Cloud Computing: Multi-tenant provisions of SAAS and Change Control
Recommendation
26-29 November 2024
The trend in the pharmaceutical industry is also moving towards cloud computing. Financial but also organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions should also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:
- Basics of Cloud Computing Technology
- Regulations and Expectations of Inspectors
- Customer-Supplier-Relationship
- Requirements for Cloud Service Providers (CSP)
- Requirements for Supplier Evaluation and Supplier Audits
- Requirements for Qualification / Validation
The following question is one of a series of questions that we will publish in further GMP News articles on this site in the coming weeks.
Question 9: The multi-tenant provision of SAAS is accompanied by a source code basis for all customers. This implies that all customers must have the same software version irrespective of whether or not a customer accepts a certain change. Is this compatible with GxP? Topic: Basics of Cloud Computing Technology
A regulated company strives to avoid extensive and risky changes of an application that might potentially challenge the validated and compliant state of a system. This is even more the case if the changes have no or only a minor benefit for the regulated company but may cause additional validation effort.
However, the relevant SaaS changes formally do not constitute a violation of GxP. Otherwise, it would not be allowed to update any operating system if the update introduces a new but unused function. It is required that corresponding measures (impact analysis, risk assessment, further test and documentation activities, if appropriate) are performed to maintain the validated state, as for any other change. Since these measures are also required for ordered / deliberate changes the procedure must be described in the SOPs or in the validation protocol, anyway. Hence, it makes sense to contractually ensure the timely provision of the corresponding information with the CSP (cloud service provider) (see also question 8).
Find more Q&As on the topic "Cloud Computing" which have been answered by the expert team.
The Experts
Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Formerly Local GMP Inspectorate / Regierungspräsidium Tübingen
Oliver Herrmann; Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, Formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspecorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart