As cloud computing becomes increasingly popular with companies looking to cut IT costs and increase efficiency, it is not surprising that cloud services providers seem to offer Software as a Service (SaaS) solutions to meet just about every business need.
Cloud vendors are specifically targeting life science companies by developing SaaS products that meet industry-specific compliance requirements. These specialized products can manage a range of regulated activities, such as the application of electronic signatures and the management of pharmacovigilance cases.
The sales pitch is enticing - avoid the costs (and headaches) that come with maintaining internal IT infrastructure, while utilizing software that allows your organization to operate in accordance with applicable regulations. But is this promise too good to be true? Let’s take a closer look at some important considerations that should be taken into account when validating a SaaS product to manage GxP content and achieve compliance in the cloud.
The main thing to remember when evaluating SaaS products is that the burden of demonstrating that applicable regulations are met by the system falls on the end-user, the regulated life science customer. Moreover, regulatory compliance must be demonstrated prior to using a system for regulated activities.
Compliance is demonstrated by providing evidence that the system’s functionality is in line with the regulatory requirements and by ensuring that the system’s state of compliance is maintained for as long as the solution is in use.
For example, consider the requirement outlined in 21 CFR Part 11 stipulating that a solution used for the application of Part 11 compliant electronic signatures must display the reason for a signature in the signature manifestation. The choice to use a system setting that allows the reason for a signature to be displayed in the signature manifestation must be documented so that the system configuration can be maintained in a controlled manner. Moreover, evidence that applying this setting results in the signature manifestation meeting that specific requirement must be generated before operational use of the system is authorized.
This exercise is part of the computer system validation process, an activity centered around demonstrating that the system is fit for its intended use.
Before fitness for intended use can be demonstrated, it is crucial to define the functionality end-users expect from the system to meet business process needs and to address any regulatory considerations. The system must next be assessed to ensure that it is able to meet end-users’ needs. This evaluation may include consulting user guides and manuals, discussing the system features with the solution provider and testing the product by attempting to perform scenarios that are in line with the intended use.
The life science organization using a SaaS product to perform regulated activities is ultimately responsible for demonstrating and maintaining the validated state of the solution. However, the cloud service provider shares some responsibilities for system maintenance and validation activities.
The SaaS subscriber must, therefore, assess the vendor to ensure that the vendor’s quality standards and practices are in line with the customer’s expectations. It is also important to ensure that the vendor has processes in place to inform subscribers of system changes with potential regulatory or functional impact.
It is unrealistic to think that a configurable SaaS solution will incorporate all the necessary technical controls to satisfy every end-user requirement. Since SaaS solution providers often cater to companies in different industries, not all configuration options available in the system are compatible with regulatory expectations.
Regulatory compliance is usually achieved when a specific software configuration is applied and, even then, procedural controls may be needed to ensure compliance. These procedural controls supplement the system’s technical capabilities by dictating how the end-users must interact with the system and by detailing any process steps performed outside the system.
While the implementation of these types of workarounds should be expected, any measures imposed via procedural controls must nevertheless be carefully assessed. It is important to ensure that additional controls are appropriate and that any risks posed by their implementation are evaluated and addressed.
To illustrate this point, let’s focus on a practical example involving a SaaS product that allows users to approve controlled documents like standard operating procedures (SOPs) by applying an electronic signature to the document.
Suppose that the solution requires approvers to sign a document in the order in which their names are entered in the request for signature and that the organization’s process for approving SOPs states that the final approval of controlled documents must be performed by a QA representative.
In this scenario, a procedural control is needed to instruct individuals responsible for generating the request for signature to ensure that the QA representative is listed as the final approver on all SOPs approved using the system.
This measure can be considered a reasonable provision to ensure that the document approval process meets business needs. It can also be easily implemented by end-users, and any deviations from the procedural control would be highly detectable.
The implementation of a SaaS solution to perform regulated activities is not as simple as subscribing to a cloud service. While vendors targeting life science customers may promise a seamless transition to the cloud, business needs and regulatory considerations must be evaluated to ensure that the appropriate service is selected and validated.
Carefully assessing the system’s functionality, the cloud vendor’s processes and the regulatory expectations will allow your organization to remain compliant while benefiting from the many advantages of using cloud-based SaaS.