Cloud computing is gaining increasing attention from the pharmaceutical and medical device industries – it's flexible and cost-effective. However, it also presents many questions surrounding the traditional approach to controlling computer systems, including:
- Can GxP regulatory requirements still be met with Cloud computing?
- Is a different approach required when GxP companies don’t have full control over the Cloud?
The following sections consider aspects relevant to these questions.
Cloud computing is still an evolving technology and the risks to compliance must be balanced against the benefits. Careful development of risk-based, GxP-defendable cloud strategies is required before committing to cloud-based solutions. Tasks to consider are:
- Risk-Benefit Analysis
- Developing requirements and constraints for the system
- Determining the type of service model to implement – Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS)
- Determining the type of deployment model – private, public, community or hybrid
- Developing criteria for vendor selection and procedures for conducting service provider audits
- Developing requirements for data integrity and security
- Detailing the procedural controls – for example, managing the system, user instructions, security and access controls.
What validation approach should be used?
According to PIC/S PE 009-10 Annex 11 (Computerised Systems), ‘The application should be validated; IT infrastructure should be qualified.’ Consequently, infrastructure qualification documents are still mandated for validated applications hosted in a cloud environment.
Installation Qualification (IQ) of the application hosted on the cloud presents unique problems – for example, there is no dedicated server for the software or a specific physical location. Therefore, the IQ design must meet the intended purpose of an IQ and not just follow the standard implementation approach – consider the underlying requirements of CSV.
Which vendor is appropriate?
Vendor management plays a vital role in assuring that the quality and compliance of the services provided are maintained. PIC/S PE 009-10 Annex 11 (Computerised Systems) clearly defines the responsibilities of the suppliers and service providers involved and these should be included in any service level agreement (SLA):
When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computerised system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party.
PIC/S, PE 009-10 (Annexes), 1 January 2013
Third-party cloud providers (IaaS and PaaS) are generally not aware of the security, privacy and regulatory needs for GxP. Therefore, all GxP requirements must be included in the SLA, and you must ensure that the service provider understands its responsibilities (this might require several discussions).
Cloud suppliers must be regularly audited, like any other supplier, to confirm that the quality of the services is well maintained with respect to the agreement and therefore GxP requirements. However, unlike other service providers, you cannot always audit the specific ‘physical’ site where your data is being kept, but you can check that there are adequate controls in place to maintain data integrity. Even though it is cloud-based, patient safety and product quality must not be compromised.
The future and beyond
Despite all the concerns regarding controls around cloud-based solutions, cloud computing offers significant potential to the pharmaceutical industry – if it is GxP-compliant. However, until the technology matures and new control strategies become more accepted by the regulators and within the regulatory environment, solutions still require careful consideration to meet the compliance, security and regulatory hurdles.