In my first blog entry I provided background on some of the issues life sciences companies are facing and the potential for cloud computing in dealing with these challenges. In my previous blog entry I provided a high level overview of the extensive system validation and verification process required by the FDA regulatory guidelines. This entry will focus on the infrastructure services side of cloud computing. I will also discuss how the aspects of public versus private cloud impacts the approach for implementing cloud computing in the life sciences. I have already received feedback from a number of you and the regulatory compliance topic seems to be of the most interest so I will focus my next few entries on cloud services and FDA compliance.
As mentioned in my prior post, CFR 21 Part 11 validation is a basic fact of life for FDA regulated companies. While my focus is and will continue to be on the life sciences, the FDA also provides the regulatory framework that food and cosmetics companies must adhere to. Many of the challenges faced by these companies are the same that life science companies are dealing with. This includes such items as product recalls, lot traceability, clinical testing studies, and managing product manufacturing.
So – how does the cloud infrastructure paradigm align with the FDA regulatory compliance model? Part 11 validation outcome is all about ensuring system quality and to be able to trust that the system in question was installed, operates, and performs correctly. Keep in mind that the FDA, like similar regulatory bodies, doesn’t tell you ‘this is how you must do things’ what they do is state ‘this is what needs to be done’ and it is up to you to prove that you are meeting the guidelines as stated. If you went to the FDA and said ‘we want to leverage cloud for this new system we are implementing’ they would not tell you how to do it and if it would be accepted or not. They would simply point to CFR 21 Part 11 and say ‘if you meet those standards it is acceptable’. That is not something you want to gamble on after investing significant funds in a new cloud based system that must be validated.
Since the Installation Qualification (IQ) document covers the infrastructure piece we can concentrate on how to support IQ validation requirements while attempting to utilize cloud based infrastructure and the differences between private and public environments.
An IQ document contains a complete set of detailed information on the hardware environment, the underlying software (from OS to application) and instructions on how to install the system from out of the box. A significant amount of this information is captured simply to avoid the risk of failing an audit and these procedures were originated prior to the advent of cloud computing. Some of the items recorded as part of the IQ script normally include:
• Hardware serial number
• System configuration
• Equipment location
• Exact versions off all installed software
Of course you can see that with public cloud services there are already some issues. In a public cloud offering there is no way to know the detailed information on the hardware and software that your system will be running on or even the exact location of the system itself. In the current way of approaching the IQ validation process, public cloud computing is just not a viable option for these types of applications. Until regulatory auditors can handle not knowing the hardware configuration and location it is just too big a risk to attempt to put a validated application into the public cloud and hope you can pass any potential regulatory audit. That doesn’t mean that a life science company couldn’t use public cloud provisioned infrastructure for non-validated applications and many are doing so now.
Now for private cloud the situation can be different if, and it is a big if, the provider of the public cloud is willing to go through the time and expense to pre-validate their entire environment prior to loading any real applications. This would mean creating and executing an IQ document for each server/OS configuration installed in the private cloud. While this sounds like a lot of work, it would be manageable if the private cloud environment were to be completely homogenous from both a hardware and system software standpoint. You would create one IQ document template and execute it for each separate server being installed. This way you could record the hardware information and software installation configuration for every machine. The drawback to this is that every potential user of this validated environment would need their applications to fit into this ‘one size fits all’ offering limiting its appeal to potential clients.
Another approach would be to create a certain base level of validation for the private cloud environment. In other words, validate the hardware piece and common software components through the IQ process. The data center operator could then create pre-qualified machine images with all of the supporting documentation which could then be ordered by the client to fit their particular needs. These machine images could include various operating systems, database engines or other supporting software. These would have been through a qualification process meaning that most of the IQ portion is complete with only minor client unique portions remaining. A client could then pick the most appropriate machine image for their needs with supporting documentation and most of the IQ complete. They would then only need to go through the IQ process for those pieces necessary to meet their specific needs.
So – in a nutshell, the public cloud model just does not fit, at this time, the current practices for validation in FDA regulated companies. However the private cloud environment could be leveraged to provide life science companies with a short-cut to completing overall system validation. Any cloud infrastructure provider willing to put in the up-front effort will find they have a solution that would be very appealing to FDA regulated companies looking to be more efficient with their IT dollars. I am actually in the process of starting this effort with a large managed services provider and will keep you updated on how it works out.
In my next entry I will discuss how infrastructure as a service can be used to lower costs and increase speed to market for life science companies. I will also provide some examples of what is being done currently in the industry.
Feel free to contact me at [email protected]
Cloud Infrastructure and FDA Compliance
May 5, 2010