APR January/February 2022 - 49

MANUFACTURING
However, if we are to operate smoothly in this new environment,
we must look beyond the current practices of the pharmaceutical
industry. We have to present a pragmatic and risk-based approach that
satisfies the needs of the regulator, the regulated company and the cloud
service provider.
Although the QA and Compliance units in pharma/life-science
industries are strict and accurate, thus very often considered blockers
for innovation, the truth lies somewhere in between. The IT function
is less focused on the proper documentation and recording of the
actions that must take place when working within a highly regulated
environment. The constant growth and evolution of the IT services and
platforms is taking into consideration the needs from stricter areas,
often guarded not only by standards and regulations but international
law per se.
The question in front of us now is how we can start to better
understand and manage, and not simply avoid, the risks that come
with this technology.
What do we need to do to allow us to:
* Identify and analyze the risks across and within an enterprise
(business, compliance, security, etc.)
* Create a framework to manage these risks both in-house as well
as part of our supplier management processes
* Obtain the cost optimization without compromising the
integrity of the data that impacts product quality and patient
safety
* Realize the responsiveness the end-user demands
Based on the well-established industry guidance GAMP® 5, we were
able to adapt the requirements to ensure the compliance of our
own infrastructure and systems/applications. Those activities were
embedded in the qualification and Computer System Validation
processes that have a long history in the industry. We now have to create
parallel processes for an IaaS, PaaS or SaaS provider. The execution of
the IT controls will be slightly different from the "traditional" one (like
paper-based documentation, traceability and accountability achieved
by signatures, etc.), but will better reflect the current environment.
As there is no such thing as "GxP certification", we have to rely on the
regulations and controls that are currently in place but interpret them
to suit the new landscape and service setup. In many organizations
that are creating and updating the industry guidance such as ISPE
(International Society for Pharmaceutical Engineering), Special
Interest Groups (SIGs) are created to facilitate interactions among
those with interests in specialized areas within new technologies. ISPE
membership is not required to subscribe and participate in a SIG.
When considering the control framework and choosing the cloud
provider the Business and Quality units need to partner with the IT
departments and providers to understand the fundamentals for judging
the quality of the processes. Quality units need to assess why, where
and by whom controls are established and then examine what those
controls are. Quality professionals must be willing to view controls in a
way that they are meaningful, not to move the same controls directly
to the provider. They will need to understand the difference between
formal elements of control and controls that may impact the data and
processes being operated at a cloud provider (the difference between
what and how). These traditional controls will have to be accounted
for within a company's quality framework, and then they must be
reviewed in order to understand if this new model will require different
or additional controls to meet the rigor of the regulated industry. This
will likely result in a shift from quality processes contained within a
regulated company to a model where quality is achieved as a result of
a partnership (or partnerships) between the regulated company,
service providers and regulators. Above all, compliance, security and
data integrity are to be maintained.
As a starting point, we can review leading industry guidance:
* GAMP® 5 guidance, along with the GAMP® Good Practice Guide
on IT Infrastructure Control and Compliance
* The National Institute of Standards and Technology (NIST)
Definition of Cloud Computing (Special Publication 800-145)
* The Cloud Security Alliance documents, including the "Cloud
Controls Matrix" and "Security Guidance for Critical Areas of
Focus in Cloud Computing v3.0"
* The whole family of ISO/IEC 27000 with a special interest in
ISO/IEC 27001, ISO/IEC 27017 and ISO/IEC 27018 for Information
Security Management System and Data Privacy in Cloud
* State of the art defined by BSI, ENISA (European Union Agency
for Cybersecurity), NIST, COBIT, CSA STAR, etc.
When considering the particular cloud strategy, a risk assessment
is advised to understand and address the risks involved with
cloud computing. We have to understand the services that will be
provided, their delivery processes, technology, resource pools and
the challenges that the organization has. We should then consider
the regulatory requirements, qualification and potential validation
of the cloud. Within qualification we should take into consideration
the infrastructure part, processes, tools and resources that will be
used within the cloud service provision. Also, internal controls and
requirements have to be taken into consideration. Very often the
Business will have different requirements than the Quality unit. It is
advised to find a partner who can support the organization with
experience, awareness and maturity. The partner should understand
the GxP applicability based on intended use, support the assessment
of the risks that include GxP (but also broader ones, e.g., Data Integrity,
Privacy, Security), apply intended use to applicable GxPs, regulatory
guidance, etc. expectations, effectively leverage an FRA and so on.
The best-case scenario is to identify the level of data protection and privacy
based on legal requirements and leverage the responsibilities of the
cloud service provider and the cloud customer. Also, it is beneficial
http://www.americanpharmaceuticalreview.com
