Cloud computing offers clear advantages for regulated industries when compared to traditional on-premise application deployment. However, like their on-premise counterparts, cloud-based solutions used for GxP activities must be validated in order to demonstrate regulatory compliance. Prior to validating any application, the underlying infrastructure should be qualified.
The basic principles governing on-premise infrastructure qualification also apply to cloud-based systems. The main difference between qualifying on-premise infrastructure and cloud infrastructure is a shift in qualification project roles and responsibilities stemming from the introduction of new stakeholders.
Traditionally, the regulated company has been responsible for all aspects of their IT infrastructure, such as data storage and server maintenance. In contrast, depending on the cloud service model employed, the regulated company must rely on vendors to properly manage the services they provide. At the same time, the regulated company cannot blindly trust that the vendor is compliant.
How does a regulated company demonstrate control over a system when responsibility for the system is shared with a vendor? Here are some simple steps to formulating a qualification strategy for cloud infrastructure.
Step 1: Perform a Vendor Assessment
The regulated company is ultimately responsible for demonstrating that its GxP system is compliant, even when a vendor is involved in providing and maintaining the infrastructure. Whether the vendor offers its services on-premise or on the cloud, the regulated company should perform due diligence on the vendor.
The vendor (cloud service provider and/or cloud application vendor) must be assessed to determine not only their ability to deliver the service offered from a technological standpoint, but also to ensure that the vendor has a quality system in place that is systematically followed. The vendor must:
- Demonstrate that they have taken the necessary steps to manage crucial issues like data integrity and recovery.
- Show that they follow approved procedures governing activities such as training, change management and system security.
It is also important to periodically reassess the vendor to make sure that these standards and practices are maintained over time.
Once it is established that the vendor is acceptable, a Service Level Agreement (SLA) should be put in place. This agreement outlines contractual obligations with respect to expected services and quality standards.
Step 2: Define the Qualification Scope
Identify all the infrastructure components via an inventory list, network architecture diagram or other tool. Next, determine if the components will be used to support an application used to perform a GxP activity and only include the components found to have GxP impact in the scope of qualification. For instance, a server hosting a payroll services application may be excluded whereas a server that hosts an application used for regulatory submissions must be retained within the scope of qualification.
It is possible that the vendor has qualified the cloud infrastructure. In this case, the regulated company simply needs to evaluate the vendor’s qualification documentation and quality practices to ensure that the methodology employed by the vendor is adequate. Make sure that all in-scope components were qualified and any issues noted during qualification were resolved.
Step 3: Perform a Risk Analysis
Examine the in-scope components to evaluate potential risks to system security and data integrity. Qualification activities should be tailored to ensure that infrastructure components have been selected, designed and configured in a way that minimizes these risks.
For example, when firewalls are configured, they should be tested to confirm that unauthorized traffic is blocked effectively.
Step 4: Formulate the Qualification Approach & Generate a Qualification Plan
Combine the outputs generated from Steps 1 through 3 to define the qualification activities and the parties responsible for each of the activities. For a comprehensive qualification methodology, we recommend a risk-based approach in accordance with GAMP 5.
The qualification approach should be formally described within a Qualification Plan. This document summarizes the qualification approach, activities, responsibilities and deliverables for the qualification project. The Qualification Plan is approved by the system owner and the quality group, and it serves as the roadmap for the qualification effort.
Following these steps prompts the right questions for evaluating the vendor's suitability and for formulating a risk-based approach to infrastructure qualification.
The approach should be outlined within a Qualification Plan. By executing this plan, you will establish documented evidence that the infrastructure is qualified, laying the groundwork for the validation of your cloud-based solution(s).