The advent of third-party suppliers and cloud services drove the revision of the GPG, which first appeared in 2005. At that time, recalls Ferrell, “people were buying their own servers and setting them up; they largely were contained within their own facility. They then subjected them to a quality assessment within their own ‘four walls.’ IT infrastructure was a low-risk proposition at that time because it was tangible: you could see it, you could touch it.”
The advent of the cloud changed all that. “You lose the ability to control the infrastructure and that really drove the revision,” he explained. The revised GPG expands the scope of the first edition to include guidance on the emergence of cloud and virtualized technologies. Information has also been added to reflect significant changes in the technologies that make up IT infrastructure, including:
- Virtualization technologies that allow the sharing, combining, and maximization of resources
- Cloud computing, including cloud-based infrastructure and three cloud-based service models: infrastructure as a service, platform as a service, and software as a service
- GxP applications as a service
- Outsourcing and the increased use of third-party data centers
Ferrell acknowledges that most pharma companies have some form of cloud engagement, but for those that do not, the Guide serves as a road map, and identifies risk mitigation strategies. It tackles areas such as how to build your risk assessment, how to design your supplier qualification, how to structure your audit, and what questions you should ask.