23-26 April 2024
The trend in the pharmaceutical industry is also moving towards cloud computing. Financial but also organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions should also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:
In addition to commercial reasons, which will not be discussed further here in the context of GxP-regulated applications, practical reasons often play a role in the choice of a cloud model. In particular, smaller companies with correspondingly limited IT resources tend to use a cloud service which they would not be able to provide with their own resources. This may be because they do not have the personnel resources to offer all the topics required, or because they simply do not have the necessary expertise (process-related, technical, data security).
In the GCP area, the special conditions prevailing there also promote the use of cloud services for very practical reasons: Clinical trials are shared with many parties (hospitals, physicians, CMOs, sponsors), usually worldwide. In addition, the composition of the parties involved is not a fixed group, but is subject to change. Cloud services, with their universal accessibility via the Internet, support this way of working and are designed for 24x7 operation due to their international orientation.
Another factor to be considered, especially when choosing cloud services, is the security requirements of the GxP process supported by the system. In Annex 11, the pharmaceutical company is explicitly requested to align the required security measures with the risk (EU GMP Annex 11 [12.2]: "The extent of security controls depends on the criticality of the computerised system)".
This may mean that particularly sensitive data should often not be processed in a public cloud for reasons of GxP data integrity. A decision of this kind requires the cooperation of all specialist disciplines (IT, Process Owner, QA) in order to achieve a well-considered, technically justified risk assessment. This requires in-depth IT expertise in particular, since the topic of "data security" can be very complex (nesting of cloud services, redundancies across multiple data centers, authentication providers used, ...) and is subject to permanent change.
If the business process to be supported by a computer-based system places high demands on the availability of data and functions, this can have a direct influence on the suitability of cloud-based services:
Especially in the GCP area, data protection requirements (e.g., for personal data in clinical trials) play an essential role. Data protection thus determines whether the desired cloud service is even considered and, if so, in which country the data centers used must be located.
Even if this is not based on GxP requirements, high demands on the confidentiality of sensitive data (e.g., data from clinical research or product development) can also determine whether a cloud service is even considered or with what restrictions.
Find more Q&As on the topic "Cloud Computing" which have been answered by the expert team.
Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Formerly Local GMP Inspectorate / Regierungspräsidium Tübingen
Oliver Herrmann; Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, Formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspecorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart