What's procedurally required for "cloud computing"? TS16949 Clause 4.2.4.

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#1
An auditee has opted to keep his records as Google Docs since our IT people moved us from Lotus Notes to Google mail. I wrote a nonconformance based on their losing records during the switch. They dug up paper copies and scanned them in. Now I am refusing to close the CA based on a lack of system corrective action: their not having a written procedure that addresses the requirements of TS16949, 4.2.4. My auditee has obtained the attached Google paper and wants to use it as a procedure.

I have said it isn't good enough because it does not go into enough specifics on how the data is protected and how my people might go about retrieval from backups (even if that is simply who we contact in Google) should a data loss occur.

My auditee says "Well, Google is certified SAS 70," to which I respond that's great, but the IT group has not yet established that as a proxy for providing specifics about how data will be protected.

Bottom line is, neither corporate nor internal procedures yet exist for supplier control of contracted data management; they just haven't thought of it yet and were unlucky enough to have me audit them and bring it up as an issue.

Am I being too hard on my auditee?
 


Jim Wynne

Staff member
Admin
#2
Re: What's procedurally required for "cloud computing"?

An auditee has opted to keep his records as Google Docs since our IT people moved us from Lotus Notes to Google mail. I wrote a nonconformance based on their losing records during the switch. They dug up paper copies and scanned them in. Now I am refusing to close the CA based on a lack of system corrective action: their not having a written procedure that addresses the requirements of TS16949, 4.2.4. My auditee has obtained the attached Google paper and wants to use it as a procedure.
That Google document is just a loose description of the features and benefits of the service. Where are the "...controls needed for the identification, storage, protection, retrieval, retention time and disposition of records"? Your company's internal controls over these things are what the standard is looking for, not a third-party description of its controls. In other words, you should have a documented procedure that (a) identifies the approved storage medium; (b) tells how records are identified; (c) how records are stored and retrieved; (d) what happens in the absence of Internet access; (e) provides requirements for retention and disposition.
 
#3
Re: What's procedurally required for "cloud computing"?

I don't think so...however, it rather depends on how much IT were an integral part of your QMS in the first place...

So, for example, are they represented at Management Review? Did anyone see this "coming down the pike" at the last Management Review, such that you could have put the brakes on as far as making sure there was a plan to do what you've found was necessary to protect your organization?

If they aren't part of the overall QMS, or represented at Mgmt Review, then it's kinda tough to make them eat an NC, really, however much you feel like they should.

Let us know more about the degree to which they're part of your QMS
 
Neil V.

#4
Re: What's procedurally required for "cloud computing"?

What's procedurally required for cloud computing? I don't think anything different than what's required for any other process.

I would demand corrective and preventive action from whomever initially used the term "cloud computing".
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#5
Re: What's procedurally required for "cloud computing"?

Thank you for this temperature check.

The thing that makes this discussion surreal is that I am arguing it with my manager two levels up - I feel like I'm in an alternate universe to be explaining this simple concept. He's just really in love with Google Docs, yet I am insisting he's not off the hook.

The other thing that creeps me out is my apparently being the first one to notice the gap. I have dragged a corporate IT manager into the issue and made it clear that his group is best positioned to define these controls.

Maybe it's just a test of some kind.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#6
Re: What's procedurally required for "cloud computing"?

I don't think so...however, it rather depends on how much IT were an integral part of your QMS in the first place...

So, for example, are they represented at Management Review? Did anyone see this "coming down the pike" at the last Management Review, such that you could have put the brakes on as far as making sure there was a plan to do what you've found was necessary to protect your organization?

If they aren't part of the overall QMS, or represented at Mgmt Review, then it's kinda tough to make them eat an NC, really, however much you feel like they should.

