This short video explains, in simple terminology,
what Computer System Validation is,
and how it saves your company money!

Lab5 - Webdesign Schweiz 

For more than a decade, companies have added more and more computer systems and productivity steadily increased.  Today, the state of the economy exerts pressure to reduce costs and downsize the workforce.  This includes the once sacred information Technology (IT) budget.

Outsourcing now affects every area of a company. Server rooms have become bloated with multiple servers for each system environment: production, testing and development.   Server rooms require ample physical space, a great deal of electricity, a 24/7 monitoring staff and disaster recovery safeguards.  It seems outsourcing IT would be a viable solution; but is IT outsourcing the answer?

A few years ago, software vendors tried to help their customers by employing the Application Service Provider (ASP) model.  The software vendor hosts the application and users connect remotely.  Since the software vendor needs to continually maintain and upgrade the software, IT was quick to support this model.  It seemed like a good idea and the cost estimate was about the same as having IT host the servers within the company. In many cases, what actually happened was less than ideal. These are the questions or points to be addressed:

Do software vendors excel at hosting servers and providing IT services?

Do software vendors do the best job of controlling maintenance and upgrades to software applications used in GxP and other critical applications?

Systems were constantly changing, causing breakdowns and work disruptions. The FDA and other regulatory groups audited many of the ASP systems and found compliance was poor. There are no guarantees of passing an FDA inspection with non-regulated software vendors. Many companies neglected to inspect the ASP, as they did their own internal IT departments.  A regulated company, when outsourcing, still carries 100 percent of the responsibility and liability with respect to regulatory compliance. Perhaps out of sight out of mind is the thinking.

Almost all of the ASP models failed and were stopped or evolved into a third party hosting model.  In this model, another company hosts the servers in a location separate from the software vendor. The questions and points are the same:

Are third parties the best at providing IT services and hosting servers?

Do third parties excel in controlling the software vendors who maintain and upgrade software applications used in GxP and other mission critical applications?

This ASP model definitely cost more than the two tier model, but the systems were changing and breaking less. There still were work disruptions, but they were less frequent.   When audited by the FDA and other regulatory groups, compliance was still found to be poor. The regulated companies still didn’t inspect the third party host, as they did their own internal IT departments.

Today, we have a third evolution of the hosting model called Software As A Service (SaaS).  This is a three tier approach which often costs considerably more that the internal IT system.  The term ASP has been re-branded to SaaS and at first look seems to have great potential. SaaS is purported to have these characteristics: vault-like data center rife with redundancy, outstanding staff monitor the servers, secure backup, immediate hardware maintenance, logic and physical security. Despite the vastly improved model, the regulated companies still do not do their due diligence and perform inspections of the host. The host company is a surrogate IT department and as such, the same regulatory requirements apply. Take a closer look at these host companies:

Do they have Standard Operating Procedures and documented training?

Do they test their disaster recovery processes?

Prospective companies are easily impressed with the SaaS marketing offering redundant servers and locations in other cities.  Many companies think the SaaS software runs in a cluster – or cloud – so that a failure of their server will be taken over by another. Often, these companies are not advised there is an additional expense for this and other features such as an automatic failover to another server to an alternate datacenter.

How does the SaaS model actually control how the software vendor maintains and updates the software?  This is relatively simple when the servers are in the local IT server room.  However, this is not the case in the ASP and SaaS models. 

The answer is SaaS really only works when users of the software control the hosting service separate from the software vendor.  It would be more difficult to control a remote host versus a local host reporting to the same management as yourself. Again, is outsourcing and SaaS really the best solution?

Where can SaaS be of benefit? When there isn’t a mature IT infrastructure and mission critical applications are in use SaaS seems to have the potential for immediate improvement.  However, the end users of the application must manage the software vendor and host properly.  If the IT infrastructure is already in place, technologies like VMware can be used to eliminate most of the physical servers and provide failover redundancy at a lower cost and with more control.

There is really not much difference between outsourcing IT and any other kind of outsourcing.  The caveat – Buyer Beware applies.  Compliance is almost always more difficult when multiple non-regulated companies are involved.  If cost is the primary concern, why do these companies often invest and spend more dollars in SaaS solutions?   Why not invest in their own IT departments?  In the final analysis, it is essential for these companies to control their intellectual property, data, documents – any and all information that is the core of their business.

Throughout 2009 I worked on more than a dozen SaaS projects. I have found little regulatory compliance originating from the hosting companies.  The regulated companies purchasing these services demonstrated little compliance too.  That is, they did not perform inspections of the software implementations nor did they have system change control methods in place.  In many cases SaaS was chosen without the involvement of local IT.

In my opinion, SaaS was being utilized to relinquish responsibility, which is completely contrary to regulatory requirements. A company cannot transfer liability to a hired third party.  Outsource IT is not a fad that will quickly fade. My experience is: regulated companies who get into big trouble and don’t pass audits, finally put processes in place to ensure the third party is delivering the equivalent of what they would have from their own internal IT departments.  Time will tell if it really was worth outsourcing IT at all.

2009 was also the year that VMware implementations grew dramatically. The costs savings, local control, and continued regulatory compliance suggest it beats SaaS for most regulated applications. Now that Microsoft has a virtualization product, I think the race is on. I’m excited to be working on both sides and learning something new about these solutions every day.

David's Books

One of the nation's foremost experts on CSV for 21 CFR Part 11, David Nettleton has written four books with Janet Gough:

Risk Based Software Validation
Risk Based Software Validation - Ten easy Steps

Electronic Record Keeping
Electronic Record Keeping; Achieving and Maintaining Compliance with 21 CFR Part 11 and 45 CFR Parts 160, 162, and 164

Managing the Documentation Maze
Managing the Documentation Maze
Read a Review

Commercial Off the Shelf COTS Software Validation
Commercial Off-the-Shelf (COTS) Software Validation for 21 CFR Part 11 Compliance

See the Books page for more information and to order.