Regulators agree that you can outsource services, but they insist that you cannot outsource your GXP responsibility. (p. 160)

 

The quality and integrity of electronic information submitted to the FDA for regulatory purposes is expected to be of a high standard. Sponsors are expected to have documented evidence to support their high standard status. This can be difficult to do if ongoing IQ reports are not negotiated into the cloud vendor’s service contract.

Without specified contractual support, cloud platforms become a black box with no transparency or documented control of the infrastructure for the regulated customer. Changes can be made to any component at any time without notification to the users and there is no reporting of cumulative changes over time, which could impact the need for regression testing in the user’s Performance Qualification (PQ) package.

Some cloud suppliers do keep their cloud cluster servers for regulated clients in a sequestered area within the data center, and auditors do not have access to view the conditions therein. Frequently, there are no Standard Procedures for management of the regulated platforms, and the supplier does not train Network Operating Center (NOC) personnel on the relevance of Part 11 and Annex 11 regulations to such platforms. General Disaster Recovery Plans will focus on recovery of the data center as a whole without special protections for the regulated platforms.

It is important that a pre-contract/pre-purchase audit be performed by IT and QA to check for all the IQ Package needs of the regulated applications expected to use the Cloud infrastructure. To do this, a Platform Requirements Specification (PRS) is needed to support the audit process. Are there IVR telephony needs, global data constraints, or metadata deduplication/data integrity concerns? What about long term data retention in an electronic archive system?

Special clearance may be required to allow a full audit instead of the technology flash facility tour. Otherwise you won’t get to view standard procedures, training records, change control logs, Disaster Recovery test records, and security reports. A close examination of the customer services process for documenting and resolving customer reported issues and concerns is needed.

For smaller, local vendors, you may have to be prepared to provide Part 11/Annex 11 training to the vendor’s staff so that they understand the business context in which your applications work and how their actions could cause problems for compliance. In addition, they can be shown how your own IT department has addressed the IQ package needs, how that relates to their environment, and how it relates to the monthly or quarterly IQ report you expect to receive from them under your negotiated service level agreement (SLA).

 

Next Month: Installation Qualification (IQ) Package – Service Level Agreements (SLAs)
