We recently completed a 21 CFR Part 11 gap analysis engagement for a client that was largely using SaaS applications, but had no cloud vendor qualification process in place. They had just been allowing each business unit to select the applications that met its user requirements, accept whatever validation documentation the cloud vendor supplied (if any), and trust that the cloud vendor had been thorough and compliant.
Unfortunately, this approach doesn’t fly with auditors, nor does it protect companies and their data from risk. Because the ultimate responsibility for regulatory compliance lies with you – the pharmaceutical or medical device company – you need to be much more proactive and critical.
Your documented cloud vendor qualification standard operating procedure (SOP) must describe how you verify that a cloud vendor holds itself to the same degree of compliance you would hold yourself to if you were building and/or hosting the system. It must also describe how you ensure the cloud vendor maintains those standards over time.
When qualifying a cloud vendor, be sure to evaluate their written procedures and the documented evidence that they follow their procedures in the following key areas:
- Security of the physical space that houses the servers hosting IaaS, PaaS, and/or SaaS products, even if that space is in a third-party data center
- Security, privacy, and confidentiality of customer data
- Technical support, including enhancements for PaaS and SaaS products
- Availability (uptime) of the vendor's products, including backup and recovery processes
- Data mobility (i.e., options for extracting your data out of their product in a regulatory compliant manner and format)
- Regulatory compliance, specific to your company’s needs and operating locations (e.g., 21 CFR Part 11, Annex 11)
- Change control procedures for the vendor's products. Specifically:
  - How is a change authorized?
  - How is a change documented?
  - Is an impact assessment performed prior to making a change?
  - Is adequate testing performed prior to releasing a change?
  - Are customers notified in advance of a change?
  - Is a test environment provided to customers in advance of a change?
  - What options do customers have if a change breaks existing functionality or creates a compliance risk?
- How the cloud vendor qualifies the third parties it uses, including data centers
Additionally, you will want to consider each cloud vendor's longevity. How long has the cloud vendor existed? How stable does the company seem to be? And, of course, you will want to speak with other companies using the product(s) you are considering, ideally for similar purposes, to get a feel for their satisfaction with the cloud vendor.
Finally, your cloud vendor qualification SOP should also include a periodic re-qualification process to ensure the cloud vendor continues to maintain the standards you originally verified.
If at any point – either during initial qualification or periodic re-qualification – a cloud vendor does not meet your minimum requirements, you have two choices: negotiate with the cloud vendor to revise its procedures to meet your needs, or walk away. The latter option is more complicated if the failure occurs during re-qualification, which is why it is critical to verify data mobility during the initial qualification.
Up next in this series on regulatory-compliant cloud systems is a detailed look at protecting yourself with contract terms or service level agreements (SLAs).