Cloud Computing: What happens if the CSP does not allow audits?

The trend in the pharmaceutical industry is also moving towards cloud computing. Financial but also organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions should also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:

• Basics of Cloud Computing Technology
• Regulations and Expectations of Inspectors
• Customer-Supplier-Relationship
• Requirements for Cloud Service Providers (CSP)
• Requirements for Supplier Evaluation and Supplier Audits
• Requirements for Qualification / Validation

The following question is one of a series of questions that we will publish in further GMP News articles on this site in the coming weeks.

Question 22: The information on the Quality System and on audits concerning suppliers or developers of software and systems used should be made available to inspectors on request. What happens if the CSP does not allow audits? What alternatives to an audit would be accepted? - Requirements for Supplier Evaluation and Supplier Audits

If quality-related services are outsourced by the pharmaceutical company to third parties, the contractors must be assessed for their competence and suitability; this assessment must be available in writing. Such obligation also extends to service providers in the cloud area, where a summarized assessment might also have to be presented to the pharmaceutical inspector. Unfortunately, global cloud service providers (CSP) are often quite arrogant and do not accept audits, in particular, if the pharmaceutical company is small.

An alternative is a postal audit, where a detailed questionnaire is sent to the CSP hoping that it will be returned completed. Answering such a list of questions is quite complicated for the CSP and takes a lot of time, provided that precise and complete answers to the individual questions are given. Once the completed questionnaire has been received, the individual elements are evaluated in a (short) summary, where the CSP is classified (e.g. approved, approved with restrictions, not approved) by the relevant department, with the involvement of quality assurance.

Furthermore, it is sometimes possible to clarify important questions during a short assessment in a telephone conversation with the quality manager of the CSP. Then they are summarized in a memo/statement, together with other documents, allowing at least a reliable and GMP compliant classification of the provider.

If the CSP is not prepared to make any compromises, documents available on the Internet must be used. Information proving that the CSP has worked in the GMP area and provided services to other pharmaceutical companies is particularly useful. In this context, reference could be made to the Microsoft Azure GxP Guidelines (White paper, July 2020), where the most relevant quality elements are outlined on around 100 pages. Amazon Web Services (AWS) is also providing similar single documents, but unfortunately only after the contract has been signed, which is too late for the classification. In this case, too, the reviewed documents must be evaluated in summary form to enable the classification of the CSP.

Find more Q&As on the topic "Cloud Computing" which have been answered by the expert team.

The Experts

Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Formerly Local GMP Inspectorate / Regierungspräsidium Tübingen
Oliver Herrmann; Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, Formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspecorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart