9 Advisory: Oracle Cloud Infrastructure and Good Practice (GxP) Guidelines / version 2.0
Copyright © 2022, Oracle and/or its affiliates / Public
EudraLex, Volume 4, Annex 11: Computerized Systems
The following table details key considerations for customers running their medicinal products regulated by the
European Commission on computerized systems and/or applications on OCI. This information includes a brief
summary of customer responsibilities, OCI practices and controls, and OCI services and features that might help
customers meet their obligations under the EudraLex, Volume 4 Good Manufacturing Practice (GMP), Annex 11
Computerized Systems guidelines.
PRINCIPLE GUIDANCE IMPLEMENTATION
1. Risk
Management
Risk management should be applied
throughout the lifecycle of the
computerized system taking into
account patient safety, data integrity
and product quality. As part of a risk
management system, decisions on the
extent of validation and data integrity
controls should be based on a justified
and documented risk assessment of
the computerized system.
Customers are responsible for identifying and assessing
environmental, regulatory, and technological changes and, if
necessary, updating the design and deployment of its internal
controls to help ensure the continuing security, availability, and
confidentiality of their applications and workloads.
However, Oracle has implemented protective measures for
identifying, analyzing, measuring, mitigating, responding to, and
monitoring risk specific to its cloud services organizations.
Risk assessments are performed annually across Oracle Cloud
services to identify threats and risks that could impact the security,
confidentiality, or availability of the system. Risks are reviewed,
assigned an owner, and remediated in line with the Oracle Cloud
services risk management assessment program.
There should be close cooperation
between all relevant personnel such as
Process Owner, System Owner,
Qualified Persons and IT. All personnel
should have appropriate qualifications,
level of access and defined
responsibilities to carry out their
assigned duties.
Customers are responsible for implementing a formal training, and
education program to help ensure that personnel have the
knowledge and experience required to meet GxP requirements in
their environment. Customers are responsible for establishing and
enforcing their own internal policies and procedures to hold their
employees or other users accountable and responsible for their
individual actions. Customers should maintain records of personnel
qualifications and training and, where applicable, disciplinary or
corrective actions.
For information about OCI training and certification, see
education.oracle.com/learn/oracle-cloud-
infrastructure/pPillar_640.
Note: Oracle employees are assigned a job description when they are
hired that defines their role and the necessary qualifications for
their position.
Organizational charts are in place to communicate the defined key
areas of authority, responsibility, and lines of reporting to personnel
related to the design, development, implementation, security,
operation, maintenance, and monitoring of the system.
OCI’s Quality Management System consists of policies,
requirements, and procedures to help ensure that records of
appropriate compliance training, staff education, and experience for
all positions are maintained.
3. Suppliers and Service Providers
3.1 When third parties (e.g., suppliers,
service providers) are used e.g., to
provide, install, configure, integrate,
validate, maintain (e.g., via remote
access), modify or retain a
computerized system or related service
or for data processing, formal
agreements must exist between the
manufacturer and any third parties,
and these agreements should include
clear statements of the responsibilities
of the third party.
Customers are responsible for ensuring that they have formal,
written agreements with all third parties (for example, suppliers and
service providers) that clearly define the roles of each party.
Contracts between Oracle and its customers set out the rights and
obligations of each party, and are executed before the provision of
cloud services.
Oracle Cloud Service Contracts are available at
oracle.com/corporate/contracts/cloud-services/contracts.html.
Oracle maintains formal, written agreements with all third parties
(for example, suppliers and service providers) that it uses. These