From the Experts | Montrium Services Blog

Why You Need to Validate (and Re-Validate) a Cloud-Based System

Written by Tamara Mitchell | January 8, 2020 at 2:45 PM

Whether it’s a machine you’re using to develop treatments, or the software used to send in your regulatory submissions, validation is a critical element in the pharma and biotech operational process.  

Validation involves testing whether something works, observing the results, and recording the evidence. Ongoing validation of evolving cloud-based systems ensures that the processes occurring within your system are compliant with GxP regulation and that the information you are producing is of high-quality.  

The FDA requires the validation of computer systems used to create, modify, and maintain electronic records and to manage electronic signatures under 21 CFR Part 11. “Such computer systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records,” and, “All production and/or quality system software, even if purchased off-the-shelf, should have documented requirements that fully define its intended use, and information against which testing results and other evidence can be compared, to show that the software is validated for its intended use.” - FDA 

Validation in the context of computer systems means creating evidence to show that your system can lead to a consistent and reproducible result in compliance with GxP regulations. To make sure that you’re not at the whim of the developers making changes to your system, the activities of initial validation and ongoing re-validation are critical to the success of your technology investment and accelerating your R&D process.

  

 

The basic principles of validation  

What are the basic principles of validation? These three principles must be considered when tackling the validation of your cloud-based system.   

  1. Fitness for the intended use of a computerized system is verified and documented. A system like Office 365 was originally not designed for GxP purposes. So, as regulated users of the application, we are responsible for ensuring that the system is validated and fit for its intended use in the context it will be used in.  
  1. Risks associated with using the system are mitigated. Regulatory agencies like the FDA, EMA, and industry best practices talk about the risk-based approach, which is widely adopted across the life science industry. By only focusing on areas that present an actual risk, we reduce a lot of effort in validating the system.   

  2. The validated state is maintained through effective change control mechanisms. There isn’t value in revalidating an entire system, but certain elements need to be tested and change control management steps taken to make sure your system and process still comply with GxP regulations.
     

The computer system validation model related to a configured cloud system 

Computer system validation or CSV in the context of the cloud brings us to the traditional GAMP®5 methodology. In the following graphic, we’re seeing the classic “V model” of GAMP®5 as specified for Category 4 configured products.   

On the left side of the diagram, the definition of specifications is done through a user requirements definition. Functional specifications describe which features of the system will meet the requirements of the users. Next, configuration specification defines specific parameters that will be configured to make sure the system functions as intended.   

The configured product is delivered by the supplier. However, you do have control over some configurations, and this should be done to facilitate 21 CFR Part 11 compliance. Leveraging resources that show supplier activities is a good way to streamline your own validation activities. In our example below, when using Office 365 for GxP content management, Microsoft’s software development life cycle process (SDLC) and quality management system (QMS) may be valued as part of the vendor assessment you undertake.   

On the right side, verification processes are listed. Typically, configuration verification and functional testing are completed to make sure that the system is configured, and functions as expected. User requirements or user acceptance testing is represented by PQ to ensure that the system is fit for its intended purpose.   

By and large, this model holds even in the cloud. However, the change management process is where it varies. Managing the changes in your applications in the cloud is very different from an on-premise environment, we explore this more in the next section.  

 

Figure 1 GAMP5 CSV Framework for a Configured Product (Category 4) 

 

A shift in the validation paradigm 

Traditionally, when an on-premise or legacy system was validated, we would freeze the system, and there would be intermittent changes requested that would be implemented under a strict change control process. However, with the cloud-based model, we can’t freeze and control the changes happening to our system. These continuous changes and improvements pushed by the cloud services provider bring forth the need for continuous validation to be sure that those changes are not negatively impacting the state of the system.   

Given the evolving nature of a cloud-based content management platform, continuous validation is crucial to keep up with changes and mitigate them. Continuous validation means knowing the current state of your system and ensuring alignment with specifications and user requirements. You can read more about the steps to performing continuous validation and the tools available in the context of a system like Office 365. 
 

The Takeaway 

System change is a good thing in most cases. Whether making security patches, implementing an update, or adding new features, all of these changes are brought forth by developers to improve your system and the quality of your data. The initial computer system validation and continued validation of cloud systems will help to reduce any errors and avoid problems with audits further down the road 

Montrium’s Professional Services Group specializes in computer system validation, cloud strategy and compliance, quality assurance, and digital transformation within the context of the life sciences. We work with Microsoft as a Gold Partner and have developed several whitepapers, including the Office 365 GxP Guidelines that detail how to manage Office 365 and Microsoft Azure products - targeted for organizations working in the context of GxP processes. If you would like to leverage our services, please reach out by submitting the form on our Office 365 Toolkits page