, there are often questions around what to look for when selecting document management systems in the cloud.
With a somewhat slow adoption initially, the cloud is beginning to gain traction in the life sciences. However, selecting a cloud-based electronic document management system (EDMS), and vendor should be carefully thought through and not rushed.
In the following article, we will attempt to identify some of the key attributes life science companies should look for when selecting a cloud-based EDMS and vendor. In no particular order…
#1 - 21 CFR Part 11 Compliance
Not all software vendors are created equal in that they each have their own processes and procedures for the provision and management of their cloud environment. Some may host their own environment and others may work with a third party. In all cases, it is imperative to ensure that the underlying cloud environment meets the requirements of 21 CFR Part 11.
This can often be challenging in a cloud environment as the way that cloud infrastructure is provisioned is different in that you are not necessarily able to pin down exact machines that your EDMS environment resides on. You need to picture the cloud as one ‘large machine’ rather than individual machines and ensure that the cloud vendor has properly qualified this ‘large machine’. It’s important to identify which technical and procedural controls the cloud vendor needs to have in place versus which controls would be your responsibility.
Another good starting point would be to look for ISO or SOCs certification’s that have similar control requirements. If the electronic document management service provider is using a third party cloud, then you should expect them to have done this due diligence for you.
#2 - Confidentiality of Information
A cloud environment is multi-tenant by nature in that all clients on the same cloud will share machines and potentially software. In the case of an electronic document management system, it is probable that you will be sharing both hardware and software and so making sure that there are proper security and confidentiality measures in place is key.
The software vendor should be able to explain how they ensure confidentiality of information through logical and even physical security controls. Remember that you also need to meet confidentiality requirements laid down by HIPPA, European directives, and other local confidentiality laws. These laws have specific requirements around where and how nominative data is held. You should see if the vendor has considered these requirements and how they meet them.
#3 - Availability and Performance
You need to evaluate what uptime you require for your environment and how time critical the content that you need to produce or access is. Usually, the higher the availability guaranteed in the vendor’s service level agreement, the higher the cost of the environment. For high-availability requirements, you should look for:
- Geo-redundancy – What happens if one location goes down? Ideally, you want another geographically different cloud location that will automatically take over in this event. Check this with the vendor.
- Disaster Recovery – Alongside geo-redundancy, you want to make sure that there are appropriate policies and procedures in place to govern disaster recovery. You should also verify that the EDMS application can work in redundant environments.
- Performance - How you are planning to use the environment? If you plan to upload and access very large files such as image files, or if you are transferring large volumes of files such as NDAs, you need to make sure that the system has the bandwidth to handle these files.
- Location of Users - You should also think carefully about the location of your users and aim to have cloud environments as close to them as possible. For example, you may experience latency issues if your team is based in the United States and your environment is hosted in Europe.
#4 - Life Science based features and configuration
Configuring an EDMS specifically for life sciences from scratch can be a significant undertaking. There are so many different document types that need to be managed (the average life science company probably handles 500+ different types of documents or content) each with their own attributes, metadata, lifecycle and security requirements. Just defining all of this can take many months if not years. There are reference models such as the DIA EDM Reference Model and DIA TMF reference models that can make this easier.
When looking at cloud-based document management, you should look to see what standard configuration the environment comes with and whether the reference models have been implemented. You also need to look to see if the system has other features that are required for life sciences, such as 21 CFR Part 11 compliant signatures, audit trails, regulatory publishing tools etc. You should evaluate how easy it would be for you to use the system out of the box versus whether and how you can customize the system. Customization in cloud environments can be challenging and costly so finding a system that requires little or no customization should be a key area of focus.
#5 - Ability to integrate
There are multiple systems that need to integrate with an EDMS. These include but are not limited to EDC and CTMS for the provision of metadata values and document status, eCTD for the provision of records and metadata for the building of submissions and business intelligence tools to provide comprehensive cross-system reporting.
When working with a cloud or SaaS-based EDMS, integration may be more challenging. You should ask the software vendor about their experience with integrating with other systems including the systems you are already working with or considering. Sometimes the vendor may be able to provide equivalent replacement systems or may have agreements in place to host and integrate with other third party vendors. In all cases, evaluating a cloud-based EDMS as part of your electronic computer systems ‘Big Picture’ is important to make sure that you achieve proper system integration and avoid data transcription or dislocation.
#6 - Speed of delivery
When working with a cloud or SaaS model, the premise is that you are accessing a document management service based on a system that should already be deployed and validated. Only customizations should really need to be validated, and therefore if you are not customizing the system, you should expect delivery of your environment within weeks rather than months. This is a significant change and advantage on deploying a system in-house which would require that you validate it and typically take longer to deploy.
#7 - Life Science Focused Support
Because the vendor is managing your EDMS environment, you will be very much dependent on their support team to support both your end users and internal administrators.
Evaluating the software vendor’s ability to understand your business context is very important. The vendors support staff should not only understand the system but also the document management context in clinical trials. Look for training and support on-demand in the form of video and online content. This can be extremely helpful to provide users with self-service, punctual help and support.
#8 - Data integrity and recovery
You need to ensure that your data is safe and protected. You should be looking at the controls that the vendor has in place to guarantee the data integrity of your content. Some vendors may employ storage encryption and other data protection techniques. Ensuring that your content can be decrypted in this case is also important.
There should be off-site backups and regular data verifications to ensure integrity and protection.
Finally, there should be a clear process for you to be able to recover your data and content should you no longer wish to use the vendor’s service or if they go out of business. This should include a provision for also providing the audit trail, signature manifestations, and any other data which belongs to you.
#9 - Standard vs Proprietary
There are a multitude of electronic document management system cloud offerings out there. Some are based on standard platforms such as SharePoint, others are completely proprietary and finally, some are a mixture of the two. The more the platform uses a standard EDMS underlying software, the easier it will be to port your EDMS content to another vendor who is also using that same software. If the system is proprietary this is not such an easy task and would require significant content migration efforts.
The Takeaway
No matter the route you chose to take in your quest for compliant document management, there will always be key elements that you need to consider based on your organizations’ needs and current situation.
For sure, the cloud is a viable option and will continue that way as the cloud becomes even more sophisticated, but the key takeaway here however, is that proper due diligence must be done. Accounting for and putting thought into some of the attributes listed above is a great start, but ultimately there are always more things to think about.