Cloud Computing: Validation performed by a CSP on its own - what is the Value?

Recommendation

22-24 May 2024
Copenhagen, Denmark

IT / OT Infrastructure Qualification and Operation in a GMP Environment

The trend in the pharmaceutical industry is also moving towards cloud computing. Financial but also organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions should also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:

• Basics of Cloud Computing Technology
• Regulations and Expectations of Inspectors
• Customer-Supplier-Relationship
• Requirements for Cloud Service Providers (CSP)
• Requirements for Supplier Evaluation and Supplier Audits
• Requirements for Qualification / Validation

The following question is one of a series of questions that we will publish in further GMP News articles on this site in the coming weeks.

Question 18: What is the value of a "validation" performed by a CSP on its own for the services it provides? - Requirements for Qualification / Validation.

For SaaS applications offered by the cloud service provider for GMP, a full validation of the base system is usually intended. In this case, the CSP carries out all the necessary sub-steps of the validation (from URS to UAT) itself and documents them in accordance with the current regulations. The pharmaceutical entrepreneur can refer to these validation documents for the standard system, but must carry out all steps of system adaptation (customizing) on top of the standard itself. The user acceptance test (UAT) must always be performed by the pharmaceutical company itself and cannot be transferred to the CSP. Of course, system test documents created by the CSP that are available can be used for this purpose.

Specifically developed MES applications (Manufacturing Execution System), where the "standard" made available by the provider is only a small part of the system, are of course excluded from this procedure.
Some providers already demonstrate a clear overview of who provides which validation documents on their homepage. Nevertheless, it makes sense to clearly define in the SLA (Service Level Agreement) which documents will be provided by the CSP in case of health authority inspections and which costs will be charged by the CSP. It is quite common for CSPs to charge the usual daily rates for the provision of personnel "on duty" during an authority inspection, even though no questions were addressed to the CSP.

Find more Q&As on the topic "Cloud Computing" which have been answered by the expert team.

The Experts

Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Formerly Local GMP Inspectorate / Regierungspräsidium Tübingen
Oliver Herrmann; Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, Formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspecorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart