The purpose of this series is to discuss the impact of GMP (Good Manufacturing Practice) regulations on cloud computing and to debate some of the regulatory issues facing an organization contemplating this approach. In this part, we look at the options for auditing a cloud service provider.
Introduction
In the first part of this series [1], we discussed the impact of the GMP regulations on cloud computing and, in the second part, we discussed Software as a Service (SaaS) requirements and the need to qualify IT infrastructure [2]. In this part we will look at the ways you can audit a cloud service provider.
Service Providers: Requirements for Audits and Agreements
EU GMP Annex 11, section 3.1 [3] requires that there must be an agreement between the IT service provider, such as a hosting company, and the regulated user. This agreement must cover the roles and responsibilities of the people involved and the services offered. However, before the pen hits the paper, there is a more important consideration that must be taken into account: do we audit the cloud provider? Annex 11 provides some guidance in this respect.
- Clause 1 states that risk management should be applied throughout the lifecycle of the computerized system, taking into account patient safety, data integrity and product quality. [3]
- More specifically, clause 3.2 states that: "The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment." [3]
- However, the audit reports must be shown to an inspector on request, as noted in clause 3.4: "Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request." [3]
Therefore, from a regulatory perspective, have you done demonstrable due diligence on your cloud provider? This expected due diligence should not be considered only from a regulatory point of view but also from a business perspective, since in many cases the decision to move to a cloud-based solution will impact many types of data, e.g. GMP-relevant data, knowledge-related data or even your company's intellectual property. Table 1 shows further GMP-related requirements, e.g. 21 CFR Part 11 [4] for IT infrastructure, that need to be considered as part of an initial audit and included in the agreement between you and the hosting provider.
The key issue with cloud service providers is that you may think you are dealing with a single company but, in reality, many functions can be subcontracted to other suppliers and even sub-suppliers. Do all of these entities know the GMP regulations, and are their staff members trained?
Table 1: Additional 21 CFR Part 11 and Annex 11 Regulations Applicable to IT Infrastructure
Annex 11 Requirements for IT Infrastructure | 21 CFR 11 Requirements for IT Infrastructure
Although it is relatively easy to audit an active pharmaceutical ingredient (API) or a contract manufacturer, providing objective evidence with a reasonable degree of assurance that a cloud service provider is delivering a compliant, reliable and secure service can often be a real challenge.
Auditing a Cloud Service Provider
When auditing a cloud service provider, it is important not to lose sight of the main objectives, i.e.
- to generate confidence in the service provider’s working capability and demonstrable compliance with regulations
- review of the service provider's Quality Management System (QMS); the necessary openness and transparency during this review contribute to building confidence for the future customer – service provider relationship
- How are integrity, accessibility, readability and confidentiality of data ensured, and can these be verified during an audit?
However, since no organization is perfect, usually the audit outcome will be:
- Identification of findings that are not compliant with the regulations
- Correction of findings through a corrective and preventative action plan (CAPA)
Only if the audited organization accepts the audit findings and agrees to modify its approach by implementing appropriate corrective and improvement measures can an audit make sense as a basis for securing a future collaboration.
What Are We Auditing Against?
Based on the above explanations of the regulations, Table 2 provides an overview of the main audit areas to be considered.
Table 2: Key Areas and Criteria for Auditing IT Hosting Providers (excluding the Quality Management System)
Area for Audit | Criteria
Data integrity maintained throughout record retention period |
Legal requirements placed on data stored in infrastructure |
Qualified Infrastructure |
Data management |
Change Management |
GMP knowledge |
QA oversight of IT activities is essential |
Does ISO 27001 Certification provide Compliance with GMP Regulations?
Quality standards and certifications should be leveraged within the specific context of GMP, since they represent, at least partially, a significant and reliable basis for the required good practices and for the regulated processes. The Quality Management System of an IT hosting company can be certified to one or more quality standards such as ISO 27001 [5], COBIT (Control Objectives for IT) [6] or SSAE 16 [7].
NOTE WELL: such quality standards and certifications CANNOT replace GMP regulations, which are mandatory requirements for a regulated user. This is not an area for discussion: the regulatory requirements must be followed, as they are the law. Therefore, there must be a demonstrable understanding of the requirements of GMP by a cloud service provider. Let me reiterate: ISO is voluntary, and GMP is the law — no discussion, no debate.
For example, Montrium has a white paper entitled Qualification Guideline for Microsoft Azure [8]. This document attempts to leverage the various certifications, such as ISO 27001, held by the Azure PaaS cloud platform as being suitable for GMP compliance. However, this document is based merely on reading and interpreting audit reports. Using non-GMP standards to meet regulatory compliance for a hosting company in areas such as physical security, environmental controls, power supplies and redundancy of these controls is an adequate approach. However, there are a number of basic problems in this document that are either omitted or glossed over, as there is:
- No mention of GMP awareness training for the Microsoft staff operating Azure (section 2.7.12)
- No mention of physical infrastructure qualification and installation of the hypervisor layer performed by Microsoft — the only mention is of the qualification of the customer's virtual environment in section 3. This is akin to building a house without any foundations.
- In many cases, there is a mention of “compliance” in the Microsoft procedures, but compliance with what standards or regulations? This is not mentioned.
- Risk assessment and risk management are passed to the customer, which is difficult when the regulated user does not control the underlying infrastructure.
- The document is silent on the mechanism where changes in the infrastructure that impact regulated GMP applications are alerted to a regulated user.
However, the key point is this: if staff do not have GMP awareness training, how can they be aware of the GMP regulatory documentation requirements, as outlined in EU GMP Chapter 4 on documentation [9]?
Therefore the key question is “How can a cloud solution be compliant with the GMP regulatory requirements?” Enter stage left the supplier audit.
Ways of Auditing a Cloud Supplier
Given that IT infrastructure is critical for any pharmaceutical company, it is surprising that many decisions are based solely on financial considerations. One reason for this is that IT generally reports through the Finance Group of an organization. However, it is important that IT infrastructure, regardless of how it is delivered, provides a reliable and compliant service. Therefore, if outsourcing your IT services and infrastructure, sufficient due diligence needs to be performed to assure you that the service provider knows their job, follows written procedures, produces records and has appropriately trained staff, including all people who are sub-contracted by the service provider. There are three basic options for auditing a supplier, including a cloud service provider:
- Questionnaire only
- Questionnaire plus follow up teleconference and review of documents
- Questionnaire plus on site audit and verification of answers
We will consider the advantages and disadvantages of each approach.
Questionnaire
This is the option that is the quickest to perform, but it leaves you with the least confidence in the supplier. You are reliant on the supplier being honest and truthful when completing the questionnaire. Therefore you must ensure that the questions asked are searching and, where appropriate, request supporting information, e.g. a list of procedures or specifications and evidence of actions. When the completed questionnaire is received, it needs to be reviewed and assessed, not thrown in a drawer and forgotten. Are the answers acceptable, or do you need to ask the company for clarification? In the end, you need to make a decision whether to use this supplier or not, and the reasons for this should be documented in a summary report.
Questionnaire plus Follow up
The next option for supplier assessment is to send the questionnaire and review the completed document as outlined above. The next task is then to organize a Web session / videoconference to review the answers and ask follow-up questions, in addition to reviewing documents. You are not expecting the company to mail you their QMS, but they must be willing to discuss their approaches and show you their documents. This will probably require your signing a non-disclosure agreement. The videoconference, in addition to the questionnaire, gives a regulated user an opportunity to go into more detail and verify the answers in the questionnaire. Topic areas can be discussed in detail and approaches to compliance confirmed; one specific issue is the ability to see documentation around the infrastructure qualification or procedures that was not provided with the questionnaire. Some hosting companies cite "intellectual property" reasons for refusing to disclose any design documentation. If this happens, then the hosting company should not be considered further. Walk away from them. Imagine the situation if an inspector, quite reasonably, requested such documentation and the hosting company refused: what would you do? Beam me up, Scotty?
