Cloud Computing: Which contents must be covered by the service provider's change control?

Recommendation

22-24 November 2023

Computerised System Validation: The GAMP 5 Approach - Live Online Training
Book together with the course "Computerised System Validation - Introduction to Risk Management" and save up to € 590,-

The trend in the pharmaceutical industry is also moving towards cloud computing. Financial but also organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions should also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:

• Basics of Cloud Computing Technology
• Regulations and Expectations of Inspectors
• Customer-Supplier-Relationship
• Requirements for Cloud Service Providers (CSP)
• Requirements for Supplier Evaluation and Supplier Audits
• Requirements for Qualification / Validation

The following question is one of a series of questions that we have been and also will be publishing in further GMP News articles on this site.

Question 8: Which contents must be covered by the service provider's change control and in which way must the contract giver be integrated into this system? Topic: Customer-Supplier-Relationship

Though the regulated company's responsibility for patient safety, product quality, and data integrity cannot be delegated to the cloud service provider (CSP), the CSP nevertheless plays an important role and takes over important tasks such as specification, verification, and documentation of changes (in addition to their implementation), be it at the infrastructure (IaaS), the platform (PaaS), or the application (SaaS) itself. One of the goals of the regulated company is maintaining the validated and compliant state of a system. This requires corresponding validation measures (impact analysis, risk assessment, and further test and documentation activities, if appropriate) that typically require knowledge regarding the changes carried out by or at the CSP.

Therefore, the following elements of a validation concept are recommended:

• The regulated company verifies whether the CSP has established a high-quality and compliant change control process (for instance by means of an audit).
• A service level agreement (SLA) ensures to obtain information (and documentation) on planned and required changes on time and to the extent necessary allowing the regulated company to perform a (risk) assessment and to plan the required measures, as appropriate.

Find more Q&As on the topic "Cloud Computing" which have been answered by the expert team.

The Experts

Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Formerly Local GMP Inspectorate / Regierungspräsidium Tübingen
Oliver Herrmann; Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, Formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspecorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart