Cloud Computing: Validation of SaaS; who is accountable?
The trend in the pharmaceutical industry is also moving towards cloud computing. Financial but also organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions should also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:
- Basics of Cloud Computing Technology
- Regulations and Expectations of Inspectors
- Customer-Supplier-Relationship
- Requirements for Cloud Service Providers (CSP)
- Requirements for Supplier Evaluation and Supplier Audits
- Requirements for Qualification / Validation
The following question is one of a series of questions that we will publish in further GMP News articles on this site in the coming weeks.
Question 15: Special considerations for validation of SaaS; who is accountable? - Requirements for Qualification / Validation
SaaS means "Software as a Service" and describes one of several service models of Cloud Service Providers (CSP). SaaS means that the CSP provides and manages the complete application including infrastructure and platform. The regulated company pays a subscription fee but does not have to invest in server hardware and software development. Thus, it pays for provision and operation only, whereas the CSP takes care of IT administration and further services like maintenance and updates of the solution.
However, to be frank: Accountability cannot be delegated! The regulated company is still fully responsible for the regular use of the application and its implementation by the CSP. This responsibility can be realized by qualifying the CSP and validating the provided SaaS solution(s).
As for any other software application, the initial step is to write down the requirements, e.g. as a user requirements specification (URS). The URS defines the application's purpose and can be used as a baseline for the evaluation of different CSPs and their applications, often complemented by commercial aspects. CSPs on the short list should be qualified, ranging from filling in a questionnaire to conducting a multi-day on-site audit, depending on the application's risk and the data to be processed.
Therefore, transparency of the CSP as well as the customer / supplier relationship and the collaboration method will significantly impact the validation process. Basically, SaaS should be considered a "black box" solution that is going to be validated like any other type of software. However, the following aspects require special attention:
- Documentation provided by the CSP / supplier
  This aspect gains weight as it does not affect the application alone, but includes infrastructure, operating system etc. installed, implemented, and operated by the CSP.
- Supplier activities (towards validation) and quality of the application
  Both can be verified by reviewing the CSP's documentation.
- Data security, privacy, and protection
  GDPR regulations apply. Regulated companies need to understand how and where their data is being stored and processed and how multi-tenant systems segregate and protect their data.
- Update strategy / deployment
  Besides the application's quality at the time of (initial) evaluation and assessment, regulated companies need to understand the processes and methods for configuration management, change control, error correction, and deployment, all contributing to maintaining high quality in a validated state. Typically, the regulated company is not involved in and therefore has no control over scope and time of updates.
- Exit strategy
  Finally, another important aspect that should ideally be considered during evaluation is the exit strategy: SaaS solutions are convenient but may lead to reliance ("vendor lock-in"). Keep in mind that the CSP operates the application, but additionally stores and manages your data.
Generally, validation of SaaS follows the same principles as traditional computerized system validation (CSV). However, SaaS introduces new risks and shifts the focus, as the CSP's / supplier's activities take a larger role.
The Experts
Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Formerly Local GMP Inspectorate / Regierungspräsidium Tübingen
Oliver Herrmann, Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, Formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspectorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart