Qualification of Cloud Infrastructure and SaaS to Demonstrate Regulatory Compliance

Cloud infrastructure solutions, as well as Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) solutions, offer significant benefits to manufacturers in the pharmaceutical and medical device industries. Cloud-based solutions still need to be validated, however, just like your on-premises software.

The main difference, of course, is the introduction of third parties to not only provide a service, but to ensure they properly manage that service as well. You can’t do this simply based on trust as you are the organisation that is subject to regulations, not the cloud infrastructure or SaaS, IaaS, or PaaS vendor.

Therefore, you need a clear qualification strategy, based on Computer Software Assurance (CSA) methodology, to ensure you can benefit from cloud-based technologies while also ensuring regulatory compliance.

Working Towards the Same Objectives

When qualifying cloud-based solutions, the objectives are the same as they are when qualifying in-house IT infrastructure or software that runs on your own system. Those objectives include:

  • Cloud infrastructure, SaaS, IaaS, and PaaS solutions must be specified;
  • They must be qualified to demonstrate they work as intended;
  • They must be subject to change control;
  • Written procedures must be created;
  • Records must be kept; and,
  • Staff must be trained.

As you are responsible for ensuring all your systems are compliant, including cloud-based elements, the principles of qualification are the same. That said, innovative solutions are often possible.

For example, one of the advantages of cloud solutions is that vendors constantly work to improve their products, releasing frequent updates. Unlike in-house infrastructure, you are not in control of the implementation of these updates.

An automated testing process might be the solution in the above example as regulators do not stipulate it must be done manually. They instead require you to provide evidence that shows the solution performs as expected. So, a software program can perform this task in relation to cloud infrastructure, SaaS, IaaS, or PaaS, automating the process and making it significantly less time-consuming.

Effective Qualification Strategy for Cloud Infrastructure, SaaS, IaaS, & PaaS Solutions

Whatever the specifics of qualifying cloud infrastructure and cloud-based solutions, you first need a clear strategy. This strategy should include:

Vendor Assessments

Vender assessments are required from a technical point of view to ensure the vendor’s solution can deliver on the requirements of the project. However, you should also assess the vendor’s quality system to confirm and demonstrate they have proper procedures in place for things like system security, data integrity, data recovery, change management, staff training, and more.

If the vendor has already qualified their solution, the process should be easier as you should only have to check the qualification documentation. If the documentation is high-quality, you can focus your efforts on ensuring the solution is suitable for the use it is intended.

Risk Assessments

Using CSA best practices, you should take a risk-based approach to all stages of qualifying cloud infrastructure and SaaS, IaaS, and PaaS solutions. This includes completing risk assessments on things like security and data integrity, while putting in place process controls that mitigate risks. This especially applies when the solution has no direct impact on the safety or quality of the product you are manufacturing.

Taking a risk-based approach involves focusing your efforts vendor by vendor, platform by platform, and process by process. As a result, you can prioritise these efforts where they make the most sense.

Qualification Plan

Your qualification plan should outline the approach you have taken to qualification while also detailing activities, tasks, and responsibilities.

Taking Advantage

Broadly speaking, the pharmaceutical and medical device industries are playing catch-up in their adoption of cloud computing technologies. It’s understandable that solutions like these have been viewed in the past as adding an element of risk to manufacturing operations.

Today, however, solutions and practices exist from equipment-to-cloud providers like us at SL Controls that make it possible to realise the benefits of cloud computing while reducing risk. This includes cloud infrastructure, SaaS, IaaS, and PaaS qualification solutions that demonstrate regulatory compliance to a standard that is equal to on-premises systems.