Separate from the URS, a PRS should be defined to describe the users’ operational requirements, e.g., 24/7 access by telephony, the software supplier’s technical requirements, e.g., database and infrastructure specifications, and IT operational needs, e.g., fit with other applications, as well as ongoing support of the software application on other systems in the organization. (p.153)
The June 2011 update of the EU GMP Annex 11 on Computerized Systems defined internal IT functions as suppliers to end users requiring SLAs and monitoring audits just as much as external IT service suppliers. The use of a Platform Requirements Specification (PRS) is a convenient way to define a GXP application’s needs for data center services. The PRS then forms an objective performance basis for Service Level Agreement (SLA) terms and the metrics for formal testing in installation qualification (IQ).
It is important that end users, IT, and QA collaborate on describing the needs of a specific GXP application for compliant data center services. As Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) become ever more a part of the computing scene, life science companies must use formal platform requirements and compliance-defined contracts for SLAs to assure auditable services from private, public, and hybrid cloud computing suppliers.
PRS points to consider for both internal IT data centers and cloud services include the following:
- Security and data integrity controls, encrypted communications with data transfers, location of PHI data for regulatory compliance
- Certifications of operational controls and external stress tests of system/network security
- Documented process for incident, problem, and change management
- Compliance and quality management program and QA staff
- Upgrade and patch scheduling process with notification and flexibility for users’ PQ work
- Planned procedure for availability of IQ’d test bed for PQ testing of patches and updates
- Periodic QA audit of ongoing IT services and support for inspection by authorities
- Standard procedures and records for IQ of infrastructure and platform components
- Disaster Recovery Plan, physical testing of DRP, and GXP systems priority
- Recovery site location, capacity, distance, and failover testing
- Tools and functions for backup and recovery for the entire range of failures, encryption capabilities, and procedure for return to normal operations after disaster
- Service windows and user uptime/support schedule
- Compensation for outages and alternative arrangements
- Financial stability and experience with regulated clients
It is important that users define their business and regulatory needs as well as their technical and service needs for the IT support of their critical systems used in a regulated work process. This is the purpose of a PRS.
Next Month: Validation and Outsourced IT Services
Regulators agree that you can outsource services, but they insist that you cannot outsource your GXP responsibility. Computerized systems used for GXP purposes require validation whether internal or external to the company… (p.160)