Questions and Answers to Cloud Computing in a GxP Environment - Part 2
The trend in the pharmaceutical industry is also moving towards cloud computing. Financial as well as organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions must also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalogue of questions on the following GxP-relevant topics:
• Basics of Cloud Computing Technology
• Regulations and Expectations of Inspectors
• Requirements for Cloud Service Providers (CSP)
• Requirements for Supplier Evaluation and Supplier Audits
• Requirements for Qualification / Validation
Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, formerly Local GMP Inspectorate /Regierungspräsidium Tübingen
Oliver Herrmann, Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspectorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart
7. Requirements for Supplier Evaluation and Supplier Audits
Can we assume that if an appropriate QMS is implemented and the CSP acts in compliance with this QMS (as confirmed by an audit), the service provided functions in accordance with the specification and the operational controls are carried out as described in the CSP's internal procedures?
In accordance with Annex 11, the use of computerised systems may not result in a decrease in quality assurance. The assessment of a service provider includes the evaluation of its quality assurance system. In addition to this initial assessment, Chapter 7 requires the RU (regulated user) to continuously monitor the service provider by means of the supervision of KPIs.
If an appropriate QMS is applied, it can be assumed that the operative controls defined in the QMS will be carried out and that results not compliant with the specifications will be addressed as deviations / OOS.
The RU is nevertheless required to continuously evaluate compliance with the QMS. Chapter 7 of the EU Guidelines to Good Manufacturing Practice specifies: "The Contract Giver is ultimately responsible to ensure processes are in place to assure the control of outsourced activities." The type and extent of this evaluation can be defined on the basis of risk, and they are influenced by the experience gained from the continuous monitoring of the service provider.
Which contents must be covered by the service provider's change control and in which way must the contract giver be integrated into this system?
Though the regulated company's responsibility for patient safety, product quality, and data integrity cannot be delegated to the cloud service provider (CSP), the CSP nevertheless plays an important role and takes over important tasks such as specification, verification, and documentation of changes (in addition to their implementation), be it at the infrastructure (IaaS), the platform (PaaS), or the application (SaaS) itself. One of the goals of the regulated company is maintaining the validated and compliant state of a system. This requires corresponding validation measures (impact analysis, risk assessment, and further test and documentation activities, if appropriate) that typically require knowledge regarding the changes carried out by or at the CSP (see also question 9).
Therefore, the following elements of a validation concept are recommended:
- The regulated company verifies whether the CSP has established a high-quality and compliant change control process (for instance by means of an audit).
- A service level agreement (SLA) ensures that information (and documentation) on planned and required changes is obtained in time and to the extent necessary, allowing the regulated company to perform a (risk) assessment and to plan the required measures, as appropriate.
9. Principles of Cloud Computing Technology
The multi-tenant provision of SaaS means that one source code base is shared by all customers. This implies that all customers must have the same software version irrespective of whether or not a customer accepts a certain change. Is this compatible with GxP?
A regulated company strives to avoid extensive and risky changes of an application that might potentially challenge the validated and compliant state of a system. This is even more the case if the changes have no or only a minor benefit for the regulated company but may cause additional validation effort.
However, the relevant SaaS changes formally do not constitute a violation of GxP. Otherwise, it would not be permitted to update any operating system if the update introduced a new but unused function. It is required that corresponding measures (impact analysis, risk assessment, further test and documentation activities, if appropriate) are performed to maintain the validated state, as for any other change. Since these measures are also required for ordered / deliberate changes, the procedure must be described in the SOPs or in the validation protocol anyway. Hence, it makes sense to contractually ensure with the CSP (cloud service provider) that the corresponding information is provided in time (see also question 8).
10. Requirements for Supplier Evaluation and Supplier Audits
Which persons (functions) should participate in the audit of a CSP and which topics should (must) be addressed?
According to the vote V1100202* the following applies:
The audit should include persons who are sufficiently experienced in this specific technology. In principle, at least one person should come from IT. The lead auditor will normally come from quality assurance.
According to the vote the following topics should be addressed:
• Security of the data centre
• Server security
• Network security
• Application and platform security
• Data security
• Encryption and key management
• ID and rights management
• Selection and training of staff
• Validation and qualification
• External services and subcontractors
• Maintaining the validated state (change management, configuration management, patch management, monitoring and reporting, incident management)
*www.zlg.de – Vote V1100202 of the group of experts 11 „Anforderungen an die Aufbewahrung elektronischer Daten“ (Requirements for the storage of electronic data)
11. Requirements for Supplier Evaluation and Supplier Audits
How many days must be planned for the audit of a CSP? Is it also possible to carry out a remote audit?
If activities of the pharmaceutical entrepreneur are outsourced to third parties, the contractors are to be qualified. This applies to the outsourcing of the manufacture of active pharmaceutical ingredients, finished medicinal products and medical devices - as has been common practice for decades - as well as to the outsourcing of services in the area of IT, including cloud service providers. At first glance, a cost-saving questionnaire that is sent to the service provider via e-mail and evaluated afterwards would seem useful for qualification. With this approach, however, it is nearly impossible to assess the correctness and truthfulness of the answers given.
An increasing number of remote audits of IT service providers have been carried out for some years now. These audits are very demanding for the auditors, since video technology reaches its limits when it comes to reading the reactions and body language of the audited party, reading and assessing large documents, and touring the premises (e.g. the data centre).
The best solution is the well-known audit on site where the auditor can get an objective impression of the quality and performance of the future contractual partner.
Depending on the scope of services one or two days on site can be sufficient for an audit of IaaS. In the case of SaaS applications, a very detailed control of the cloud service provider needs to be carried out since this service provider also takes over crucial parts of validation. Here, an audit duration of 5-7 auditor-days is quite common.
Depending on the services outsourced the lead auditor should call in further experts (for instance from the area of security) in order to obtain a complete impression.
For the detailed planning of the audit, the service provider usually receives a plan that clearly shows the content of the audit. This audit plan can also be integrated into a time schedule. It is advisable, however, to leave the detailed schedule to the audited company, since the availability of the staff for the specific audit topics has to be assured.
The following is an extract from a SaaS audit plan. From this plan the service provider can see the potential topics, so that it can make the corresponding staff and management available for the interviews.
• Lead Auditor
• Further Auditors
• Audit History - Follow-up of last audit
• QMP, CSV, SOPs available and followed
• Training of personnel on QMS including updates
• Incident management
• Change management
• Documented baseline configuration
• Software release process
• Release testing, Patch testing
• SDLC process
• Traceability of requirements
• Project methodology
• Functional testing
• Third Party management, Security of third parties
• Back-up/Restore, Disaster Recovery and Business Continuity test evidence
• Service Level Agreements (SLAs)
• Security/Access Control
• Data Encryption
• 21 CFR Part 11
• 21 CFR Part 58
• 21 CFR Part 210/211
• 21 CFR Part 820
• ICH E6 Good Clinical Practice
• EU Annex 11
• ISO 27000 series
• GAMP5 and GAMP Good Practice Guide
12. Requirements for Supplier Evaluation and Supplier Audits
Will it be sufficient to send a check list for the assessment of the CSP - for instance Amazon or Microsoft?
Cloud service providers are among the most important quality-relevant suppliers a pharmaceutical company has to assess in the course of supplier qualification. This places heavy responsibility on the quality assurance or audit department as concerns the qualification of auditors and the availability of the required information at the supplier's: for each cloud service provider, the request for an audit means comprehensive coordination activities for an audit carried out on site or for answering long questionnaires. Both are rather unpopular since they bind a lot of resources. That's why cloud service providers often ask for cost sharing for audits carried out on site, hoping that the audits then won't be carried out at all. Obviously, the quality department of the cloud service provider isn't very pleased about questionnaires full of open questions either, when answering them might require several days.
In order to assess a SaaS cloud service provider offering a quality-relevant application, it is strictly necessary to carry out an audit - ideally on site - since the documentation on the development and validation of the system must be assessed from a GMP perspective. If only a remote audit is possible, it has to be ensured that there is sufficient time for reading the documentation made available online. The auditor should try to receive a copy of the quality-relevant documents for examination before the actual remote audit takes place. Most suppliers will refuse this for confidentiality reasons, however.
The quality assessment of global service providers in the area of IT infrastructure (IaaS service provider) often poses bigger problems as such companies (for instance Microsoft, Amazon) simply ignore such requests. In this case, the pharmaceutical entrepreneur is required to assess general documents made available on a broad basis. Microsoft provides a comprehensive quality manual (Microsoft Azure GxP Guidelines, © 2020 Microsoft Corporation, 99 pages) which can be downloaded from the Microsoft website. Here, the auditor finds answers to a number of questions she/he would want to discuss in the course of the audit.
Amazon also provides a number of documents on the relevant subject areas in the form of non-contiguous fragments, which, however, are made completely available to the auditor only after the delivery contract has been signed, so that they are not suitable for the initial assessment of the supplier.
The auditor should nevertheless first try to send a questionnaire with a request for replies to these global companies as well, in order to leave nothing undone. In this context it should be noted that I recently sent a request to Amazon and received an almost completely answered questionnaire, which allowed me to make an assessment.
It is very important for the pharmaceutical company to include the option of regular audits (without additional costs) in the contract with the service provider. Furthermore, the bundling of the audit activities of several pharmaceutical companies (joint audit) with sharing of the costs should be considered. This would have many advantages and create a win-win situation for both parties - the customer as well as the service provider - since time and costs could be saved.
A cloud service provider refers to SOC reports when being assessed, especially to the SOC2 report. Would this report be sufficient as concerns the requirements of the assessment, and could it be used?
The SOC2 report can be used for the requirements we have in the GMP/GLP environment. It should be noted, however, that the SOC2 report must meet the requirements of the financial sector. This does not fully cover the requirements of the pharmaceutical sector. For example, we reviewed the change process in the SOC2 report and there remain some requirements that have not yet been answered.
Conclusion: The SOC2 report alone is not sufficient for the evaluation of a CSP.
About the Author
Dr Andreas Mangel organises and conducts courses and conferences for the ECA Academy in the areas sterile production and computer validation.