Let us know more about the degree to which they're part of your QMS
These are all good questions. One tricky aspect of this is that I am a site auditor, on loan for this job because their guy can't audit himself. The IT group who makes these grand decisions to do away with our Lotus system is part of corporate, whom I do not audit. I sat with an IT manager and explained the records control needs, and pointed out these audit records are just small stuff really - the QMS entails many, many more important records and people need to know what their capabilities/constraints are for record keeping before they get big cloud computing ideas. I also want those same IT people to not get the big idea that we can just do away with our Novell networks and go solely to 3rd party data management without thoroughly thinking this through first. It's possible, though I hate to believe, that none of this has occurred to any of them because they have been outside the registrar's scrutiny until recently.

So I stressed they really need to understand this, and they should establish a corporate set of procedures we can all point to.

Meanwhile, my boss's boss is still stuck because he doesn't have an adequate procedure either. Thing is, he's high enough up in the food chain that he should be concerned about more than just closing out this CAR. I'm still holding my ground for a systemic corrective action.
 
#7
Can you leverage a corporate attorney's input into the situation, in terms of the legal ramifications of not having a complete set of records? Or, if not, someone high up in Finance, with regard to taxation impacts?
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#8
Can you leverage a corporate attorney's input into the situation, in terms of the legal ramifications of not having a complete set of records? Or, if not, someone high up in Finance, with regard to taxation impacts?
Well, that would be a sight to behold! Surely, surely this is occurring to someone in the ranks of higher pay and authority. Surely this is a case of my not knowing what's gone on elsewhere. (My husband, who used to manage a computer network, said "Don't count on it.")

In case it has not, I did describe to the IT manager in our meeting that some records, such as those needed for Sarbanes-Oxley, are critical. Then I sent him a link to a web site that briefly described the requirements of 4.2.4 (why reinvent the wheel?) and listed all the places in the standard (number and name of process) where these record retention requirements are cited. Yesterday I told my boss-boss that these records of his are low-hanging fruit; he was just the lucky one to have me audit the thing and find the gap. "This issue is bigger than you and me."

That makes him feel like his nonconformance is a corporate nonconformance and he tried to wiggle out of it on that basis, but I came back and stressed that HIS record retention needs to be defined in writing. By this time he had got the IT manager in on the conference call - I told them they should work together, as my boss-boss isn't very well positioned to know what Google is doing or get a hold of the contract. I told the IT manager it would be better if the corporate guys made a procedure we could all point to, versus 180 of us making our own little record retention spec to deal with this.

He just wants to quickly close it out, but so far I won't let go.
 
John Martinez

#9
An auditee has opted to keep his records as Google Docs since our IT people moved us from Lotus Notes to Google mail. I wrote a nonconformance based on their losing records during the switch. They dug up paper copies and scanned them in. Now I am refusing to close the CA based on a lack of system corrective action: their not having a written procedure that addresses the requirements of TS16949, 4.2.4. My auditee has obtained the attached Google paper and wants to use it as a procedure.

I have said it isn't good enough because it does not go into enough specifics on how the data is protected and how my people might go about retrieval from backups (even if that is simply who we contact in Google) should a data loss occur.

My auditee says "Well, Google is certified SAS 70," to which I respond that's great, but the IT group has not yet established that as a proxy for providing specifics about how data will be protected.

Bottom line is, neither corporate nor internal procedures yet exist for supplier control of contracted data management; they just haven't thought of it yet and were unlucky enough to have me audit them and bring it up as an issue.

Am I being too hard on my auditee?
While I have to think about your specific question, cloud computing is different from an internet-based service such as internet e-mail.

While some services may play on this lack of knowledge, there is nonetheless a difference.

So long as the organization has a thought process, and does satisfy the requirement for documents, then the process is served.

My main issue is why they lost documents during the transfer. How about changes to the management system? How are they handled?

Just my opinion.

My reference: PC Today, Vol. 7, Issue 13, "Separate the Cloud From the Crowd": "After all, service providers far and wide are quick to pick up on the cloud bandwagon, even if their services don't quite fit the classic definition of cloud computing."
 