Past issues of PM QM have dealt with the topic of embedding a cloud-based solution in the pharmaceutical environment. Many questions have arisen, especially in this highly regulated industry, as to the appropriateness and compliance of a cloud-based approach. Common cloud models have been presented briefly and clearly. Special use cases were also highlighted. The following expert interview provides brief and compact insights into the view and thinking of an XaaS service provider (X as a service, where X can stand for one of the various cloud models), a pharmaceutical company as a customer, a cloud provider as a service provider, a representative of a German government agency, and, finally, an application provider.
Below are the three cloud models, the core terms, and the definitions of each.
The expert interview that follows provides answers to general questions that are equally important to all stakeholders. These questions are not exhaustive, and the answers provided by stakeholders are personal in nature, reflecting their professional experience and practice, and thus should not be considered a generally applicable standard. This article provides a basis around which all stakeholders involved in a cloud implementation process can build their own systems. The questions selected thus represent a consensus among the five authors and, in their opinion, are the most important to ask.
This article examines the storage of data on servers of external suppliers, but there are two fundamental aspects of the issue that must be distinguished.
On the one hand, storing data on servers of various providers yourself is already standard practice. However, the following article does not go into detail about what kind of data is involved specifically, but remains rather general given the complexity of the matter. The use of the term “GMP data” would complicate matters, and such an article would exceed the scope of the journal. Very few companies are likely to store their batch reports externally. With documents such as SOPs or guidance documents, however, we are already a bit further ahead today.
The second aspect, and probably the more interesting one, is the storage of data by third parties. It is perhaps a useful and transparent approach to use an example to explore the issue. Therefore, the topic in question is explained by an example: Data logger leasing – what happens to this data?
Based on this, the questions are easier to understand or answer, but should not be applied to all other areas.
We are all familiar with the “cloud.” It has become an indispensable part of everyday life in most places and makes our personal lives easier. The days of worrying about how to get data from point A to point B, so that someone else can access it too, are in the past. As already explained in the previous article, the cloud is being used increasingly in industrial applications. This is a good thing because in times of climate change, lean management and globalization, a “rethink” is needed. Faster, more efficient, and climate-friendly are just a few of the important keywords. Still, the adoption and application of cloud-based solutions is potentially difficult in many areas. There are many reasons for this, but above all, there are concerns about compliance with guidelines, laws and regulations, maintaining data integrity, data security, traceability, failsafe measures, etc. For this reason, all stakeholders in the supply chain, all the way up to the government agency, have come together to provide answers to the most important questions as a basic building block for this decision: Cloud, yes or no? If anything, the term cloud must be “avoided” here – technically, we are ultimately talking about a server and the relevant customer interface.
AT: I would like to use the term RU (“regulated user” which corresponds to the license holder HE, IE, ...) in this context. According to Section 10(2) of the German Ordinance for the Manufacture of Medicinal Products and Active Pharmaceutical Ingredients (Arzneimittel- und Wirkstoffherstellungsverordnung, AMWHV), the RU is responsible for ensuring that if records are made using electronic, photographic or other data processing systems, the system must be validated adequately. At a minimum, it must ensure that the data are available for the duration of the retention period, and can be readable within a reasonable timeframe. The stored data must be protected against loss and damage. In addition, the RU must comply with the European General Data Protection Regulation (GDPR). In particular, data that are not confidential and/or contain personal data are critical. This is relevant, for example, for clinical platforms or blood bank software deployed as SaaS using a cloud-based model. Territorial boundaries are, of course, irrelevant in cloud computing from a technical point of view. However, the place of processing is relevant for the applicable law.
When drafting agreements (SLA) with the CSP, the following aspects should be taken into account:
PO: Data ownership, i.e., the question as to who owns the data, must be clarified contractually in any case. When it comes to monitoring data, I think it is obvious that it belongs to the customer. However, additional questions may arise in the future. For example, whether the customer as data owner chooses to grant an anonymized right of use to the application provider, so that the latter can aggregate a heat map of the problem points in the global transport network based on the data of many customers. This would allow customers to benefit with regard to better planning of their transport routes. As already mentioned, having a clear contractual arrangement is important.
AT: The choice of the geographical storage location is relevant if you want to ensure that third parties cannot access the RU’s data under existing national laws (e.g., USA), and that the RU can thus avoid violating the GDPR. Another motivation is that the RU protects their intellectual property by specifying the location. The fact that the physical storage location is the only place where the data is stored and not, for example, at subcontractors in other geographic regions as backup or IaaS, should be stipulated in the SLA, and verified as part of the CSP qualification.
PO: The geographical storage location is critical for privacy and other legal reasons to prevent access by unwanted “authorities.” Meanwhile, in view of the increasing use of database clusters, the question of the specific server or hard disk should no longer matter, even for on-premise solutions.
AT: Based on the results of the data assessment, the criticality assessment of the application, and the business continuity assessment, a decision should be made as to whether outsourcing and, in particular, the use of a CSP is possible without compromising patients and/or the quality of the drug product. If outsourcing is agreed to, the deployment model should be chosen based on criticality. Private and community cloud models are preferable to the public cloud where confidential data is concerned. The way different tenants are demarcated, and separated from each other, depends on the deployment model, and is better in a private cloud than in a public cloud.
PO: Of course, such decisions must always be made on a risk basis. From a technical point of view, it could be argued that for GxP applications, secure control of access must be ensured at the user level, i.e., at a more granular level than between different organizations sharing an instance of a cloud application. Looked at in this way, from a data security and integrity perspective, the question of public or private cloud should not matter. But there will generally be differences in other important aspects, e.g., in determining when updates are to be applied. Here, private instances certainly offer advantages.
AT: According to Annex 11, competence and reliability of the supplier are key factors in the selection of a product or service provider. The need for an audit should be assessed in terms of risk. In other words, the higher the requirements to be met by the service and the deployment model, the more important it is to qualify and continuously monitor a CSP. Poor configuration of the infrastructure can lead to service failure, or data may be lost or compromised. Based on a risk assessment, a decision must be made as to whether an on-site audit is necessary. Certification can attest to compliance with security standards. Preference should be given to international standards that address the specific subject matter of the service: ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements, ISO/IEC 27017: Cloud Computing Security and Privacy Management System-Security Controls, ISO/IEC 27036-4: Guidelines for security of cloud services. In any case, the scope of the certificate should be assessed.
AT: If the outcome of the assessment shows that an on-site audit is required, then a CSP that does not allow it is not appropriate. At this point, reference should be made to the possibility of joint audits or shared audits.
BN: You also always have the option of requesting a joint audit from a cloud provider. This means that several companies/customers join forces, and jointly perform an audit that is valid and applicable to all. This reduces the workload on all sides, but at the same time provides good evidence of compliance with legal and customer requirements. This is currently being planned at Amazon Cloud Services in Munich, for example.
AT: The application must be validated, and the infrastructure qualified. The validation of the application is essentially the same as for an on-premise application. Annex 11 and GAMP®5 provide relevant guidance here. The challenge is the triad of CSP, RU, and software provider. Good communication and project management are required here.
The qualification of a dynamic infrastructure, which is also subject to very dynamic ongoing evolution, is the real challenge. Here, there are often weaknesses of the CSP in providing the “documented evidence” to the RU, which enables the RU to assume a qualified infrastructure.
PO: When it comes to validating GxP-relevant applications, such as those provided by ELPRO, there is no difference between cloud-based and on-premise solutions.
PO: Since the ownership rights of data are identical to those of other tangible objects, we believe that the same protection mechanisms can be used by analogy:
Data access to customer data by the cloud provider must be defined very clearly and set out contractually.
AT: According to Annex 11, physical and electronic measures should be taken to protect data from damage. The availability, readability, and accuracy of stored data should be checked. Access to data should be guaranteed throughout the retention period. In the view of the German Federal Office for Information Security (BSI), this can only be ensured by cryptographic procedures. I share that view.
PO: Encryption is the logical first starting point. In order to effectively rule out manipulation, blockchain-based solutions are also an option. However, the additional security is set against high computing efforts, and ultimately also the distributed data storage in blockchains. Still, we will see new solutions in this area in the future.
AT: If the storage location is critical, it will have to be defined as part of the SLA, and verified as part of the qualification process. This is not only critical to GxP, but also to business.
AT: It must be ensured for the RU that their data on all storage media and locations, as well as in all versions (e.g., various backup versions), are deleted when the business relationship is terminated, or if the RU requests this. This should be part of the SLA and qualification.
AT: Yes, at the very least, there should be a log file.
AT: Cloud Service Providers (CSPs) are not required to operate under GAMP®5 or 21CFR Part 11, but they must have an appropriate framework that complies with equivalent principles. If this framework is aligned with the principles of the EU GMP Guide and/or GAMP®5, it will be useful for the pharmaceutical industry.
AT: According to Annex 11, the IT infrastructure (IaaS, PaaS) should be qualified, and the application (SaaS) validated. Specifically related to data storage, this means that data must be protected from damage by physical and electronic measures and that the availability, readability, and accuracy of the stored data must be checked (see above). Access to data should be guaranteed throughout the retention period. The following are requirements for the quality of the CSP and the data integrity (for data in motion and at rest), which are not explicitly found in the EU GMP Guide, but are considered useful from the point of view of EFG 11:
What is the minimum documentation required from the provider? What is the scope of the qualification of the system? Degree of validation of the interfaces and functions.
AT: Basically, the same requirements apply to a CSP as to a regulated user. The following deficits are frequently observed:
There are many questions and concerns. Probably an almost infinite number. Nevertheless, we have summarized what we consider the most important questions with the appropriate answers from different perspectives. Ultimately, however, the responsibility falls to the customer, and thus, to the user of the cloud. The customer alone decides how and which path to take in order to face this issue well prepared. In the end, patient safety is, and remains, the most valuable asset to protect in the pharmaceutical sector. Software must work. Data must be available, tamper-proof, traceable, and must have its integrity protected. Signatures and authentication are equally important. Data are what make up our digital daily lives today: our virtual elixir of life. We each have to decide for ourselves who we can entrust with it. It is our hope that the answers provided here should and can help in decision-making. However, they are not, nor can they ever be, conclusive.
*only available in German | PQ MA issue 11/2020