Questions and Answers to Cloud Computing in a GxP Environment
The trend in the pharmaceutical industry is also moving towards cloud computing. Financial but also organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions should also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:
- Basics of Cloud Computing Technology
- Regulations and Expectations of Inspectors
- Requirements for Cloud Service Providers (CSP)
- Requirements for Supplier Evaluation and Supplier Audits
- Requirements for Qualifcation / Validation
Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, formerly Local GMP Inspectorate /Regierungspräsidium Tübingen
Oliver Herrmann, Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspectorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart
1. Basics of Cloud Computing Technology
What’s the meaning of IaaS / PaaS / SaaS / XaaS?
IaaS, PaaS, and SaaS are abbreviations and different grades (or service models) of various cloud service provider (CSP) offerings. "aaS" always stands for "as a Service". In XaaS, the X is a placeholder for either I, P, or S, meaning Infrastructure, Platform, or Software. Sometimes, XaaS is also called "Anything as a Service" or "Everything as a Service" and can take very specific characteristics like "High Performance Computing as a Service (HPCaaS)" or "Artificial Intelligence as a Service (AIaaS)".
Table 1: Cloud Services – Service Models and Responsibilities
CSPs offer various services and benefits depending on the basic service model, and the tasks to be executed may shift accordingly (see Table 1):
- For computerized systems or applications that are being operated traditionally on premise, the regulated company (or its IT department or IT service provider, if outsourced), is responsible for all tasks related to computerized system validation (CSV).
- IaaS: If the infrastructure is provided and managed by the CSP, the model is called IaaS. Here, the tasks and responsibilities of the regulated company start with the installation of the operating system.
- PaaS: At the next level, the CSP takes over installation and operation of both, infrastructure and operating system. The regulated company steps in with the configuration of the runtime environment.
- SaaS: For this model, the CSP provides and operates the configuration of the runtime environment and the application on top of infrastructure and operating system.
In other words, the activities shift from user (regulated company as client) to cloud service provider (supplier). However, the responsibility for validation and operation of the application and all related topics like data integrity, data privacy, data security etc. remains with the regulated company.
Berlin, Germany23 April 2024
Computerised System Validation: Introduction to Risk Management
2. Basics of Cloud Computing Technology
What cloud models are there and where do they apply in the GxP environment?
Basically, the classification of cloud models is not uniformly regulated. A so-called "Deployment Model" has been formulated by NIST (National Institute of Standards and Technology), which describes a widely used classification1:
- Private Cloud
In a private cloud, the cloud infrastructure is operated for one organization only. It can be organized and managed by the organization itself or by a third party and can be located in the data center of the organization itself or in the premises of third parties.
- Public Cloud
We speak of a public cloud if the services can be used by the general public or a large group, such as an entire industry sector; these services are provided by the respective cloud service provider in its facilities/data centers.
- Community Cloud
In a community cloud, the cloud infrastructure is shared by several institutions that have similar interests (e.g., regarding security, compliance). Such a cloud can be operated by one of these institutions or a third party.
- Hybrid Cloud
If several cloud infrastructures, which are independent of each other, are shared via standardized interfaces, this is called a hybrid cloud.
While in a private cloud, where provider and user are usually identical, the user has complete control over the services used, in a public cloud the user transfers control to the cloud service provider.
However, the definitions above do not cover all variants of cloud services, leading to further definitions such as "virtual private cloud", etc. Another common distinction of cloud models is the classification by "Service Models" (SaaS, PaaS, IaaS) - see question 1.
Basically, all "Deployment Models" or "Service Models" are also used in the GxP-regulated industry. Here, the selection of the cloud model is primarily based on the criticality of the GxP process supported by the cloud service and the data processed in the process. For example, tools to support the training process, so-called Learning Management Systems (LMS), are often licensed as public cloud. In contrast, very critical applications, such as the management of trial master files, are at most operated as a community cloud service.
Regardless of the criticality of processes and data, the particular characteristics of the supported process support the use of community or private cloud offerings: The more specialized a process is - e.g., maintaining a trail master file - the smaller and more specialized the group of potential subscribers becomes.
3. Basics of Cloud Computing Technology
What are the reasons for choosing a particular cloud model (private cloud, community cloud, public cloud)?
In addition to commercial reasons, which will not be discussed further here in the context of GxP-regulated applications, practical reasons often play a role in the choice of a cloud model. In particular, smaller companies with correspondingly limited IT resources tend to use a cloud service which they would not be able to provide with their own resources. This may be because they do not have the personnel resources to offer all the topics required, or because they simply do not have the necessary expertise (process-related, technical, data security).
In the GCP area, the special conditions prevailing there also promote the use of cloud services for very practical reasons: Clinical trials are shared with many parties (hospitals, physicians, CMOs, sponsors), usually worldwide. In addition, the composition of the parties involved is not a fixed group, but is subject to change. Cloud services, with their universal accessibility via the Internet, support this way of working and are designed for 24x7 operation due to their international orientation.
Another factor to be considered, especially when choosing cloud services, is the security requirements of the GxP process supported by the system. In Annex 11, the pharmaceutical company is explicitly requested to align the required security measures with the risk2. This may mean that particularly sensitive data should often not be processed in a public cloud for reasons of GxP data integrity. A decision of this kind requires the cooperation of all specialist disciplines (IT, Process Owner, QA) in order to achieve a well-considered, technically justified risk assessment. This requires in-depth IT expertise in particular, since the topic of "data security" can be very complex (nesting of cloud services, redundancies across multiple data centers, authentication providers used, ...) and is subject to permanent change.
