How do you Validate a Cloud Application? What Questions Need to be Asked?

Hi All,

I would like to get a discussion started as to how one would begin to validate a cloud application used in the regulated environment.

I want to create a mindmap of all possible questions that need to be asked

I’ll get the ball rolling please reply with bullet points if possible:

Where is the server hosted?

What is the backup and restore policy?

Is it a true cloud application or is each company running off different versions of the software?

How many concurrent users are allowed at one time?

Is the browser compatible with all browsers?

Does it work with IE 6.0

Please add as you see fit.

Best Regards

Probably the first thing after you come up with your User Requirements for the cloud application would be a thorough Supplier Assessment or Audit.

Thanks Russ, that makes sense

The next item needed after selecting the service provider is a strong Service Level Agreement (SLA). The SLA will detail out many things that will be needed for the qualification / validation. Security (Physical and electronic), Will you have a public private or combo cloud, Who has privileged access to Data, Location of the Data (different laws for different countries), Data Segregation, Data Recovery, Data Availability, What happens to the Data at service termination, Patch management, Software configuration changes, Change Control… You really need to do your work up front for this. It will be the way of the future, but you need to be compliant.

Is the cloud on a validated server?

Posted by Carl Miller MeD

Does the cloud have a audit trail ?

Posted by Carl Miller MeD

Bill Becker • Hi Graham, Our company provides a private cloud based document management software system as a service to FDA regulated companies. I recently attended an ISPE training session on CFR 11 Part 21 compliance with Electronic Records and was very interested in being able to answer the question you just asked.

So, first there are a number of variables.

IS the Cloud public or private? GMail is a public cloud, whereas you may use leased software hosted in an internet based environment, that would still comprise a “cloud” but you’re not sharing databases or other storage resources with other users, each customer has a private slice of that cloud environment.

I agree with Elizabeth, that ultimately you are still making a risk based assessment on what you plan to do in the cloud, but even if you have a high risk opportunity, that only rules out public clouds where you have no real control over the software provider. In our particular case, we recommend that each individual client validate their implementation of our cloud based ECM, because each client has to meet their specific regulatory requirements, and make certain that your cloud provider has a SAS70 or SSAE16 opinion from a third party CPA firm to be certain their technical environment is controlled adequately.

Hope this helps!

If you are working with anything covered by predicate rules or CFR11, then I would definitely recommend a private cloud environment and you still need to validate the application as it is implemented within your organization and customized for your needs. But this also all needs to be weighed against the risk of what you are putting in the cloud. IF it’s not covered by FDA rules, you can still use the public cloud to great success.
Posted by Bill Becker

The MAIN questions that should be asked in regards to “The Cloud” (validated app or not), are Can I live without my data? Am I willing to place the responsibility of ownership and security of my data in someone else’s hands? Someone who claims to do it better but mainly just does it cheaper. Is my organization, my application really ready for that?

Posted by Jason Demmi

Begin by looking at what makes the 2 deployment methodologies different. Security, for starters…

Posted by Jason Demmi

The new European Annex 11 regulatation state that applications should be validated; Infrastructure should be qualified. Although an EU regulation, with the FDA joining the PIC/S scheme, an FDA inspector (or any inspector from a country that’s in the PIC/S scheme) can now pick up Annex 11 and use that as their definition of good practice to audit/inspect you against.

At the very least, contractual arrangement need to cover the assurance that the infrastructure in the cloud is qualified and that the supplier can evidence this on demand.

Kind regards,
Phil

I would be all over audit trail capability. Who has access to change any data and how do I know the data are original?

All,

It is unlikely that you are going to get a strong SLA from either Google or an Amazon engineer. If the cloud does not meet the requirements of 21 CFR part 11 maybe you should think about doing without the “Cloud”. Demonstrating ‘control’ is the most important part of compliance.
Posted by Bruce Neagle

Bruce Neagle

Yes. You can use the ‘cloud’ for sales data, templates, etc. were 21 CFR part 11 is not required but once you use it to make a judgement decision about the quality of a marketable pharmaceutical/biological you must validate.

Hard-line interpretation (server/software/application) I know but it is the next scandal to come. Remember everything you put on the internet (cloud) may be hacked, become known, tampered with. Ask Sony and PS3

Jason Demmi

The importance of security is the same whether the application is in the cloud or not. The level of effort (time and money) required to insure, maintain and validate the security is the only thing that will differ. In the past, we chose not to expose (outside the firewall) an application to our customers and suppliers simply because validating it (which includes maintenance – validation is not a one time thing) would have cost us more than it was worth.

I believe these questions are extremely valuable in scoping the validation effort. However, in the context of “How to Validate a Cloud-based Solution”, there are many other things to consider.

Depending on the organization and their particular guidance around validation of software (i.e. internal policies, procedure, work instructions, etc.), there may not be a mechanism for identifying “supplier/vendors” for this particular type of service. This then would require the organization to develop a means for vetting this service provider with the intent to satisfy validation. If validation has never been done against such a solution, then a means would have to be established - which may impact supplier quality, the audit team, and any sponsors/users of the proposed solution.

Consequently, executing validation may be a considerable challenge.

In some cases, the desire to consider a cloud-based solution may be due to the “total cost of ownership” for certain client/server-based solutions (or in-house maintained). Updating or developing support guidance for a new Document/Content Management System (as well as the specialized administrative staff required) may be a less appetizing approach when comparing ROI. At least, at a glance.
Then comes the rub…how, then, to “validate” something the organization doesn’t control??? Historically, an organization will develop a Validation Plan. From the Plan: the scope, approach, deliverables, etc. Perhaps the validation is done per a “lifecycle” and certain phases/stages are followed to effectively execute particular tasks commensurate with the phase. All this should culminate in a report which “releases” the system for use (assuming the report is the gating item).

I can’t imagine any reason why this overall approach would not be followed for a cloud-based solution. The inherent difference is in the details. Further, once the system is in the Maintenance phase of its lifecycle, how are Change Controls implemented? Particularly if change requests might exist outside of any existing in-house change management process/system???

Here’s a laundry list of things to consider:
identify/specify intended use.

• Does/will the system support existing business processes, or will new processes be developed?
• Have workflows been identified/established?
• User-base defined?
• Support staff for configuration and maintenance (in-house)?
• Policies/procedures for use and administration?
• Access to data/records/archives/back-up: who, when, how?
• Does the vendor have a Quality system?
• Does it have guidance affecting change management? Configuration management? Patches, upgrades, updates?
• Hardware maintenance and management (servers)?
• Does the solution allow for different environments (e.g. Sandbox, Development, QA, Production)?
• How are these environments different?
• How is data maintained across environments?

Answers to these questions may assist in appropriately scoping/defining the level-of-effort for validation. The verification methods and objective evidence will most-likely be quite different from anything anyone has seen to-date; however, can they satisfy the expectations of the validation effort and (ultimately) support the prescribed Intended Use?

Great post WGutierrez