Qualification of Cloud Infrastructure and SaaS to Demonstrate Regulatory Compliance

Cloud infrastructure and Software as a Service (SaaS) solutions offer significant benefits to manufacturers in the pharmaceutical and medical device industries. Cloud-based solutions, including SaaS, still need to be validated, however, just like your in-house IT infrastructure.

The main difference, of course, is the introduction of third parties to not only provide a service, but to also ensure they manage that service properly. You can’t do this simply based on trust as you are subject to regulations, not the cloud infrastructure or SaaS vendor.

Therefore, you need a clear qualification strategy to ensure you can benefit from cloud computing and SaaS technologies while also ensuring regulatory compliance.

The Same Objectives

When qualifying cloud infrastructure and SaaS solutions, the objectives are the same as when qualifying in-house IT infrastructure or software that runs on your own system. Those objectives include:

  • Cloud and SaaS solutions must be specified;
  • They must be qualified to demonstrate they work as intended;
  • They must be subject to change control;
  • Written procedures must be created;
  • Records must be kept; and,
  • Staff must be trained.

As you are responsible for ensuring all your systems are compliant, including cloud computing and SaaS elements, the principles of qualification are the same. That said, innovative solutions are often required.

For example, one of the advantages of both cloud computing and SaaS is that vendors constantly work to improve their products, releasing frequent updates. Unlike in-house infrastructure, you are not in control of the application of these updates.

An automated testing process might be the solution in the above example. After all, regulators do not stipulate manual testing completed by humans. Instead, regulations require you to provide evidence the solution performs as expected. A software programme can perform this task in relation to cloud infrastructure or SaaS, automating the process and making it significantly less time-consuming.

Effective Qualification Strategy for Cloud Infrastructure and SaaS Solutions

Whatever the specifics of qualifying cloud infrastructure and SaaS solutions, you need a clear strategy in place first. This strategy should include:

  • Vendor assessments – this is required from a technical point of view to ensure the vendor’s solution can deliver on the requirements of the project. However, you should also assess the vendor’s quality system to confirm and demonstrate they have proper procedures in place for things like system security, data integrity, data recovery, change management, staff training, and more. If the vendor has already qualified their solution, the process should be easier as you should only have to check the qualification documentation.
  • Risk assessments – you should take a risk-based approach to all stages of qualifying cloud or SaaS solutions. This includes completing risk assessments on things like security and data integrity.
  • Qualification plan – this should outline the approach to qualification and detail activities, tasks, and responsibilities.

Taking Advantage

Broadly speaking, the pharmaceutical and medical device industries are behind other industries in their adoption of cloud computing technologies or the SaaS delivery models. It’s understandable that solutions like these have been viewed in the past as adding an element of risk to manufacturing operations.

Today, however, solutions and practices exist that make it possible to actually reduce risk by switching to cloud infrastructure and SaaS solutions. This includes qualification solutions that demonstrate regulatory compliance equal to in-house systems.

Ronan Sherlock

Ronan Sherlock is a Senior CSV Lead for SL Controls. He is responsible for the Validation of computerised systems for SL Controls clients. He has over a decade of experience in the pharmaceutical and bio-pharmaceutical sectors and has worked in Packaging, Equipment Validation, Computer System Validation, Facilities, and Project roles.

View all posts by Ronan Sherlock