The purpose of this series is to discuss the impact of GMP (Good Manufacturing Practice) regulations on cloud computing and to debate some of the regulatory issues facing an organization contemplating this approach. In this part, we look at the applicable regulations.
Introduction
Although the focus of this series of articles is on GMP, the principles discussed are also applicable to Good Laboratory Practice (GLP), especially following the new draft guidance issued by the OECD in September 2014,1 and to Good Clinical Practice (GCP), under which computerized systems are inspected in Europe using a PIC/S guidance on Computerized Systems in GXP Environments written by GMP inspectors.2,3
Many GMP-regulated companies are considering using the cloud to reduce cost and outsource applications. The financial benefit is to move from a capital to a revenue cost model. However, have the people involved in the process considered the impact of GMP regulations on their choice of cloud supplier? This series explores the impact of GMP regulations, specifically EU GMP Annex 11, on the cloud. One question that is raised: “Is a company increasing its regulatory risk when going to the cloud if regulations are not considered fully?” Note that the pharmaceutical company remains responsible and accountable for the outsourcing and for the consequences if regulatory data are lost or the hosting environment is not compliant with regulations.
In this series, we will look at the impact of GMP regulations on cloud computing. Although there are several cloud computing options available,4 we will look only at Platform as a Service (PaaS) and Software as a Service (SaaS) running on private clouds. Cloud computing can be seen as a mode of outsourcing of IT infrastructure and operations from a regulated organization. However, it is important to realize that, although the operations are outsourced, the responsibility and accountability for GMP compliance remains with the regulated organization. This is often forgotten by the people negotiating the contracts. Furthermore, with the rapidly changing environment in hosting with sub-contracting of services by a hosting provider, it is important to undertake regular audits.

Annex 11 GMP Regulations
The most recent regulation for computerized systems is EU GMP Annex 11,5 and the GMP requirements for compliant cloud computing are contained in several sections of Annex 11, as shown in Table 1 and Figure 1. There is also FDA 21 CFR Part 11 for electronic records and electronic signatures6 to consider. However, as Annex 11 covers most of the Part 11 requirements in more detail and with wider scope, especially for service providers, the majority of references will be to Annex 11 rather than Part 11.
There are four areas of a cloud life cycle that should be considered:
- Selection of an appropriate cloud provider
- Negotiating the contract to include measurable levels of service and backup of the data
- Operation and monitoring phase, including proactive and on-going auditing to ensure compliance
- De-clouding, the orderly migration of data from the cloud to another provider, application or archive. This is not discussed in this article and the reader is referred to the article by Stokes.7 However, de-clouding must be considered when selecting a supplier and negotiating the contract for services with that supplier.
The main area of focus in this article is the selection of an appropriate cloud provider that includes the assessment of the quality management system, security, qualification of the IT infrastructure and training of all staff involved with operating it, including GMP awareness as it relates to their work.
Table 1: EU GMP Annex 11 Clauses Applicable to Cloud Computing5

| Annex 11 Clause | Clause Requirements |
|---|---|
| Principle | IT infrastructure shall be qualified. |
| 1. Risk Management | Risk management should be applied throughout the lifecycle of the computerized system, taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerized system. |
| 2. Personnel | There should be close cooperation between all relevant personnel, such as Process Owner, System Owner, Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties. |
| 3. Suppliers and Service Providers | 3.1 When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computerized system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party. IT-departments should be considered analogous. (Note that this requirement should also take into consideration the applicable requirements in EU GMP Chapter 7 on Outsourcing.8) 3.2 The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment. |
| 7. Data Storage | 7.1 Data should be secured by both physical and electronic means against damage. 7.2 Regular back-ups of all relevant data should be done. Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. |
| 10. Change Control | Any changes to a computerized system, including system configurations, should only be made in a controlled manner in accordance with a defined procedure. |
| 12. Security | 12.1 Physical and/or logical controls should be in place to restrict access to computerized systems to authorised persons. Suitable methods of preventing unauthorised entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas. |
| 13. Incident Management | All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis of corrective and preventive actions. |
| 16. Business Continuity | For the availability of computerized systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. These arrangements should be adequately documented and tested. Note: Many hosting companies may equate this with high availability and disaster recovery, but it also needs to be interpreted as how the hosting site will cope with storms, floods, power outages, etc. |
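Clause 7.2 requires that the integrity of backup data and the ability to restore it be checked during validation and then monitored periodically, and the regulated company, not the hosting provider, has to be able to show that evidence. The Python script below is an added illustration of what such a check can look like; it is not part of the original article, of Annex 11, or of any provider's tooling. It records a SHA-256 manifest of every file at the time the backup is taken, then compares a restored copy against that manifest and reports files that are missing, altered or unexpected. The directory names, the sample batch record and the audit trail line are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path -> SHA-256 for every file under root.
    This manifest is produced when the backup is taken and kept with it."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.
    Returns lists of ok / missing / corrupted / unexpected files and a
    single pass/fail flag that can be filed as the periodic check record."""
    result = {"ok": [], "missing": [], "corrupted": [], "unexpected": []}
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    known = set(manifest)
    for p in restored.rglob("*"):
        if p.is_file():
            rel = p.relative_to(restored).as_posix()
            if rel not in known:
                result["unexpected"].append(rel)
    result["passed"] = not (
        result["missing"] or result["corrupted"] or result["unexpected"]
    )
    return result


def restore_test(tamper: bool = False) -> dict:
    """Constructed end-to-end check: create sample GMP records, back them up,
    restore them and verify. With tamper=True one restored file is altered
    to show that the check detects a corrupted restore."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live, backup, restored = base / "live", base / "backup", base / "restored"
        # Constructed sample data standing in for regulated records.
        (live / "batch_records").mkdir(parents=True)
        (live / "batch_records" / "lot_0001.csv").write_text("lot,result\n0001,pass\n")
        (live / "audit_trail.log").write_text("2014-09-01 user1 signed lot_0001\n")
        shutil.copytree(live, backup)            # the backup run
        manifest = build_manifest(backup)        # hashes recorded at backup time
        shutil.copytree(backup, restored)        # the restore run
        if tamper:
            (restored / "audit_trail.log").write_text("2014-09-01 user1 signed lot_0002\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:", restore_test())
    print("tampered restore:", restore_test(tamper=True))
```

In practice the manifest would be signed or stored separately from the backup it describes, so that a provider incident affecting the backup store cannot silently alter both, and the output of each periodic restore test would be kept as the documented evidence that clause 7.2 asks for.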
Legal Requirements
In addition to GMP regulations on the IT infrastructure there may also be legal requirements to consider; these impact three main areas of a pharmaceutical company:
- data privacy, e.g. EU directives and Safe Harbor agreements, and patient confidentiality for investigational medicinal products (IMP)
- intellectual property, e.g. ensuring the confidentiality of data and intellectual property
- location of the server, e.g. knowing the exact physical location of the data in case a regulatory agency with jurisdiction impounds regulatory data
Space is not available to discuss these topics in detail; the reader is referred to the chapter in a new book on Annex 11 edited by Orlando Lopez.9
References
1. Draft Advisory Document no 16, The Application of GLP Principles to Computerized Systems, Organization of Economic Cooperation and Development (OECD), Paris, 2014.
2. Computerized Systems in GXP Environments, PIC/S PI 011-3, PIC/S, Geneva, 2007.
3. Procedure for Conducting GCP Inspections requested by the EMEA, Annex III Computer Systems, European Medicines Agency, 2007. www.ema.europa.eu/docs/en_GB/document_library/Regulatory_and_procedural_guideline/2009/10/WC500004468.pdf
4. P. Mell and T. Grance, “The NIST Definition of Cloud Computing”, NIST Special Publication 800-145, National Institute of Standards and Technology, Gaithersburg, Maryland, 2011.
5. EudraLex Volume 4, EU Guidelines to Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Annex 11 – Computerised Systems, June 2011.
6. 21 CFR Part 11 – Electronic Records; Electronic Signatures; Final Rule, 1997.
7. D. Stokes, Compliant Cloud Computing – Managing the Risks, Pharmaceutical Engineering, 33 (4) 1–11, 2013.
8. EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Chapter 7: Outsourced Activities, Revision 1, January 2013.
9. R.D. McDowall and Y. Samson, in Orlando Lopez (editor), EU Annex 11 Guide to Computer Validation Compliance for the Worldwide Health Agency GMP, Taylor and Francis, in press.
R.D. McDowall is Principal, McDowall Consulting. He may be contacted at [email protected].
Related Content
The Cloud Meets GMP Regulations – Part 2: SaaS and Qualified IT Infrastructure
The Cloud Meets GMP Regulations – Part 3: Options for Auditing a Cloud Service provider
The Cloud Meets GMP Regulations – Part 4: Selecting a Cloud Service Provider