Cloud Computing: Are SaaS closed systems per 21 CFR Part 11?

Recommendation

22-24 May 2024
Copenhagen, Denmark

IT / OT Infrastructure Qualification and Operation in a GMP Environment

The trend in the pharmaceutical industry is also moving towards cloud computing. Financial but also organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions should also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:

• Basics of Cloud Computing Technology
• Regulations and Expectations of Inspectors
• Customer-Supplier-Relationship
• Requirements for Cloud Service Providers (CSP)
• Requirements for Supplier Evaluation and Supplier Audits
• Requirements for Qualification / Validation

The following question is the fourth of a series of questions that we will publish in further GMP News articles on this site in the coming weeks.

Question 4: Are SaaS closed systems per 21 CFR Part 11? - Topic Basics of Cloud Computing Technology

Well, it depends …

The terms SaaS and "Closed System" are not related, i.e. one does neither imply nor exclude the other. First and foremost, SaaS is a service model for providing a software application in the cloud (i.e. via internet) by a cloud service provider (CSP). This requires data to be transferred at least temporarily to the cloud and to store and process data in the cloud, typically permanently.

On the other hand, the definitions of "open" and "closed" systems do not refer to the way data or applications are provided, but define the expected level of control. This control of data and applications is primarily realized by operational and technical measures related to access protection, user identity and rights management, and encryption. Thus, the level of control is not independent of SaaS, but represents a different dimension.

In §11.3(b)(4), 21 CFR part 11 defines a closed system as "an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system". Contrastingly, §11.3(b)(9) defines an open system as a system that lacks this control. Consequently, resulting measures for validation, data privacy etc. differ significantly for closed and open systems and are being defined in detail in paragraphs §11.10 and §11.30, respectively.

Hence, an application provided per SaaS may be an open system, but will usually be operated as a closed system, particularly if critical, sensitive, or trustworthy data (generally: data worth to be protected) are being processed.

Find more Q&As on the topic "Cloud Computing" which have been answered by the expert team.

The Experts

Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Formerly Local GMP Inspectorate / Regierungspräsidium Tübingen
Oliver Herrmann; Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, Formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspecorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart