Preparation is the key to carrying out a successful validation project. While planning for the validation of a cloud-based application can be overwhelming, it doesn’t have to be that way.
The basic principles of software validation for applications that impact GxP activities still apply in the cloud. However, the roles and responsibilities throughout the validation process have to be realigned to in order to account for the characteristics of today’s cloud services and SaaS (software as a service) applications.
Prior to validating any GxP application, the underlying infrastructure must first be qualified. As with cloud application validation, the rules of infrastructure qualification remain unchanged when qualifying infrastructure on the cloud.
And yet, the qualification approach may be adjusted to include the various stakeholders. In this article, we will look at the steps life sciences organizations should take when preparing for a validation project for a cloud application once you’ve qualified the supporting infrastructure.
The first step to determining your validation approach is to understand the inner workings of your cloud-based application.
Identify the regulatory requirements that apply to your system by analyzing the system’s intended use. Assessing the application’s core functionality will allow you to pinpoint the features that are subject to regulatory requirements, such as the application of electronic signatures.
Additionally, you will want to determine the system’s Software Category as per the GAMP 5 methodology. This category is based on the extent to which the solution is configurable, which in turn will help you determine the scope and extent of testing.
It is good practice to evaluate the application and the relevant regulatory requirements early in the process to have a better understanding of the time and resources required to complete the validation project.
Step two in the process is to get to know your cloud vendor better.
The cloud solution provider’s involvement must also be taken into consideration when determining the activities required to validate a cloud-based solution. Depending on the cloud service model, the vendor may be responsible for some or all of the validation activities.
To further complicate matters, the cloud solution vendor may partner with a cloud service provider (such as Microsoft Azure or Amazon Web Services) who oversees the platform or infrastructure on which the solution is hosted.
If the cloud vendor is responsible for validation, make sure to perform your due-diligence and evaluate the vendor’s system lifecycle documentation, as well as their quality practices. Make sure that they have performed adequate testing on all the in-scope system components, including any components that are managed by the cloud service provider.
It’s also important to ensure that the vendor has standard operating procedures (SOP) in place to cover critical processes such as change control, training and system back-up and security.
Now that you have done your research and acquired a good understanding of the application and the cloud vendor, it’s time to understand the potential risks.
At this stage, it’s important that you prepare a risk-assessment to analyze the system’s intended use (a process which began in Step 1) and to identify high risk areas. The risk-assessment also formally outlines the applicable regulations, such as 21 CFR Part 11 and Eudralex Volume 4 Annex 11.
Remember that the scope of validation activities should always be proportional to the risk that the system poses to patient safety, product quality or data integrity.
The next step in the process will be to outline system requirements.
They are typically defined based on your business (end-user, functional, security) needs in addition to the regulatory requirements established during the risk-assessment process.
The requirements provide an objective standard to which the system is tested during validation, thus demonstrating that the system is fit for its intended use.
Now that you have a clear understanding of your application, the vendor and the potential risks, it’s time to start formulating a plan for validating your cloud-based solutions.
This planning phase will culminate in the development of the Validation Plan. The Validation Plan will document the scope of validation, the validation approach chosen and the resources required to complete the software validation project.
You should also include information regarding the various stakeholders and their respective roles and responsibilities in the validation effort along with the deliverables that will be prepared as part of the project.
The types of testing to be performed should also be specified as well as the method(s) used to ensure that the system requirements are tested, such as a traceability matrix. It is also important to clearly define the SOP and training requirements that must be met prior to releasing the system to the end-users.
The old adage, knowledge is power, certainly applies when planning a validation project.
By having a firm understanding of your system’s capabilities, your business needs, and the applicable regulations, you can help avoid any unwanted surprises. This knowledge is especially useful when validating a cloud-based solution where there is the added challenge of managing multiple stakeholders.
By following the five steps explained in this article, you will be well on your way to coming up with a comprehensive validation plan. And a solid plan will put you on the path to success.