GxP Cloud Compliance: Frequently Asked Questions, Answered

As the use of cloud technology continues to increase in the life sciences and becomes ever more integrated into the enterprise, IT and Quality groups are challenged with ensuring that the underlying cloud infrastructure and the regulated applications that run in the cloud comply with the necessary regulations.

While knowledge around how to implement cloud within life sciences organizations is improving, there are often several common questions that arise as we consult with organizations in moving to the cloud. These questions and their answers are not only vital to success, but the logical first step as organizations build their business case and plan for a move to the cloud. 

We've outlined some of the frequently asked questions in the below article, providing some detail and advice in response to these questions.


Question: Have any of your customers using Azure for GxP applications been audited by the FDA, and the new approach to the qualification of infrastructure passed as compliant?

While Montrium is available to participate in FDA audits and inspections of our clients upon request, our direct involvement has not been requested at this time. Moreover, we have not received any feedback related to FDA inspection schedules, nor do we have any insight into any observations they have received. We are happy to facilitate audits with our clients and provide answers to specific questions and supply pertinent documentation if needed.


Question: Where can I find the Azure Qualification Pack?

Our Azure Qualification Pack focuses on ensuring that the Azure Infrastructure as a Service (IaaS) is configured properly and is qualified in accordance with applicable regulations and the clients Standard Operating Procedure(s) (SOPs). You can view what is included in the pack, and access samples here


Question: How is data created for testing when infrastructure changes made - copy production or create "production like data"?

Regression testing should be performed within a testing environment that is identical to the production environment. The mechanisms used for performing this testing will depend on the cloud deployment model and the testing tools you have at your disposal. For example, in the case of an IaaS deployment model, it may be possible to create a copy of the entire Production environment and run regression tests on this environment.

New call-to-action

 Who maintains the master copy of the qualification document and are subscribers notified when changes are made so they have the correct data when queried by the FDA so when they ask for Objective evidence there is agreement and the subscriber demonstrates knowledge of control?

The regulated user is responsible for maintaining qualification documents related to the GxP application. There are shared responsibilities with the cloud vendor when it comes to demonstrating that proper technical and procedural controls are in place to mitigate risks associated with changes made to the cloud environment. The regulated user should be able to demonstrate that a proper assessment was made prior to selecting the cloud vendor.


Question: What is the requirement for having the HIPAA BAA coverage from Azure? Any paperwork that needs to be signed and any specific steps to follow? 

Currently, there is no official certification for HIPAA compliance that can be assigned to Azure or Microsoft as a cloud vendor. However, several Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for ISO/IEC 27001 certification. Microsoft also offers qualified healthcare companies or their suppliers a BAA that covers in-scope Microsoft services. Additional information about HIPAA compliance can be found on the Azure Trust Center.


Question: Does Microsoft accept an on-site audit by a Life Science company?

Due to reasons related to confidentiality, security and logistics (among others), large public cloud service providers like Microsoft Azure typically do not provide customers with the ability to perform on-site audits of their facilities. It is nevertheless possible for Life Science companies to perform the due-diligence as part of a vendor assessment process using documentation that Microsoft publishes on the Microsoft Service Trust Portal, which includes annual ISO & SOC audit reports.  In order to obtain these industry standard certifications which are widely recognized


Question: We have internal Computer System Validation SOP. Is this an industry best practice to amend it or create a new SOP for a cloud-based validation procedure?

As long as your internal Computer System Validation procedure allows for the acceptance of third-party documentation in your validation process, a separate procedure for cloud-based validation is not usually required. The definition of activities and deliverables required for a specific validation effort would be documented in the validation plan. The plan would also detail the attributes of a cloud-based system that fall under the responsibility of the cloud service provider who would consequently be responsible for validation activities involving these attributes. Your vendor assessment process would complement the CSV process. The vendor assessment allows you to demonstrate that the cloud service provider follows a robust quality management system, thus permitting you to leverage the validation documentation provided by the service provider.


Question: Is the service available 24 x 7 even during patching so it does not interfere with our backup?

It is reasonable to expect occasional service interruptions due to patching or system upgrades. These situations should be covered within the Service Level Agreement (SLA) with your cloud service provider, including a definition of what is considered sufficient notice of service interruptions and the acceptable time period during which the system may be down. The SLA should also outline penalties to be imposed if these terms are not respected.


Question: Can we identify which machine is being accessed with objective evidence?

The nature of cloud services does not allow end users to trace the machine being accessed at any given time. Tracking the machine being accessed is only relevant when the computer system’s functionality is dependent upon specific physical hardware attributes. In this case, these types of systems should not be hosted in the cloud. However, for most applications, it is sufficient to validate your system to provide documented evidence that the system is correctly installed and that it is fit for its intended use.

New call-to-action

About the Author: Michael Zwetkow

Related posts

Office 365 Compliance Toolkits

Recent Posts