Cloud Computing: What is the meaning of Iaas / PaaS / SaaS / XaaS?

Recommendation

9/10 October 2023

(AI) Artificial Intelligence in a GxP Environment - Live Online Training
With a half-day Pre-Training Course on IT Basics for AI

The trend in the pharmaceutical industry is also moving towards cloud computing. Financial but also organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions should also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:

• Basics of Cloud Computing Technology
• Regulations and Expectations of Inspectors
• Customer-Supplier-Relationship
• Requirements for Cloud Service Providers (CSP)
• Requirements for Supplier Evaluation and Supplier Audits
• Requirements for Qualifcation / Validation

The following question is the first of a series of questions that we will publish in further GMP News articles on this site in the coming weeks.

Question 1: What is the meaning of Iaas / PaaS / SaaS / XaaS? - Topic Basics of Cloud Computing Technology

IaaS, PaaS, and SaaS are abbreviations and different grades (or service models) of various cloud service provider (CSP) offerings. "aaS" always stands for "as a Service". In XaaS, the X is a placeholder for either I, P, or S, meaning Infrastructure, Platform, or Software. Sometimes, XaaS is also called "Anything as a Service" or "Everything as a Service" and can take very specific characteristics like "High Performance Computing as a Service (HPCaaS)" or "Artificial Intelligence as a Service (AIaaS)".
CSPs offer various services and benefits depending on the basic service model, and the tasks to be executed may shift accordingly (see Table 1):

• For computerized systems or applications that are being operated traditionally on premise, the regulated company (or its IT department or IT service provider, if outsourced), is responsible for all tasks related to computerized system validation (CSV).
• IaaS: If the infrastructure is provided and managed by the CSP, the model is called IaaS. Here, the tasks and responsibilities of the regulated company start with the installation of the operating system.
• PaaS: At the next level, the CSP takes over installation and operation of both, infrastructure and operating system. The regulated company steps in with the configuration of the runtime environment.
• SaaS: For this model, the CSP provides and operates the configuration of the runtime environment and the application on top of infrastructure and operating system.

In other words, the activities shift from user (regulated company as client) to cloud service provider (supplier). However, the responsibility for validation and operation of the application and all related topics like data integrity, data privacy, data security etc. remains with the regulated company.

The Experts

Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Formerly Local GMP Inspectorate / Regierungspräsidium Tübingen
Oliver Herrmann; Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, Formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspecorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart