Pharma Cloud Adoption … and Qualification Trends

Transcript of “… and Qualification Trends... Contracts and SLAs • The contract and especially the Service Level Agreement must reflect the requirements for a GxP solution and a sufficient level”

Page 1:

Pharma Cloud Adoption

… and Qualification Trends

Page 2:

Our Cloud Experience

• Numerous implementations of EDMS systems with external hosting for smaller life science clients
• Development of qualification strategy for a tier-1 pharma company for a potentially GxP-critical solution based on Amazon (SaaS)
• Development of qualification strategy for a tier-1 pharma company for an MS Office 365 implementation (PaaS)
• Development of qualification strategy for a tier-1 pharma company for MS Azure (IaaS)

Page 3:

‘Going Cloud’

A number of challenges need to be addressed by regulated life science companies:

• Which Cloud model do I choose (IaaS, PaaS, SaaS)?
• How do I set forth a validation strategy?
• Can I rely on vendor processes and procedures?
• Has anyone else done it before?
• What do inspectors say?
• Where do I get guidance on cloud validation?
• Data Security and Data Privacy

Page 4:

Responsibility

The responsibility does not disappear when you outsource…

“The regulated company remains responsible for the regulatory compliance of their IT operations regardless of whether they choose to outsource/offshore some or all of their IT Infrastructure processes to external service provider(s). Compliance oversight and approvals cannot be delegated to the outsource partner.”

GAMP Good Practice Guide: IT Infrastructure Control and Compliance, Appendix 8: Outsourcing

Page 5:

What is Cloud?

NIST – National Institute of Standards and Technology
The NIST Definition of Cloud Computing (SP 800-145, 2011)

Page 6:

Regulatory Considerations

• The overall regulatory requirements are, in reality, the same as for on-premise IT systems
• We are responsible for everything in the cloud, including the infrastructure
• We need to adopt the vendor’s processes and procedures, and we need to defend these during audits
  – Overall risk assessments required
  – Adoption of vendor documentation required
  – Potential gaps need to be filled

Page 7:

QMS and Cloud

How do we adjust the QMS to include Cloud and how do we overcome the challenge of inexperienced inspectors?

• Accept your regulatory responsibility for everything in the cloud, including the infrastructure of the cloud
• Align the QMS with the approach for Cloud validation, so that the known approach for a ‘normal’ validation is linked to the approach for cloud
• The inspector will understand the approach better, since it is directly comparable to on-premise systems

Page 8:

Overall Process

Page 9:

Compliance Approach

Page 10:

Specifications

• Requirement Specification
  – Gather requirements according to the standard company process
• Technical Specification
  – Describing technical interfaces to the solution, technical requirements etc.
  – Describing interfaces (e.g. Active Directory set-up) etc.
  – On-premise interfaces
  – Encryption solution

Page 11:

Assessments

• Use a Cloud Navigation Tool for assessing ‘cloud suitability’:
  – GxP, 21 CFR Part 11 and business criticality
  – Data classification
  – Security
  – Risk
  – Level of control required?
  – Where can data be stored?
  – Encryption required?

Page 12:

Service and Deployment

The Service and Deployment Model must be chosen.

Evaluate, based on the assessments, which Service and Deployment Model best fit the requirements and assessments:

– IaaS, PaaS, SaaS?
– Type of Cloud (public, private, community or hybrid deployment)?

Page 13:

Service Provider

The Supplier must be assessed:

• Perform an audit of the Service Provider in order to assess the level of quality and controls
  – Capability as software vendor
  – Capability as service provider
• If an audit is not possible, make an assessment of the material provided by the supplier, certifications and 3rd-party reports, and take this into account in the risk assessment and qualification strategy.
• SOPs (Standard Operating Procedures) from the Service Provider

Page 14:

Contracts and SLAs

• The contract and especially the Service Level Agreement must reflect the requirements for a GxP solution and a sufficient level of control

• Note that some major Service Providers only offer a standard SLA. This may require additional controls on the customer side.

• All services delivered from the Service Provider must be evaluated against both business and GxP requirements.

• Where it is evaluated that the level of control is insufficient, the customer must either request extra controls from the Service Provider or establish own control mechanisms.

Page 15:

Cloud Control

• Identify relevant controls for the chosen service using a ‘Cloud Control Matrix’
• The matrix lists company requirements for e.g. Change Control.
• These are compared to the service provided and its control objectives, and gaps are identified.
• Gaps are filled with revised SLAs, internal procedures and controls

Page 16:

Infrastructure Controls

Page 17:

Control Objectives

• Changes
  – Regular reviews of Change Log
  – Monitor changes in production environment
  – Follow-up on release plan from supplier
  – Test documentation
  – Training records
• User Access
  – Periodic User Access Review
• Security
  – Yearly penetration testing
  – Yearly review of SSAE 16 SOC 1 Type 2 audit report
  – Periodic review of certifications and accreditations from Service Provider
  – Review of Configuration Item List
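The “Periodic User Access Review” control above (and the customer-side account reviews and revocations on the control wheel that follows) is usually executed against an account export from the service’s admin console. The following is an added example, not part of the original deck or of any vendor’s tooling: the `Account` fields, the leaver list and the sample export are constructed for illustration, and the 90-day inactivity threshold is an assumption the company would set in its own procedure.

```python
"""Periodic user access review run by the customer over an account export.

The export format, field names and sample records are assumptions made for
this example, not a particular product's schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    name: str
    owner: Optional[str]                    # employee ID; None for shared/technical accounts
    kind: str                               # "user", "admin", "shared" or "technical"
    enabled: bool
    last_login: Optional[date]              # None = never used
    approved_until: Optional[date] = None   # documented approval, required for shared/technical accounts


def review_accounts(accounts, leavers, as_of, inactivity_days=90):
    """Classify every enabled account for the periodic review.

    revoke        -> account name -> reason; these go on the revocation list
    admin_review  -> enabled privileged accounts that the reviewer must re-confirm
    shared_review -> enabled shared/technical accounts whose approval is still valid
    """
    cutoff = as_of - timedelta(days=inactivity_days)
    findings = {"revoke": {}, "admin_review": [], "shared_review": []}
    for acct in accounts:
        if not acct.enabled:
            continue                                        # already revoked, nothing to review
        if acct.owner is not None and acct.owner in leavers:
            findings["revoke"][acct.name] = "owner has left the company"
        elif acct.last_login is None or acct.last_login < cutoff:
            findings["revoke"][acct.name] = f"no use in the last {inactivity_days} days"
        elif acct.kind in ("shared", "technical") and (
            acct.approved_until is None or acct.approved_until < as_of
        ):
            findings["revoke"][acct.name] = "no current approval for a non-personal account"
        elif acct.kind in ("shared", "technical"):
            findings["shared_review"].append(acct.name)
        elif acct.kind == "admin":
            findings["admin_review"].append(acct.name)
    return findings


# Constructed sample export and HR leaver list (assumptions, not real data).
AS_OF = date(2014, 6, 30)
LEAVERS = {"E1002"}
SAMPLE_EXPORT = [
    Account("j.smith", "E1001", "user", True, date(2014, 6, 28)),
    Account("a.jones", "E1002", "user", True, date(2014, 6, 29)),        # owner has left
    Account("b.lee", "E1003", "user", True, date(2014, 1, 15)),          # inactive
    Account("c.ng-adm", "E1004", "admin", True, date(2014, 6, 30)),
    Account("qc-lab-shared", None, "shared", True, date(2014, 6, 25), date(2014, 12, 31)),
    Account("svc-backup", None, "technical", True, date(2014, 6, 30), date(2014, 3, 31)),  # approval expired
    Account("old-contractor", "E1005", "user", False, date(2013, 11, 2)),  # already disabled
]


def run_sample_review():
    """Run the review over the constructed export as of AS_OF."""
    return review_accounts(SAMPLE_EXPORT, LEAVERS, AS_OF)


if __name__ == "__main__":
    result = run_sample_review()
    for name, reason in result["revoke"].items():
        print(f"REVOKE  {name:<16} {reason}")
    for name in result["admin_review"]:
        print(f"ADMIN   {name:<16} re-confirm privileged access")
    for name in result["shared_review"]:
        print(f"SHARED  {name:<16} re-confirm owner and approval")
```

The revocation list is what feeds the monthly “Revocation of User Accounts and Shared Accounts” step; the admin and shared lists are the input to the quarterly reviews, and a signed copy of the output is the evidence an inspector will ask for.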

Page 18:

Annual Control Wheel

Yearly
  Customer:
  • Periodic Review of Technical Accounts
  Service Provider:
  • Disaster Recovery Test
  • Penetration Testing
  • SSAE 16 SOC 1 Type 2 Audit Report

Quarterly
  Customer:
  • Periodic Review of Administrator Accounts
  • Periodic review of User Accounts
  • Periodic review of Shared Accounts
  Service Provider:
  • Evaluate the security of one site against recognized standards
  • Audit one site for adherence to best practice for high performance + performance assessment report

Monthly
  Customer:
  • Revocation of User Accounts and Shared Accounts
  Service Provider:
  • Back-up Report
  • Monthly Update (summary of updates and patches, incidents)

Daily/weekly
  Customer:
  • XX
  Service Provider:
  • YY

Page 19:

First Steps

1. Create a Cloud Governance policy to establish a standardized and effective approach to the selection, integration, ongoing management and subsequent decommissioning of cloud-based IT services (System Life Cycle)
2. Establish a Cloud Navigation Tool – is cloud a suitable solution? Which type of cloud? Do the service provider and the service fit?
3. Establish a Cloud Control Matrix with all requirements for controls. Evaluate the services delivered against internal control requirements. Fill in the blanks by updating the SLA, creating internal controls etc.

Page 20:

Extra Material

Page 21:

Cloud Controls

Ensure that all processes are controlled either by the Service Provider, the company or both.

Page 22:

Implementation

Develop a Qualification Plan:

• Identified gaps from the service assessment are documented in internal procedures and listed in the Qualification Plan
• Summary of the Service Provider assessment
• Conclusion of the risk assessment

Page 23:

Verification

A Qualification must be executed, including:

• Testing of technical specifications
• Test and verification of requirements
• Checklist for verification of the additional controls that are not provided by the Service Provider
• Test and verification of internal company controls