A Ǫuick start Guide for Successful Cloud Migration of Global Pharmacovigilance (GPV) IT Applications

In the ever-evolving regulatory landscape of Global Pharmacovigilance (GPV) operations to ensure patient safety for a pharmaceutical company, the decision to migrate GPV specific IT applications to a cloud-based infrastructure is a pivotal strategy for organizations seeking to enhance agility, reduce costs, and embrace transformative technologies. Cloud migration offers a pathway to a more flexible, scalable, and innovative IT infrastructure which is also easily compatible with new age Artificial Intelligence (AI) & Machine Learning (ML) platforms.

This journey to the cloud-based setup is not without its challenges and a well-thought- out plan is paramount to success. This article aims to serve as a compass for Clinical Safety & Pharmacovigilance teams who are looking to seamlessly migrate their GPV-IT applications on to cloud. We will delve into the key considerations, recommendations, and crucial steps that will pave the way for a successful cloud migration.

Need for Cloud Migration

The journey to set up a cloud-based operations starts with identifying the need for change. Migrating to Cloud offers numerous advantages not only from Infrastructure operations perspective but will also enhance the scalability of GPV IT applications (like Safety Databases, Signaling solutions, etc.). Few basic questions that need an evaluation are:

• How the Cloud operations will be beneficial for GPV operations?
• How will they impact the GPV technology roadmap?
• How will it help the objective of being a globally compliant organization as per Global Health Authority requirements?
• Which Cloud Service Provider (CSP) aligns with my organization’s future technology roadmap/strategy to ensure an efficient intra-company integration with other existing applications?
• Which cloud model deployment model (public, private or hybrid) is the best fit considering residency requirements, regulatory needs, scalability, and cost- effectiveness

A major driver for identifying the need is also the calculation of Return-On-Investment (ROI) from GPV system maintenance perspective. Migration to cloud will have its own effort requirements which should also be part of the organization’s ROI analysis as well.
 
Cloud migration strategy should consider the regulatory requirements, Geography location criteria (e.g. Europe as a strict General Data Protection Regulation (GDPR) requirement which may need especial arrangements), local/global security & privacy consideration.

Overall need for cloud migration should focus on the improvisation such as data accessibility, global technology integration, scalability, cost reduction, and disaster recovery capabilities.

Plan Cloud Migration Planning

The future state of GPV operations will rely heavily on how the cloud infrastructure is managed. Organizations may opt for a Software-as-a-service (SaaS) model OR can also opt to have an in- house team manage the applications & dependent cloud infrastructure. A hybrid setup which is a combination of SaaS & internally managed IT cloud applications is also a possibility. However, the network communications between SaaS & internal clouds needs a robust set-up to ensure reliant interactions. A well-defined strategy finalized post evaluation of the existing state of GPV IT applications, infrastructure & data will effectively manage potential challenges and risks of a Cloud migration. This strategic plan will also be the driver for your Post Go-Live maintenance activities.

Needless to highlight that a robust project plan which is tracked & controlled by strong program managers is critically important for success. A cloud migration project plan should at least focus on the following:

• Risk assessments & regulatory compliance adherence at each step of migration.
• Internal organizational policy adherence in case there is a geographical change of location.
• Ensure Data Integrity is maintained to support the desired business operations.
• If opting for a hybrid operational model, Infrastructure integration should support information exchange in multiple formats with both in-house & outside applications.
• Comprehensive platform qualification & validation of applications as per the requirements.
• Security & vulnerability management during the migration. Strategy for Post Go-Live operations.
• Ensuring business continuity through Cloud High Availability & Disaster Recovery setups.
• Once the cloud migration is completed & Post migration business operations have been successfully established, decommissioning of your old infrastructure and application should also be part of the plan.

Apart from a robust project plan, Strong & proactive communication is also essential. Cloud migration will involve collaboration with multiple teams & hence collaboration with multiple stakeholders is needed to ensure success.

Data Migration & PV Application Refactoring

GPV applications generally exchange Product Safety data outside of the organization with Global Health Authorities, Licensed Partners, Clinical Research Organizations (CROs), etc. in predefined formats like Individual Case Safety Report (ICSR) R2 or R3. Hence, Data migration strategy will be critical to meet the Organizational compliance goals. Need for Data migration will also be governed by the need to perpetually maintain the data. Sometimes, data might not be needed for daily operational needs, but needs to be maintained for future references. Data migration strategy should be formulated to involve data cleansing, transformation, and validation to enhance operations currently managed through PV applications. Another critical driver for Data migration is the location of existing data center & the new target cloud data center.

Validation requirements, application setup changes & modification of company policies (both internal & external) would be driven by the location where the data for GPV Application is stored.

Organizations may need to revisit the existing policies to safeguard the data exchange as per the regional privacy requirements (For e.g.: Exchanging the patient safety information from and outside of Europe may need to adhere to

(1) GDPR regulations &
(2) The guidance from European Medicine Agency (EMA)). Cloud migration can be formalized through multiple ways:

“As-Is” Migration Approach

This is commonly also referred to as a ‘Lift & Shift’ approach, where the existing setup of GPV applications is re-installed on a cloud-based infrastructure with a copy of underlying data from the previous infrastructure. This normally will involve a lot of technology-related operations for data migration and application installation. This approach has almost no impact on existing business operations. All applications will continue to operate nearly the same manner as they were prior to cloud based operations. This approach does not need a lot of investment & has a quick turnaround too. Most of the time this approach is followed by a second wave of business process re-engineering, where the existing operation processes are further tuned to benefit from existing cloud capabilities.

Phased Approach

This approach is common for the initiatives where the cloud benefits are first to be evaluated on a smaller set of applications. Organizations may choose to first migrate only a couple of GPV applications and evaluate their operations & interactions with global applications. Once successful, other applications will follow the same approach till all are operational on cloud. It is normally preferred to prioritize the initial migration for the stand-alone applications which supports a part of business operations & have minimal interaction with other applications/business operations. Transforming the business processes along with migration is optional and depends on the end objectives. Coz of the iterative nature of this migration, the risk associated is quite low, effort involved is high and can potentially take longer time to attain the final future state. In case, if the cloud migration does not align with expectations, it is easy to roll-back to the previous setup.

Transform/Upgrade with Migration

Each IT application needs a periodic upgrade or modification to ensure the GPV operational compliance in accordance with evolving global regulatory requirements. Each of these activities has a direct impact on the existing business processes. Hence, it is also a suggested approach to combine the cloud migration activity with your planned upgrade/modifications. This can be merged with both “Phased” and “Lift & Shift” approach. There is also a possibility that combining the application upgrade & cloud migration can result in better overall operational & cost benefits. Sometimes companies prefer to perform an upgrade of their safety database as they move to cloud. Performing an upgrade on existing platform & then migrating to cloud may result in added validation effort/cost as one will need to re-certify the expected operations on cloud. Hence, it is suggested to migrate first and then upgrade/modify.

Validation & Deployment on Cloud

Any Pharmacovigilance system at a broad level comprises of 2 tiers – Application level & the underlying Infrastructure on which application runs. Validating a Pharmacovigilance system is a critical step in ensuring the safety and efficacy of pharmaceutical products. Usually, cloud platform/infrastructure validation is done first & is followed by application’s recertification for operating as per the requirements. It helps organizations meet regulatory obligations, maintain data integrity, and contribute to the overall improvement of drug safety practices.

Usually, companies rely on the standard internal tests conducted by various CSP for platform validation. The functionality requirements of the platform should be tied to the contractual agreements with CSP, if the company is relying heavily on the Out-of-Box functionality of the platform. Companies may also choose to audit the platform development procedure of the CSP to be sure of the services expected to be received in future from a CSP.

Validation of a Pharmacovigilance application involves ensuring that the system is designed, implemented, and maintained in a way that meets regulatory requirements, industry best practices, and organizational needs. Specifically for Cloud migrations, Validation of handshakes between applications on different platforms needs to be planned at early stages of project itself. This is because sometimes, the findings from these may result in changes on the other applications which may not be in original scope of migration. Furthermore, Validation plan should specifically focus on meeting the regional & global data protection regulations if the data migration involves movement of data between continents. Any data migration pertaining to Global Safety Database should always account for notifying the Global Health authorities and certifying that the company’s data exchange gateway is able to exchange information back and forth with required Licensed Partners, Affiliates, CROs & Health Authority gateways. It may also be advantageous to leverage the outcome of Cloud platform to assist with application-level validation activities.

Performance testing (to test response time & scalability) should also be considered at the application level to ensure that the underlying cloud platform is able to provide the necessary resources for application to work as desired.
 
Please note that validation of Global Pharmacovigilance systems should specifically consider testing the application accessibility from different geographic regions, to proactively highlight any network related issues, if any.
For assistance with deployment of applications on cloud, utilize cloud-native services for authentication, authorization, storage, and data processing to gain maximum advantage. Consider Deploying the PV application to the cloud using Infrastructure-as- code (IaC) tools for repeatability and scalability. IaC capabilities will save effort if opting for a phased migration approach. Utilize pre-existing cloud capabilities for application back-up, restoration & disaster recovery to ensure business continuity. Furthermore, Cloud’s auto-scaling and load balancing can also be effectively used to handle variable loads.

Trainings & Post Go-Live monitoring

As they say, “Change is the only constant”, Cloud operations will only result in achieving the desired ROI as envisioned at time of finalizing the strategy to migrate if the operating teams are trained to effectively harness the cloud capabilities both at application & infrastructure level. End user operations will significantly change based on the cloud capabilities and the opted data migration approach. Effective Change management strategies should be devised in advance to ease-in transition for teams.

Technical maintenance teams are recommended to go for certified training of cloud platforms. Monitoring alerts needs to be set up both for security vulnerabilities & cloud resource utilizations to achieve maximum cost benefit with cloud operations. Native cloud capabilities can also be considered for this. It is strongly recommended to conduct periodic reviews of cloud resource utilization needs to ensure efficient cloud expenditure. If one continues to use the GPV applications with same static platform parameters like CPU, RAM, etc., then ROI realization may be difficult. Cloud computing cost is directly linked to the resource usage & it is strongly advisable to tweak these parameters based on the utilization trends of an application. In summary Cloud gives a lot of flexibility in ways of how we use the system.

Using these new flexible options will eventually lead to significant savings on a year-on- year basis along with increased reliability of the system.

With the guidance from this article, pharmaceutical organizations (Big/Small) can embark on a successful cloud migration journey for GPV-IT applications, realizing the full potential of cloud computing while maintaining compliance, data integrity, and operational efficiency.

--Issue 03--