Business Continuity and Disaster Recovery in FDA-Regulated Industries

Regulation requires that organizations maintain their data and systems even if a disaster strikes. For example, consider the following sections of 21 CFR Part 11:

• 11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
• 11.10(b) The ability to generate accurate and complete copies of records in both human-readable and electronic form suitable for inspection, review, and copying by the agency.
• 11.10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.

As you can see from the above, having a disaster recovery business continuity (DRBC) program in place, and tested, is a regulatory requirement. It is indispensable in recovering operations quickly during and after interruptions, and essential for building customer confidence and trust while safeguarding a company’s reputation. During an audit or inspection, the DRBC program can be assessed, with a keen eye on the lookout for a plausible range of scenarios.

Types of disasters

The World Confederation for Physical Therapy (WCPT) categorizes disasters into four areas:

1. Natural: includes immediate and secondary impacts (e.g., a fire, then a flood).
2. Environmental: technological or industrial accidents caused by humans, including forest fires.
3. Complex: authority breakdown (looting, attacks on strategic installations); includes conflicts and war.
4. Pandemic: sudden onset of contagious disease, disrupting services and businesses, brings economic and social costs.

Most companies have addressed natural, environmental, and complex disasters in their DRBC program, but, in our post-COVID world, have they addressed pandemics?  

Digitizing Validation for Operational Efficiency

According to Gartner, “Digitalization is the use of digital technologies to change a business model and provide new revenue and value-producing opportunities; it is the process of moving to a digital business." And digitalization requires that data be digitized; in other words, go paperless. In times of disaster, it’s critical that data be digitized (paperless) in order to achieve digitalization of the DRBC program. There are many reasons why:

1).  Paper-based systems become a problem during a disaster:

• Paper requires physical presence and is therefore high-risk, i.e., easily destroyed, misplaced, or misused. 
• Paper-based backups aren’t secure and could meet the same fate as the originals.
• An entire paper-based process could be disrupted due to disorder in one of the parts of the process.

2). In a pandemic scenario, exposure and contamination control is critical. Again, paper-based systems pose a problem because:

• Paper may be contaminated, requiring costly and laborious decontamination and sanitization.
• Paper requires physical presence at a location (e.g., controlled document repository) to access records.
• Paper-based systems require that documents be brought into clean areas or manufacturing facilities. Physical presence increases the risk of contamination and spread.

3). Digitization improves value by allowing remote capabilities to deliver continuity.

• For computer system validation (CSV), this can be performed and managed 100% remotely.
• Work can be delegated to available resources, worldwide, with follow-the-sun validation, 24/7/365 if required.
• Reviews and approvals can be available online, allowing authorized individuals the ability to work remotely (e.g., from home), efficiently and productively.
• Online real-time collaboration can be made available.
• For cleaning, equipment, and process validation, resources can be limited to the absolute minimum. Reduced traffic reduces potential contamination.

The bottom line: DRBC digitalization relieves organizations and individuals of the burden imposed by paper, while at the same time delivering capabilities above-and-beyond that of manual systems. This is because validation data will be digitized and, therefore, retrievable and accessible. Digitalization of the entire DRBC program keeps business processes contiguous through recovery, with global accessibility.

Adopting a Cloud-First Strategy 

By leveraging cloud computing and having a cloud-first strategy (i.e., organizations prioritize cloud computing as the objective), companies can prepare and protect themselves from virtually any plausible scenario. If there’s a catastrophe at a geographic location, a data center can failover to a dispersed location in milliseconds, unbeknownst to the end user. Fault tolerance can provide assurance during a system failure. Load balancing can distribute work evenly. The system can be highly available for up to five nines (99.999%) or more; in other words, downtime will only be 5.26 minutes per year.

However, it still takes qualified individuals to maintain and manage the infrastructure. Nobody is immune, but there is a difference with cloud computing.

Layers of Defense: The Cloud Computing Differentiator

We hear a lot about Personal Protective Equipment (PPE) which offers layers of defense. The same is true with cloud computing, which you can think of as Personnel Protective Systems (PPS).

Leveraging cloud computing can provide up to three-or-more layers of defense, such as:

• An organization’s personnel resources: with on-premises computing, you basically only have your personnel as the line of defense. In cloud computing, you have more than just your own resources.
• Resources from the software provider: with cloud-based SaaS computing, the software provider is actually providing services in addition to the software. These services augment your existing resources and provide another layer of defense.
• Resources from the hosting facility: cloud hosting providers constantly monitor and secure their cloud infrastructure with their own highly skilled resources. This is in addition to service provider resources and an organization’s own resources.

In the event of a disaster, you can exercise any or all of these options with cloud computing to keep your operations running with minimal downtime in a safe and secure manner, often unnoticeable by end users.

For example, let’s look at the highly secured ValGenesis cloud as a layer of defense and how it promotes a secure cloud infrastructure. Built in accordance with FDA 21 CFR Part 820 while strictly following the requirements of FDA 21 CFR Part 11, EudraLex Annex 11, and the principles of GAMP 5, the ValGenesis VLMS, hosted on the ValGenesis cloud, can instantly scale to meet all your needs, whether you're deploying a single project or a global implementation. Your data remains encrypted in transit and at rest, so it's always protected. If your team isn’t fully staffed, for whatever reason, you may rely upon ValGenesis and its team of professionals to continuously monitor your applications’ performance, user access, detect intrusions and maintain the integrity of your data while you prepare to revert to normal business operations.