Pharma Cloud Adoption
… and Qualification Trends
Our Cloud Experience
• Numerous implementations of EDMS systems with external hosting for smaller life science clients
• Development of qualification strategy for tier-1 pharma company for potentially GxP critical solution based on Amazon (SaaS)
• Development of qualification strategy for tier-1 pharma company for MS Office 365 implementation (PaaS)
• Development of qualification strategy for tier-1 pharma company for MS Azure (IaaS)
‘Going Cloud’
A number of challenges need to be addressed by regulated life science companies:
• Which Cloud model do I choose (IaaS, PaaS, SaaS)?
• How do I set forth a validation strategy?
• Can I rely on vendor processes and procedures?
• Has anyone else done it before?
• What do inspectors say?
• Where to get guidance on cloud validation?
• Data Security and Data Privacy
Responsibility
The responsibility does not disappear when you outsource…
“The regulated company remains responsible for the regulatory compliance of their IT operations regardless of whether they choose to outsource/offshore some or their entire IT Infrastructure processes to external service provider(s). Compliance oversight and approvals cannot be delegated to the outsource partner”.
GAMP Good Practice Guide: IT Infrastructure Control and Compliance. Appendix 8: Outsourcing
What is Cloud?
NIST – National Institute of Standards and Technology
The NIST Definition of Cloud Computing – 2011
Regulatory Considerations
• Overall regulatory requirements are, in reality, the same as for on-premise IT systems
• We are responsible for everything in the cloud, including infrastructure
• We need to adopt the vendor’s processes and procedures, and we need to defend these during audits
– Overall Risk Assessments required
– Adoption of vendor documentation required
– Potential gaps need to be filled
QMS and Cloud
How do we adjust the QMS to include Cloud and how do we overcome the challenge of inexperienced inspectors?
• Accept your regulatory responsibility for everything in the cloud and the infrastructure of the cloud
• Align QMS with approach for Cloud validation, so known approach for a ‘normal’ validation is linked to approach for cloud
• The inspector will understand the approach better, since it is directly comparable to on-premise systems
Overall Process
Compliance Approach
Specifications
• Requirement Specification
– Gather requirements according to standard company process
• Technical Specification
– Describing technical interfaces to the solution, technical requirements etc.
– Describing interfaces (e.g. Active Directory set-up) etc.
– On-premise interfaces
– Encryption Solution
Assessments
• Use a Cloud Navigation Tool for assessing ‘cloud suitability’:
– GxP, 21 CFR Part 11 and business criticality
– Data Classification
– Security
– Risk
– Level of control required?
– Where can data be stored?
– Encryption required?
Service and Deployment
The Service and Deployment Model must be chosen.
Evaluate, based on the assessments, which Service and Deployment Model best fits the requirements and assessments:
– IaaS, PaaS, SaaS?
– Type of Cloud?
Service Provider
The Supplier must be assessed
• Perform an audit of the Service Provider in order to assess the level of quality and controls
– Capability as software vendor
– Capability as service provider
• If not possible, make an assessment of material provided by the supplier, certifications and 3rd party reports – and take this into account in the risk assessment and qualification strategy.
• SOPs (Standard Operating Procedures) from the Service Provider
Contracts and SLA’s
• The contract and especially the Service Level Agreement must reflect the requirements for a GxP solution and a sufficient level of control
• Note that some major Service Providers only offer a standard SLA. This may require additional controls
• All services delivered from the Service Provider must be evaluated against both business and GxP requirements.
• Where it is evaluated that the level of control is insufficient, the customer must either request extra controls from the Service Provider or establish own control mechanisms.
Cloud Control
• Identify relevant controls for the chosen service using a ‘Cloud Control Matrix’
• The matrix lists company requirements for e.g. Change Control.
• These are compared to the service provided and control objectives, and gaps are identified.
• Gaps are filled with revised SLAs, internal procedures and controls
Infrastructure Controls
Control Objectives
• Changes
– Regular reviews of Change Log
– Monitor changes in production environment
– Follow-up on release plan from supplier
– Test documentation
– Training records
• User Access
– Periodic User Access Review
• Security
– Yearly Penetration testing
– Yearly review of SSAE16 SOC1 Type 2 Audit Report
– Periodic review of Certifications and Accreditations from Service Provider
– Review of Configuration Item List
Annual Control Wheel
(Content of the wheel diagram, grouped by review cadence and by who performs the control)
Yearly
Customer
• Periodic Review of Technical Accounts
Service Provider
• Disaster Recovery Test
• Penetration Testing
• SSAE16 SOC 1 Type 2 Audit Report
Monthly
Customer
• Revocation of User Accounts and Shared Accounts
Service Provider
• Back-up Report
• Monthly Update (summary of updates and patches, incidents)
Quarterly
Customer
• Periodic Review of Administrator Accounts
• Periodic review of User Accounts
• Periodic review of Shared Accounts
Service Provider
• Evaluate the security of one site against recognized standards
• Audit one site for adherence to best practice for high performance + performance assessment report
Daily/weekly
Customer
• XX
Service Provider
• YY
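The Cloud Control Matrix comparison (company control requirements against what the service provides, with gaps closed by a revised SLA or an internal control) and the review cadences of the control wheel, worked as an added example that is not part of the original deck. The control names, cadence limits, the provider's standard-SLA offer and the execution log are constructed assumptions; a real matrix would be built from the QMS, the SLA and the SOC 1 report.

```python
from dataclasses import dataclass
from datetime import date

# Added example, not from the deck. Cadences of the control wheel expressed
# as the maximum number of days allowed between two executions (assumption).
CADENCE_DAYS = {"weekly": 7, "monthly": 31, "quarterly": 92, "yearly": 366}

@dataclass(frozen=True)
class Control:
    name: str      # company control requirement (one matrix row)
    cadence: str   # key of CADENCE_DAYS
    owner: str     # "customer" or "provider"

# Constructed matrix rows; a real matrix is built from the QMS and the SLA.
REQUIRED = [
    Control("change log review", "monthly", "provider"),
    Control("user access review", "quarterly", "customer"),
    Control("penetration test", "yearly", "provider"),
    Control("backup report", "monthly", "provider"),
    Control("disaster recovery test", "yearly", "provider"),
]

def find_gaps(required, provider_offers):
    """Compare provider-owned requirements with the cadence the standard SLA
    offers (name -> cadence). Weaker cadence -> revise the SLA; not offered
    at all -> establish an internal control. Returns [(name, action), ...]."""
    gaps = []
    for c in required:
        if c.owner != "provider":
            continue          # customer-owned controls are not SLA gaps
        offered = provider_offers.get(c.name)
        if offered is None:
            gaps.append((c.name, "establish internal control"))
        elif CADENCE_DAYS[offered] > CADENCE_DAYS[c.cadence]:
            gaps.append((c.name, "revise SLA"))
    return gaps

def overdue(required, executed, today):
    """Names of controls whose last execution (ISO date; missing = never) is
    older than the cadence allows: the periodic check behind the wheel."""
    now = date.fromisoformat(today)
    late = []
    for c in required:
        last = executed.get(c.name)
        if last is None or (now - date.fromisoformat(last)).days > CADENCE_DAYS[c.cadence]:
            late.append(c.name)
    return late
```

Call `find_gaps(REQUIRED, offer)` with the provider's standard-SLA cadences during the service assessment, and `overdue(REQUIRED, log, today)` on a schedule to flag wheel reviews that have not been executed in time.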
First Steps
1. Create a Cloud Governance policy to establish a standardized and effective approach to the selection, integration, ongoing management and subsequent decommissioning of cloud based IT services (System Life Cycle)
2. Establish a Cloud Navigation Tool – is cloud a suitable solution? Which type of cloud? Do the service provider and the service fit?
3. Establish a Cloud Control Matrix with all requirements for controls. Evaluate the services delivered against internal control requirements. Fill in the blanks by updating the SLA, creating internal controls etc.
Extra Material
Cloud Controls
Ensure that all processes are controlled either by the Service Provider, the company or both.
Implementation
Develop a Qualification Plan:
• Identified gaps from the Service assessment are documented in internal procedures and listed in a Qualification Plan
• Summary of Service Provider assessment
• Conclusion on risk assessment
Verification
A Qualification must be executed, including:
• Testing of technical specifications
• Test and verification of requirements
• Checklist for verification of additional controls that are not provided by the Service Provider
• Test and verification of internal company controls