GxP Compliance on AWS
The Good Laboratory Practices, Good Clinical Practices, and Good Manufacturing Practices (“GxP”) Compliance on AWS solution enables a secure and highly available infrastructure aligned with the requirements of life science organizations for validated and controlled workloads. Customers benefit from improved user experience, reduced cost, improved security, and the agility of a GxP-aligned AWS Cloud.
Benefits of GxP Compliance on AWS
When considering a large-scale migration to the cloud, many organizations begin with extensive planning and assessment that require a significant investment of time and resources. The GxP Compliance on AWS solution expedites cloud migration by focusing on the specific AWS services that establish the environment needed to maintain compliance, enabling customers to improve user experience, reduce cost, improve security, and enhance the agility of a GxP-compliance-aligned AWS Cloud environment.
Reduce the time to provision, configure, and test a GxP-compliance-aligned infrastructure on AWS and maintain a continuously validated state. Automate the creation of Installation and Operational Qualification (IQ/OQ) reports. A 30-40% reduction in qualification time for moving regulated workloads to the AWS Cloud is typical.
Inherit global security and compliance controls, with dedicated hosts/instances for patient data and tools to encrypt data at rest and in transit. Encrypt at scale to help meet data protection requirements under standards and frameworks such as PCI DSS, SOC, FedRAMP, NIST, ISO, HIPAA, and HITRUST.
Enable continuous monitoring and alerting with centralized audit and logging capabilities for applications running on GxP-compliant infrastructure. Use automated traceability with a real-time audit view and risk management.
Organizations deploying GxP Compliance on AWS
Specializing in the discovery and development of small molecules, Idorsia parlays aggressive R&D into business success by taking advantage of its broad portfolio of medicines, experienced team, and high-performing research center. AWS-automated deployment and testing capabilities help Idorsia ensure GxP compliance by executing regulated tasks
“The Idorsia infrastructure was built with two goals in mind: first—quality and GxP regulation compliance, and second—our future ability to expand in capacity and scale. AWS technologies help us work smarter, be more agile, and take advantage of innovation."
Joseph Bejjani, Chief Information Officer, Idorsia
Learn how AWS helped Moderna validate its GxP compliance much more easily than would have been possible in an on-premises data center. “It’s incredibly valuable to be able to work with AWS personnel who not only know the technology but also have strong regulatory experience and really understand our industry.” (Dave Johnson, director of informatics at Moderna Therapeutics)
The TraceLink Life Sciences Cloud helps life sciences companies and their partners fight drug counterfeiting and diversion. The solution safeguards product quality and ensures compliance with global track-and-trace regulations—including GxP—through complete drug traceability from ingredient to patient. TraceLink chose the AWS Cloud to support its TraceLink Life Sciences Cloud solution, using the AWS GxP Compliance program to help ensure compliance for its customers throughout the global life sciences supply network.
Waters Corporation builds, sells, and services specialty scientific-measurement instruments and software for laboratory-dependent organizations that operate in highly regulated industries. By deploying Empower Cloud on AWS, Waters is able to help its customers take advantage of the flexibility and cost-effectiveness of cloud computing—not only for scientific research but also to meet GxP requirements.
Bigfinite (now aizon) provides simple products for analyzing complex industrial processes in the biotech and pharmaceutical industries. Its solution addresses the entire supply chain, from research and development to dispensing drugs to patients, and enables more sophisticated control over manufacturing processes.
Core Informatics provides lab informatics solutions—including Laboratory Information Management Systems (LIMS)—to biopharma, genomics, and other life sciences organizations. Core Informatics wanted to build a standardized platform for deploying GxP-validated customer workloads and turned to AWS to meet customer demands at scale.
As Bristol Myers Squibb (BMS) was assessing its options for SAP S/4HANA transformation, it needed a way to streamline compliance with GxP and other regulatory requirements. This video looks at how BMS uses AWS CloudFormation to create a consistent, scalable, and repeatable compliance process so it can focus on its broader SAP transformation.
Featured use cases
IQ automation on AWS
Even though the underlying building blocks of a GxP-compliant infrastructure may already be qualified, application development teams still need to validate their applications. That includes performing an Installation Qualification (IQ) as part of their normal Computer Systems Validation (CSV) activities, to demonstrate that the application-specific combination of infrastructure building blocks was deployed and is functioning as expected. The IQ Automation on AWS use case automates this validation step.
What does this solution do?
Continuous Integration/Continuous Delivery (CI/CD) and automated testing tools have been available for some time; what is now possible is fully automated deployment of the infrastructure followed by automated execution of the Installation Qualification (IQ) step. The reference design described below automates the testing that demonstrates that the software and infrastructure were installed and configured correctly.
Assuming the IQ step completes successfully, the automation can continue to the automation of Operational Qualification (OQ) and Performance Qualification (PQ).
Detailed process flow:
- Trigger the IQOQ Report Tool: the tool can be triggered in several ways depending on the application's requirements or the customer's preference. The caller passes the details of the AWS account to be qualified: the Account ID, the environment (dev/test/prod), and the Region name. Optionally, the caller also passes an Application ID, a unique identifier for a set of AWS resources that is carried in AWS tags. These parameters are passed either through Amazon API Gateway or by uploading an Excel file to an Amazon Simple Storage Service (Amazon S3) bucket.
The IQOQ Report Tool then generates a report scoped to the Account ID, Environment, Region, and Application ID tag that were passed when it was triggered.
- The IQOQ Report Tool passes the Account ID, Environment, Region, and Application ID to a Resource Collector AWS Lambda function, which retrieves the AWS metadata for the matching resources. The Lambda function's execution role must be allowed to assume a cross-account IAM role in the target account and Region; without that role it cannot read the configuration of the resources to be qualified.
If the identified resources were provisioned through an AWS CloudFormation stack, the Resource Collector Lambda function also captures stack "drift": any difference between the current configuration of the stack's resources and the configuration specified in the template that was used to create or last update the stack.
- The Resource Collector Lambda function stores the resource metadata and the CloudFormation drift results in an S3 bucket as raw JSON.
- Writing the JSON output to the S3 bucket triggers a Report Generator Lambda function. This function reads the "Actual" values of the resource metadata captured by the Resource Collector Lambda function and the "Expected" values from an Amazon DynamoDB IQOQ table maintained by the compliance team. For resources provisioned through a CloudFormation stack, the drift captured by the Resource Collector can also serve as the source of "Expected" and "Actual" values: the "Actual" values are the current stack configuration and the "Expected" values are the configuration the template specified when the resources were provisioned.
- The Report Generator Lambda function then creates an IQOQ PDF report and stores it in an S3 bucket. The report contains the following:
* Application information for which the IQOQ report was generated
* Build specifications (IQ) of the AWS resources
* Post-build specifications (OQ) of the AWS resources
* An IQOQ table with a Pass/Fail result for each IQ and OQ item: Pass where the Expected value matches the Actual value, Fail where it does not
* A summary table with the number of Pass and Fail results for IQ and for OQ
- Successful generation of the IQOQ report triggers an Amazon SNS notification that emails the compliance team the location of the report and instructions on how to download it.
- The IQOQ report can also be catalogued by AWS Glue and queried with Amazon Athena to populate a near-real-time Amazon QuickSight dashboard summarizing the installation and operational qualification status of the resources.
- If the IQOQ Report Tool encounters an error, an Amazon SNS notification is sent to the Cloud Operations team with the error details and possible debugging steps.
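The comparison step at the heart of the Report Generator, written out as an added example. This is not code from the page or from AWS: the resource ARNs, the Application ID, the layout of the "Actual" metadata JSON and of the DynamoDB "Expected" rows are all assumptions made for the example, and the drift input is a constructed document in the field shape of the CloudFormation DescribeStackResourceDrifts response. It shows the two sources of Expected/Actual pairs described above (compliance-team spec and stack drift) being folded into one IQ/OQ table, and the edge case a practitioner cares about: an attribute the spec expects but the collector never captured is a Fail, not a silent skip.

```python
"""Report Generator logic: compare collected resource metadata ("Actual") and
CloudFormation drift against the compliance team's "Expected" values and produce
the IQ/OQ Pass/Fail table and summary. Standard library only; no AWS calls."""
import json

# --- Constructed sample inputs (placeholder account, ARNs and values) ------------
S3_ARN = "arn:aws:s3:::gxp-app-artifacts"
RDS_ARN = "arn:aws:rds:us-east-1:111122223333:db:gxp-app-db"

# Raw JSON the Resource Collector Lambda function would write to S3: one dict per
# resource, keyed by Application ID tag value and resource identifier.
ACTUAL_METADATA = {
    "app-1234": {
        S3_ARN: {"ServerSideEncryption": "aws:kms", "Versioning": "Enabled",
                 "PublicAccessBlock": True},
        RDS_ARN: {"StorageEncrypted": True, "MultiAZ": True,
                  "BackupRetentionPeriod": 7, "DeletionProtection": False},
    }
}

# Rows as the compliance team would keep them in the IQOQ DynamoDB table. "Phase"
# separates build specifications (IQ) from post-build checks (OQ).
EXPECTED_SPEC = [
    {"ApplicationId": "app-1234", "ResourceId": S3_ARN, "Attribute": "ServerSideEncryption", "Expected": "aws:kms", "Phase": "IQ"},
    {"ApplicationId": "app-1234", "ResourceId": S3_ARN, "Attribute": "Versioning", "Expected": "Enabled", "Phase": "IQ"},
    {"ApplicationId": "app-1234", "ResourceId": S3_ARN, "Attribute": "PublicAccessBlock", "Expected": True, "Phase": "OQ"},
    {"ApplicationId": "app-1234", "ResourceId": RDS_ARN, "Attribute": "StorageEncrypted", "Expected": True, "Phase": "IQ"},
    {"ApplicationId": "app-1234", "ResourceId": RDS_ARN, "Attribute": "DeletionProtection", "Expected": True, "Phase": "OQ"},
    # Expected by the spec but never collected: must surface as a failure, not be skipped.
    {"ApplicationId": "app-1234", "ResourceId": RDS_ARN, "Attribute": "PerformanceInsightsEnabled", "Expected": True, "Phase": "OQ"},
]

# Drift results in the field shape of the cloudformation:DescribeStackResourceDrifts
# response (field names follow the API; the values are made up).
DRIFT_RESULT = {"StackResourceDrifts": [
    {"LogicalResourceId": "ArtifactBucket", "ResourceType": "AWS::S3::Bucket",
     "StackResourceDriftStatus": "IN_SYNC", "PropertyDifferences": []},
    {"LogicalResourceId": "AppDatabase", "ResourceType": "AWS::RDS::DBInstance",
     "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [{"PropertyPath": "/DeletionProtection", "ExpectedValue": "true",
                              "ActualValue": "false", "DifferenceType": "NOT_EQUAL"}]},
    {"LogicalResourceId": "AuditLogGroup", "ResourceType": "AWS::Logs::LogGroup",
     "StackResourceDriftStatus": "DELETED", "PropertyDifferences": []},
]}


def row(phase, resource, attribute, expected, actual):
    """One line of the IQOQ table; Pass only when Expected equals Actual."""
    return {"Phase": phase, "ResourceId": resource, "Attribute": attribute,
            "Expected": expected, "Actual": actual,
            "Result": "Pass" if expected == actual else "Fail"}


def evaluate_spec(actual, spec):
    """Compare every Expected row with the collected metadata. An attribute that was
    not collected is recorded as NOT_COLLECTED and therefore fails: absence of
    evidence cannot support a qualification claim."""
    results = []
    for item in spec:
        resource = actual.get(item["ApplicationId"], {}).get(item["ResourceId"], {})
        observed = resource.get(item["Attribute"], "NOT_COLLECTED")
        results.append(row(item["Phase"], item["ResourceId"], item["Attribute"],
                           item["Expected"], observed))
    return results


def evaluate_drift(drift):
    """Treat the CloudFormation template as the Expected state (IQ). IN_SYNC passes;
    each property difference of a MODIFIED resource is its own failing line; DELETED
    or NOT_CHECKED resources fail because their deployed state is unverified."""
    results = []
    for res in drift["StackResourceDrifts"]:
        status = res["StackResourceDriftStatus"]
        if status == "MODIFIED" and res["PropertyDifferences"]:
            for diff in res["PropertyDifferences"]:
                results.append(row("IQ", res["LogicalResourceId"], diff["PropertyPath"],
                                   diff["ExpectedValue"], diff["ActualValue"]))
        else:
            results.append(row("IQ", res["LogicalResourceId"], "StackDrift", "IN_SYNC", status))
    return results


def summarize(results):
    """Count Pass/Fail per phase for the summary table."""
    summary = {"IQ": {"Pass": 0, "Fail": 0}, "OQ": {"Pass": 0, "Fail": 0}}
    for r in results:
        summary[r["Phase"]][r["Result"]] += 1
    return summary


def build_report(account_id, environment, region, application_id, actual, spec, drift):
    """Assemble the content the PDF report would render."""
    table = evaluate_spec(actual, spec) + evaluate_drift(drift)
    return {
        "Application": {"AccountId": account_id, "Environment": environment,
                        "Region": region, "ApplicationId": application_id},
        "IQ": [r for r in table if r["Phase"] == "IQ"],
        "OQ": [r for r in table if r["Phase"] == "OQ"],
        "IQOQTable": table,
        "Summary": summarize(table),
        "OverallResult": "Fail" if any(r["Result"] == "Fail" for r in table) else "Pass",
    }


if __name__ == "__main__":
    report = build_report("111122223333", "prod", "us-east-1", "app-1234",
                          ACTUAL_METADATA, EXPECTED_SPEC, DRIFT_RESULT)
    print(json.dumps(report["Summary"], indent=2), report["OverallResult"])
```

With the constructed inputs the summary is IQ 4 Pass / 2 Fail and OQ 1 Pass / 2 Fail, so the overall result is Fail: the deletion-protection drift and the uncollected attribute both block the qualification, which is the behaviour you want from an automated IQ rather than a report that quietly passes on partial evidence.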
Related content
TECHNICAL BLOG
Automating the Installation Qualification (IQ) Step to Expedite GxP Compliance
GxP compliance has been a part of the life sciences industry for many years and heavily influences how HCLS customers need to deliver computer systems as part of their quality management system. One key point is the need to qualify and validate computer systems. The process to create and execute a validation plan has traditionally been manual and labor-intensive. In this post, we propose an approach that can automate one of the first components of a validation plan – the Installation Qualification (IQ).
TECHNICAL WHITEPAPER
GxP Systems on AWS Technical Whitepaper
This whitepaper provides information on how AWS approaches GxP-related compliance and security and provides customers guidance on using AWS Products in the context of GxP. The content has been developed based on experience with and feedback from AWS pharmaceutical and medical device customers, as well as software partners, who are currently using AWS Products in their validated GxP systems.
Achieving continuous GxP compliance using automated enforcement framework
This use case covers a reference architecture for achieving GxP compliance and automated paths to enforcing compliance.
What does this solution do?
The architecture described below can be used to build a system that automates the continuous validation of your GxP controls.
Detailed process flow:
Account Provisioning
- A1 – The infrastructure team provisions a new AWS functional account and attaches it to an AWS Organizations organizational unit (OU). AWS CodePipeline then deploys the set of enforcement policies to the new functional account, so that the allow-listed services and their enforcements are bootstrapped before the account is released to end users. Each enforcement policy is deployed as a CloudWatch Events rule paired with a Lambda function.
- AL1 – DevOps teams develop, test, and deploy the Application Programming Interfaces (APIs) that the individual Cloud Custodian enforcements in the functional accounts invoke.
- AL2 – DevOps teams develop, test, and deploy the enforcement policies to the functional accounts.
Service Enablement
- S1 – The infrastructure team and/or account owners enable allow-listed services on a particular functional account through the self-service control-plane user interface (UI).
- S2 – An Application Load Balancer exposes an endpoint backed by the Service Enabler API Lambda function.
- S3 – The Service Enabler API Lambda function enables or disables an AWS service on a functional account. It also enables or disables the service-specific enforcements in the target functional account and records the enforcement metadata in a DynamoDB datastore.
Enforcements Definition
- R1 – Enforcement definitions stored in the DynamoDB datastore are retrieved and displayed on the control-plane UI, built with AWS Amplify. The dashboard provides a hierarchical view of the account-to-service and service-to-enforcement-control mappings.
State of Compliance
- E1 – The CloudWatch Events rule for each enforcement policy monitors the relevant service on a periodic or event-based trigger. When an enforcement policy is violated, the enforcement Lambda function takes proactive (remediation) or reactive (alerting) action to return the service to a compliant state.
- E2 – Enforcement event logs from all functional accounts are shipped to a centralized log bucket.
- E3 – The enforcement event logs are transformed into meaningful insights using AWS Glue, Amazon Athena, and Amazon QuickSight.
- E4 – Infrastructure teams monitor the state of compliance in near real time from the Enforcement Compliance dashboard.
- EA1/EA2 – Policy violation notifications are sent to account owners with details of the corrective and preventive actions taken.
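The E1 step, enforcement policy as CloudWatch Events rule plus Lambda function, as an added example that is not code from the page, from AWS, or from Cloud Custodian. The account IDs, the per-account enabled-service records, the three enforcement checks and their alert/remediate classification are assumptions for the example; the sample events are constructed EventBridge envelopes with simplified CloudTrail request parameters (real records differ per API and must be checked against actual logs). It shows the two decisions the enforcement function makes for every event: is this service even enabled for the account (the service-enablement record from step S3), and if so does this API call violate the enforcement defined for it; the output is the enforcement log record that step E2 ships to the central bucket.

```python
"""Enforcement Lambda logic for step E1: a CloudWatch Events rule delivers a
CloudTrail API event; the handler checks that the service is enabled for the
account, runs the enforcement check defined for that API call, and returns the
enforcement log record that step E2 would ship to the central bucket."""

# Service enablement as the Service Enabler API would record it in DynamoDB
# (constructed; account IDs are placeholders).
ENABLED_SERVICES = {
    "111122223333": {"s3", "lambda", "logs", "rds"},
    "444455556666": {"s3"},
}

# Event pattern for the CloudWatch Events rule that routes management events for the
# enforced services to this function (standard event-pattern syntax).
EVENT_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["s3.amazonaws.com", "rds.amazonaws.com"]},
}


def pattern_matches(event, pattern):
    """Minimal event-pattern matcher: each pattern key must exist in the event; nested
    dicts recurse, and a list means "the event's scalar value is one of these"."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not pattern_matches(event[key], want):
                return False
        elif event[key] not in want:
            return False
    return True


# --- Enforcement checks: return None when compliant, else a violation message ------
def check_bucket_encryption(params):
    rules = params.get("ServerSideEncryptionConfiguration", {}).get("Rule", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm", "unset")
                  for r in rules}
    if algorithms == {"aws:kms"}:
        return None
    return f"default encryption is {sorted(algorithms) or 'unset'}; SSE-KMS is required"


def check_public_access_block(params):
    cfg = params.get("PublicAccessBlockConfiguration", {})
    flags = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    missing = [f for f in flags if cfg.get(f) is not True]
    return None if not missing else f"public access block incomplete: {missing}"


def check_rds_encryption(params):
    return None if params.get("storageEncrypted") is True else "DB instance created without storage encryption"


# (service, eventName) -> (check, action). "remediate": the function corrects the
# configuration; "alert": notify only (storage encryption cannot be added to a live instance).
ENFORCEMENTS = {
    ("s3", "PutBucketEncryption"): (check_bucket_encryption, "remediate"),
    ("s3", "PutBucketPublicAccessBlock"): (check_public_access_block, "remediate"),
    ("rds", "CreateDBInstance"): (check_rds_encryption, "alert"),
}


def enforce(event):
    """Evaluate one event; returns the enforcement log record, or None if the rule
    would not have matched the event at all."""
    if not pattern_matches(event, EVENT_PATTERN):
        return None
    d = event["detail"]
    service = d["eventSource"].split(".")[0]
    account = d["recipientAccountId"]
    record = {"account": account, "service": service, "eventName": d["eventName"],
              "principal": d.get("userIdentity", {}).get("arn"),
              "result": "COMPLIANT", "action": "none", "finding": ""}
    if service not in ENABLED_SERVICES.get(account, set()):
        # Detective backstop: use of a service that was never enabled for this account.
        record.update(result="NON_COMPLIANT", action="alert",
                      finding="service not enabled for this account")
        return record
    enforcement = ENFORCEMENTS.get((service, d["eventName"]))
    if enforcement is None:
        return record  # enabled service, no enforcement defined for this API call
    check, action = enforcement
    violation = check(d.get("requestParameters", {}))
    if violation:
        record.update(result="NON_COMPLIANT", action=action, finding=violation)
    return record


def ev(source, name, account, principal, params):
    """Constructed EventBridge envelope carrying a (simplified) CloudTrail record."""
    return {"detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": source, "eventName": name, "recipientAccountId": account,
                       "userIdentity": {"arn": principal}, "requestParameters": params}}


SAMPLE_EVENTS = [
    ev("s3.amazonaws.com", "PutBucketEncryption", "111122223333", "arn:aws:iam::111122223333:user/dev1",
       {"bucketName": "gxp-data", "ServerSideEncryptionConfiguration": {
           "Rule": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}),
    ev("rds.amazonaws.com", "CreateDBInstance", "444455556666", "arn:aws:iam::444455556666:user/dev2",
       {"dBInstanceIdentifier": "shadow-db", "storageEncrypted": True}),
    ev("s3.amazonaws.com", "PutBucketPublicAccessBlock", "111122223333", "arn:aws:iam::111122223333:role/ci",
       {"bucketName": "gxp-data", "PublicAccessBlockConfiguration": {
           "BlockPublicAcls": True, "IgnorePublicAcls": True,
           "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}),
    ev("rds.amazonaws.com", "CreateDBInstance", "111122223333", "arn:aws:iam::111122223333:user/dev1",
       {"dBInstanceIdentifier": "gxp-db", "storageEncrypted": False}),
    {"detail-type": "Scheduled Event", "detail": {}},  # not an API call; the rule ignores it
]

if __name__ == "__main__":
    for rec in [enforce(e) for e in SAMPLE_EVENTS]:
        print(rec)
```

Note the second sample event: the RDS instance is encrypted, so it would pass the RDS check, but RDS is not an enabled service for that account, so the record is still non-compliant. Keeping the allow-list decision ahead of the per-service checks is what makes the enforcement framework a control over which services are in use, not only over how they are configured.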
Related content
TECHNICAL WHITEPAPER
GxP Systems on AWS Technical Whitepaper
TECHNICAL BLOG
Automating GxP compliance in the cloud: Best practices and architecture guidelines
In this blog post, we demonstrate how life sciences customers can automate GxP compliance processes using the AWS cloud. We’ll provide some of the best practices and architecture guidelines for developers, system administrators, and security specialists who want to automate their GxP compliance processes. However, the customer is ultimately responsible for system qualification and validation, including Installation Qualification (IQ), Operational Qualification (OQ) and Performance Qualification (PQ). Customers may use these best practices, design guidelines and automated testing to automate qualification and validation processes.
Maintaining regulatory compliance on AWS
This use case covers a common architectural pattern that shows how life sciences customers can automate GxP compliance processes on AWS end to end.
What does this solution do?
The architecture described below can be used to build a system that automates the validation of your GxP controls. Its centerpieces are AWS Service Catalog and AWS Landing Zone. AWS Service Catalog provides a single location where life sciences enterprises centrally manage their catalogs of IT services: security administrators control which AWS services and versions are available, limit the configuration of the available services, and delegate permissions by developer or by role. AWS Landing Zone is a solution that helps customers set up a secure multi-account AWS environment based on AWS best practices more quickly. It provides a baseline environment with a multi-account architecture, identity and access management, governance, data security, network design, and centralized logging, all of which are integral parts of GxP solutions.
Detailed process flow:
- AWS Landing Zone lets the security administrator automate the set-up of an environment for running secure and scalable workloads. The security administrator defines an AWS Service Catalog product (for example, a GxP application) using AWS CloudFormation templates.
- The security administrator publishes the template for developers in AWS Service Catalog. Developers use this framework as the baseline and enhance the template according to the application's requirements.
- Developers modify the application on top of the framework under Git source control, using AWS CodeCommit as the fully managed private code repository.
- A developer deploys the modified code from CodeCommit to the GxP infrastructure by using AWS Service Catalog to launch the product as an AWS CloudFormation stack.
- The stack automatically provisions the necessary AWS resources based on what the developer committed to the code repository.
- Because AWS Service Catalog is at the center of this architecture, developers can release their source code without needing access to the underlying resources or going through the security administrators.
- The testing/installation qualification process is automated with AWS Lambda or a Python program, which writes a test summary/qualification report to an Amazon S3 bucket.
- All CloudTrail logs, VPC Flow Logs, and AWS Config change records are aggregated into a centralized S3 bucket in a separate AWS account.
- The security administrator configures, monitors, and sets up automated alerts on changes to, and the health of, the stack via Amazon CloudWatch.
- When the stack changes, the change events are recorded and tracked by AWS Config, and out-of-compliance events are displayed in a dashboard.
- CloudWatch alarms based on rules that you design indicate that something may be out of compliance.
- CloudTrail records the API calls made against the AWS environment.
- The administrator is notified by CloudWatch Events when something changes that could cause the system to become non-compliant.
- For audit purposes, log data is queried with Amazon Athena and exported in a human-readable format such as CSV.
- CloudTrail logs are visualized with Amazon QuickSight.
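What the "changes that could cause the system to become non-compliant" check looks like when run against the aggregated CloudTrail logs, as an added example that is not code from the page or from AWS. In this architecture the only approved way to change the qualified stack is a Service Catalog launch, so any mutating CloudFormation call on that stack by another principal is a change-control finding. The qualified stack name, the launch-role ARN, the account ID, and the set of events treated as mutating are assumptions made for the example, and the log file is constructed in the `{"Records": [...]}` layout CloudTrail delivers to S3 with only the fields the check needs. Denied attempts are kept in the findings: for an audit trail, a refused DeleteStack is as relevant as a successful one.

```python
"""Change-control detection over CloudTrail logs: flag mutating CloudFormation calls
against the qualified stack that did not come through the approved release path
(the Service Catalog launch role), and export the findings as CSV."""
import csv
import io
import json

# Assumptions for this example (not from the page): the qualified stack name and the
# IAM role that Service Catalog uses to launch and update it.
QUALIFIED_STACK_NAME = "gxp-app-prod"
APPROVED_ROLE_ARNS = {"arn:aws:iam::111122223333:role/SC-GxP-LaunchRole"}
MUTATING_EVENTS = {"CreateStack", "UpdateStack", "DeleteStack", "CreateChangeSet",
                   "ExecuteChangeSet", "SetStackPolicy", "UpdateTerminationProtection"}
STACK_ARN = "arn:aws:cloudformation:us-east-1:111122223333:stack/gxp-app-prod/1a2b3c"


def ct(event_name, identity, stack, when, error=None):
    """Build one constructed CloudTrail record (real records carry many more fields)."""
    rec = {"eventVersion": "1.08", "eventTime": when, "awsRegion": "us-east-1",
           "eventSource": "cloudformation.amazonaws.com", "eventName": event_name,
           "recipientAccountId": "111122223333", "userIdentity": identity,
           "requestParameters": {"stackName": stack}}
    if error:
        rec["errorCode"] = error
    return rec


SC_ROLE = {"type": "AssumedRole",
           "arn": "arn:aws:sts::111122223333:assumed-role/SC-GxP-LaunchRole/servicecatalog",
           "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/SC-GxP-LaunchRole"}}}
DEV_USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/jdoe", "userName": "jdoe"}
CONTRACTOR = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor", "userName": "contractor"}

# A CloudTrail log file as delivered to the central S3 bucket ({"Records": [...]}).
CLOUDTRAIL_FILE = json.dumps({"Records": [
    ct("UpdateStack", SC_ROLE, STACK_ARN, "2024-03-01T10:00:00Z"),        # approved path
    ct("ExecuteChangeSet", DEV_USER, STACK_ARN, "2024-03-01T11:15:00Z"),  # out-of-band change
    ct("DescribeStacks", DEV_USER, STACK_ARN, "2024-03-01T11:16:00Z"),    # read-only, ignored
    ct("DeleteStack", CONTRACTOR, QUALIFIED_STACK_NAME, "2024-03-01T12:00:00Z", "AccessDenied"),
    ct("UpdateStack", DEV_USER, "dev-sandbox", "2024-03-01T12:30:00Z"),   # other stack, ignored
]})


def issuer_arn(identity):
    """For assumed roles report the role (session issuer), otherwise the caller's ARN."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "")


def is_qualified_stack(stack_name):
    """requestParameters.stackName may be a plain name or a stack ARN (.../stack/<name>/<id>)."""
    if stack_name.startswith("arn:"):
        parts = stack_name.split("/")
        return len(parts) >= 2 and parts[1] == QUALIFIED_STACK_NAME
    return stack_name == QUALIFIED_STACK_NAME


def find_out_of_band_changes(cloudtrail_json):
    """One finding per mutating call on the qualified stack that was not made by an
    approved role, including denied attempts (an attempt is itself audit-relevant)."""
    findings = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if rec.get("eventSource") != "cloudformation.amazonaws.com":
            continue
        if rec.get("eventName") not in MUTATING_EVENTS:
            continue
        stack = rec.get("requestParameters", {}).get("stackName", "")
        if not is_qualified_stack(stack):
            continue
        principal = issuer_arn(rec.get("userIdentity", {}))
        if principal in APPROVED_ROLE_ARNS and "errorCode" not in rec:
            continue
        findings.append({"eventTime": rec["eventTime"], "eventName": rec["eventName"],
                         "principal": principal, "stackName": stack,
                         "outcome": rec.get("errorCode", "Succeeded")})
    return findings


def to_csv(findings):
    """Human-readable export for the audit file."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["eventTime", "eventName", "principal", "stackName", "outcome"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(find_out_of_band_changes(CLOUDTRAIL_FILE)))
```

Two details matter in practice: the principal is taken from `sessionContext.sessionIssuer`, so an approved role is recognised whatever session name it was assumed with, and a denied call by the approved role itself is still reported, since a permission failure on the release path is something the administrator should hear about. The same logic runs unchanged as a Lambda function over each log file that lands in the central bucket, or as an Athena query over the same fields.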
Related content
TECHNICAL WHITEPAPER
GxP Systems on AWS Technical Whitepaper
TECHNICAL BLOG
Automating GxP compliance in the cloud: Best practices and architecture guidelines
Resources
See related technical guides, webinars, white papers and much more.
This webinar provides information on how AWS approaches GxP-related compliance and security and provides customers guidance on using AWS Services in the context of GxP. The GxP on AWS solution helps customers start their cloud journey by enabling them to onboard several AWS services which establish the environment needed to maintain compliance.
This blog describes the first step of a process for qualifying AWS services for use as part of GxP workloads, sometimes referred to in the industry as “whitelisting” services. AWS customers with GxP compliance requirements might want to control access to the AWS services their developers use.
This executive summary outlines AWS cloud security and security management best practices, explains how to leverage the AWS Quality Management System for your GxP-regulated products, and details how to track and measure your resources and infrastructure with AWS monitoring.
This blog provides a high-level overview of the GxP on AWS whitepaper, outlining how AWS approaches GxP-related compliance and security essential information and providing guidance on building GxP-regulated systems using AWS services.
These web pages provide an overview of GxP compliance along with other AWS compliance and security policies.
Partner solutions
Discover the latest partner solutions for healthcare through the AWS Partner Network and AWS Marketplace. See more solutions in the Partner Network or in AWS Marketplace.
ClearDATA Compliance and Security Dashboard simplifies adherence to administrative, physical, and technical safeguards. The dashboard is mapped directly to HIPAA, FDA, and GDPR guidelines. Additionally, ClearDATA helps organizations that must adhere to and prove their healthcare compliance and GxP processes, with automation and reporting from ClearDATA Comply that supports both compliance concerns and evidence for a quality system. ClearDATA Comply Automated Safeguards monitor for non-compliance against ClearDATA's documented Compliance Reference Architectures and remediate documented non-compliance events, bringing a configuration back into a documented compliant state.
8KMiles, now SecureKloud, is a cloud native company with a combination of products, frameworks and services, designed to solve problems around Blockchain, Cloud, Enterprise Security, Decision Engineering and Managed Services.
Metaphactory with Amazon Neptune for Pharma & Life Sciences
metaphacts is a Germany-based company offering products, solutions and services for describing, interchanging and querying graph data, as well as a user-oriented open platform for visualizing and interacting with knowledge graphs. The metaphacts team offers an unmatched experience and know-how around enterprise knowledge graphs for our clients in areas such as business, finance, life science, and cultural heritage.
HealthVerity Census - De-identification and Identity Matching Software
HealthVerity Census is the most accurate means of establishing a unique but persistent identity by replacing Personally Identifiable Information with a HealthVerity ID (HVID). HVIDs are assigned in the cloud so that disparate datasets become immediately linkable and interoperable at scale.
JupiterOne Cyber Asset Management Platform
JupiterOne provides cloud native cyber asset collection, monitoring, security and governance. Automate the continuous collection of cyber asset infrastructure and security configuration data to provide an always up to date, easy to query, system of record for your cyber asset universe.
PerkinElmer Signals Notebook
PerkinElmer Signals Notebook is a multi-disciplinary electronic notebook for efficiently capturing & sharing experimental data as a central communication hub across decentralized organizations.