

Software as a Service (SaaS) is growing in demand each year with the evolution of cloud services and the lack of capital budgets for on-premise deployments. SaaS features a complete application offered as a service on demand (Cloud Validation Solutions): a single instance of the software runs in the cloud and serves multiple end users or client organizations. The past few years have seen significant growth in virtual implementations due to improved web infrastructure, security, and speed, combined with economic pressure to reduce costs and downsize the workforce (Nettleton, David). Outsourcing IT has become a more viable option.


There are numerous challenges and risks involved in adopting a SaaS solution, especially in a regulated industry. The switch to SaaS may not reduce work effort, or even cost, once all compliance considerations are taken into account. A regulated company carries 100 percent of the responsibility for maintaining compliance regardless of the software being outsourced. Inspection and upkeep of the documentation for both the hardware and the software of a third-party host must be equivalent to what the company would require of its own internal IT department.


The FDA’s Code of Federal Regulations Title 21 Part 820, Section 820.70(i), states: “When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.” (Food and Drug Administration [FDA], 2013). Section 820.50 further covers purchasing controls and states that “Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.” (FDA, 2013). A documented evaluation is required for “potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements” (FDA, 2013). An important portion of this regulation that hosting providers typically do not follow is paragraph (b), which states: “Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device.” (FDA, 2013). A Service Level Agreement therefore needs to be agreed upon that does not allow the vendor to change the environment without permission from the customer.


Below is a list of considerations and risks to be evaluated when moving towards a SaaS solution along with a possible tactic (Assuming the system falls into a CAT 3, 4, or 5 as per GAMP5):

| Concern | Validation Tactic / Approach |
| --- | --- |
| Do you have sole access to run/load/update? | If not, procedures in place requiring the hosting service to obtain permission are necessary |
| What physical security is included? (e.g. firewalls and SSL login) | These should be detailed in a validation plan |
| Have access controls been tested? (multi-privilege, multi-platform/hardware tests) | If not, must be outlined in validation documentation |
| Does an audit trail exist documenting a history of users added/modified/deleted? | Must be manually recorded if not included as functionality of the software |
| Is there a separate testing instance to use for simulation when an upgrade is needed? | If not, proper justification should be provided within validation documentation |
| Have tests been performed ensuring one tenant of the physical server cannot access data from another? | If there is no formal testing, documentation pointing to the server host’s documentation |
| Data recovery procedures | |
| Redundancy and backups in place? | Must be implemented and procedures must be effective |
| Will notification be made prior to upgrades or maintenance taking place? | Absolutely necessary; create an agreement |
| Is it possible your virtual server may be moved to a different physical box? | Not preferred, but tested and documented prior to the move |
| Ensuring the minimum specs are met for processor / RAM / space | An IQ or installation document verifying what is available |
| The environment must be qualified and well documented | Vendor-provided installation records |
| Vendor audits | |
| Does the vendor already have core validation documentation available? | If not, additional testing is necessary from the client |
| Is there documentation of data migration from an existing system? | If available, verification of successful migration should be included with validation documentation |
| Is regression analysis performed when an upgrade is made? | There should be a procedure in place for this |
| Does the cloud host realize they may need to accept FDA inspections, or other domestic and international regulatory inspections? | Ensure documentation procedures are in place and the installation is documented adequately |

The responsibility for documentation is shared between the regulated client and the provider. The items below are divided among four parties: Software Vendor, Regulated Client, Integrator/3rd party, and Host.

  • Validation plan
  • Vendor qualification, including supplier audits to support verification of the quality system and adequate testing/qualification (host/developer/others)
  • Quality control agreements specifying who has responsibility for what
  • URS/configuration/workflow development
  • Qualification of hosting facility infrastructure: reviewed as part of the audit, held in escrow (Note: includes operational, maintenance, and change SOPs.)
  • Qualification of client facility infrastructure, including hardware/software/SOPs
  • Installation testing and configuration of the application
  • IQ configuration testing
  • Functional testing, GAMP5 CAT5 (where needed)
  • Functional testing, GAMP5 CAT4, tested as required based on the supplier audit; the scale of testing is entirely dependent on the audit results
  • Workflow/use case testing
  • Any special testing based on SaaS: connections, data push, number of remote connections, security of data
  • Client-driven SOPs to address maintenance, operation, and administration of the software, vendors, etc.

Supplier Questions and Service Level Agreements
Deciding on a vendor and coming to an agreement on responsibilities is the most important part of validating a cloud-based application. Ownership of the Service Level Agreement (SLA) lies with the business, but it is typically managed by a Contracts department. This document is as important as the contract itself: it needs to contain incident management specifics and must reflect each party’s needs.

Good communication translates to less compromising and negotiating later which in turn leads to less dissatisfaction for both parties. This document should be treated as a living document and revisited as necessary. The SLA should contain:

  • Statement that “We have the right to physically examine if a regulator asks”
  • Change control terms and conditions (agreement between regulated company and hosting company)
    • Notification must be provided for any and all backups, security updates, and environmental controls
    • A test environment or other alternative must be provided for development and validation testing
  • Roles and responsibilities clearly identified
  • Environment can be cloned and archived
  • Responsibility for the qualification of the hardware belongs with cloud provider
  • SOPs in place
    • Change management
    • Data redundancy as well as power backup
    • Disaster recovery
    • Requiring unauthorized access to be reported
    • Managing hardware changes effectively and efficiently
  • Vendor has data integrity insurance
  • Clear identification of where the data truly resides
  • Physical security to the storage location
  • Whether the vendor is an acquisition target
  • Data purge terms
  • Upon termination of service, the vendor must allow migration of all files, data and information
  • Overall financial situation of vendor
  • System Development Life-cycle established
  • Reassurance that both the data, and the software to view it, remain available for years

In some cases, the amount of validation documentation is the same as an internal software solution with the additional burden and difficulty of multiple non-regulated companies being involved. All risks associated with SaaS need to be identified in validation planning documentation and a careful risk assessment needs to reinforce the decision to utilize this ever more prevalent form of software as a service.

About the Author:

Marc Carls is a Validation Specialist with Performance Validation. His area of expertise is Computer System Validation of Business Information Systems. Marc has supported GLP compliance projects for the pharmaceutical industry since 2005. He has developed and executed validation plans for everything from small-scale instrumentation software to enterprise-scale LIMS, and has authored computer system SOPs covering system use, maintenance, security, and business continuity for clients. In addition, Marc has assisted with supplier audits, system retirement activities (decommissioning), regulatory gap analyses (including 21 CFR Parts 11 and 58), testing documentation, traceability matrices, user requirement, functional, and software specifications, and other business analysis activities.


  • “Cloud Validation Solutions.” Cloudfidence. 2011. Web. 14 Jan. 2014.
  • Nettleton, David. “Software As A Service (SaaS): Is outsourcing IT a good idea?” Computersystemvalidation.com. 2014. Web. 14 2014.
  • Bowker, Mark. “VMware View Business Process Desktops, Improving Productivity while Cutting Costs.” The Enterprise Strategy Group, Inc. June 2012. Web. 14 Jan. 2014.
  • U.S. Food and Drug Administration (FDA). “CFR – Code of Federal Regulations Title 21.” April 2013. Web. 14 Jan. 2014.