I was reading this article in Slashdot over the weekend: “Big Surprise: Cloud Computing Still Surfing Big Hype Wave”. While referring to the hype cycle graph, it goes on to state: “In Gartner’s estimation, cloud computing has entered the Trough of Disillusionment stage of the Hype Cycle… Even as its hype fades, though, cloud computing can look further along the curve to the Slope of Enlightenment—when businesses discover the true utility of the technology, without the confusing hype and buzzwords—and then the Plateau of Productivity, where it can join predictive analytics as technologies people use without chattering incessantly about it on Twitter. Gartner believes that cloud computing and private cloud computing will reach their plateau of productivity in 2 to 5 years, while hybrid cloud computing will take closer to 5 to 10 years. At that point, the inflated expectations—and the screaming hype—should be a thing of the past.”
Cloud solutions are new to PLM – and there are a number of cloud PLM solutions in the market now. While the proponents have talked about improving the ROI of PLM by reducing the implementation and maintenance cost, I do not find much being discussed in detail about the possible risks. I am not a “cloud hater”, but I think manufacturers need to think deeply about the implications before moving their PLM system into the cloud. It is important to note that cloud computing can refer to several different service types, including Application/Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). The risks and benefits associated with each model will differ, and so will the key considerations in contracting for this type of service. I will cover 5 risks here with a focus on PLM and Application/Software as a Service (SaaS). From the NIST Definition of Cloud Computing, Software as a Service (SaaS) implies that “The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings”. So what are these risks?
1. Cloud Uptime
I think the biggest concern would be system uptime. How much would the business suffer if the system uptime deviated considerably from the agreed SLAs? If you are one of those who needed to blog “Life of our patients is at stake – I am desperately asking you to contact” during the Amazon EC2 outage in 2011, then you need to think about service interruption seriously. While outages of mission-critical applications are almost never excusable and undoubtedly harmful to business, I think the biggest lesson from the outages of EC2, Azure, etc. seems to be the lack of real-time response and qualified explanations. A privately hosted system would have unscheduled downtime too, but in that case the organization’s IT staff would have much more control over resolving it. What options would a cloud PLM vendor offer to offset any such business disruption? How much would it add up to in additional costs? It is of course to be expected that when moving from a system with guaranteed availability of 90% (with downtime of 36.5 days/year) to one with 99% availability (with downtime of 3.65 days/year) or with 99.9% availability (with downtime of 8.76 hours/year), costs would naturally increase. Would such costs be in line with the expected savings of going live with PLM in the cloud?
2. Enterprise Application Integration
A few months back I wrote about this topic in “Cloud Based PLM and Enterprise Application Integration”, where I said: “PLM being an upstream enterprise application (design usually preceding manufacturing/sales/procurement/service) needs to draw upon several collaborating systems…Typical application integration scenarios which are routinely met would include: CAx and Office Suite Integration, Legacy System Integration, and MRP/ERP Integration.” The current crop of cloud-based PLM systems seems to be lacking in addressing this aspect.
Apart from this, another crucial aspect to be evaluated is the ability to effectively manage complex, multi-CAD data. The system must be capable of integrating the BOM and enabling multidisciplinary 2D/3D visualization of such heterogeneous/multi-CAD data in a single product structure, making it easier for design teams to find, reuse, and synchronize accurate data with their MCAD/ECAD tools.
3. Vendor Lock-In / Data Porting
Customers switching PLM platforms due to shifting business needs is not uncommon. Such migrations need tools, procedures, standard data formats and service interfaces that promise data and service portability. In the case of cloud PLM, if there is a need to migrate from one provider to another, or to migrate data and services back to an in-house IT environment, then such options need to be validated. A few months ago Stephen Porter in his “Zero Wait-State” blog wrote about the harrowing experience one of his clients went through when migrating from a cloud-based PLM system, thereby highlighting the fact that cloud providers may have an incentive to prevent (directly or indirectly) the portability of their customers’ services and data. Hence it would be prudent to know certain things in advance and, if possible, in the form of a formal agreement:
→ How to get data back if you stop the subscription
→ Availability of API calls to read (and thereby ‘export’) that data
→ Any extra costs associated with exporting data (especially heavy CAD data)
→ Availability of data sanitization procedures (a.k.a. true wiping, secure erase, etc.) after the client is no longer a tenant
→ Whether there is a guaranteed minimum download speed for data
4. Legal/Regulatory Risks
Over the past couple of years PLM vendors have substantially enhanced their regulatory compliance capabilities (ITAR, RoHS, WEEE, ELV or FDA 21 CFR Part 820). I worked for a medical devices manufacturer and know that complying with some of the regulations is a tough task. Hence there are certain areas customers would need to pay attention to when appraising contract clauses for cloud PLM services (though on a case-by-case basis):
→ Where will the data be physically located? Would access control to technical data be based on user citizenship, physical location, etc., so as not to violate any ITAR or EAR restrictions? This is important from a jurisdiction perspective over data protection and ownership, and for law enforcement access.
→ Can the provider make available a full audit detailing technical data exports to satisfy regulatory compliance reporting requirements?
→ If the provider patches the system for software defects or upgrades it to a new release, can customers in some way validate it in line with FDA guidance on software validation and avoid 483s and/or Warning Letters?
5. Supplier Stability
Some time back IndustryWeek, in an article titled “Understanding Risk: Avoiding Supply Chain Disruption”, noted: “A supply chain disruption can cost a manufacturer up to $5 million, irreparably harm a brand and drive customers straight to the door of a competitor.” Cloud PLM is still an emerging market, and as with any emerging market, supplier consolidation and business casualties (like bankruptcies) can happen. Acquisition of the cloud provider could amplify the chances of a strategic shift and may put non-binding agreements in jeopardy, while supplier collapse, such as the company ceasing to exist, has the potential to nullify any signed contracts. So what happens to the vital IP in the cloud PLM system in such cases? Source code and data backup escrow might offer some solace, though it is not likely to be the silver bullet.
An old Chinese proverb says “One cannot refuse to eat just because there is a chance of being choked”. Likewise, the above are risks; with an appropriate risk management strategy in place, they surely can be contained.