By Nicola Brady

Periodic review of computerised systems is a regulatory requirement. EU GMP Eudralex Vol. 4 Annex 11 states, “Computerised systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security, and validation status reports.” This regulatory requirement applies to both validated computerised systems and qualified infrastructure. The periodic review process ensures that a system remains compliant with applicable regulations, is fit for its intended use and satisfies company policies and procedures. There are no exceptions to performing periodic reviews; however, the frequency, scope and depth may differ depending on the system under evaluation, and this should be determined using a risk-based approach.

Periodic review is often considered a challenging exercise as it requires a detailed, comprehensive, holistic review of all elements pertaining to a computerised system or computer infrastructure for a defined period at a defined frequency. This review represents an even bigger challenge when computerised systems, applications or infrastructure are outsourced, and in particular when they are outsourced to the cloud.

The primary requirements for periodic review are the same whether the computerised system or infrastructure is located in-house or outsourced to a service provider. The table below summarises the particular challenges associated with outsourced cloud-based applications and infrastructure when it comes to periodic review:

The end goal of the periodic review exercise is to establish a clear understanding of the current state of the computerised system or infrastructure, in order to conclude that it remains in a compliant, validated (or qualified) state. So, what is the best way to assure this if you are utilising outsourced cloud-based applications or infrastructure? Well, it is imperative that there is a clear understanding of the controls that are the responsibility of the subscriber versus those that have been delegated to the provider. Where controls are being delegated, the subscriber should ensure they are assessed, accepted and reflective of how they are currently managed. A contract should be established between both parties with clear details of the service provision, responsibilities and controls, including but not limited to a commitment to supporting activities relating to periodic review. The contract should also establish the supplier support required for regulatory inspections, where applicable.

A comprehensive contract between the outsourced cloud-based application or infrastructure provider and the subscriber, where all required elements are clearly established and endorsed, will help the subscriber satisfy their periodic review requirements and assure the maintenance of the computer system or infrastructure in a compliant, validated (or qualified) state.