Overview
Software as a Service (SaaS) is growing in demand each year with the evolution of cloud services and the lack of capital budgets for on-premise deployments. SaaS features a complete application offered as a service on demand (Cloud Validation Solutions): a single instance of the software runs in the cloud and services multiple end users or client organizations. The past few years have seen significant growth in virtual implementation due to improved web infrastructure, security, and speed, combined with an economy exerting pressure to reduce costs and downsize the workforce (Nettleton, David). Outsourcing IT has become a more viable option.
Challenges
There are numerous challenges and risks involved in adopting a SaaS solution, especially for the regulated industry. The switch to SaaS may not reduce work effort or even costs once all considerations for compliance are made. A regulated company carries 100 percent of the responsibility to maintain compliance regardless of the software being outsourced. Inspection and upkeep of the documentation for both the hardware and software of a third-party host needs to be equivalent to what the company expects of its own internal IT department.
Regulations
The FDA’s Code of Federal Regulations Title 21 Part 820 Section 820.70(i) states: “When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.” (Food and Drug Administration [FDA], 2013). Section 820.50 further covers purchasing controls and states that “Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.” (FDA, 2013). A documented evaluation is required for “potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements.” (FDA, 2013). An important portion of this regulation that is commonly not followed by hosting providers is part 3(b), which states: “Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device.” (FDA, 2013). A Service Level Agreement needs to be agreed upon that does not allow the vendor to change the environment without permission from the customer.
Considerations
Below is a list of considerations and risks to be evaluated when moving towards a SaaS solution, along with a possible tactic for each (assuming the system falls into GAMP5 Category 3, 4, or 5):
| Area | Concern | Validation Tactic/Approach |
|---|---|---|
| Security | Do you have sole access to run/load/update? | If not, procedures requiring the hosting service to obtain permission are necessary |
| Security | What physical security is included? (e.g., firewalls and SSL login) | These should be detailed in a validation plan |
| Security | Have access controls been tested? (multi-privilege, multi-platform/hardware tests) | If not, they must be outlined in validation documentation |
| Security | Does an audit trail exist documenting a history of users added/modified/deleted? | Must be manually recorded if not included as functionality of the software |
| Security | Is there a separate testing instance to use for simulation when an upgrade is needed? | If not, proper justification should be provided within validation documentation |
| Security | Have tests been performed ensuring one tenant of the physical server cannot access another tenant’s data? | If no formal testing was performed, documentation pointing to the server host’s documentation |
| Data recovery procedures | Are redundancy and backups in place? | Must be implemented, and procedures must be effective |
| Data recovery procedures | Will notification be made prior to upgrades or maintenance taking place? | Absolutely necessary; create an agreement |
| Data recovery procedures | Is it possible your virtual server may be moved to a different physical box? | Not preferred, but must be tested and documented prior to the move |
| Installation | Ensuring the minimum specs are met for processor / RAM / space | An IQ or installation document verifying what is available |
| Installation | The environment must be qualified and well documented | Vendor-provided installation records |
| Vendor Audits | Does the vendor already have core validation documentation available? | If not, additional testing is necessary from the client |
| Vendor Audits | Is there documentation of data migration from an existing system? | If available, verification of successful migration should be included with validation documentation |
| Vendor Audits | Is regression analysis performed when an upgrade is made? | There should be a procedure in place for this |
| Vendor Audits | Does the cloud host realize they may need to accept FDA inspections, or other domestic and international regulatory inspections? | Ensure documentation procedures are in place and installation is documented adequately |
Responsibilities
Responsibility for documentation is shared between the regulated client and the provider. The table below segregates these responsibilities.
Responsibilities | Software Vendor | Regulated Client | Integrator/3rd party | Host |
Validation plan | X | |||
Vendor qualification including supplier audits to support verification of quality system, adequate testing/qualification (host/developer/others) | X | |||
Quality control agreements specifying who has responsibility for what | X | |||
URS/Configuration/Work Flow Development | X | X | ||
Qualification of Hosting Facility Infrastructure: reviewed as part of audit, held in escrow (Note: includes operational, maintenance, and change SOPs.) | X | |||
Qualification of Client Facility Infrastructure, including hardware/software/SOPs. | X | |||
Installation testing and configuration of the application | X | |||
IQ Configuration testing | X | |||
Functional testing GAMP5 CAT5 (where needed) | X | X | ||
Functional testing GAMP5 CAT4 tested as required based on the supplier audit, scale of testing entirely dependent on the audit results. | X | X | ||
Work flow/ Use case testing | X | |||
Any special testing based on SaaS: connections, data push, number of remote connections, security of data. | X | X | ||
Client driven SOPs to address maintenance, operation, administration of the software, vendors, etc. | X |
Supplier Questions and Service Level Agreements
Deciding on a vendor and coming to an agreement on responsibilities is the most important portion of validating a cloud-based application. Ownership of the Service Level Agreement (SLA) lies with the business, but it is typically managed by a Contracts department. This document is as important as the contract; it needs to contain incident management specifics and must reflect each party’s needs.
Good communication translates to less compromising and negotiating later which in turn leads to less dissatisfaction for both parties. This document should be treated as a living document and revisited as necessary. The SLA should contain:
- Statement that “We have the right to physically examine if a regulator asks”
- Change control terms and conditions (agreement between regulated company and hosting company)
- Notification must be provided for any and all backups, security updates, and environmental controls
- A test environment or other alternative must be provided for development and validation testing
- Roles and responsibilities clearly identified
- Environment can be cloned and archived
- Responsibility for the qualification of the hardware belongs with cloud provider
- SOPs in place
- Change management
- Data redundancy as well as power backup
- Disaster recovery
- Requiring unauthorized access to be reported
- Managing hardware changes effectively and efficiently
- Vendor has data integrity insurance
- Clear identification of where the data truly resides
- Physical security of the storage location
- Whether the vendor is an acquisition target
- How and when data is purged
- Upon termination of service, the vendor must allow migration of all files, data and information
- Overall financial situation of the vendor
- System Development Life-cycle established
- Reassurance that both the data, and the software to view it, remain available for years
Conclusion
In some cases, the amount of validation documentation is the same as an internal software solution with the additional burden and difficulty of multiple non-regulated companies being involved. All risks associated with SaaS need to be identified in validation planning documentation and a careful risk assessment needs to reinforce the decision to utilize this ever more prevalent form of software as a service.
About the Author:
Marc Carls is a Validation Specialist with Performance Validation. His area of expertise is Computer System Validation of Business Information Systems. Marc has supported GLP compliance projects for the pharmaceutical industry since 2005. He has developed and executed validation plans ranging from small-scale instrumentation software to enterprise-scale LIMS, and has authored computer system SOPs covering system use, maintenance, security and business continuity for clients. In addition, Marc has assisted with supplier audits, system retirement activities (decommissioning), regulatory gap analyses (including 21 CFR Parts 11 and 58), testing documentation, traceability matrices, user requirement, functional, and software specifications, and other business analysis activities.
References
- “Cloud Validation Solutions.” Cloudfidence.com. Cloudfidence. 2011. Web. 14 Jan. 2014.
- Nettleton, David. “Software As A Service (SaaS): Is outsourcing IT a good idea?” Computer System Validation. Computersystemvalidation.com. 2014. Web. 14 Jan. 2014.
- Bowker, Mark. “VMware View Business Process Desktops, Improving Productivity while Cutting Costs.” The Enterprise Strategy Group, Inc. June 2012. Web. 14 Jan. 2014.
- U.S. Food and Drug Administration (FDA). “CFR – Code of Federal Regulations Title 21.” April 2013. Web. 14 Jan. 2014.