45. Cloud Validation – EMA GMP Annex 11 Challenge for PaaS

Regulators agree that you can outsource services, but they insist that you cannot outsource your GXP responsibility. (p. 160)


Cloud technology for Platform as a Service (PaaS) is being engaged to provide software vendors with a cost-effective product development environment. This lets them concentrate on their primary business, which is producing software applications for clients. It outsources the non-proprietary application SDLC platform to a data center vendor.

When applications are being written for GXP regulated markets, developers must implement and document installation qualification (IQ), quality control testing, and change control practices for their SDLC platform and their GXP application product. That means that evidence of IQ of their platform and OQ of their product must continue to be documented and available for customer audit and regulator inspection purposes. Maintaining documented IQ control of PaaS installations requires careful contract negotiations and ongoing audits with the PaaS vendor.

The FDA’s counterpart in Europe, the European Medicines Agency (EMA), has more about IT department and software development controls in its GMP Annex 11 regulation than the FDA does in its Part 11.

Annex 11 Principle: This annex applies to all forms of computerized systems used as part of GMP regulated activities…The application should be validated; IT infrastructure should be qualified…

1. Risk Management should be applied throughout the lifecycle of the computerized system taking into account patient safety, data integrity, and product quality…

3. Suppliers and service providers
3.1 When third parties (e.g. suppliers, service suppliers) are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify, or retain a computerized system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party. IT departments should be considered analogous.
3.4 Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request.

4. Validation
4.5 The regulated user shall take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately.
4.7 Evidence of appropriate test methods and test scenarios should be demonstrated…Automated testing tools and test environments should have documented assessments for adequacy.

This excerpt from Annex 11 makes it quite clear that GXP responsibility remains with the end user even when the work is executed in an outsourced way. Contracts, audits, and ongoing change control monitoring allow users to maintain management control of the quality of data in outsourced activities.


Next Month: Cloud Validation – End User Validation Challenge for SaaS
