There are many advantages to using a cloud-based SaaS for your temperature data, but many hurdles as well. Today, with real-time monitoring and the use of public network infrastructure, it’s important to secure your data while meeting data integrity and 21 CFR requirements. Answer these vital questions before you embark:
- Are performance and availability reports made available by the cloud provider?
- Is the communication safe and the data protected from unauthorized access?
- Is data privacy ensured and does the solution comply with the new GDPR?
- Does the SaaS provider guarantee GAMP 5 compliance?
Make sure you ask all the right questions before choosing a SaaS provider. This article will help you get answers to critical questions and help you protect the quality and integrity of your valuable Cold Chain data.
Documentation of release decisions is quality-relevant and frequently requested during authority audits. Historically, with traditional cold chain data loggers, it was straightforward to keep control of the raw data and reports.
Today, however, with real‐time devices communicating via the public mobile phone network, it is literally impossible to “keep the data in‐house under control”, since the data flows through many different antennas, network providers, servers, and data centers. The following checklist describes security requirements for a Cold Chain Database provided as Software‐as‐a‐Service:
To achieve GxP‐compliance, the Cold Chain Monitoring Database must fulfill some basic requirements:
- Does the supplier perform a computerized system validation (CSV)?
- Does the supplier guarantee that data is immutable?
- Is an audit trail available tracking each login, event, and action?
Does the SaaS provider guarantee GAMP 5 compliance?
GAMP 5 is a guideline issued by ISPE, describing standards and methods for a risk‐based approach in the development of GxP‐compliant computerized systems (Software and/or Hardware). GAMP 5 is regarded as the definitive industry guidance on GxP computerized system compliance and validation for companies and suppliers and is referenced by regulators worldwide.
Are Validation Plan, Risk Analysis & Validation Report available?
If the solution is GAMP 5 validated, the supplier has followed a risk‐based approach and must have summarized their documentation efforts in a Validation Plan, Risk Analysis, and a Validation Report. Those documents should be available for customers supporting their own validation efforts.
Are Qualification templates available for IQ and OQ?
It is very helpful if the supplier provides qualification templates to perform Instrumental Qualification (IQ) and Operational Qualification (OQ).
Are there clear policies regarding notification, documentation, and qualification?
The validation of a system is pointless if there is no controlled and well‐documented change management in place.
Does the supplier provide comprehensive change management notifications and documentation?
Each change to the system must be evaluated and documented. Major changes must be announced well in advance.
Is the communication safe and the data protected from unauthorized access?
Encrypting the communication is not enough. The communication must be made robust by waiting for confirmation from the database, and each level of access needs to be protected by individual logins. Furthermore, the raw data should always be “read‐only” so that it is not possible to change or delete the original data.
Are data backed up regularly at a secure place (protected from deletion or loss)?
Performing backups is a standard procedure, but there are additional requirements. Similar to the original data, the backup also needs protection from manipulation, deletion, or loss. In the case of a recovery, the integrity of the backup data becomes key.
Are data recoveries exercised and documented regularly?
Having a backup is useless if you do not know how to recover the system. The expectation for the recovery of a monitoring system is a fast and complete recovery without data gaps.
Is data privacy guaranteed (and does the solution comply with GDPR)?
A GxP‐compliant temperature monitoring solution includes the personal login data of all users (user name, email addresses, and passwords). When using a SaaS cloud provider, data are out of your direct control. Data privacy must be guarded and GDPR rules followed.
Does the SaaS system support your data being compliant with ALCOA principles?
International regulators require pharmaceutical data records to be Attributable, Legible, Contemporaneous, Original, and Accurate (ALCOA). These principles align closely with FDA 21 CFR Part 11.
Are clear performance and availability levels of the solution defined?
Although the system architecture prevents data loss by buffering values in the IoT sensors in case the system is down, the software must have a documented performance with defined maximum downtimes.
Are performance and availability reports made available to clients regularly?
A serious cloud provider publishes regular availability reports showing the overall availability (e.g. 99.99%), as well as the individual downtime events (e.g. 16. Jan 2020, System update, Downtime 2.5 hours).
Are process data available for as long as they are needed in the business processes?
Process data or “fresh data” are used to execute business decisions. The service provider must ensure that, for two years, process data are available electronically for visualizations, statistics, reporting, and exporting.
Are the final assessment reports archived for a minimum of 10 years in a human‐readable format?
A provider must ensure that the data are clearly labeled and stored in a secure (data) archive in a human‐readable format. Human‐readable could be a printed version or a PDF.
Does the client remain the owner of the data?
Although the data are not under your direct control, it is important that all involved parties have a clear agreement that the ownership of the data is always with the customer.
Does the Service provider accept on‐site audits by the client?
Audits are an important controlling instrument to evaluate and maintain GxP compliance. All of the points mentioned above can be checked easily during an audit at the provider of the cloud‐based temperature monitoring solution.
Is a service level agreement (SLA) in place covering all of the points above?
A service level agreement (SLA) defines the terms and conditions of use, technical features as well as legal issues.
Source from ELPRO Global