Cloud Computing: Validation of SaaS; who is accountable?

The pharmaceutical industry, too, is moving towards cloud computing. Financial as well as organizational advantages speak for the cloud. At the same time, potential dangers and regulatory restrictions should be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:

  • Basics of Cloud Computing Technology
  • Regulations and Expectations of Inspectors
  • Customer-Supplier-Relationship
  • Requirements for Cloud Service Providers (CSP)
  • Requirements for Supplier Evaluation and Supplier Audits
  • Requirements for Qualification / Validation

The following question is one of a series of questions that we will publish in further GMP News articles on this site in the coming weeks.

Question 15: Special considerations for validation of SaaS; who is accountable? - Requirements for Qualification / Validation

SaaS means "Software as a Service" and describes one of several service models of Cloud Service Providers (CSP). SaaS means that the CSP provides and manages the complete application including infrastructure and platform. The regulated company pays a subscription fee but does not have to invest in server hardware and software development. Thus, it pays for provision and operation only, whereas the CSP takes care of IT administration and further services like maintenance and updates of the solution.

However, to be frank: Accountability cannot be delegated! The regulated company is still fully responsible for the regular use of the application and its implementation by the CSP. This responsibility can be realized by qualifying the CSP and validating the provided SaaS solution(s).

As for any other software application, the initial step is to write down the requirements, e.g. as a user requirements specification (URS). The URS defines the application's purpose and can be used as a baseline for the evaluation of different CSPs and their applications, often complemented by commercial aspects. CSPs on the short list should be qualified, ranging from filling in a questionnaire to conducting a multi-day on-site audit, depending on the application's risk and the data to be processed.

Therefore, transparency of the CSP as well as the customer / supplier relationship and the collaboration method will significantly impact the validation process. Basically, SaaS should be considered a "black box" solution that is going to be validated like any other type of software. However, the following aspects require special attention:

  • Documentation provided by the CSP / supplier
    This aspect gains weight as it does not affect the application alone, but includes infrastructure, operating system etc. installed, implemented, and operated by the CSP.
  • Supplier activities (towards validation) and quality of the application
    Both can be verified by reviewing the CSP's documentation.
  • Data security, privacy, and protection
    GDPR regulations apply. Regulated companies need to understand how and where their data is being stored and processed and how multi-tenant systems segregate and protect their data.
  • Update strategy / deployment
    Besides the application's quality at the time of (initial) evaluation and assessment, regulated companies need to understand the processes and methods for configuration management, change control, error correction, and deployment, all of which contribute to maintaining high quality in a validated state. Typically, the regulated company is not involved in and therefore has no control over scope and time of updates.
  • Exit strategy
    Finally, another important aspect that should ideally be considered during evaluation is the exit strategy: SaaS solutions are convenient but may lead to reliance ("vendor lock-in"). Keep in mind that the CSP operates the application, but additionally stores and manages your data.

Generally, validation of SaaS follows the same principles as traditional computerized system validation (CSV). However, SaaS introduces new risks and shifts the focus, as the CSP's / supplier's activities take a larger role.

Find more Q&As on the topic "Cloud Computing" which have been answered by the expert team.

The Experts

Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Formerly Local GMP Inspectorate / Regierungspräsidium Tübingen
Oliver Herrmann, Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, Formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspectorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart
