Regulated industries & cloud-based systems validation
Introduction
Within cloud computing, there are three main service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
IaaS is where the customer subscribes to use the Infrastructure; this is similar to buying and deploying self-hosted servers, storage, and networking components.
PaaS is where the customer subscribes to use the Platform, that is, a complete suite of development tools that help the customer develop and deploy custom applications on the cloud; this is similar to using classical self-hosted development tools, operating systems, etc.
Finally, SaaS is where the customer subscribes to use the Software; this means using the provider’s applications running on a cloud infrastructure. Here, there is an inherent risk in the way the SaaS vendor designs and pushes any future updates to their offering – you may be able to decide when and which updates/features to apply, thus keeping a strict change control, or you may find that the software is updated according to the vendor’s schedule. Let’s look into this in more detail.
Validation in the context of cloud-based systems
Assuming your SaaS falls under the latter category, it is necessary to create a continuous cloud validation framework that ensures proper validation during initial implementation and robust re-validation under typical change management practices.
Translating the standard GAMP5 approach to validation for the cloud is crucial if you want to remain compliant while reducing the effort required by such complex systems. Such a framework can be organized in the following steps:
- Step 1: Audit and Qualify your software provider’s cloud IT Infrastructure. Ensure the Infrastructure is deployed in a compliant manner and that its durability, security, and continuity are ensured. Ideally your software provider has already performed Qualification – leverage their findings to avoid duplication!
- Step 2: Audit and Qualify your software provider’s app to ensure compliance with applicable regulations (21 CFR Part 11, Annex 11, etc.). Your software provider will most likely have performed such testing, and for most this is also their main selling point – utilize this once more in your documentation.
- Step 3: Develop your validation strategy based on your intended use. Define URS, perform your Risk Assessment and Design Review and design your IQ/OQ/PQ according to your testing needs and evidence required. You don’t need to spend more time on functional tests for features or functionalities which you will not use.
- Step 4: Following initial validation, implement a continuous validation strategy for validating your cloud app on an ongoing basis – assessing the changes and impact and combining change control and regression testing to keep your environment in a continuously validated state.
Where can you start?
With the right cloud validation framework in place you can keep updating and improving your system without fear of disruptions, creating vulnerabilities, or running into compliance issues.
The i2b Continuous Cloud Validation is the tool that will help you stay in line with compliance even in this day and age of evolving regulations. Contact us to learn more about how we can help your business needs or support your validation projects.