If the business process to be supported by a computer-based system places high demands on the availability of data and functions, this can have a direct influence on the suitability of cloud-based services:
- Be it that the additional dependency on an internet connection alone argues for an 'on premise' implementation that is accessible via LAN;
- While the highly-redundant design across multiple regions as well as the ease of horizontal scalability can be crucial for the use of a cloud service, as opposed to an installation on the local network.
Especially in the GCP area, data protection requirements (e.g., for personal data in clinical trials) play an essential role. Data protection thus determines whether the desired cloud service is even considered and, if so, in which country the data centers used must be located.
Even if this is not based on GxP requirements, high demands on the confidentiality of sensitive data (e.g., data from clinical research or product development) can also determine whether a cloud service is even considered or with what restrictions.
4. Basics of Cloud Computing Technology
Are SaaS closed systems per 21 CFR Part 11?
Well, it depends …
The terms SaaS and "Closed System" are not related, i.e. one does neither imply nor exclude the other. First and foremost, SaaS is a service model for providing a software application in the cloud (i.e. via internet) by a cloud service provider (CSP). This requires data to be transferred at least temporarily to the cloud and to store and process data in the cloud, typically permanently.
On the other hand, the definitions of "open" and "closed" systems do not refer to the way data or applications are provided, but define the expected level of control. This control of data and applications is primarily realized by operational and technical measures related to access protection, user identity and rights management, and encryption. Thus, the level of control is not independent of SaaS, but represents a different dimension.
In §11.3(b)(4), 21 CFR part 11 defines a closed system as "an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system". Contrastingly, §11.3(b)(9) defines an open system as a system that lacks this control. Consequently, resulting measures for validation, data privacy etc. differ significantly for closed and open systems and are being defined in detail in paragraphs §11.10 and §11.30, respectively.
Hence, an application provided per SaaS may be an open system, but will usually be operated as a closed system, particularly if critical, sensitive, or trustworthy data (generally: data worth to be protected) are being processed.
5. Regulatory Basis and Expectations of Inspectors
The AMWHV (Arzneimittel- und Wirkstoff-Herstellungs-Verordnung) requires that all data according to the manufacturer's authorization reside on the premises. Is then a cloud solution possible at all?
The EFG (Expert Working Group) 11 has interpreted the legal basis for this question as part of a vote on the "Requirements for the storage of electronic data".
Section 20 of the AMWHV stipulates that documents must be stored "in a suitable area of the premises covered by the permit pursuant to Section 13, Section 72 or Section 72c (4) of the German Medicines Act."
The trend toward digitization and the replacement of paper-based documentation with electronic records (e-records) is steadily increasing in the pharmaceutical environment. At the same time, computerized systems are being introduced globally by multinational corporations as client/server solutions. This concerns Enterprise Resource Planning (ERP) systems, Manufacturing Execution Systems (MES), Laboratory Information and Management Systems (LIMS), but also systems for change, CAPA and training management. In recent years, there has been a massive trend to outsource some or all of the IT and computer-based systems to third parties in favor of various cloud service models: Infrastructure as a Service (IAAS), Platform as a Service (PAAS), and Software as a Service (SAAS), with the latter becoming more prevalent as a service model.
In the case of electronic documentation, the requirement to store e-records/documents in rooms covered by the permit pursuant to Section 13, Section 72 or Section 72c (4) of the German Medicines Act is met if at least one terminal (e.g. terminal or PC plus printer) is available in the rooms covered by the permit, so that access to the entirety of the data and metadata is possible, readable printouts and copies on data carriers can be generated. Likewise, the requirements for qualification of the IT infrastructure (IAAS, PAAS), validation of the application (SAAS) and ensuring availability, readability and integrity must be fulfilled by an (internal or external) service provider.
Berlin, Germany24-26 April 2024
Computerised System Validation: The GAMP 5 Approach
6. Requirements for the Cloud Service Provider (CSP).
Are common certifications (e.g., 27000ff) reliable evidence that a cloud service provider is suitable, or what requirements must a certification fulfill in order for it to play a role in the suitability of a CSP?
The fact that suppliers and service providers must have a quality assurance system is derived from EU-GMP Annex 11:
3.4 Quality system and audit information concerning suppliers or developers of software and systems used should be made available to inspectors upon request.
What kind of quality system it should be cannot be determined from Annex 11. However, EFG 11 comments on this issue in their Votum V1100202 "Requirements for the retention of electronic data". It states:
In the following, requirements for the quality of the CSP and data integrity (for data in motion and at rest) are formulated, which are not explicitly found in the EU GMP Guideline in this way, but are considered reasonable from the point of view of EFG 11:
- CSPs that process confidential data or data with high availability requirements under their responsibility must have a certified ISMS (e.g., according to DIN 27001).
Whether this can be enforced from a legal perspective, however, remains to be seen.
About the Author:
Dr Andreas Mangel organises and conducts courses and conferences for the ECA Academy in the areas sterile production and computer validation.
1 The NIST Definition of Cloud Computing, Special Publication 800-145, Sept. 2011
2 EU GMP Annex 11 [12.2]: The extent of security controls depends on the criticality of the computerised system.