42. Cloud Validation – Technology Challenges

IQ and Configuration Management

…there is no IQ visibility into the platform and no control over the location of the data on the cloud infrastructure. (p. 160)


Software as a Service (SaaS) applications used in a GXP regulated work process still require end user validation to FDA Part 11 and EU Annex 11 standards. These regulations still require that supporting infrastructure be qualified and documented at installation (IQ). In addition, there must be evidence that the application and supporting infrastructure are maintained under documented change control and configuration management standard practices.

While the SaaS developers themselves can control configuration management of their own software application, control of the infrastructure is usually under a third party “cloud” data center that is a contractor to them. Normally, visibility into the operations and change control of a cloud service is not available to its users. The SaaS developers need to have negotiated for IQ transparency up front so that their clients can receive an established set of IQ evidence for their installations of the SaaS product.

Cloud data centers normally have elaborate online tools to test and monitor the security and performance of their systems, networks, and facilities. They run ticket tracking software to monitor issues and their individual resolution from both internal and customer sources. They have network operating centers (NOCs) with specialists that examine performance 24/7/365.

What many data centers don’t understand is that regulated customers are required by law to have a window into the ongoing configuration management of their SaaS application and its supporting infrastructure. A pre-purchase and annual audit is not enough, and neither is a SOC 2 or ISO certification. A Part 11/Annex 11 regulated user performing GXP actions with a SaaS application still carries full responsibility for the daily fitness for purpose of both application and supporting infrastructure. There is a requirement for some type of documented evidence of the ongoing fitness of the virtual and underlying physical components of the computerized system performing GXP regulated tasks.

Some data centers are totally dedicated to a GXP-regulated customer base. Others usually have some form of physical and logical sequestering of GXP client systems into a special group/community focus to organize an efficient support process for their special needs. It is important that audits of the SaaS provider include audit time with the cloud provider as well. A regulated user needs to understand just what IQ package has been defined between the developer’s hosting service and the cloud provider, and then define what configuration management evidence will come to the SaaS customer.

It is still early days in the use of cloud services for GXP purposes. The computing paradigm shift to virtualization and cloud technologies is still in its debut stage for regulated environments. Software and data center providers are still sorting out the mechanics and business models for these new modalities. Compliance with specific regulations will get better as regulated customers push for it.


Next Month: Cloud Validation – Safe Harbor Challenge

Regulators agree that you can outsource services, but they insist that you cannot outsource your GXP responsibility. (p. 160)