Scribd Logo
Upload

Welcome to Scribd!

  • Cloud Infrastructure Regulations Compliance

    Uploaded by

    Dimitris Papamatthaiakis
    47 views4 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    47 views4 pages

    Cloud Infrastructure Regulations Compliance

    Uploaded by

    Dimitris Papamatthaiakis

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 4

    Cloud Infrastructure Compliance

    Basic Infrastructure Compliance Elements.


    Related with any computer hardware compliance, such as the cloud infrastructure, the US FDA CPG 7132a.11
    "Computerized Drug Processing; CGMP Applicability to Hardware and Software," provides how to connect
    computer hardware and the GMPs.
    CPG 7132a.11 confirms the correlation between the Current Good Manufacturing Practice (CGMP) regulations
    to the computer hardware and computer software. In the absence of a US FDA specific reference on a
    computer-related topic, the CGMP regulation provides the guideline to comply with the FDA.
    Cloud Service Provider.
    A cloud service provider1 is a company that offers some component of cloud computing, typically
    Infrastructure as a Service (IaaS), Software as a Service (SaaS) or Platform as a Service (PaaS), to other
    businesses or individuals.
    The enclosed sidebar provides a view
    of the typical models in cloud
    environments. In each model, the
    dark-colored portion relates the
    elements controlled by the cloud
    service provider.

    IaaS: A virtual data center


    environment including servers,
    databases, network, storage, and so
    on, hosted at the cloud service
    provider's facility.

    PaaS: A development environment for


    software application hosting by the
    cloud service provider who provides tools, programming codes, interface modules, and so on, that allows IT,
    professionals, to develop software applications and integrate them in the cloud infrastructure environment
    either hosted by the service provider or contracted to another provider.

    SaaS: Software application hosted by the cloud service provider to perform functions or processes. In this
    model, a regulated user uses a vendor's software application from a web browser or program interface. The
    regulated user does not manage or control the underlying cloud infrastructure; including the network, servers,
    operating systems, storage, or application capabilities; with the possible exception of application configuration
    settings.

    1
    Service provider - An organization supplying services to one or more internal or external customers. (ITIL Service Design,
    2011 Edition)

    1
    Cloud Infrastructure Compliance

    The regulated user must implement a Cloud Governance Policy to establish a standard and effective cloud SLC.
    This SLC contains your approach to the selection, integration, ongoing management and subsequent
    decommissioning of cloud-based services.

    The Cloud Governance Policy points to procedures and records that indicate how and on what basis (e.g., risk
    assessment and requirements) the cloud service provider is evaluated and selected (PIC/S PI-011-3-11.2), the
    tools for assessing fitness for purpose against predetermined requirements, specifications and anticipated
    risks, and periodic reviews to assess if the cloud service is maintained and operated following the specified
    requirements and quality agreement. How to add new services and how these services are developed,
    qualified/validated and deployed must be part of this evaluation.

    The evaluation may consist of technical capabilities, security-related evaluation and, procedural and technical
    control evaluations. Other critical evaluations are financial and contract.

    Specifically, applicable to security, the selection criteria to be considered for the capabilities of a cloud service
    provider are as follows2:

    Data Center Security


    • Hardware security
    • Software security
    • Web vulnerability scans and reports
    • Penetration testing

    E-records Protection & Compliance


    • E-records protection (encrypted)
    • Backup & Restore
    • Datacenter location
    • E-records ownership declarations

    Network Security
    • Connection security (encrypted)

    Reliability
    • Disaster recovery

    Trustworthiness
    • Auditing

    As part of the above evaluation, the cloud service E-records Integrity Governance is assessed.

    2
    ECA IT Compliance Working Group, "SOP - Selection Process for Cloud Service Providers," Rev 1.0, Draft.

    2
    Cloud Infrastructure Compliance

    The tools for assessing fitness for


    purpose against predetermined
    requirements can be a history report of
    previous deliveries or service
    provisions, transfer and assessment of
    questionnaires (postal audits) or
    supplier/vendor audits.

    The evaluation and audit reports


    should exist for review providing an
    understanding into the audit
    processes3.

    Cloud Infrastructure Regulations


    Compliance.
    • 21 Code of Federal Regulations (CFR) 211.25 establishes that the personnel involved in the installation,
    maintenance and management of the computer infrastructure must have the training and experience
    to perform the assigned functions.
    • 21 CFRs 211.42 and .63 establish the suitability of the design, construction, and performance of the
    computer infrastructure.
    • 21 CFR 211.68 establishes that there must be documented verification of the inputs and outputs (I/Os)
    for accuracy and that computer infrastructure must be qualified. In the EU Annex 11, the built-in
    checks (EU Annex 11 p5) are the correspondence to the 21 CFR 211.68.

    The following table lists a few sections in the cGMP regulations applicable to computer systems performing
    manufacturing-related regulated functions. Equivalent sections can be found in the other FDA predicate
    regulations.
    US Drugs GMP Description

    211.22 Responsibilities of QC Unit.


    211.25 Personnel Qualifications.
    211.42 Design and Construction.
    211.63 Equipment design, size, and location.
    211.67 Cleaning and Maintenance.
    211.68 Maintenance and Calibration.
    211.68 Written Procedures.
    211.68(b) Record Controls.
    211.68(b) Validation of computer systems (implicit requirement).
    211.100 Written Procedures, Deviations.
    211.101(d) Double Check on Computer.
    211.105(b) Equipment identification.

    3
    Aide-mėmoire of German ZLG regarding EU GMP Annex 11, September 2013.

    3
    Cloud Infrastructure Compliance

    US Drugs GMP Description

    211.180 General (Records and Reports).


    211.180(a) Records retention.
    211.180(c) Storage and record access.
    211.180(d) Records medium.
    211.182 Use of log(s).
    211.188(a) Batch records production accuracy.
    211.188(b) Batch records documentation and operational checks.
    211.180(e) Records review.
    211.192 QC record review.
    211.220(a)4 Validation of computer systems (explicit requirement).

    References.
    1. ECA, "Ensuring the data integrity of cloud service providers," August 2019.
    2. ECA, "GMP Data Governance and Data Integrity," Rev 2, January 2018.
    3. López, O., "Electronic Records and Cloud Computing," in Best Practices Guide to Electronic Records
    Compliance, López, O., Ed. (CRC Press, Boca Raton, FL, 1st ed., 2017), pp. 193-197.
    4. López, O., "Regulatory Requirements," in Computer Infrastructure Qualification for FDA Regulated
    Industries, López, O., Ed. (DHI Publishing, LLC, River Grove, IL, 1st ed., 2006), pp. 41-47.

    4
    1996 CGMP proposed regulations, FR, Vol. 61, No. 87, May 3, 1996.

    You might also like