[CSV Verification Topic] Cloud Computing Sharing (II) of Computerized System
Question 5: The German AMWHV (Arzneimittel-und Wirkstoff-Herstellungs-Verordnung) requires that all data be stored in the premises according to the manufacturer's authorization. Is the cloud solution viable?
The German EFG (Expert Working Group) 11 interprets the legal basis of this issue as part of the vote on "electronic data storage requirements".
Article 20 of the AMWHV states that the documents must be "deposited in the appropriate area of the premises covered by the licence in accordance with the provisions of Article 13, Article 72 or Article 72c(4) of the German Medicinal Code".
In the pharmaceutical environment, the trend towards digitization and the replacement of paper documents with electronic records (e-records) is steadily increasing. At the same time, multinational companies are introducing computerized systems as client/server solutions worldwide. This involves enterprise resource planning (ERP) systems, manufacturing execution systems (MES), laboratory information and management systems (LIMS), as well as change, CAPA and training management systems. In recent years, some or all IT and computerized systems have been outsourced to third parties in favor of various cloud service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), the latter of which is becoming increasingly common as a service model.
As far as electronic documents are concerned, the requirement to store electronic records/documents in the room covered by the permit in accordance with Article 13, Article 72 or Article 72c(4) of the German Drug Act is met if there is at least one terminal (such as a terminal or PC plus a printer) in that room, so that all data and metadata can be accessed and a readable printout and a copy on a data carrier can be generated. Similarly, service providers (internal or external) must meet requirements for IT infrastructure (IaaS, PaaS), application validation (SaaS) and ensuring availability, readability and integrity.
Question 6: Do common certifications (such as 27000ff) reliably prove that the cloud service provider is suitable, or what requirements must the certification meet to play a role in the applicability of the CSP?
The fact that suppliers and service providers must have a quality assurance system stems from EU-GMP Appendix 11, 3.4: Inspectors shall be provided with quality system and audit information on the supplier or developer of the software and systems used upon request.
It is not possible to determine from Appendix 11 what kind of quality system it should be. However, Germany's EFG 11 commented on the issue in its Votum V1100202 "Requirements for the retention of electronic data". It states: In the following, the requirements for CSP quality and data integrity (for dynamic and static data) are formulated. These requirements are not clearly found in the EU GMP guidelines in this way, but are considered reasonable from the perspective of EFG 11:
- CSPs that handle confidential data or data with high availability requirements must have a certified ISMS (for example, according to DIN 27001). However, it remains to be seen whether this can be enforced from a legal point of view.
Question 7: Can we assume that if an appropriate QMS is implemented and the CSP's behavior conforms to the QMS (as a result of the audit), the service functions and operation controls provided according to the specification are carried out in accordance with the CSP's internal procedures?
According to Appendix 11, the use of a computerized system does not result in a reduction in quality assurance. The evaluation of the service provider includes an evaluation of its quality assurance system. In addition to this initial assessment, Chapter 7 also requires RUs (Regulated Users) to continuously monitor the service provider by monitoring KPIs.
Where an appropriate quality management system is applied, it can be assumed that the operational controls defined in the quality management system will be implemented, and that results that do not comply with the specification will be resolved as deviations/OOS.
However, RUs (Regulated Users) need to continuously assess compliance when implementing QMS. Chapter 7 of the EU Guidelines for Good Manufacturing Practice states that "the contract giver is ultimately responsible for ensuring that processes are in place to ensure control over the outsourced activities". The type and scope can be defined in terms of risk, and they are influenced by the service provider's experience of continuous monitoring.
Question 8: What must be covered by the change control of the service provider and how must the contractor be included in the system?
Although the responsibility for patient safety, product quality and data integrity of regulated companies cannot be delegated to cloud service providers (CSPs), CSPs still play an important role and take over important tasks such as specification, verification and change documentation (in addition to implementation), whether in the infrastructure (IaaS), platform (PaaS), or application (SaaS) itself. One of the goals of regulated companies is to maintain the verification and compliance status of the system. This requires appropriate verification measures (impact analysis, risk assessment, and further testing and documentation activities, if applicable), which usually require knowledge of the changes implemented by or at the CSP.
Therefore, the following elements of the proof-of-concept are recommended:
- The regulated company verifies that the CSP has established a high-quality and compliant change control process (e.g. through audits).
- Service level agreements (SLAs) ensure that information (and documentation) on plans and required changes are available on time to the extent necessary, enabling regulated companies to conduct (risk) assessments and plan required actions as appropriate.