Regulators agree that you can outsource services, but they insist that you cannot outsource your GXP responsibility. (p. 160)


Cloud technology for Software as a Service (SaaS) is being sold to end users as a cost-effective solution for growing and global business activities. The message is that customers are freed from managing software and infrastructure, so that they can concentrate on their primary business activities while the application, infrastructure, and IT operations are outsourced.

The challenge with SaaS products and services for GXP regulated customers is that EMA and FDA do not allow end users to outsource their Annex 11 and Part 11 responsibilities. End users must still qualify the performance (PQ) of an application with a validation package of documented evidence to show that the application reliably performs its GXP activities to the user requirements specification (URS) in the user’s GXP work process.

FDA’s 21 CFR Part 11 gives end users an 11-item list of procedures and controls for computerized systems in Section 11.10. Highlights of this list (a-k) are shown below:

“Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

a. Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records….
c. Protection of records to enable their accurate and ready retrieval throughout the records retention period.
d. Limiting system access to authorized individuals.
e. Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records…
g. Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
h. Use of device (e.g. terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction…”

SaaS vendors who tell you that they can provide a “validated” system for your immediate use are seriously misinformed. The purchasing end user must still document the performance of the SaaS application in their own GXP work process with positive and negative scenarios. The end user must also verify the SaaS provider’s evidence for the operational qualification (OQ) of their Software Development Life Cycle (SDLC) and for the installation qualification of each of their data center configurations for the SDLC platform and the SaaS production systems. HIPAA and Safe Harbor compliance must then be considered as appropriate. If you are a GXP regulated business, then the GXP validation compliance responsibility is always yours, and it cannot be outsourced to any vendor.


Next Month: Cloud Validation – End User Validation Challenge for SaaS
