Cloud Computing in a GxP Environment - Challenges and Solutions
Including Workshops on Cloud Computing, Risk Assessment and Audit of a Cloud Provider
11-13 February 2026, Hamburg, Germany
Course No. 22436
Speakers
Dr Wolfgang Schumacher
formerly F. Hoffmann-La Roche
Michael Wegmann
F. Hoffmann-La Roche
Dr Arno Terhechte
GMP inspectorate / Bezirksregierung Münster
Robert Gärtner
Veeva Systems
Note: All times mentioned are CET.
Target Group
The ECA Training Course is aimed at employees who are entrusted with the planning and implementation of “cloud” projects in the GxP environment. The event also offers support for decision-making, whether cloud services are available as an alternative in the GxP environment.
Objectives
Get to know the different types of Cloud Computing, their technical basics and their validation approaches.
What are the pharmaceutical authorities’ requirements with regard to Cloud Computing and what regulations have to be observed? An inspector will present his perspective to these questions and the experience gained so far in audits and will further cover critical points.
You can assess the use of Cloud Computing from the perspective of IT security and data protection rules, and based on that you can formulate requirements for cloud service providers.
You can evaluate the opportunities and risks of cloud computing in the GxP Environment.
Background
As well as in other sectors, the use of Cloud Computing is discussed in the pharmaceutical industry. For commercial reasons there is a lot speaking for the use.
However, is Cloud Computing an acceptable way in a GxP environment of the pharmaceutical industry? And, if yes, what has to be observed from the point of view of IT and quality assurance, as well as from the perspective of a pharmaceutical inspector?
From the points of view of the user and the pharmaceutical inspector this event gives you an overview of the current state of the technical possibilities. The speakers evaluate opportunities and risks of the use of Cloud Computing in the GxP environment and make recommendations for the pharmaceutical practice.
Programme
Regulatory Background – Important Issues to consider from the Point of View of an Inspector
Requirements for CSP (cloud service providers) resulting from Annex 11
To dos for regulated users with respect to chapter 7 of the EU GMP Guide
German Drug Law – does the German Drug Law or European Law effect the business of CSP; enforcement of corrective actions
Definition and Types of Cloud Computing
Service models: Private Cloud, Public Cloud, Community Cloud, Hybrid Cloud
In this workshop the participants will perform a risk assessment for a given cloud strategy. A practical exercise that helps to understand and get on top of the risks involved with cloud computing.
Inspections and Findings
European Framework to conduct inspections
Availability, data integrity and confidentiality of data
Possibility to perform inspections of CSP
State of the art defined by BSI, ENISA and NIST
Inspections: experiences and findings
Cloud Computing: IT Security
Examples of incidents
Strategic planning and preparation for going to cloud services
Security management and security architecture
Security certifications (e.g. ISO 27001) and what they really mean
Integration of cloud services with internal IT landscape
The Technology behind Multi-Tenant Cloud Services
Why Multi-tenancy
Typical service provided and their delivery processes
Technology and resource pools
Risk and opportunities
Compliance Requirements for the Cloud Infrastructure
Regulatory requirements
Qualification of the cloud
Validation of the cloud
Cloud Computing in a GxP Environment from a Service Provider Perspective
Cloud Computing in a GxP Environment from a Service Provider Perspective
Current adoption of Cloud Computing in GxP Areas
Expectations from a Customer perspective, pre-requisites on the Service Provider side
Shared operating model and handling of planned/unplanned Events
What information does a CSP need from the customer before signing a contract?
Transparency & Auditability of CSP operations, e.g., compliance of data storage
Future progression of partnering models
Contracts with Cloud Service Providers
Business & Technology Risks
Intellectual Property
Service Access / Service Quality KPIs
Data storage requirements
Inspection & audit Support
Example Contract/SLA
Lessons learned
Workshop: Audit of a Cloud Provider
Audit preparation based on risk-based approach
How to interpret audit results
How to manage various CSPs of SaaS solutions
Tips and tricks about the audit topics
GxP, Data Integrity, Best Practice: How to partner with your Cloud Provider
Understanding GxP Applicability based on intended use
Assessing risks that include GxP, but also broader (e.g., Data Integrity, Privacy, Security)
Applying intended use to applicable GxPs, regulatory guidance, etc. expectations
Effectively leveraging an FRA - What does it drive and where efforts should be focused by the Supplier and Life Science company?
Review Case Study with examples of risk assessment, validation, and associated deliverables. And, discussion on how to effectively leverage and supplement internal requirements
Cloud Computing: Data Protection
Data protection and privacy – legal requirements
Responsibilities of the cloud service provider
Responsibilities of the cloud customer
Impact of the EU Court of Justice Ruling (311/18 – “Schrems-II”) on the Use of Cloud Services
Data Classification
Responsibility and integration in the IT project management framework
Handling, processing, commissioned processing of data
Forced disclosure
Applicable regulations
Examples and lessons learned
Cloud Computing: Use Cases in a GxP Environment
Risk-based approach
Specific responsibilities of the cloud service provider
Specific responsibilities of the cloud customer
Separation of GxP vs. non GxP
Examples
How to validate a Cloud Process – Manage the Risks and stay in Compliance
URS / GxP/functional risk assessment
Validation planning and testing
Validation report
Change control, bug fixes, monitoring
Government Agencies and Cloud Computing
Objectives and capabilities of government agencies
How and where do they hook in
Internet surveillance and specific attacks
Industry espionage
Countermeasures and their limitations
Experiences With Outsourcing and Cloud Computing
QA involvement
Pain points
Cloud Computing: Pros and Cons
Opportunities and risks of cloud computing
Rationale for using cloud services
Rationale for not using cloud services
Conclusions and recommendations
Further Information
Venue Barceló Sants Hotel Plaça dels Països Catalans, s/n 08014 Barcelona, Spain Tel. +34 (93) 503 53 00 sants@barcelo.com
Accommodation CONCEPT HEIDELBERG has reserved a limited number of rooms in the conference hotel. You will receive a room reservation form/POG when you have registered for the course. Reservation should be made directly with the hotel. Early reservation is recommended.
Conference language The official conference language will be English.
Fees (per delegate, plus VAT) ECA Members € 2,290 APIC Members € 2,390 Non-ECA Members € 2,490 EU GMP Inspectorates € 1,245 The conference fee is payable in advance after receipt of invoice and includes conference documentation, Social event and dinner on the first day, lunch on day 1 and day 2, and all refreshments. VAT is reclaimable
Social Event On the evening of the first couse day, you are cordially invited to a social event. This is an excellent opportunity to share your experiences with colleagues from other companies in a relaxed atmosphere
Presentations/Certificate The presentations for this event will be available for you to download and print before and after the event. Please note that no printed materials will be handed out on site and that there will not be any opportunity to print the presentations on site.
Testimonials
