44. Cloud Validation – FDA Part 11 Challenge for IaaS

Regulators agree that you can outsource services, but they insist that you cannot outsource your GXP responsibility. (p. 160)


Cloud technology for Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) must comply with US Food and Drug Administration (FDA) regulation 21 CFR Part 11, Electronic Records; Electronic Signatures. Referred to as “Part 11”, this is not a guidance document or a nice-to-have: it is regulation, it is US law, and it must be complied with by pharmaceutical, medical device, and biopharmaceutical organizations submitting product approval applications to the FDA.

The focus of Part 11 is providing evidence to ensure the protection, accuracy, integrity, and trustworthiness of electronic records and signatures related to health care product safety, efficacy, and quality. Consumer safety is the number one goal of the FDA, and it is critical that the product decision data companies submit to the FDA be trustworthy and accurate in describing all work performed to Good Practice regulation standards for human clinical trials (GCP), animal safety testing (GLP), and product manufacturing (GMP).

When using external data center vendors to outsource infrastructure expansion, it is still possible to retain Part 11 compliant control by using remote system configuration management tools. The vendor provides and manages all the physical and logical security, network, and telephony capabilities of their facility up to the boundary of your system cage or cabinet. Inside the cage or cabinet, however, you provide all your own servers and equipment, and you manage all accounts, access, and data on those systems. The vendor’s network operations center (NOC) does no work inside your system cabinet or cage. This allows you to maintain all your usual IT SOP practices for system account and data management, ongoing change control, and installation qualification (IQ).

You can run your own cloud remotely, with control independent of the rest of the data center’s cloud practices. You can purchase your disaster failover cage or cabinet in another subsidiary location of your vendor and be certain where your data is being backed up for Safe Harbor compliance. In this way you relieve yourself of the heavy lifting of maintaining a data center environment, while keeping management control of the close-in data environment.

Be cautious of any vendor who offers “hands off” Part 11 compliance for GXP cloud configurations. You will need a full on-site Part 11 compliance audit of the vendor to verify their understanding of Part 11, HIPAA, Safe Harbor, and EMA Annex 11, and whether these regulations have been implemented in their standard operating procedures (SOPs) and personnel training records. Most data centers are not very transparent on these topics and tend not to take them seriously unless they have a special market focus on FDA/EMA regulated clients. They can say the words, but follow-through with transparent evidential details is often not there. This results in missing installation qualification (IQ) evidence for regulated GXP cloud applications, or expensive cost overruns to obtain it. FDA holds the data owner responsible for protecting GXP data in validated systems that are installation qualified and kept in qualified status through operational activities and change control practices.


Next Month: Cloud Validation – EMA GMP Annex 11 Challenge for PaaS