Questions and Answers to Cloud Computing in a GxP Environment - Part 4



The trend in the pharmaceutical industry is also moving towards cloud computing. Financial but also organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions should also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:

Basics of Cloud Computing Technology
Regulations and Expectations of Inspectors
Requirements for Cloud Service Providers (CSP)
Requirements for Supplier Evaluation and Supplier Audits
Requirements for Qualification / Validation

The experts:
Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Local GMP Inspectorate/Regierungspräsidium Tübingen
Oliver Herrmann, Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspectorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart

20. Customer-supplier relationship

What should be the content of an SLA/contract with an XaaS provider?

In order to work with a cloud service provider, it is absolutely necessary to conclude a service level agreement that defines the details of the service to be provided. It is advisable to separate the commercial supply part of the contract, which contains the monetary conditions, from the pharmaceutical or IT sections. Unless all services with the associated costs are contractually agreed upon from the outset, they will later be invoiced separately by the CSP, usually at a very high price.

When reviewing draft contracts provided by the CSP, it should be noted that often only general wordings of key performance indicators (KPIs) are included, which do not provide enough certainty to the pharmaceutical company in the event of any disputes. It is therefore absolutely necessary to deal with the details of the KPIs in order to work out suitable wording.

An SLA should contain at least the following elements:

  • Description of the Service to be delivered
  • Contact Details and Escalation procedure
  • Scope of the agreement with start, end and review dates
  • CSP Duties and Responsibilities
  • Key Performance Indicators (details of KPIs)
  • Responsibilities of the customer
  • Service Level (Platinum/Gold/Silver/Bronze) Targets, e.g.
    - Service hours
    - Service Availability
    - Response and resolution times
    - RTO / RPO
  • Service Reporting and Review
  • Audit provisions (e.g. every 2nd year)
  • Support in case of HA inspections at customer
  • Security, Data Privacy and Confidential Information
  • Legal Compliance and Resolution of Disputes
  • Termination

The most important criterion for using a CSP is the continuous availability of the system and an immediate response in the event of interruptions; for this purpose, RTO (Recovery Time Objective) and RPO (Recovery Point Objective) should be clearly defined. The reaction time after system failures, which are logged as "incidents" or "deviations", should ideally be clearly defined in tabular form. It is essential to determine one's own criticality and relevance classes (P1-P4) with the corresponding response times; see the example in Fig. 1.


It is also advisable to set up regular conference calls with the CSP, for example weekly at the beginning of the collaboration and later monthly. It has proven to be a good idea to set up a so-called Joint Operations Committee, which names a contact person and a deputy for the event of problems.

Fig. 1: P1 = Emergency, P2 = High, P3 = Standard, P4 = Low, Resp. = Response
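A priority table like the one in Fig. 1 only gives the "certainty in the event of disputes" asked for above if both parties measure response and resolution times the same way, including whether the clock runs outside service hours. The following is an added example, not code from the article or its authors: the targets, the Mon-Fri 08:00-18:00 service window and the sample tickets are constructed values, since the page does not reproduce the figure's numbers.

```python
from datetime import datetime, timedelta
# Assumed targets in minutes (constructed; Fig. 1's real values are not on the
# page). P1/P2 run 24x7; P3/P4 count only an assumed Mon-Fri 08:00-18:00 window.
PRIORITIES = {
    "P1": {"response": 15,  "resolution": 240,  "coverage": "24x7"},      # Emergency
    "P2": {"response": 60,  "resolution": 480,  "coverage": "24x7"},      # High
    "P3": {"response": 240, "resolution": 1800, "coverage": "business"},  # Standard
    "P4": {"response": 480, "resolution": 3000, "coverage": "business"},  # Low
}

def service_minutes(start, end, coverage):
    """Minutes between start and end that count against the SLA clock."""
    if coverage == "24x7":
        return (end - start).total_seconds() / 60
    total, t = 0.0, start
    while t < end:
        if t.weekday() < 5:  # Monday..Friday only
            lo = max(t, t.replace(hour=8, minute=0, second=0, microsecond=0))
            hi = min(end, t.replace(hour=18, minute=0, second=0, microsecond=0))
            total += max((hi - lo).total_seconds(), 0) / 60
        t = (t + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    return total

def evaluate(inc, as_of):
    """inc = (ticket, priority, opened, responded, resolved), the last two None
    while nobody has acted; open tickets are measured up to as_of so that an
    untouched ticket still surfaces. Returns (response_breached, resolution_breached)."""
    _, prio, opened, responded, resolved = inc
    p = PRIORITIES[prio]
    used_resp = service_minutes(opened, responded or as_of, p["coverage"])
    used_res = service_minutes(opened, resolved or as_of, p["coverage"])
    return used_resp > p["response"], used_res > p["resolution"]

def service_report(incidents, as_of):
    """Per priority: [tickets, response breaches, resolution breaches] for the service review."""
    rep = {k: [0, 0, 0] for k in PRIORITIES}
    for inc in incidents:
        r, s = evaluate(inc, as_of)
        rep[inc[1]] = [a + b for a, b in zip(rep[inc[1]], (1, int(r), int(s)))]
    return rep

# Constructed sample tickets; 2025-01-10 is a Friday, AS_OF is the following Tuesday noon.
D = datetime
SAMPLE = [
    ("INC-1", "P1", D(2025, 1, 10, 17, 0), D(2025, 1, 10, 17, 10), D(2025, 1, 10, 19, 30)),
    ("INC-2", "P1", D(2025, 1, 10, 17, 0), D(2025, 1, 10, 17, 40), D(2025, 1, 10, 20, 0)),
    ("INC-3", "P3", D(2025, 1, 10, 17, 0), D(2025, 1, 13, 9, 0), D(2025, 1, 13, 12, 0)),
    ("INC-4", "P4", D(2025, 1, 10, 17, 0), None, None),
]
AS_OF = D(2025, 1, 14, 12, 0)
```

INC-3 illustrates the service-hours question: raised Friday evening and answered Monday 09:00, it used 120 service minutes under the business window but 3840 under a 24x7 reading, which is exactly the kind of ambiguity a generically worded KPI leaves open.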

22. Requirements for supplier evaluation and supplier audits

The information on the Quality System and on audits concerning suppliers or developers of software and systems used should be available to inspectors on request. What happens if the CSP does not allow audits? What alternatives to an audit would be accepted?

If quality-related services are outsourced by the pharmaceutical company to third parties, the contractors must be assessed for their competence and suitability, and this assessment must be available in writing. This obligation also extends to service providers in the cloud area, where a summarized assessment might also have to be presented to the pharmaceutical inspector. Unfortunately, global cloud service providers (CSP) are often quite arrogant and do not accept audits, in particular if the pharmaceutical company is small.

An alternative is a postal audit, where a detailed questionnaire is sent to the CSP hoping that it will be returned completed. Answering such a list of questions is quite complicated for the CSP and takes a lot of time, provided that precise and complete answers to the individual questions are given. Once the completed questionnaire has been received, the individual elements are evaluated in a (short) summary, where the CSP is classified (e.g. approved, approved with restrictions, not approved) by the relevant department, with the involvement of quality assurance.

Furthermore, it is sometimes possible to clarify important questions during a short assessment in a telephone conversation with the quality manager of the CSP. The results are then summarized in a memo/statement which, together with other documents, allows at least a reliable and GMP compliant classification of the provider.


If the CSP is not prepared to make any compromises, documents available on the Internet must be used. Information proving that the CSP has worked in the GMP area and provided services to other pharmaceutical companies is particularly useful. In this context, reference could be made to the Microsoft Azure GxP Guidelines (White paper, July 2020), where the most relevant quality elements are outlined on around 100 pages. Amazon Web Services (AWS) also provides similar documents, but unfortunately only after the contract has been signed, which is too late for the classification. In this case, too, the reviewed documents must be evaluated in summary form to enable the classification of the CSP.

Table 1

23. Qualification/Validation Requirements

What validation documents are required for a SaaS application? Who provides which documents?

The providers of cloud-based GxP applications (SaaS) often state in their advertising promises that the pharmaceutical company can completely eliminate the costly and time-consuming validation activities. This statement is only partially correct, as the regulated company is left with a whole range of validation activities that the service provider cannot take over, or that must be carried out by both parties.

In principle, there are three options for validation.

Scenario 1: Full trust in the provider 
As long as the cloud provider has established a good relationship of trust with the customer, is audited regularly without major complaints/observations and allows insight into all activities, the pharmaceutical company can limit itself to testing the critical functions in the user acceptance test (UAT). The prerequisite is a carefully conducted functional risk analysis to determine the critical functions of the application.

Scenario 2: Partial trust in the provider
In many cases, there is only a short contractual relationship between the customer and the cloud service provider, and the audit may have identified major but non-critical issues/complaints and not all processes were disclosed to the customer. Here, a complete user acceptance test should be carried out by the customer with each release.

Scenario 3: "Be on the safe side" 
This costly option is very common in the conservative pharmaceutical industry, as people do not want to take any risks in the event of regulatory inspections. The pharmaceutical company carries out a complete validation with each release, including extensive documentation requiring considerable resources.

The table on the next page outlines which validation documents are to be provided by the customer or by the service provider.

24. Basics of cloud computing technology

If the pharmaceutical user has data in the cloud, what type of system is it? Is this an open or closed system according to CFR Part 11?

This is easy to answer using the definition below, even if it is an "on-premise" application: "It is an open system". The cloud provider carries out the compliance checks. The pharmaceutical company can only introduce the corresponding controls via contracts and check them via audits. Therefore, direct control is not possible!

Definition Part 11 § 11.3:

  • (a) The definitions and interpretations of terms contained in section 201 of the act apply to those terms when used in this part.
  • (b) The following definitions of terms also apply to this part:
    - (4) Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
    - (9) Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.

25. Customer-supplier relationship

What documents are required for the Pharmaceutical Entrepreneur to plan for a smooth migration to the cloud?

Ten years ago, the conservative pharmaceutical industry rejected the use of cloud technology in the GxP sector due to major concerns about the security and confidentiality of the data. The use of cloud-based applications (SaaS) and infrastructure (IaaS) is now common practice, i.e. more and more systems are being migrated accordingly. In order to ensure that such a migration is structured and to avoid errors, it is advisable for the pharmaceutical company to define the migration process in an SOP that describes roles, responsibilities and procedures. First, it is necessary to clearly outline the migration project, with clear definitions of the pros and cons of the cloud. The project manager (process owner) should submit the requirements developed by the team (requirement specification, request for proposal, RfP) to the possible service providers in order to obtain appropriate offers, including ongoing expenses and license costs.

After the elimination of the non-eligible providers, a so-called "short list" is drawn up from the offers, which forms a basis for further planning. The top candidates on the list are first compared by means of a questionnaire and, if necessary, inspected on-site (pre-audit). From these, the most interesting companies (approx. 1-3) are selected, and an on-site audit is carried out to qualify the service provider.

This results in the "ideal" contractual partner with whom a contract could be concluded. Particular emphasis should be placed on the Quality Agreement (also called: Statement of Work) attached to the contract, where at least the following points are to be defined:

  • Roles & Responsibilities
  • Quality System Requirements
  • Audits and Regulatory Inspection Support
  • Personnel and Training
  • Change Management
  • SDLC Methodology details
  • Non-Conformance and CAPA
  • Data Governance / Data Privacy
  • Security / Encryption
  • Validation Deliverables
  • RTO / RPO

The final migration to the cloud should be preceded by an intensive pilot phase, during which future users have the opportunity to test the application (SaaS) and identify weak areas on the basis of the user requirements and their practical experience. When planning the migration, the pharmaceutical company should consider whether company-specific customization makes sense and is really needed, as it will be a significant cost factor for all later versions (releases). In such cases, the standard validation documents from the service provider may not suffice, and extensive, time-consuming work may be required. If extensive customization cannot be avoided, a locally installed application may be preferable.


About the Author
Dr Andreas Mangel organises and conducts courses and conferences for the ECA Academy in the areas of sterile production and computer validation.

