IT Outsourcing & GMP requirements

Several pharmaceutical companies are planning IT outsourcing programs or are currently carrying them out. The related buzzwords are Cloud Computing, Software as a Service, and Grid Computing. Part of the cloud's appeal is clearly financial, but GMP-regulated companies also require a secure solution and sufficient risk control.

Before starting such an outsourcing approach, it should be clearly defined as a project or program. The starting point should be a change control record indicating what is planned to be changed and how it will be done (concrete steps, impacts, qualification, personnel, audit processes, validated solutions and their status, update of VMPs, licence management, dedicated networks for Production/Lab, etc.). It should be clear to management that the return on investment cannot be achieved in the first year of such a program. In addition, don't forget the process and costs of de-clouding, whenever that becomes necessary, also with respect to the defined retention periods of GxP data.

The change control record should define the scope of the outsourcing project, e.g. PaaS, IaaS, or SaaS. Please keep in mind that for SaaS a GMP-regulated company cannot outsource the ultimate responsibility for the validation of applications to any third party. A clear definition and setup of the cloud strategy is required.

The change control record should also include a risk-based analysis of the impact on the Pharmaceutical Quality System, e.g. the Site Master File (name and official address, contact information), current IT procedures and processes in place, the manufacturing authorization (GMP certificates), Validation and Qualification procedures, and/or other contracts and quality agreements with any third party.

Please note: do not start an outsourcing program without the involvement of the QP or the Quality Assurance department. Contracts, Master Agreements, Service Level or Quality Agreements, and Program Quality Plans should be reviewed or approved by the Quality Department or QP. Typically a supplier audit is required, as is planning of the ongoing "internal" audits for the future. It is not sufficient just to refer to existing certification standards (e.g. ISO 20000, ISO 27000).

You should also consider that a "cloud", for example, is defined as an IT infrastructure component, which should be qualified. So the question is whether the "cloud" already exists and might already be in operation at the service provider (e.g. hybrid or shared clouds). The so-called cloud solution does not come from nothing: it needs software from which it is generated and in which its parameters are set up (e.g. which "controlled" data centers are connected, which storage networks are used). A retrospective qualification will be nearly impossible if such parameters are not known or were not properly documented during "cloud" installation (setup).

It is also strongly recommended to inform your local inspectorate / agency before any GMP-related data is "outsourced". The basis of such a consultation or meeting should be the planned change control record, an impact analysis, and the execution details of such a Quality Program for Outsourcing.

More information on IT Outsourcing can also be found in the ISPE GAMP 5 Guide – Appendix S5.

Recommended Further Reading: ISPE GAMP Good Practice Guide – A risk-based approach to testing of GxP Systems – Second Edition – Appendix E2 – Testing of Cloud Applications – ToC

