Real-World Evidence on AWS: Post-Market Surveillance

Introduction: The RWE Imperative

The randomised controlled trial remains the gold standard for efficacy evidence — but it has fundamental limitations. RCTs enrol highly selected patient populations, run for years, and are poorly suited to detecting rare long-term adverse events. Real-World Evidence bridges this gap by mining the vast health data generated in routine clinical practice.

In Europe, the regulatory pressure to develop RWE capabilities is now structural: EU MDR Article 83-86 mandates proactive PMS systems as part of a manufacturer's quality management system; Class III medical devices require annual Periodic Safety Update Reports (PSURs); and the EMA has published updated guidance on RWE methodology for regulatory decision-making. For pharmaceutical companies, GVP Module VIII on PSURs and Module VI on safety reporting create parallel obligations under pharmacovigilance law.

The datasets required for robust RWE programmes — millions of patient records, longitudinal claims data, device performance metrics — exceed the capacity of traditional on-premises environments. AWS provides the scalability, FHIR compliance, and privacy-engineering tools that these programmes demand.

Key Concepts: RWE, FHIR, and Post-Market Surveillance

Real-World Data (RWD)

Health data collected in routine care settings rather than in controlled research environments. Sources include electronic health records (EHR), health insurance claims, patient registries, wearable devices, and pharmacy dispensing records. RWD is the raw material for RWE analysis.

Real-World Evidence (RWE)

Clinical evidence derived from analysis of RWD. RWE can support regulatory decisions on effectiveness and safety, health technology assessment (HTA) submissions, and post-market label modifications. The EMA and FDA have both published frameworks defining acceptable uses of RWE in regulatory submissions.

Post-Market Surveillance (PMS)

Systematic monitoring of a medical device or medicine after market authorisation to detect safety signals, monitor performance, and update benefit-risk assessments. For medical devices, EU MDR Articles 83-86 and Annex XIV define PMS obligations. For medicines, EMA GVP guidelines define pharmacovigilance requirements.

FHIR (Fast Healthcare Interoperability Resources)

HL7 standard for the exchange and integration of healthcare data. FHIR R4 is the current global standard, defining resources such as Patient, Observation, Condition, MedicationStatement, and Procedure. Amazon HealthLake natively stores and serves FHIR R4 resources, enabling standardised data exchange across healthcare organisations.

PMCF (Post-Market Clinical Follow-up)

Structured clinical monitoring activity following market authorisation for medical devices, required by EU MDR Annex XIV Part B. PMCF activities include systematic literature review, registry data analysis, and dedicated PMCF studies. Results must be documented in PMCF plans and PMCF evaluation reports.

AWS Clean Rooms

AWS service enabling privacy-preserving collaborative analysis. Multiple parties can run joint analyses on their combined datasets without exposing raw data to each other. Results are returned only as aggregates, with configurable minimum group sizes and differential privacy options. Purpose-built for multi-party healthcare research.

Amazon HealthLake

AWS service for storing, transforming, and querying FHIR R4 health data at scale. Provides a fully managed FHIR API, integrated NLP analysis for medical text, and analytics capabilities via Athena and QuickSight. Enables interoperable health data pipelines without managing FHIR server infrastructure.

Regulatory Framework: EU MDR, IVDR, and Pharmacovigilance

Understanding the regulatory obligations that drive RWE requirements is essential for designing appropriate AWS architectures.

EU MDR Post-Market Surveillance

EU MDR (Regulation 2017/745) fundamentally changed PMS requirements for medical device manufacturers. Article 83 requires a proactive PMS system integrated into the QMS. Article 85 mandates annual PSURs for Class IIa/b and III devices. Annex XIV Part B defines PMCF requirements — systematic collection of clinical data in the post-market phase. These requirements cannot be met with manual, spreadsheet-based approaches at scale.

EMA GVP Guidelines

For medicines, the EMA's Good Pharmacovigilance Practice (GVP) guidelines define the pharmacovigilance system requirements. GVP Module VI (Management and Reporting of Adverse Reactions) and Module VIII (PSUR) are most relevant for RWE-based monitoring. The EMA's 2023 revision of PSUR guidance explicitly acknowledges RWE as an acceptable data source for safety updates.

GDPR and Health Data Processing

GDPR Article 9 classifies health data as a special category of personal data requiring explicit legal basis for processing. In the context of RWE research, organisations rely on Article 9(2)(j) (scientific research) combined with appropriate safeguards under Article 89 (pseudonymisation, access controls, research ethics oversight). AWS supports GDPR-compliant health data processing through EU region data residency (eu-central-1, Frankfurt), VPC isolation, and granular access control via Lake Formation.

AWS Architecture for RWE Platforms

A regulatory-grade RWE platform on AWS is structured around four layers:

FHIR Health Data Lake with Amazon HealthLake

HealthLake stores FHIR R4 resources ingested from EHR systems, registries, and claims databases via HL7 FHIR API, AWS DataSync, or AWS Transfer Family. Data from heterogeneous sources is standardised to FHIR R4 using AWS Glue transformation jobs. HealthLake's integrated NLP layer extracts structured medical entities from free-text clinical notes — medication names, diagnoses, procedures — enriching structured data with insights from unstructured documentation.

AWS Clean Rooms: GDPR-Compliant Multi-Party Analysis

The most significant barrier to large-scale RWE studies is privacy: pharmaceutical companies want to analyse insurer claims data; insurers cannot share raw records; and patients must be protected. AWS Clean Rooms resolves this through privacy-by-design architecture.

How Clean Rooms Work

Each collaborating party retains their data in their own AWS account. A Clean Rooms Collaboration is configured with SQL query templates and output controls (minimum aggregation thresholds, column restrictions). Analysts run approved queries against the combined dataset — results are returned only as aggregates. No raw data crosses organisational boundaries. Optional differential privacy adds mathematical privacy guarantees to outputs.

Pharma-Insurer RWE Collaboration

A typical collaboration: a pharmaceutical company provides exposure data (prescription records by product and batch) through Clean Rooms; a statutory health insurer provides outcome data (hospitalisations, procedures, mortality). Joint analyses produce Kaplan-Meier survival curves, hazard ratios, and incidence rates — all without either party seeing the other's raw records. This architecture satisfies GDPR Article 9(2)(j) research exemption and data minimisation obligations.

Enterprise Adoption: A Maturity Framework

RWE programme deployment on AWS typically follows a three-stage maturity progression:

Stage 1: FHIR-Capable Health Data Lake (3-6 months)

A single data source (hospital EHR system) is onboarded to Amazon HealthLake. First FHIR queries for cohort definitions are validated. Access control via Lake Formation is implemented. Objective: proof of concept for a PMCF-supporting data infrastructure, with initial regulatory documentation.

Stage 2: Multi-Source RWE Platform (6-18 months)

Multiple data sources integrated (EHR, claims, registries). AWS Clean Rooms configured for partner collaborations. SageMaker models for automated safety signal screening deployed. First PMCF reports generated from the platform and included in regulatory submissions.

Stage 3: Continuous PMS Monitoring (18+ months)

Fully automated safety monitoring across the product portfolio. PSUR generation via AWS Step Functions pipelines. Real-time vigilance alerting integrated into global pharmacovigilance systems (Argus Safety, ArisG). Regular CSV-aligned validation reviews. Integration with EUDAMED for medical device vigilance reporting.

Storm Reply: RWE Expertise in the DACH Market

Storm Reply is an AWS Premier Consulting Partner in the DACH market with a dedicated Life Science practice. We support pharmaceutical companies and medical device manufacturers from RWE strategy through to production-validated environments. Our integrated approach — AWS architecture, GxP compliance framework, and GDPR documentation — addresses the three distinct workstreams that RWE programmes require.

Our experience across DACH RWE projects consistently shows that the most common failure mode is underestimating GDPR complexity in multi-party studies. Without clear data governance (processing records, DPIAs, data processing agreements), collaboration projects fail on legal grounds before technical work can begin. Storm Reply addresses this by front-loading the governance workstream alongside technical architecture.

Use Cases: RWE on AWS in the DACH Region

Generic Manufacturer: Automated PSUR Generation

A Swiss generics manufacturer with PMS obligations for 80+ active substances was spending 3-4 weeks manually preparing each PSUR. AWS Step Functions orchestrate HealthLake queries, SageMaker signal analysis, and QuickSight report generation. PSUR preparation time reduced to 3 days. Raw data and analysis results are WORM-archived in S3 Object Lock for regulatory inspection readiness.

Medical Device Manufacturer: MDR PMCF System

A German orthopaedic implant manufacturer is required under EU MDR to collect and evaluate PMCF data for their Class III products. The AWS platform integrates data from the manufacturer's implant registry, hospital EHR systems, and the German Arthroplasty Registry (EPRD). Compliance reports are automatically generated for the Notified Body submission cycle.

Health Insurer: Multi-Party Health Services Research

An Austrian statutory health insurer used AWS Clean Rooms to collaborate with pharmaceutical partners on outcomes research studies. The insurer contributed claims-based outcome data; pharma partners contributed exposure data. The Clean Rooms architecture satisfied all requirements of the Austrian data protection authority and produced peer-reviewed findings on real-world drug effectiveness.

Benefits and Challenges

Strategic Benefits

• Accelerated regulatory submissions through automation of PSUR and PMCF report generation
• GDPR-compliant multi-party collaboration without raw data exchange (Clean Rooms)
• Scalable infrastructure for growing product portfolios without proportional cost increases
• More robust safety signals from larger patient populations
• WORM-archived records immediately accessible for regulatory inspection

Challenges

• Data quality: RWD is inherently messier than trial data. Mitigation: automated FHIR validation and data quality monitoring via AWS Glue Data Quality.
• Regulatory acceptance: Not all regulators accept RWE with equal enthusiasm. Mitigation: document RWE methodology rigorously; use pre-submission meetings with agencies to agree on approaches.
• Validation overhead: RWE systems feeding regulatory submissions require CSV validation. Mitigation: Infrastructure as Code for reproducible environments substantially reduces IQ/OQ effort.

Outlook: Federated Learning and Synthetic Data

The next generation of RWE methods on AWS uses federated learning and synthetic data generation to further reduce privacy risks while expanding the evidence base:

Federated Learning with SageMaker: ML models are trained locally on health data at hospitals and insurers — only model weights, not data, are aggregated. This enables more robust signal detection models across populations without data migration.

Synthetic Data Generation: AWS HealthAI and SageMaker can generate synthetic patient populations that preserve the statistical properties of real datasets without direct personal reference. Synthetic data enables model training and feasibility studies before real partner data is available.

Storm Reply anticipates that DACH pharmaceutical companies will integrate these approaches into their RWE strategies between 2025 and 2027, as regulatory guidance on federated learning from EMA and BfArM is expected in this period.

Frequently Asked Questions

What is Real-World Evidence (RWE) in life sciences?

Real-World Evidence refers to clinical insights derived from analysing Real-World Data collected in routine care — from EHRs, claims, registries, and wearables. Unlike controlled clinical trials, RWE reflects the actual treatment reality of diverse patient populations and can support regulatory decisions on effectiveness and safety.

Which AWS services are best suited for Post-Market Surveillance?

For PMS on AWS: Amazon HealthLake (FHIR-native health data lake), AWS Clean Rooms (privacy-preserving multi-party analysis), Amazon Comprehend Medical (NLP for clinical text), Amazon SageMaker (ML models for safety signal detection), and AWS Lake Formation (data access governance and audit). S3 Object Lock provides WORM storage for regulatory records.

How does AWS Clean Rooms enable GDPR-compliant multi-party RWE studies?

AWS Clean Rooms allows multiple parties to run joint analyses without exchanging raw data. Each party retains control of their data; only aggregated results are produced. This supports GDPR Article 9(2)(j) (scientific research) and data minimisation principles, enabling collaboration that would otherwise be legally untenable.