
To cloud or not to cloud – FDA’s Part 11 implications
These days you can read a lot about the advantages of cloud-based, shared infrastructure. Public virtual server providers are praised for scalable and flexible storage, affordable pay-per-use service or subscriptions, and convenient backup and disaster recovery.
Many providers are reputable companies based in the US. What does this mean for a Canadian company? Impacts of the US Patriot Act and the Canadian-based Personal Information Protection and Electronic Documents Act are well discussed in the Ottawa Business Journal.
The matter becomes even more complicated if your organization has to comply with the FDA’s guidance “Part 11, Electronic Records; Electronic Signatures — Scope and Application”.
During an FDA inspection, you have to be prepared to answer many questions:
- Is your provider Part 11 compliant, and if not, were you able to qualify them as an approved supplier?
- How did you validate the use of the cloud service?
- How did you document the system architecture that is not under your control?
- How did you implement change control/configuration management?
- Are you able to determine if revalidation is required and the extent of revalidation?
- Are your electronic records trustworthy and reliable? Do they meet applicable record-keeping predicate requirements?
- Do you know the exact location of where your data is stored?
- Are you allowed to inspect the provider and would the provider allow FDA to conduct an inspection of their site?
For companies whose services or products fall under FDA regulations, it is mandatory to revisit user requirements before the final decision is made to move your data from your servers to the cloud.
Image: © Can Stock Photo / Paha_L