Questionnaire Plus on Site Audit
The questionnaire is completed and reviewed as above, but in this option there is also an on-site audit of the hosting facility or data center and the company offices, to go into much greater detail. Note that the audit may be in two parts, as the offices may not be in the same location as the computing facilities. The dates of the visit need to be planned and the schedule agreed upon, including time to move between locations if needed. The office visit will cover the quality management system, including staff organization charts and training records, scope of accreditation — typically for ISO 27001 [5] or SSAE 16 [7] — and procedures with records of the activities that occur. Key areas to spend time reviewing during the audit are the organization chart and the staff training records.
- The organization chart should show where sub-contracted staff are used [10]. This is important for a number of reasons: is there an agreement in place between the service provider and the sub-contracted organization detailing roles and responsibilities and GMP compliance?
- Training records, resumes / curricula vitae and position descriptions for service provider staff, including sub-contractors, must be reviewed to determine if they have an appropriate combination of education, training and experience. A problem with ISO standards is that they do not require resumes or curricula vitae, which are required for the pharmaceutical industry; therefore, the supplier needs to go further than an ISO accreditation.
- GMP awareness training is a specific requirement of US GMP in §211.25(a) [11], Part 11 in §11.10(i) [4] and EU GMP Annex 11 clause 2 [3], as shown in Table 3. Therefore, you must determine if there is sufficient GMP awareness training for the staff of your potential service provider, INCLUDING any sub-contracted personnel. If GMP training was given, then who was the trainer and what were their qualifications, training and/or experience to give it? Failure to understand and probe here can lead to serious compliance problems later.
Table 3: Regulatory Requirements for Staff Training
Regulation | Regulatory Requirement
US GMP: 21 CFR 211.25(a) | Training shall be in the particular operations that the employee performs and in current good manufacturing practice (including the current good manufacturing practice regulations in this chapter and written procedures required by these regulations) as they relate to the employee's functions. Training in current good manufacturing practice shall be conducted by qualified individuals on a continuing basis and with sufficient frequency to assure that employees remain familiar with CGMP requirements applicable to them.
US GMP: 21 CFR 11.10(i) | Determination that persons who develop, maintain or use electronic record/electronic signature systems have the education, training and experience to perform their assigned tasks.
EU GMP: Annex 11, clause 2 | There should be close cooperation between all relevant personnel, such as Process Owner, System Owner, Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties.
References
1. R.D. McDowall, The Cloud Meets GMP Regulations – Part 1, Scientific Computing, www.ScientificComputing.com/Cloud_Meets_GMP_Regulations_1
2. R.D. McDowall, The Cloud Meets GMP Regulations – Part 2, Scientific Computing, www.ScientificComputing.com/Cloud_Meets_GMP_Regulations 2
3. EudraLex Volume 4, EU Guidelines to Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Annex 11 – Computerised Systems, June 2011.
4. 21 CFR Part 11 – Electronic Records; Electronic Signatures; Final Rule, 1997.
5. ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, International Organization for Standardization, Geneva, 2013.
6. COBIT 5 (Control Objectives for Information and Related Technology), version 5, Information Systems Audit and Control Association, 2012.
7. Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, American Institute of Certified Public Accountants (AICPA), 2010.
8. Qualification Guideline for Microsoft Azure, Montrium Inc., June 2014. http://www.montrium.com/montrium-demonstrates-microsofts-continued-commitment-compliance-azure-cloud-life-sciences
9. EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Chapter 4: Documentation, January 2011.
10. EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Chapter 2: Personnel, February 2014.
11. US Food and Drug Administration, 21 CFR 211, Current Good Manufacturing Practice for Finished Pharmaceutical Products, 2008.
R.D. McDowall is Principal, McDowall Consulting. He may be contacted at editor@ScientificComputing.com.