Cloud Computing: Regulations for the Return Transmission of Data in the Event of Business Discontinuation

Recommendation

22-24 May 2024
Copenhagen, Denmark

IT / OT Infrastructure Qualification and Operation in a GMP Environment

The trend towards cloud computing means that a large amount of data is stored by cloud providers. Now, how do you get your complete data if the cloud service provider goes out of business or gets insolvent?

What do Regulations demand and how can they be implemented?

Both the German AMWHV and the EU GMP guidelines consider the responsibility to lie with the RU (Regulated User). The AMWHV focuses on the retension of documentation, i.e. the availability of GxP-critical data. According to § 20 AMWHV, the pharmaceutical manufacturer must take precautions to ensure that the documentation is kept available for the entire storage period in the event of closure of the manufacturing or testing site where the documentation is stored in accordance with sentence 1.

The EU GMP guidelines focus on the business process and thus on the GxP-critical application and data. According to Annex 11 of the EU GMP Guideline, Chapter 16 - "Continuity of business operations" - precautions should be taken to ensure the continuous support of these processes in the event of a system failure (e.g. by a manual or alternative system), if computerised systems support critical processes. The time required to put these alternative processes into operation should be determined on a risk-based assessment for a particular system and the processes supported. These procedures should be adequately documented and tested.

This task/obligation could be included in the service contract with the CSP (Cloud Service Provider) by obliging the CSP to ensure the availability of data and, if necessary, application via an additional subcontractor. However, the RU should evaluate within the scope of a risk assessment whether it would not be reasonable to keep a backup site on premise.