[Stability Testing related News – vol.41]

◆  Ensuring the data integrity of cloud service providers (08-May-19 ECA)

The introduction of cloud services into the GMP environment increases. The cost factor dominates the discussion; however, specific risks need to be taken into consideration. Especially the issue of data integrity in cloud applications is not to be underestimated. What agreements need to be included in contracts with cloud service providers in order to ensure data integrity?

The necessity for contractual agreements is laid down in chapter 7 “Outsourced Activities” of the EU GMP Guidelines as well as in Annex 11 “Computerized Systems” of the guidance. The following are requirements for contractual agreements between a Regulated User (RU) and a Cloud Service Provider (CSP) which are meant to ensure the integrity of data (in motion and at rest). These requirements cannot explicitly be found in the EU GMP Guidelines, they should however be considered as useful:

• Data transfer should only occur in encrypted form and in a way which ensures that the data being transferred are complete and unchanged.
• CSP handling sensitive data or data with high availability requirements must have a certified ISMS (Information Security Management System) in place (e.g. as per DIN 27001).
• CSP handling sensitive data or data with high criticality must submit to penetration testing in the course of their qualification.
• Sensitive or critical data may only be stored in encrypted (or pseudonymized) form.
• A deployment model should be chosen based on criticality. Private or community cloud models should be chosen rather than a public cloud for sensitive data.
• Sharing data with a third party (e.g. subcontractors), e.g. providing infrastructure (storage space for backups, redundant computing power, etc) should be prohibited or dependent on the RU’s approval.
• The deletion of data must be fully guaranteed.
• It must be possible to export data in a way that allows RUs to switch CSPs or get the data back on premise.
• Only a limited, specifically selected and qualified group of people from the CSP should be able to access the data.
• If data has been encrypted, the key management should lie with the RU.
• The CSP informs the RU about changes which might impact the application or database. A notification of change with release note is expected, ideally issued before the actual implementation of the change so that the RU may check the effects of those changes, if necessary.

◆ New WHO Draft for GDP Guidance (23-May-19 ECA)

The World Health Organization WHO plans to revise its Good Storage and Distribution Practice guidelines. During the 53. WHO Expert Committee on Specifications for Pharmaceutical Preparations (ECSPP; October 2018), the Expert Committee recommended the consolidation of the Good Storage Practices and the Good Distribution Practices for pharmaceutical products and the elements of the Good Distribution Channel Guidance into one document. A draft for comments was posted on the WHO Medicines website under Current Projects.

In contrast to other international guidelines like those from PIC/S, the new document has not been aligned with the structure of the EU-GDP Guidelines. It comprises 21 chapters and in chapter three a comprehensive glossary. The scope is rather broad; the guideline “is intended to be applicable to all persons and outlets involved in any aspect of the storage and distribution of medical products from the premises of the manufacturer of the product to the person dispensing or providing pharmaceutical products directly to a patient or his or her agent.” That includes all parties involved in trade, storage and distribution, like for example:

• Manufacturers
• Wholesalers
• Brokers and traders
• Suppliers
• Distributors
• Logistics providers, transport companies and forwarding agents

The new guidance does not necessarily call for a designated Responsible Person like EU-GDP does. However a “designated person(s) should be responsible for recalls” (chapter 10) and chapter 13 (Stock Control and Rotation) mentions a “person responsible for quality”.

◆  WHO plans Inclusion of environmental Aspects in GMP (29-May-19 ECA)

The World Health Organization WHO has published a draft document on “Environmental Aspects of GMP: points to consider for manufacturers and inspectors in the prevention of antimicrobial resistance”.

With this working document the WHO plans to include the topic of waste and wastewater management into their GMP Guidance: it “addresses the current needs for guidance on how GMPs should be implemented to waste and wastewater management for production of antimicrobials, with a focus on Critically Important Antimicrobials.”

This initiative could raise concerns with national competent authorities and within industry. The underlying problem is that most active substances (APIs) are produced in countries with weak environmental legislation. An appropriate initiative would be advisable.  The WHO therefore means well, but is perhaps wrong to link this to GMP. One will see what the feedback will be from those who have the World Health Organization’s permission to do so.