41. Cloud Validation – PQ Testing of SaaS Applications

…PQ, however, can still be performed by users as usual using their work process to validate the ability of the cloud-hosted software application to perform as expected. (p. 160)


Software as a Service (SaaS) applications used in a GXP regulated work process still require end user validation against FDA 21 CFR Part 11 and EU Annex 11. These regulations still require documented evidence that the SaaS application performs its GXP process functions as intended, that SOPs for how the application is used in the work environment have been approved, that GXP data is secure and of trustworthy quality, and that end users have been fully trained in the use of the SaaS system and in its security measures.

End user performance qualification (PQ) must demonstrate testing under both normal operating conditions and representative error and stress conditions. Configuration management of both the SaaS application and its associated infrastructure must be in place and audited by end users for documented evidence of ongoing compliance with change control, backup/recovery, and Disaster Recovery standard operating procedures and plans.

End users can delegate software development and data center support of their SaaS application to third party suppliers, but they cannot delegate to another party their regulatory responsibility for compliance of the computerized GXP work process and the integrity of its GXP data. End users must use audits, service level agreements (SLAs), and ongoing monitoring and review of supplier operations to assure continued compliance of software development and data center operations to relevant laws and directives for software, system, and data handling operations including relevant data privacy restrictions on data movement across geopolitical regions.

The user requirements specification (URS) for a SaaS application needs to include certain cloud-specific issues in addition to the GXP work process and regulatory needs. In particular a clear view is needed into the configuration management practices by the software supplier for installation of updates, fixes, and new versions of the application software and by the hosting data center service for their updates and maintenance to the platform infrastructure and their data storage management practices. Both suppliers should have documented Disaster Recovery Plans and reports of exercised tests of their plan.

Both suppliers should have training records for training in FDA Part 11, EU Annex 11, and the relevant data privacy and security directives, e.g., HIPAA, the EU data protection directive, and the cross-border transfer mechanism in force at the time (the EU-US Safe Harbor framework has since been invalidated). The critical importance of intact and complete audit trails must be emphasized. Audit trail entries and GXP records must be retained complete and individually; no "deduplication" that merges or drops repeated entries in audit trails or GXP data should be allowed. Single sign-on (SSO) across multiple cloud applications does not by itself give a complete audit view of actions taken within each application: the SSO log records only the date, time, and identity of the original sign-on. Each application must therefore keep its own action-level audit trail tied to that authenticated identity. GXP requires action-specific data in an audit trail: the date and time of the specific change, what the change was, who made it, why it was made, and a preserved record of the original data.
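The audit-trail requirement above (when, who, what, why, and the original value for every change, with nothing dropped or altered) can be checked mechanically. The following is an added example, not code from the original page or from any particular SaaS product: it assumes a hypothetical record layout in which each entry carries the listed fields plus a SHA-256 hash chained to the previous entry, and it shows why an SSO sign-on event alone does not satisfy the requirement and how a silently edited or deleted entry is detected. All sample records are constructed.

```python
"""Audit-trail completeness and tamper-evidence checker (added example).

Assumptions (not from the original page): records are dicts with the field
names below; each record stores the previous record's hash and its own
SHA-256 over its canonical content, so edits and deletions break the chain.
"""
import hashlib
import json
from datetime import datetime

# Every change must record when, who, what (entity, field, old and new value) and why.
REQUIRED_FIELDS = ("timestamp", "user", "action", "entity", "field",
                   "old_value", "new_value", "reason")
GENESIS = "0" * 64  # prev_hash of the first record


def _canonical(record: dict) -> bytes:
    """Stable serialization of a record minus its own hash field."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_record(trail: list, record: dict) -> dict:
    """Append a record, chaining it to the hash of the previous record."""
    entry = dict(record)
    entry["prev_hash"] = trail[-1]["hash"] if trail else GENESIS
    entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    trail.append(entry)
    return entry


def check_trail(trail: list) -> list:
    """Return findings as (index, message) tuples; an empty list means the trail passes."""
    findings = []
    prev_hash, prev_ts = GENESIS, None
    for i, rec in enumerate(trail):
        # 1. Completeness: every action-specific field must be present.
        for f in REQUIRED_FIELDS:
            present = f in rec and rec[f] is not None
            if f == "old_value" and rec.get("action") == "create":
                present = f in rec  # a create has no original value, but must say so
            if not present:
                findings.append((i, f"missing field '{f}'"))
        # 2. Timestamps must be timezone-aware ISO 8601 and never run backwards.
        ts_raw = rec.get("timestamp")
        if ts_raw is not None:
            try:
                ts = datetime.fromisoformat(ts_raw)
                if ts.tzinfo is None:
                    findings.append((i, "timestamp lacks timezone"))
                elif prev_ts is not None and ts < prev_ts:
                    findings.append((i, "timestamp earlier than previous record"))
                else:
                    prev_ts = ts
            except ValueError:
                findings.append((i, "timestamp not ISO 8601"))
        # 3. Tamper evidence: the chain must link and the stored hash must recompute.
        if rec.get("prev_hash") != prev_hash:
            findings.append((i, "chain break: prev_hash does not match previous record"))
        if hashlib.sha256(_canonical(rec)).hexdigest() != rec.get("hash"):
            findings.append((i, "hash mismatch: record content altered"))
        prev_hash = rec.get("hash", "")
    return findings


def build_sample_trail() -> list:
    """Constructed sample records for the demonstration (not real data)."""
    trail = []
    base = {"user": "jdoe", "entity": "batch/1234", "field": "status"}
    append_record(trail, {**base, "timestamp": "2024-05-01T09:00:00+00:00", "action": "create",
                          "old_value": None, "new_value": "in_process", "reason": "batch started"})
    append_record(trail, {**base, "timestamp": "2024-05-01T10:15:00+00:00", "action": "update",
                          "old_value": "in_process", "new_value": "on_hold", "reason": "deviation opened"})
    append_record(trail, {**base, "timestamp": "2024-05-02T08:30:00+00:00", "action": "update",
                          "old_value": "on_hold", "new_value": "released", "reason": "deviation closed by QA"})
    return trail


def demo() -> dict:
    """Run the checker over a clean trail and three defective variants of it."""
    trail = build_sample_trail()
    # An SSO sign-on event records only who signed in and when: no entity, field, values or reason.
    sso_only = list(trail)
    append_record(sso_only, {"timestamp": "2024-05-02T09:00:00+00:00", "user": "jdoe", "action": "sso_login"})
    # A stored value rewritten after the fact no longer matches its hash.
    tampered = [dict(r) for r in trail]
    tampered[1]["new_value"] = "released"
    # A deleted middle record leaves the next record pointing at a hash that is no longer there.
    gap = [trail[0], trail[2]]
    return {"clean": check_trail(trail), "sso_only": check_trail(sso_only),
            "tampered": check_trail(tampered), "gap": check_trail(gap)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

The SSO-only entry fails on every action-specific field, which is the concrete form of the point above: the identity provider can prove that jdoe signed on at 09:00, but only the application can record what jdoe then changed and why. The hash chain is one way to make the "nothing dropped or altered" property auditable without trusting the hosting provider's word for it.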

It is important to work with SaaS and cloud infrastructure providers that focus on and understand FDA regulated data integrity requirements.


…there is no IQ visibility into the platform and no control over the location of the data on the cloud infrastructure. (p. 160)