Cloud Computing: Content of a SLA/Contract with a XaaS Provider
Recommendation
27-29 November 2024
The trend in the pharmaceutical industry is also moving towards cloud computing. Financial but also organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions should also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:
- Basics of Cloud Computing Technology
- Regulations and Expectations of Inspectors
- Customer-Supplier-Relationship
- Requirements for Cloud Service Providers (CSP)
- Requirements for Supplier Evaluation and Supplier Audits
- Requirements for Qualification / Validation
The following question is one of a series of questions that we will publish in further GMP News articles on this site in the coming weeks.
Question 20: What shoud be the content of a SLA / contract with a XaaS provider? - Customer-Supplier-Relationship.
In order to work with a cloud service provider, it is absolutely necessary to conclude a service level agreement that defines the details of the service to be provided. It is advisable to separate the commercial supply part oft he contract, which contains the monetary conditions, from the pharmaceutical or IT sections. Unless all services with the associated costs are contractually agreed from the outset, they will later be invoiced separately by the CSP and usually at a very high price.
When reviewing draft contracts provided by the CSP, it should be noted that often only general wordings of key performance indicators (KPIs) are included, which do not provide enough certainty to the pharmaceutical company in the event of any disputes. It is therefore absolutely necessary to deal with the details of the KPIs in order to work out suitable wording.
An SLA should contain at least the following elements:
- Description of the Service to be delivered
- Contact Details and Escalation procedure
- Scope of the agreement with start, end and review dates
- CSP Duties and Responsibilities
- Key Performance Indicators (details of KPIs)
- Responsibilities of the customer
- Service Level (Platin/Gold/Silver/Bronze) Targets e.g.
- Service hours
- Service Availability
- Response and resolution times
- RTO / RPO - Service Reporting and Review
- Audit provisions (e.g. every 2nd year)
- Support in case of HA inspections at customer
- Security, Data Privacy and Confidential Information
- Legal Compliance and Resolution of Disputes
- Termination
The most important criterion for using a CSP is the continuous availability of the system and an immediate response in the event of interruptions; for this purpose, RTO (Recovery Time Objective) and RPO (Recovery Point Objective) should be clearly defined. The reaction time after system failures, which are logged as "incidents" or "deviations", should ideally be clearly defined in tabular form. It is essential to determine one's own criticality and relevance (P1-P4) with the corresponding response times, see example.
P1 = Emergency, P2 = High, P3 = Standard, P4 = Low, Resp. = Response
It is also advisable to set up regular conference calls with the CSP, for example weekly at the beginning of the collaboration, later monthly. It has proven to be a good idea to set up a so-called Joint Operations Committee, which a named contact person and deputy in the event of problems.
Find more Q&As on the topic "Cloud Computing" which have been answered by the expert team.
The Experts
Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Formerly Local GMP Inspectorate / Regierungspräsidium Tübingen
Oliver Herrmann; Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, Formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspecorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart