Cloud Computing: Validation documents for a SaaS application
The pharmaceutical industry, too, is moving towards cloud computing. Both financial and organizational advantages argue in favor of the cloud. At the same time, potential dangers and regulatory restrictions must be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions on the following GxP-relevant topics:
- Basics of Cloud Computing Technology
- Regulations and Expectations of Inspectors
- Customer-Supplier-Relationship
- Requirements for Cloud Service Providers (CSP)
- Requirements for Supplier Evaluation and Supplier Audits
- Requirements for Qualification / Validation
The following question is one of a series of questions that we will publish in further GMP News articles on this site in the coming weeks.
Question 23: What validation documents are required for a SaaS application? Who provides which documents? - Requirements for Qualification / Validation
Providers of cloud-based GxP applications (SaaS) often promise in their advertising that the pharmaceutical company can completely eliminate costly and time-consuming validation activities. This statement is only partially correct: the regulated company is left with a whole range of validation activities that the service provider cannot take over or that must be carried out by both parties. In principle, there are three options for validation.
Scenario 1: Full trust in the provider
As long as the cloud provider has established a good relationship of trust with the customer, is audited regularly without major complaints/observations and allows insight into all activities, the pharmaceutical company can limit itself to testing the critical functions in the user acceptance test (UAT). The prerequisite is a carefully conducted functional risk analysis to determine the critical functions of the application.
Scenario 2: Partial trust in the provider
In many cases, the contractual relationship between the customer and the cloud service provider is still short, the audit may have identified major but non-critical issues/complaints, and not all processes were disclosed to the customer. Here, the customer should carry out a complete user acceptance test with each release.
Scenario 3: "Be on the safe side"
This costly option is very common in the conservative pharmaceutical industry, as people do not want to take any risks in the event of regulatory inspections. The pharmaceutical company carries out a complete validation with each release, including extensive documentation requiring considerable resources.
The table below outlines which validation documents are to be provided by the customer or by the service provider.
Before entering into a contractual agreement with the service provider, the pharmaceutical company must qualify the supplier in an audit. A corresponding audit report may have to be submitted to the investigator in the event of an official inspection. The usual first steps for validation (System Risk Assessment, Electronic Records Assessment and Validation Master Plan) are carried out and the requirements specification is developed. The service provider creates a validation plan, functional specification and design specification for its application. The functional risk analysis is the task of the customer, but the service provider can usefully support it, as it has the best insight into the functions of its application.
The usual IQ/OQ test activities are carried out regularly by the service provider and randomly checked by the customer during the regular audit. In this context, IT infrastructure qualifications and security settings as well as certificates (ISO 27001, SOC, etc.) must also be evaluated in detail. Frequently, the IT infrastructure is outsourced to a third-party company (e.g. Amazon, Microsoft), which acts as a third-party sub-contractor.
The User Acceptance Test (UAT) is carried out by both partners on the basis of the test cases developed by the service provider. The UAT report is written by both the customer and the service provider, whereby the report of the pharmaceutical company is decisive for the assessment of the validation success.
It is advisable to perform the testing with automated test tools, as a new UAT is due with each release.
The Experts
Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Formerly Local GMP Inspectorate / Regierungspräsidium Tübingen
Oliver Herrmann, Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, Formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspectorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart