XaaS: Adapting Your Validation Approach for a Service-Providing Vendor

As more life sciences companies are founded on the use of contract research, development and manufacturing organizations, the need to communicate and manage thousands of records and tens of GxP processes across the globe via cloud-hosted software infrastructure continues to grow.  Cloud services (SaaS, PaaS, IaaS, etc.) offer numerous benefits for life sciences companies but can pose problems during validation and operation.  This post will explore some of the problems facing cloud-hosted software solutions in life sciences.

Selecting the right system for your organization’s size, complexity and use can be difficult and the source of continued problems during validation or operation.  In many cases, problems arise when businesses or departments select systems that meet the needs of their business process without consulting with their IT or Quality organizations to see if the system will meet applicable regulatory or data integrity requirements.

Implementing a cloud-based system requires an assessment of the vendor offering that system and, if that vendor does not exhibit an understanding of the controls required in life sciences, it can lead to technical issues and increased costs.  For example, validating a system for use in a GxP laboratory that does not have significant controls for user or administrator permissions can result in the implementation of procedural controls that tax users or introduce risk to data integrity.  By selecting a vendor that understands your specific needs, you can save time and money on validation and ensure that business owners receive systems that streamline operations rather than encumbering them.

Another challenge facing life sciences companies looking to implement cloud software and infrastructure is the lack of an appropriate computer system validation program.  Existing validation programs may not build in considerations for accommodating Agile software development or frequent software upgrades, for example, that are common with many XaaS (Software-, Infrastructure-, Platform-as-a-Service) vendors.  By revising your computer system validation program to include considerations for cloud software and infrastructure, you can streamline your process for requesting necessary documentation, assessing risk and implementing appropriate controls.

Risk assessments have been a part of computer system validation for decades, but rarely has an assessment of the vendor been included when developing a validation strategy.  By conducting a thorough audit of your vendor, you can develop a risk profile that allows you to focus your testing and validation on high-risk aspects of the system as determined by your organization, rather than relying solely on the assessment performed by your vendor.  By implementing an integrated program that involves Validation, IT, and Quality Auditing as part of system selection, system risks can be anticipated rather than accommodated.

Another challenge life sciences companies may face while attempting to validate cloud systems are vendors who are unwilling to provide technical or process-related (change control process, for example) information.  The ISPE GAMP Community of Practice is currently working on further guidance for developing a sound GxP process for managing cloud services including XaaS.  By leveraging other aspects of regulatory compliance that apply to software vendors, like Sarbanes-Oxley, auditors may be able to conduct an audit supported by testing of those regulatory controls, implement corrective actions and make the results of those audits available to users of that software.

As technologies serving life sciences continue to advance, industry communities of practice must develop new techniques within the boundaries of existing regulations to ensure data integrity.  Life science companies and the vendors that serve them still have much to learn about implementing these systems but, by working together, stand to mutually benefit each other by achieving more efficient validation, more thorough system delivery and stronger data integrity.