The purpose of this series is to discuss the impact of GMP (Good Manufacturing Practice) regulations on cloud computing and to debate some of the regulatory issues facing an organization contemplating this approach. In this part, we look at the SaaS (Software as a Service) hosting options available to consider for regulated users and the requirement for qualified IT infrastructure.
In the first part of this series,1 we discussed the impact of the GMP regulations on cloud computing. In this part, we will look at the Software as a Service options and the requirements for qualified IT infrastructure.
Cloud Options: SaaS
For the purposes of this article, I will limit the discussion to the SaaS service model with delivery using a private cloud. This approach ensures better confidentiality and reduces the risk of compromising it with data from another company. Thus, users are typically physically and logically separated from the application plus the hosting site where the computing resources are located. Business applications, such as Enterprise Resource Planning (ERP), Quality Management System or LIMS could be operated using cloud computing, as the latency of the Internet (delay between entering data or requesting a function and receiving a response from the software) is usually acceptable.
The great advantage of SaaS from the perspective of the company is that the potential financial cost model moves from a capital cost one (purchase of the software and associated licences) to a revenue cost one (hire of user accounts and the software). However, we need to go into more detail about how a SaaS service can be delivered, and we have two main options to consider.
Single or Multi-Tenant Option?
With a SaaS computing, there are two main options possible: single tenant or multi-tenant. We will discuss here what they are, as well as their advantages and disadvantages.
The first is shown in Figure 1; here the cloud service provider has the computing resources, and each customer has their own version of the application with a separate database in separate virtual machines. Some comments on the single tenant SaaS option are:
- Configuration of the application, if available, is possible to meet a company’s specific business needs and processes rather than a generic process
- Your data is in a separate database
- You set up and control the user account management for the whole of your application instance
- It is easier to convince an inspector or auditor via documented evidence generated during a validation that you are in control and data integrity is not compromised, as your application is installed on a separate virtual server.
- Change control is easier and can be phased, as each instance of the application is separated. Indeed, specific updates may be omitted if there is no business benefit to an organization.
In contrast, the second version of the SaaS is shown in Figure 2, this is where the service provider offers a single instance of the application with a single database. Here, each company’s operations and data are separated logically within a single database (setting up of company-specific user groups), and there is the logical separation of each company’s data. Some comments about this approach are:
- Costs should be lower than with single-company instances of the application
- The application usually is a one-size-fits-all approach. As there is only a single instance, it will be difficult to configure the software to an individual laboratory’s business processes. Therefore, it will be a take it or leave it option: there is typically no configuration other than user account management. This means that your business process will need to conform to the application’s mode of operation.
- Validation of some elements of data integrity (e.g. shared application and database) can be difficult, as accessing another user’s portion of the system will not be allowed. However, there could be a good case for having a basic validation that is then confirmed by each regulated company. However, the basic validation may not meet every company’s CSV policies and procedures so there would be some additional work needed.
- Each organization’s data is separated logically in the database. However, how will you convince an inspector or auditor that one laboratory cannot change the data in a second laboratory’s portion of the database? This is achieved via validation.
- Change control will be difficult: does each company delegate change control to the cloud company? This would be very unlikely, as the service provider could issue service packs and application software updates with no consultation with the client companies. There could be a situation where simple patching of the operating system with security patches could be delegated to the service provider who had an appropriate procedure. However, no changes could be made to the application without agreement of ALL parties involved, or a company has a month to evaluate upgrades before there is a universal installation for all customers.
So for the reasons given above, the single tenant SaaS approach shown in Figure 1 is much more preferable to that of multi-tenant version illustrated in Figure 2.
Requirements for Compliant IT Infrastructure
From the regulations above, there are three basic requirements for IT infrastructure operating in a regulated GMP environment, which can be located within an organization, outsourced to a third party or in the cloud:
- IT Infrastructure – physical, virtual and software elements – must be specified and qualified to show that it works as intended and be kept under change control throughout the operational life. This is to comply with the specific requirements of EU GMP Annex 11 that IT infrastructure be qualified2 and the expectation of the pharmaceutical industry as evidenced by the GAMP Good Practice Guide on IT Control and Compliance3 of which the author of this article was a contributor.
- Written procedures (instructions) must be in place, and when executed have records to show that the activities actually occurred. Records generated in this and the item above must comply with GMP and 21 CFR Part 114 regulations e.g. documented contemporaneously with the activity and you can identify the individual who performed the work and to comply with the requirements of EU GMP Chapter 4 on documentation.5
- Staff operating the infrastructure must be trained to do their work and additionally in the principles of GMP and 21 CFR Part 11 compliance especially change control. This is especially important when the cloud provider with whom you are contracting only has a few employees and may sub contract large parts of the work to third parties you may or may not be aware of. EU GMP Chapter 7 on outsourcing6 and contract agreements is applicable here.
IT Infrastructure Elements
It is important to understand the scope of IT infrastructure before we go much further in this discussion. From the perspective of GAMP, it consists of category 1 infrastructure software and category 1 hardware.7
The category 1 software consists of two types:
- Established or commercially available layered software (e.g. operating systems, databases, programming languages, etcetera)
- Infrastructure software tools (e.g. network monitoring software, help desk, backup and recovery software and agents, security software, anti-virus software and configuration management utilities, etcetera)
The software applications, tools and utilities are installed on category 1 hardware, which is equated to equipment under the GMP regulations that has to be appropriate design, adequate size and suitably located for its intended purpose.8,9 When these qualified components are integrated together, they form the IT infrastructure. However, care has to be taken with some of the infrastructure tools, e.g. help desk, as depending on how the application is used, e.g. help desk tickets can develop into change control records. In this case, the application may need to be validated, as it contains GMP records.
However, in the author’s opinion, there is a problem with the hypervisor software. Owing to the complexity of function and pervasiveness in a virtual environment, this software should be validated and not qualified. Therefore, when assessing potential service providers, this is an area to assess: how well is the hypervisor software controlled? Another area to consider is how the service provider deals with the qualification of the central firewall (and especially the maintenance of the qualification), as this is the primary entry for hacker’s attempts, such as Denial of Service attacks.
- R.D.McDowall Sci Comp Part 1 www.ScientificComputing.com/Cloud_Meets_GMP_Regulations_1
- EudraLex Volume 4, EU Guidelines to Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Annex 11 – Computerized Systems, June 2011.
- GAMP® Good Practice Guide: IT Control and Compliance, International Society of Pharmaceutical Engineering, Tampa FL, 2005
- 21 CFR Part 11 – Electronic Records; Electronic Signatures; Final Rule. 1997.
- EudraLex, The Rules Governing Medicinal Products in the European Union Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Chapter 4: Documentation, January 2011
- EudraLex, The Rules Governing Medicinal Products in the European Union Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Chapter 7: Outsourced Activities, Revision 1, January 2013.
- ISPE GAMP®: A Risk Approach to Compliant GMP Computerized Systems, International Society for Pharmaceutical Engineering (ISPE), Fifth Edition, February 2008.
- US Food and Drug Administration, 21 CFR 211, Current Good Manufacturing Practice in for Finished Pharmaceutical Products, 2008.
- EudraLex, The Rules Governing Medicinal Products in the European Union Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Chapter 3: Premises and Equipment, August 2014.
R.D. McDowall is Principal, McDowall Consulting. He may be contacted at editor@ScientificComputing.com.
The Cloud Meets GMP Regulations – Part 1: Applicable Regulations