Cloud Computing: QMS of the Cloud Service Provider (CSP)

The trend in the pharmaceutical industry is also moving towards cloud computing. Financial but also organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions should also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:

• Basics of Cloud Computing Technology
• Regulations and Expectations of Inspectors
• Customer-Supplier-Relationship
• Requirements for Cloud Service Providers (CSP)
• Requirements for Supplier Evaluation and Supplier Audits
• Requirements for Qualification / Validation

The following question is one of a series of questions that we will publish in further GMP News articles on this site in the coming weeks.

Question 7: Can we assume that if there is an appropriate QMS implemented and if the CSP acts in compliance with this QMS (as a result of an audit), the service provided functions in accordance with the specification and the operational controls are carried as described in the CSP's internal procedures? Requirements for Supplier Evaluation and Supplier Audits

 In accordance with Annex 11 the use of computerised systems may not result in a decrease in quality assurance. The assessment of a service provider includes the evaluation of its quality assurance system. In addition to this initial assessment Chapter 7 requires the RU (regulated user) to continuously monitor the service provider by means of the supervision of KPIs.

In the case of an applied and appropriate QMS it can be assumed that operative controls defined in the QMS will be carried out and that results not compliant with the specifications will be addressed within the meaning of deviations / OOS.

The RU (Regulated User) is nevertheless required to continuously evaluate compliance when implementing the QMS. Chapter 7 of the EU Guidelines to Good Manufacturing Practice specifies: "The Contract Giver is ultimately responsible to ensure processes are in place to assure the control of outsourced activities." Type and extent can be defined on the basis of risk, and they are influenced by the experiences from the continuous monitoring of the service provider.

Find more Q&As on the topic "Cloud Computing" which have been answered by the expert team.

The Experts

Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Formerly Local GMP Inspectorate / Regierungspräsidium Tübingen
Oliver Herrmann; Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, Formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspecorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart