Cloud computing, because of its strategic and operational advantages, is being adopted with increasing regularity by the life sciences industry. Cloud computing enables regulated organizations to use global platform solutions for data management and analysis, and presents an opportunity to more efficiently meet regulatory obligations. At Google, we understand the needs, constraints, and considerations that our life sciences customers experience with respect to migrating their workloads to the cloud. In this paper, we will describe how Google Cloud supports customers interested in utilizing the cloud to build a GxP-aligned IT environment. This includes our approach to managing quality, security and compliance for Google Cloud, and Google’s organizational and technical controls to protect customer data.
What is Google Cloud?
Google Cloud is a suite of cloud services broadly categorized in infrastructure, platform, and software solutions. Alongside those services, Google Cloud offers a range of tools from smart analytics to artificial intelligence capabilities. At its core, Google Cloud consists of a set of physical assets, such as computers and hard disk drives, and virtual resources, such as virtual machines (VMs), that are contained in Google’s data centers around the globe. Each data center location is in a region. Regions are available in Asia, Australia, Europe, North America, and South America. Each region is a collection of zones, which are isolated from each other within the region. This distribution of resources provides several benefits, including redundancy in case of failure and reduced latency by locating resources closer to clients.
In cloud computing, what you might be used to thinking of as software and hardware products, become services. These services provide access to the underlying resources. The list of available Google Cloud services is long, and it keeps growing. When you develop your website or application on Google Cloud, you can mix and match these services into combinations that provide the infrastructure or solution you need, and then add your code to enable the scenarios you want to build.
What is GxP?
In the life sciences industry, GxP is an abbreviation referencing the various "good practice" regulations and guidelines that apply to medical products. The "x" variable in GxP covers a wide range of processes utilized in the development, manufacturing, and distribution of regulated products. Particular GxP criteria can be found in government agency regulations and guidance (e.g., Federal Food, Drug, and Cosmetic Act) as well as industry best-practice frameworks. Though GxP may cover any number of specified topics, for regulatory oversight purposes, agencies have almost uniformly adopted requirements related to product manufacturing processes, documentation procedures, staff qualifications and training, and distribution/storage. For life science organizations doing business in the U.S., GxP requirements can generally be found in the Code of Federal Regulations (“CFR”) .1
These requirements include, but are not limited to:
Quality System Regulation (QSR): 21 CFR Part 820, applicable to medical devices
Good Laboratory Practice (GLP): 21 CFR Part 58, applicable to nonclinical laboratory studies
Good Clinical Practice (GCP): Includes multiple regulations and guidance applicable to scientific studies2
Good Distribution Practice (GDP): Encompasses various provisions and guidelines addressed in 21 CFR Parts 211 and 820, including those related to handling, storage, and installation
GxPs were developed to ensure that medical products such as drugs, devices, and biologics are safe, meet their intended use, and adhere to quality procedures throughout the manufacturing and distribution process. This whitepaper focuses on the GxP-related topics most relevant to life science organizations, and in particular on how Google Cloud can be utilized by organizations as an element of their GxP compliance systems.
How might customers leverage cloud services in GxP Systems?
Our life sciences customers, many of whom are subject to GxP requirements, utilize Google Cloud in ways that not only help to achieve compliance, but also result in differentiated capabilities, technological advancements, and organizational efficiencies. A few representative examples include:
A contract research organization (CRO) uses a cloud-based project management platform hosted on Google Cloud to share trial-related information with sponsors.
Since this type of customer is managing a clinical trial, they are subject to good clinical practices and certain requirements aimed at protecting patients. The size of clinical trials can vary greatly, with some trials only requiring the use of a few regional sites, while others may necessitate data from thousands of patients across dozens of sites globally. With Google Cloud services, users can build any number of customized applications and solutions to fit their needs. For example, by using an online workflow to onboard and track patients, a CRO could potentially eliminate the need to maintain and audit paper records physically located at each site. Google Cloud services may also help to improve compliance with clinical trial procedures by providing real-time feedback to the CRO about how sites are complying with applicable protocols. Additionally, maintaining trial data information on the cloud allows for access to the data anywhere and at any time by the appropriate teams, with greater control over user access requirements than traditional paper files.
A life sciences manufacturer uses a cloud-hosted interactive voice response platform to manage customer copay card requests.
Depending on how the platform is collecting information, the process may be subject to good pharmacovigilance, or safety reporting practices (GPvP). If the system is hosted in the cloud, the customer will have to consider how the infrastructure was qualified or determined to meet requirements. The organization may also be subject to controls that ensure that the GxP records, in this case call notes, are protected appropriately. FDA’s electronic record requirements at 21 CFR Part 11 provide that any changes to data stored in electronic systems are recorded and attributable to an appropriate individual. In this paper, we outline how Google Cloud can help customers meet these requirements.
How does Google Cloud help customers comply with GxP requirements?
As an industry-leading cloud service provider, Google Cloud helps life science organizations comply with the FDA’s electronic records requirements under 21 CFR Part 11 and its global equivalents.3 Google Cloud’s administrative, physical, and technical controls help our life science customers meet their quality and security objectives. In addition to the underlying infrastructure and operations managed by Google, Google Cloud products also provide capabilities which make it easier for our customers to meet applicable GxP requirements by managing their GxP recordkeeping obligations in the cloud. Google is committed to protecting its customer information and undergoes routine audits by independent third parties to verify compliance with numerous globally recognized security and data privacy standards. In fact, Forrester Research recognized Google Cloud as a Leader for Public Cloud Native Security for our security capabilities and features and as a Leader for Data Security Portfolio for our security product offerings.
In this paper we will describe the different measures that Google Cloud takes to help customers align with GxP requirements, and also explain how life science organizations can use Google Cloud offerings in a manner that complies with the various quality and security requirements applicable to regulated industry. While references to — and details of — regulatory standards and guidance are provided as a framework for discussion, they do not constitute legal advice for pharmaceutical organizations nor for any other entities.
Shared Responsibility Model
While the responsibility for GxP compliance ultimately lies with our life science customers, our shared responsibility model helps customers allocate resources more effectively by reducing the amount of effort needed to develop and maintain an IT environment. The model helps to alleviate some of the administrative and technical burdens faced by our customers, as our tools assist with the efficient management and control of system components that organizations subject to GxP requirements often rely upon. It also shifts a portion of the cost of security to Google Cloud, and may lower the cost of GxP compliance. As this illustrative, but not definitive, graphic shows, Google is generally responsible for securing our infrastructure and customers are responsible for securing their data. The specific responsibilities vary according to whether a customer is taking advantage of IaaS-like services on Google Cloud such as Compute Engine, PaaS-like services such as App Engine, or SaaS-like services such as Google Workspace. We help customers with their portion of responsibility by providing best practices, templates, products, and solutions.
Life science organizations can take advantage of Google Cloud products and services to streamline product development, execute and track quality manufacturing processes, and enable a robust software development lifecycle as part of compliance with FDA and other global regulatory requirements. Through significant investment in the quality and security of our services, we have made it easier for life science customers to demonstrate compliance with regulatory requirements. In securing our systems and protecting them against threats, we enable software developers to benefit from our technologies and practices while mitigating risk to patients and users of their products.
4.0 Additional Resources
As you continue on your journey to build GxP aligned devices, equipment, systems or applications, we invite you to take advantage of the resources listed below.
|Google Cloud||Google Workspace|
|Learn Why Other Organizations are Choosing Google Cloud||Why Google Cloud?||Why Google Workspace|
|Learn More About Our Services||Google Cloud Solutions||Google Workspace Learning Center|
|Learn More About Our Pricing||Google Cloud Pricing||Google Workspace Solution|
|Try Google Cloud For Free||GCP Free Tier||Google Workspace Free Trial|
|Call Our Knowledge Center||844-613-7589||855-312-7191|
|Have Questions Regarding Security, Privacy or Compliance?||Contact our experts at firstname.lastname@example.org|
|Get Google On Your Team||Fill out this form or call 844-613-7589||Fill out this form or call 855-312-7191|
|Train Your Team||Google Cloud Training||Google Workspace Training|
|Quickstarts - Deploy your first solution in 10 minutes or less||Getting Started With GCP||Google Workspace Quick Start Guide|
|Frequently Asked Questions||GCP FAQs||Google Workspace FAQs|
|Customer Technical Support||Contact our Google Cloud Support Center|
This whitepaper applies to Google Cloud products described at cloud.google.com. The content contained herein is correct as of May 2020 and represents the status quo as of the time it was written. Google's security policies and systems may change going forward, as we continually improve protection for our customers.
1. While the scope of this paper does not include an exhaustive international search for all applicable GxPs, it is generally true that regulatory agencies globally require medical products to be developed and manufactured in accordance with good practices. Such practices can be found directly in government regulations, guidance documents, and issued international standards.
2. See Food and Drug Administration, Regulations: Good Clinical Practice and Clinical Trials, https://www.fda.gov/science-research/clinical-trials-and-human-subject-protection/regulations-good-clinical-practice-and-clinical-trials.
3. See Food and Drug Administration, (2019, May 7) Part 11, Electronic Records; Electronic Signatures - Scope and Application, Retrieved from https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application
4. 21 CFR Part 11: Electronic Records: Electronic Signatures.
5. Please note that while the entirety 21 CFR Part 11 technically remains in effect, FDA is currently exercising enforcement over certain requirements provided in these regulations. The agency has issued guidance that clarifies which requirements FDA is actively enforcing, a link to which can be found at FN 4. Life science customers should independently evaluate which requirements might apply to their record-keeping systems.
6. NIST defines validation as: “Confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled.” (see NIST SP 800-160 [Superseded] (ISO 9000)).
7. NIST defines qualifying as: "Process of demonstrating whether an entity is capable of fulfilling specified requirements." (see NIST SP 800-160 [Superseded] (ISO/IEC/IEEE 12207:2017)). Retrieved from https://csrc.nist.gov/Glossary/Term/qualification
8. FDA’s Current Good Manufacturing Practice regulations applicable to pharmaceutical products can be found at 21 CFR Parts 210 & 211; and the Quality System requirements applicable to medical devices are provided at 21 CFR Part 820.
11. See 21 CFR § 820.22.