The purpose of this series is to discuss the impact of GMP (Good Manufacturing Practice) regulations on cloud computing and to debate some of the regulatory issues facing an organization contemplating this approach. In this part, we look at a process to select a suitable hosting provider that can demonstrate compliance with GMP and possession of qualified IT infrastructure.

Introduction

In the first three parts of this series,^1-3 we discussed the impact of the GMP regulations on cloud computing, then looked at the Software as a Service (SaaS) options and the requirements for qualified IT infrastructure and then ways to audit a cloud service provider. In this final part of the series we will discuss a way to select a Cloud service provider. The process is shown in Figure 1 and consists of three stages.

The prerequisites before this process is started are:

• Define the business objectives for the cloud hosting – what do you want to achieve in terms of regulatory compliance, financial cost, business efficiency, etc.
• What are the service objectives of the outsourced applications?
• What will be the roles and responsibilities of those people involved? Outsourcing may reduce headcount but it does not absolve the regulated user form the responsibility or accountability. Auditing the service supplier is a key role when going to the cloud.

Stage 1: Review Provider Web Sites

The first stage of the assessment process is a remote assessment of each potential hosting provider that is achieved by looking on their Web site. What you are looking for is information about their customers and knowledge of GMP regulations for the pharmaceutical system. Specifically:

• Does the company know about the GMP regulations?
• Is their infrastructure qualified and can they provide a GMP compliant service?
• Do they have any regulated pharmaceutical customers?

If the answers are no, reject these companies and move to stage 2 of the process.

Case Study Example: A Web site search of about 20 Web sites of hosting providers identified only five potential hosting companies worthy of further consideration.

Stage 2: Remote Assessment of the Quality Management System (QMS)

The remaining candidates are then sent a detailed questionnaire that asks questions about their accreditation schemes and their QMS, such as quality manual, procedures infrastructure qualification and staff training and knowledge of GMP regulations. Some potential service providers may state that, because they are certified against a specific standard e.g. ISO 27001⁴ or SSAE 16⁵ that this is acceptable to the pharmaceutical industry. However, as discussed earlier, ISO 27001 cannot ensure compliance with pharmaceutical industry regulations, as there are gaps.³ Therefore, you need to ask specific questions to assess the service provider’s knowledge of pharmaceutical specific regulations e.g.

• Question: Are specific controls in place for closed systems (i.e. availability and protection of records, audit trails, sequencing, access, training, documentation, and change control)?
• Answer: 21 CFR Part 11 compliance is the responsibility of the regulated customer on a solution-specific basis.

This is an interesting answer by the hosting provider to a key question, as it demonstrates no understanding of the Part 11 regulation or its interaction with the applicable predicate rule. Therefore, the hosting provider should be rejected without any further consideration.

Other questions to ask at this stage could be:

• Question: How do you qualify a virtual server?
  This question should also request evidence of the server specification and the execution of the installation
• Answer: These documents are confidential and are not disclosed to customers.

This answer to this question means that you have identified another company for rejection. Any service provider is acting as your agent, but you are still responsible for their work. The qualification of a server is important and the documentation of the process needs to be available during the supplier qualification and for any inspection. If the company wants to go further, ask how the infrastructure is qualified and how the hypervisor is validated. I strongly recommend that the availability of any such material is documented in any agreement between you and the company.

You also need to focus on asking questions around backup and recovery, change control and configuration management and incident management in the questionnaire to check that these functions are carried out in a compliant way.

Case Study Example: The five hosting companies were sent and returned questionnaires. Three companies were rejected, as they responded with some of the examples cited above that demonstrated no knowledge of the GMP regulations.

Stage 3: On Site Audit of the Service Provider

In my view, this stage is essential if GMP critical systems are being hosted externally to the organization and is also in compliance with Annex 11 clause 3.2,⁶ as you may only be allowed to view some key documents at the supplier’s site. This stage gives you much more detail and knowledge about a supplier than a questionnaire can ever provide. You should cover:

• Details of the ISO quality policy, quality manual and procedures or the equivalent from other quality standards: Look at the services offered by the company within the QMS and how these are documented e.g.
  • Building and qualifying the physical infrastructure upon which the virtual systems will be installed
  • Building and qualifying virtual infrastructure components and their integration
  • Operating the infrastructure: both physical and virtual elements
  • Change control processes for physical and virtual infrastructure including the records associated with a sample of change requests — some of these may require requalification of a component.
    • Throughout this process, you will be looking to see that records are created according to GMP principles.
    • Datacenter facilities. Many hosting companies may not build their own ISO 27001 certified facility, but may hire space in one. Therefore, you need to understand where your virtual server is located in case of seizure etcetera. However, this is only the start, GMP regulations will provide further requirements to overlay on top of these basic requirements.

Case Study Example: The remaining two hosting companies were ranked with one as the preferred candidate for an on-site audit and the other held in reserve. Both companies claimed to have qualified IT infrastructure from the returned questionnaires plus any clarification questions. We will look at the audit findings from the preferred candidate together with the responses as shown in Table 1. Although the company claimed compliance, you will note that IQ/OQ documents are executed without approvals and that staff that are untrained in GMP awareness are let loose to work on the infrastructure until they have clocked up 80 hours. Not an appealing thought.

 Table 1: Audit Findings with Some Hosting Company Responses

Audit Finding	Company Response
Installation qualification documents are not pre-approved prior to execution.	believes this is an inappropriate application of the GAMP standard, and also that the standard has been misinterpreted in this case.
IQ/OQ documents are not executed against equipment specifications to demonstrate fitness for intended use.	product delivers qualified hardware and so this is beyond the scope of the product.
There is no specification and associated qualification testing, with associated quality assurance oversight, of the hypervisor layer	Acknowledged. A plan will be placed to qualify the hypervisor.
GMP awareness training was only given to staff working greater than 80 hours per year on the qualified infrastructure	only considers that staff working for longer than 80 hours on the infrastructure should be trained in GMP compliance.
Qualification documents are electronically signed in an EDMS. The electronic signatures are not compliant with the requirements of §11.50	utilizes EDMS as the predominant repository of documentation, and the deployment of EDMS is considered fit for purpose across our client base. Utilization of a different document repository or amendment of its deployment is out of scope of the product.
The EDMS was incompletely validated by the vendor of the software as only two test cases, both designed to pass, were found in the validation documents. There were no test cases for security, audit trail or other part 11 functions.	considers this system adequately validated.

As a result of this audit, the preferred supplier was rejected and the reserve supplier audited. The audit was satisfactory and confirmed qualified infrastructure, GMP compliant procedures and records and adequately trained staff including GMP awareness training. They moved to the next stage in the process — the agreement.

Conclusions

To ensure that any cloud hosting provider is fit for purpose requires that sufficient effort is applied at the start of the selection process to know that the supplier selected knows enough about GMP regulations to control and document work performed. Failure to do this leads to gaps in regulatory compliance that can lead to serious non-compliances during inspections. Once the due diligence has been performed, a quality agreement can be signed with standards and monitoring metrics. Periodic audits should also be performed. In addition, the service provider should also be available for support in case of regulatory inspections, including planned but also unannounced inspections.

References

1. R.D.McDowall. Sci Comp, Part 1 www.ScientificComputing.com/Cloud_Meets_GMP_Regulations_1
2. R.D.McDowall. Sci Comp, Part www.ScientificComputing.com/Cloud_Meets_GMP_Regulations_2
3. R.D.McDowall. Sci Comp, Part www.ScientificComputing.com/Cloud_Meets_GMP_Regulations_3
4. ISO/IEC 27001: 2013, Information technology— Security techniques — Information security management systems — Requirements, International Standards Organization, Geneva, 2013
5. Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, American Institute of Certified Public Accountants (AICPA) 2010.
6. EudraLex Volume 4, EU Guidelines to Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Annex 11 – Computerized Systems, June 2011.

R.D. McDowall is Principal, McDowall Consulting. He may be contacted at [email protected].

 

Related Content
The Cloud Meets GMP Regulations – Part 1: Applicable Regulations
The Cloud Meets GMP Regulations – Part 2: SaaS and Qualified IT Infrastructure
The Cloud Meets GMP Regulations – Part 3: Options for Auditing a Cloud Service provider