[CSV Validation Series] Cloud Service Management Strategy for Pharmaceutical Companies!
Date: 9/26/2023 9:01:12 AM Author: admin

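As pharmaceutical companies' demand for cloud services grows, with cloud platforms now used for group-wide enterprise ERP, drug traceability systems, QMS, LIMS, MES, PCS and others, managing cloud service risk poses a major challenge for pharmaceutical companies.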

Relationship of IT Infrastructure and Processes with Business Systems and Processes (from ISPE GAMP 5 Second Edition)


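Compliance management for IaaS, PaaS and SaaS cloud services:

Infrastructure as a Service (IaaS): Users can deploy and run any software, including operating systems and application software, on infrastructure provided by the cloud service provider. Users have no permission to manage or access the underlying infrastructure, such as servers, switches and disks, but they can manage the operating system and stored content, install and manage applications, and even manage network components.

Platform as a Service (PaaS): PaaS gives users the ability to create and develop applications using the programming languages, libraries, services and development tools supported by the cloud service provider, and to deploy them on the associated infrastructure.

Software as a Service (SaaS): SaaS gives users the ability to use the cloud service provider's applications running on cloud infrastructure. The applications can be accessed from a variety of client devices through a lightweight client interface, such as a web browser (for example, web-based email), or through a program interface.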



Any use of cloud resources brings infrastructure qualification considerations into scope. The figure below shows the various levels of delegation of control to the supplier for IaaS, PaaS, and SaaS deployments. In all cases, however, the infrastructure management and control expectations are constant, and are represented by the blue background. In both PaaS and SaaS, all infrastructure activities are delegated to the supplier, while it is shared in IaaS, and of course resides solely with the regulated firm, for a traditional deployment in their own data center. (from ISPE GAMP 5 Second Edition)

[Figure: ISPE diagram of the management architecture for cloud services]


Data integrity should be a factor in any decision to manage GxP data in the cloud. Considerations involving infrastructure include:

• Access management: What are the implications (if any) if supplier staff sees data?

• Encryption: If data (in motion and/or at rest) is encrypted, who manages the key?

• DR: What happens if the cloud supplier has a major incident? RTO and RPO must be agreed.

• Certifications: Which (if any) certifications does the "as a Service" provider hold? e.g., ISO 27001 [44], SOC 1, SOC 2 Type 1 or Type 2 [55], HITRUST® [56], etc.

• Frequency of vulnerability scans and third-party penetration tests

• Local, regional, and global redundancies and segregation

• Deployment model and service model compatibility with the level of GxP risk

Cloud service suppliers are not GxP regulated, and it is the accountability of the regulated organization using such services to ensure that quality processes provide an equivalent level of assurance that patient safety, product quality, and data integrity are protected.


Continual Improvement

For all IT infrastructure, but especially for cloud implementations, there should always be the question: “What could we be doing better?” Key processes should be monitored by the service provider and adherence to SLAs agreed by the regulated customer, along with dialog between the parties as to the areas that need improvement, are performing adequately, or are working very well. Including specific Key Process Indicators (KPIs) in the monitoring is recommended.