HealthCloud and ICOS Qualification Overview
including IBM Watson Health Cloud for Life Science Compliance (LSC)
– What is GxP
– Typical Workloads
– IaaS offering for GxP Workloads
© IBM Corporation 2
The full benefits of cloud have only been available to life science companies for non-regulated workloads
[Diagram: Non-regulated Data vs. Regulated Data]
Why and how the life science industry is regulated
Patient safety and drug or device efficacy are the two paramount concerns
HIPAA
Protecting data – data security
E.g. encrypting data at rest
HIPAA can be achieved by technical means.
GxP
Traceability: the ability to reconstruct the development history of a drug or medical device.
Accountability: the ability to resolve who has contributed what to the development and when.
Documentation is a critical tool for ensuring GxP adherence. It cannot be provided ‘after the fact’ but needs to be put in place before the first environment is set up.
Life Science Industry Regulations
How global health authorities view IT systems
A computerized system is a group of entities that includes people, hardware, software, documentation such as manuals and standard operating procedures (SOPs), and peripheral devices
[Diagram: People, Hardware, Software, SOPs, Peripherals; IT systems: Hardware + Software]
The key regulation in the industry, GxP, has significant impacts on IT infrastructures
Validation of computerized systems
Attributable, legible, contemporaneous, original, and accurate
Excerpt of a System Requirements Specification
Document Predefined Requirements
Excerpt of an executed Test Script – 2 Sample Test Steps
Documented Evidence
Computerized System Validation comprises
QUALIFICATION
VALIDATION
OPERATIONS
Qualification of the IT infrastructure
Perform Infrastructure Qualification
In order to perform the infrastructure qualification verifications, two qualification test plans are developed: the installation qualification and the operational qualification
Perform Infrastructure Qualification – Master Qualification Plan
The Infrastructure Master Qualification Process (MQP) includes the following activities/deliverables:
– The above documents are reviewed by the COE and stored/approved in QDMS
– This process is closed by the approval of the Infrastructure Commissioning Memo
Inhibitors to Cloud Adoption in Life Science
Workloads for Life Science Customers
– SAP
– Document Management Systems
– Emerging Cloud Based Health Services
• Analytics
• Cognitive
• IoT
IBM‘s LSC Offering
GxP Compliance Foundation
A robust and comprehensive Quality Management System based on ICH Q10
Management Engagement
Provide management oversight, quality metrics, and quality planning
An integrated set of validated management tools is needed to support GxP compliance
LSC – GxP Compliant IaaS Offering – Dedicated Cloud Infrastructure used in a Customer Disaster Recovery (DR) Scenario
[Diagram: DAL Data Center and LON Data Center, each with Compute and Storage on OpenStack on SoftLayer; Application Level Load Balancing and/or Data Replication between them; Customer]
IBM provides end-to-end GxP compliance for the hypervisor and below, saving customers massive effort
[Diagram: App 1, App 4 (Customer) above the Hypervisor; IBM at the hypervisor level and below]
On infrastructure level: IQ, Incident, Change and Problem Management, Document Management
Gives access to the infrastructure in minutes instead of hundreds of hours, enabling early time to market
Building a GxP Compliant Cloud means qualification and validation of the cloud components themselves
1) DMS & LMS systems are the compliant tooling to ensure reliability and integrity of data and training requirements
2) Incident, Problem & Change Management System
3) Bare Metal Server – qualified and controlled hardware configuration through to the physical switches
Document Set
1. Validation Plan (VP)
2. System Requirements Specification (SRS)
3. System Configuration Specification (SCS)
4. Traceability Matrix (TM)
5. IQ Test Plan (IQP)
IBM Watson Health Cloud for Life Sciences Compliance (LSC) Overview
[Diagram: Validated Systems and Tools (IBM Managed); Qualified and Validated Cloud Infrastructure (Dedicated)]
LSC Overall Flow
[Diagram: Customer; GMCI (Compute, Storage, OpenStack) with SCCD and AET; Document Management System; Learning Management System; GCCI 1, GCCI 2 and GCCI 3 (each Compute, Storage, OpenStack). One GCCI is dedicated to one customer.]
Flow
1. Customer logs into SCCD, triggers Service Request via Service Catalog
2. Service Request execution calls AET
3. AET selects customer GCCI
4. OpenStack API is called by AET
5. AET waits for completion of OpenStack request
6. AET triggers SCCD workflow continuation
7. SCCD workflow completes
LSC Solution Technical Components
Validated Systems and Tools
– Document Management System - OpenText
Qualified and Validated Cloud Infrastructure
[Diagram: GCCI 3, OpenStack]
ICOS – Standard Architecture
[Diagram: CM (setup, monitor) and CI 1, CI 2, CI 3, each with Compute and Storage on OpenStack]
ICOS – Qualification Overview
[Diagram: CM (setup, monitor) and CI 1, CI 2, CI 3, each with Compute and Storage on OpenStack]
– CM
• Bare Metal Infrastructure Qualification
• CM installation (partly automated) -> CM Infrastructure Qualification
– Each CI
Documents
– CI Operations
12. System Commissioning Memo (SCM)
ICOS Qualification - Lessons Learned
– Shared components are cumbersome to qualify / validate
• For the CM, we need to have a 'GxP CM'; we cannot use the global ICOS CM
• DevOps tool chain, like RTC, Jenkins, Chef, needs to be split up
– Non-qualified / non-validated: RTC
– Qualified / validated: Jenkins and Chef
• For this we had to clone the central Jenkins server from the Austin lab into the CM
– Test Environments: Change history piles up and at a certain point makes re-runs of qualification and validation test steps impossible
• Can only be addressed by 'pristine' environments.
– Throwing away complete environments (SL accounts) including hardware
– Re-order SL hardware and follow the complete qualification / validation process – although not as an 'official' run.
Standard ICOS GCCI Infrastructure Redundancy Features for High Availability and Data Path Diversity
Notes:
• Each blue rectangle represents a virtual machine
• Grayed out rectangles are available in ICOS but not used by LSC in this release – they are shut down to reduce validation efforts.
• MGW: Vyatta bare metal used as management gateway routing management traffic to and from CM, especially to the CIs
LSC GxP Customer Cloud Instance (GCCI) Architecture
[Diagram: GCCI on bare metal servers: GCCI-Controller 1, 2 and 3 (VMs including Load Balancer, OpenStack Horizon, OpenStack Controller, DB, QPID, Tivoli Directory, SDN Controller, SDN Connectivity, SDN egw, Mongo DB, Ceph, Logstash), GCCI-Compute Nodes (2-n) with Nova and SDNVE, GCCI-Storage Nodes (2) with Ceph, and Vyatta bare metal MGW and CGW]
Notes:
• Standard ICOS setup
• Each blue rectangle represents a virtual machine – GCCI Controller 1 and 2 are set up identically, GCCI Controller 3 has a slightly different set of VMs.
• Compute nodes run nova and sdnve agents
• MGW: Vyatta bare metal used as management gateway routing management traffic to and from GCCI
• CGW: Vyatta bare metal used as customer gateway routing management traffic to and from customer VMs on the compute nodes.
LSC GxP Management Cloud Instance (GMCI) Architecture
[Diagram: GMCI with two sets of Edge Server, App Server, IQ Document Srv and PDF Writer (iText); GCCI-Controller 1 and GCCI-Controller 2; MGW and CGW]
GMCI:
• SCCD and AET running on 4 compute nodes like ICOS customer workload
• The SCCD system supports multi-tenancy and segregation of tenant’s data
• The SCCD data is segregated based on the customer or customers assigned to the logged in user.
• The AET executes requests from the SCCD catalog and provides required regulatory documentation
Sample Customer GCCI – Network Overview
[Diagram: network overview of LON2P (Central Mgmt), CI69 (GMCI) and CI50 (GCCI). Customer admin users access SCCD (Service Catalog, public address www.lsc.ibmcloud.com) over the Internet; IBM admin users access LSC over the Internet; each cloud instance has Vyatta management gateways (mgw01, mgw02) and Vyatta customer gateways (cgw01); the GMCI hosts the edge servers (see01, see02) and the SCCD server (scc01); the GCCI hosts the compute nodes (kvm001 to kvm003) with a path to customer VMs; management network 172.20.0.0; VPN tunnel to customer LDAP, with SCCD checking for authentication; Internet end users access the customer VMs' operating system via VPN tunnel to OpenVPN access from the customer site.]
LSC – Cloud Features
Images
Images must be KVM based – Windows and Linux images only.
Images need to be provided by customer and imported from customer provided URL
Virtual machines
Initial size (flavor) may be upgraded by submitting a service request – add CPU, Memory, Disk Size.
Two vCPUs per physical core
Physical servers have redundant power and redundant network connections with 10Gbps NICs
Accessible through VPN. No inbound public internet access. Outbound on request.
Storage volumes
Block storage. Size can be determined during provisioning
Not encrypted. Customer is responsible for implementing encryption as required.
The lifetime of a volume is different from that of a VM. If the VM is destroyed, the block storage is still available
Volume operations (Create/Attach/Detach/Delete) are included in the service catalog
LSC – Configuration Options
LSC provides dedicated configurable cloud environments in a SoftLayer data center - initially in Dallas and London
Restrictions apply, e.g. for scalability due to limitations in ICOS – accepted for the minimal viable product approach
Compute nodes (minimum 2 – maximum 32):
• Dual 12 core 2.6GHz Xeon v3
• 128 GB RAM
• 12TB RAID10 storage
• 1x10GbE network link
• KVM hypervisor
Disaster Recovery – Normal Operation
[Diagram: Active site and Stand-By site, each with CM, GMCI, SCCD DB and other data; continuous replication or continuous copy of full / incremental backups between the two sites]
Disaster Recovery – After Fail Over
[Diagram: two sites, each with CM, GMCI and SCCD DB; one site marked ACTIVE]
Definitions/Abbreviations/Acronyms
Abbreviation: Description
AET: Automated Evidence Tool
CM: GxP Central Management site – monitors all GCCIs
GCCI: GxP Customer Cloud Instances – single customer tenant private cloud
GMCI: GxP Management Cloud Instance – private cloud that hosts SCCD and AET
ICOS: IBM Cloud OpenStack Services
IPsec: Internet Protocol security for securely encrypting network traffic
LSC: IBM Watson Health Cloud for Life Sciences Compliance
OpenStack: OpenStack Cloud Management software
Private Cloud: Private Cloud is an ICOS Cloud Instance. GCCI and GMCI are both ICOS Private Cloud instances.
SCCD: Smart Cloud Control Desk
SDN-VE: Software Defined Networking for Virtual Environments
VM: Virtual Machine
VNID: Virtual Network ID
VPN: Virtual Private Network using Internet Protocol Security
Vyatta: Firewall Gateway
Resources
Backup Charts
Key Architectural Decisions 1 of 2
To help regulated workloads move from a traditional data center to the cloud, some key architectural decisions had to be taken in order to
• Remove Qualification / Validation effort from customer (yellow)
• Reduce and Optimize Qualification / Validation effort for IBM as Provider (green)
Area: Server / Storage infrastructure
Traditional DC:
• Qualification of server and storage
LSC Cloud:
• By using only dedicated bare metal servers for each customer and avoiding other SL services, SL's IMS does not need to be validated. A black box approach for IMS validation is not acceptable for compliance; a white box approach is not accepted by SL.
• Qualification is done for private cloud hardware only.
• Cookie cutter approach: Qualify and validate 2 private clouds (DAL and LON) and subsequently only perform infrastructure qualification for new private clouds.
Area: Network
Traditional DC:
• Qualification of all network gear and related configuration
LSC Cloud:
• Encryption of all traffic between TopOfRack switches and customer end point plus encapsulation of all traffic between customer dedicated racks avoids qualification of all network gear outside the customer dedicated racks.
• Usage of SDN avoids qualification of virtual network gear within the private cloud.
Area: Hypervisor / Virtualization
Traditional DC:
• Mostly VMware for long living VMs
LSC Cloud:
• KVM with OpenStack allows a disruptive move to the cloud and forces a more cloud-like pattern for regulated workload. Avoids legacy in the cloud.
• Using ICOS based on OpenStack allows a white box validation.
Area: VMs
Traditional DC:
• Qualification for each new VM
LSC Cloud:
• Automated qualification for each new VM using AET. Reduces IQ time significantly.
• QMS process change to allow for automated IQ.
Key Architectural Decisions 2 of 2
Area: IPCM
Traditional DC:
• Individual Incident Problem Change Mgmt.
• Qualification, Validation of IPCM
LSC Cloud:
• SCCD with a standard set of validated automated changes for the VM life cycle.
• SCCD is validated once, shared between customers.
• Customer segregation within SCCD.
Area: DMS / LMS
Traditional DC:
• Validation of Document and Learning Mgmt. System
LSC Cloud:
• Opentext and Learnflex are validated once, shared between customers.
• Customers have access to documents related to their private cloud.
Area: Middleware and Applications
Traditional DC:
• Qualification and validation including OS images
LSC Cloud:
• Customer responsible for qualification and validation including OS Images.
Area: Audit
Traditional DC:
• Customer is responsible for the complete stack (Monolithic approach)
LSC Cloud:
• Customer needs to internally audit the provider for the stack up to and including the hypervisor. Proposal is to have a 3rd party audit.
• Customer can re-use existing qualification and validation process above the hypervisor
How IBM meets network qualification requirements for GxP compliance
North <-> South Traffic: Encapsulated within Rack, Encrypted outside of ToR
[Diagram: dedicated environments for Customer 1, Customer 2, Customer 3 … Customer n, each with a service portal and the customer's on-prem environments; the LSC Management Cloud with AET, IPCMS and DMS; authentication using customer LDAP or SAML]
Disaster Recovery - Facts
– SLA
• RTO = 24 hours for CM/GMCI + another 6 hours per GCCI
• RPO = 30 minutes
– Switch over is a series of semi-automated tasks
• Switching off network connections to primary site
• Starting LSC services on backup site
• Reattach remaining GCCIs to backup site
– Customer is responsible for DR on application level
• Ordering 2 GCCIs in different DCs
• Replicating data from one GCCI to other GCCI
• Restriction: currently based on public VPN
– Network connection from customer site to both GMCIs is established during onboarding