Table of Contents
Introduction
Scope
Field of Application
Definitions
Regulatory framework
Other references
Concepts
Bibliography
Introduction
The pharmaceutical industry, as a complex and structured environment, requires a large number of
activities to be performed transparently: the quality of each ingredient, on-time product shipping, and the
storage and transport conditions must all comply with high quality standards and with the official
pharmaceutical requirements.
The attainment of this quality objective is the responsibility of all personnel, across many different
departments and at all levels within the company, including the company's suppliers and its distributors. To
achieve this quality objective reliably, there must be a fully documented system whose effectiveness is
continuously monitored by the Pharmaceutical Quality System on the basis of Good Manufacturing Practice (GMP)
and Quality Risk Management (QRM) principles.
In the context of Infrastructure as a Service, there are many providers of public and private infrastructures.
These providers differ in terms of the types and quality of the provided infrastructures. In the pharmaceutical
industry, there is much concern about the availability, reliability, security, and confidentiality of the data. It
is important to evaluate how those properties are ensured by the cloud provider at any level of the
infrastructure.
Assuring data integrity is an essential part of the technology for guaranteeing the safety, quality, identity,
purity and effectiveness of pharmaceutical products and processes, with the aim of protecting the health
and safety of patients.
Scope
The present protocol is the first of a series of protocols which aim to provide evaluation criteria for
assessing the suitability of IT architectures used to provide services based on the application of Cloud
technologies.
It is recommended that the present protocol be applied to providers of services that use Cloud
technologies. The evaluation issued by Codema on the grounds of the information collected through
the protocol will help pharma companies better assess the providers (and the relevant services).
Competent auditors duly acknowledged by Codema shall apply the present protocols and carry out the relevant
verifications and testing according to the criteria and requirements provided herein.
Field of Application
The present general protocol applies to all providers and relevant IT architectures concerning services
provided (or to be provided) within the pharmaceutical industry, by using cloud technologies.
Regulatory framework
- Eudralex, Volume 4 “Good Manufacturing Practice Medicinal Products for Human and Veterinary Use”,
Annex 11 “Computerised Systems” (effective since 30 June 2011)
- Eudralex, Volume 4 “Good Manufacturing Practice Medicinal Products for Human and Veterinary Use”,
Annex 15 “Qualification and Validation” (effective since 1 October 2015)
- Eudralex, Volume 4 “Good Manufacturing Practice Medicinal Products for Human and Veterinary Use”, Part
III “GMP related documents”, Document “Q9 Quality Risk Management” (effective since January 2006)
- Draft document for comments WHO Guideline on Validation. Working document “QAS/16.667/Rev.2”,
Appendix 5 “Validation of Computerized Systems” (written on August 2018)
- PIC/S "Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments". Document
"PI 041-1 (Draft 3)" (written on 30 November 2018)
Other references:
The nomenclature used in this protocol is fully compatible with ISO/IEC 17788:2014. The architecture used
for the analysis of IaaS platforms is fully compatible with ISO/IEC 17789:2014.
Disclaimer
The present protocol shall be implemented under the direction of an expert.
Each specific case needs to be properly addressed. Codema shall not be responsible and/or accountable for
any issue arising from application of the present protocol.
Codema is not responsible for inaccurate or false information provided by the manufacturer to the qualified
CAE (Codema Acknowledged Expert) auditor during the audit, which may affect the reliability of the final
evaluation.
The structure of the evaluation system and organization of contents, method of procedures of protocols of
evaluation constitute exclusive intellectual property of Codema Pharma S.A. (Codema). Codema Cloud
Technologies Project has been entirely developed by Codema and exclusively belongs to Codema. Codema’s
protocols may not be copied, edited, scanned, or duplicated, in whole or in part.
Concepts
Unless explicitly mentioned in the following chapter, in this protocol we use the definitions provided by
ISO/IEC 17788:2014 Information technology — Cloud computing — Overview and vocabulary.
Availability
Confidentiality
Information security
Integrity
Party
Service level agreement
Documented agreement between the service provider and customer that identifies services and service
targets.
Cloud auditor
Cloud service partner with the responsibility to conduct an audit of the provision and use of cloud services.
Cloud capabilities type
Classification of the functionality provided by a cloud service to the cloud service customer, based on
resources used.
Cloud computing
Paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources
with self-service provisioning and administration on-demand.
Cloud deployment model
Way in which cloud computing can be organized based on the control and sharing of physical or virtual
resources.
Cloud service
One or more capabilities offered via cloud computing invoked using a defined interface.
Cloud service customer
Party which is in a business relationship for the purpose of using cloud services.
Cloud service customer data
Class of data objects under the control, by legal or other reasons, of the cloud service customer that were
input to the cloud service, or resulted from exercising the capabilities of the cloud service by or on behalf of
the cloud service customer via the published interface of the cloud service.
Cloud service derived data
Class of data objects under cloud service provider control that are derived as a result of interaction with the
cloud service by the cloud service customer.
Cloud service provider data
Class of data objects, specific to the operation of the cloud service, under the control of the cloud service
provider.
Cloud service user
Natural person, or entity acting on their behalf, associated with a cloud service customer that uses cloud
services.
Data portability
Ability to easily transfer data from one system to another without being required to re-enter data.
Infrastructure as a Service (IaaS)
Cloud service category in which the cloud capabilities type provided to the cloud service customer is an
infrastructure capabilities type.
Infrastructure capabilities type
Cloud capabilities type in which the cloud service customer can provision and use processing, storage or
networking resources.
Measured service
Metered delivery of cloud services such that usage can be monitored, controlled, reported and billed.
Multi-tenancy
Allocation of physical or virtual resources such that multiple tenants and their computations and data are
isolated from and inaccessible to one another.
Private cloud
Cloud deployment model where cloud services are used exclusively by a single cloud service customer and
resources are controlled by that cloud service customer.
Public cloud
Cloud deployment model where cloud services are potentially available to any cloud service customer and
resources are controlled by the cloud service provider.
Resource pooling
Aggregation of a cloud service provider's physical or virtual resources to serve one or more cloud service
customers.
1. Locality
2. Data Integrity
The integrity of the data stored in the data centers is a critical requirement for an IaaS provider.
At any time, the cloud provider must ensure that the data is available, accessible and uncorrupted.
2.1. Availability
Data availability and reliability are ensured by replication, checksum and regeneration strategies. Please
complete the following section, describing the strategies adopted to ensure data integrity.
Each document should describe how the risk is mitigated and which recovery actions are planned in the
event of an incident.
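The three strategies named above (replication, checksum, regeneration) fit together as one loop: each object is written to several replicas together with a digest recorded at write time, a periodic scrub re-hashes every replica against that digest, and any replica that no longer verifies (or has gone missing) is rebuilt from one that still does. The following Python model is an added illustration of that loop, not part of the Codema protocol and not any provider's code; the in-memory store, the replication factor of 3, the fault-injection helpers and the batch-record sample data are all constructed for the example.

```python
"""Replication + checksum + regeneration, modelled in memory (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Replica:
    data: Optional[bytes]  # None models a lost replica (failed disk, node down)
    digest: str            # SHA-256 of the content, recorded at write time

    def verifies(self) -> bool:
        """A replica is intact only if it is present and still hashes to its digest."""
        return self.data is not None and sha256_hex(self.data) == self.digest


class ReplicatedStore:
    """Hypothetical stand-in for an object store keeping N replicas per key."""

    def __init__(self, replication_factor: int = 3):
        self.n = replication_factor
        self.objects: Dict[str, List[Replica]] = {}

    def put(self, key: str, data: bytes) -> str:
        digest = sha256_hex(data)
        self.objects[key] = [Replica(data, digest) for _ in range(self.n)]
        return digest

    def get(self, key: str) -> bytes:
        """Serve the first replica that still matches its digest; never serve a bad one."""
        for replica in self.objects[key]:
            if replica.verifies():
                return replica.data
        raise IOError(f"no intact replica of {key!r}")

    def scrub(self, key: str) -> dict:
        """Verify every replica and regenerate bad ones from an intact one.

        Returns a small incident record: which replica indexes were repaired,
        and which remain unrecoverable because no intact copy was left.
        """
        replicas = self.objects[key]
        good = [i for i, r in enumerate(replicas) if r.verifies()]
        bad = [i for i in range(len(replicas)) if i not in good]
        if not good:
            return {"key": key, "repaired": [], "unrecoverable": bad}
        source = replicas[good[0]]
        for i in bad:
            replicas[i] = Replica(source.data, source.digest)
        return {"key": key, "repaired": bad, "unrecoverable": []}

    # Fault injection used only to exercise the scrub path in this example.
    def corrupt(self, key: str, index: int, garbage: bytes) -> None:
        self.objects[key][index].data = garbage

    def lose(self, key: str, index: int) -> None:
        self.objects[key][index].data = None


def demo() -> dict:
    """Walk through a recoverable incident and an unrecoverable one."""
    store = ReplicatedStore(replication_factor=3)
    record = b"batch=LOT-0001;assay=99.2%;released=2024-03-01"  # constructed sample
    store.put("qc/batch-record", record)

    # Silent corruption of replica 1 (a single digit changed) and loss of replica 2.
    store.corrupt("qc/batch-record", 1, b"batch=LOT-0001;assay=89.2%;released=2024-03-01")
    store.lose("qc/batch-record", 2)
    served = store.get("qc/batch-record")          # replica 0 still verifies
    report = store.scrub("qc/batch-record")        # replicas 1 and 2 regenerated
    all_intact = all(r.verifies() for r in store.objects["qc/batch-record"])

    # Every replica corrupted: the checksum detects it, but nothing can regenerate.
    store.put("qc/other", b"x")
    for i in range(3):
        store.corrupt("qc/other", i, b"y")
    report2 = store.scrub("qc/other")
    try:
        store.get("qc/other")
        get_failed = False
    except IOError:
        get_failed = True

    return {
        "served_intact": served == record,
        "repaired": report["repaired"],
        "all_intact_after_scrub": all_intact,
        "unrecoverable": report2["unrecoverable"],
        "get_failed_closed": get_failed,
    }


if __name__ == "__main__":
    print(demo())
```

The point a provider's answer to this section should make explicit is the second scenario: a checksum on its own only detects corruption, and regeneration only works while at least one replica still verifies, so the replication factor, the scrub interval and the failure domains the replicas are spread across together decide whether an incident is recoverable or only detectable.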
3. Monitoring
Every user should always be able to determine the state of the system through dedicated metrics.
Those metrics should be offered through easy-to-use portals so that their use is not restricted to technical
users. Access to those portals should be granted to all users to enhance transparency.
Users should be promptly notified of any incident or failure affecting the infrastructure running their
applications.
4. Confidentiality
Most of the data handled by the cloud infrastructure is confidential. Cloud providers must ensure that no
one can access the user’s data unless explicitly authorized.
For each entry in the following table describe who can access the related data and which privacy techniques
are in place to ensure confidentiality.
5. Security
Security is crucial to prevent unauthorized access to confidential data. In a cloud infrastructure, security must
be ensured at different levels, from physical access to the hardware to remote access to the virtual
infrastructure.
For each entry in the following table, describe who can perform the described action and which security
policies are in place to control it.
Provide, in the following table, a description of the measures adopted to secure the customers' access to
the cloud infrastructure.
6. Isolation
In a cloud infrastructure many users share the same hardware. This section will explore the policies
adopted to ensure isolation of a user environment inside the cloud infrastructure.
7. Conformities
Bibliography
[1] ISO/IEC 17788:2014 Information technology — Cloud computing — Overview and vocabulary