Validating SaaS Applications

Hi,

Does anyone have any opinions in terms of validating Software-as-a-Service (SaaS) applications? We are looking at doing a contract with Salesforce.com; however, I have found that they push out two levels of updates - monthly and quarterly. Monthly updates are intended to fix bugs and implement patches, whereas the quarterly updates are supposed to add or update functionality. We don’t have control over the monthly updates; however, we can choose if they will install the quarterly updates. The monthly updates are tested in a development environment before being rolled to production, but the testing is done by Salesforce and not the client.

Two big concerns I have with this:

  1. No control over the monthly updates. Although the changes are minor, I don’t think we will have any way of testing the updates before they are rolled out. We won’t have any way of knowing how the changes affected the functionality.

  2. No control over the environment. They could upgrade or change hardware without us even knowing it. In my eyes this would completely invalidate the Installation Qualification.

Salesforce.com has provided software to regulated companies before, but I’m not sure how they have handled this. Does anyone have thoughts about this or how they have validated a SaaS solution?

For this particular application my first question is why validate? From the big picture point of view, when utilizing cloud computing you need to define what you need and what you expect. Security is a huge issue. Where is the data (i.e. the server), as different countries have different laws pertaining to data? Who has access to the data? What happens to data at end of service? And many more. The SLA (Service Level Agreement) is the key point for this. There are many things to consider. What other software is running on the server or network that your application is running on? Are other customers using the same application and therefore the same server and network as you? There has been one warning letter specific to MS SharePoint, as it was not set up or managed properly by the company that got that warning letter.

Our company will be using it in such a way that will require validation. We aren’t going to be using it for sales, but to document service tickets on our equipment. We will be defining what we need, but there is only so much we have control over. I don’t think we have any control over the environment. I don’t know exactly how their environment is set up, but I would assume they are virtual servers, each having a separate instance of the application with database. The application can be customized and tailored to fit our specific needs, and they also do custom development for components that they do not have and we need. I don’t have any specifics on the security at this point and how the data will be protected.

For that warning letter in regards to SharePoint, was that hosted on-site by the company or by a third party?

Yes, the SLA will determine how the environment is set up, operation, maintenance etc. I would sit down and determine what are the specific requirements that you need. Also, if you are going to validate, what level of support will they provide? I.e., will they tell you make & model of server etc.? Will you be able to test anything other than the application that you will have access to? And as far as the application goes, will you have super user rights? These are some of the things that you have to think about beforehand. This is the link to that one warning letter.

http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/ucm173977.htm

It seems they used the software but never validated it for use.

Keep me posted, as I am very interested in these types of applications and how people are using them in a validated environment. One word of caution as far as this application: they are mainly in the CRM area, which does not usually have the level of validation that a GxP application would have. So I would not think they have a level of knowledge that another software supplier would have.

We had a conference call and found out some more interesting information. It looks like everyone who uses the application runs the same executables, but the data is housed separately. This would make sense in terms of the update process. Basically, any patches are forced out to the production environment as needed with very little warning, and then we can choose if we want the quarterly updates where they add functionality. Salesforce notifies their clients months in advance of the upcoming updates, and they are placed in the sandbox environment so that people can play around with it and do testing before they enable the feature. Here is the kicker. We found out that once we turn on the feature, we can’t turn it off.

Based on what we found out, I think we are starting to consider other options. There is a service called Oracle On Demand that may provide a better option. I don’t think it has all the bells and whistles of Salesforce.com, but with Oracle On Demand, we can do a single tenancy setup where even though a third party hosts the application, we have our own dedicated server and we choose when the updates happen. This gives us much more control over the environment that Salesforce did not. I guess we will see what happens.

Thanks for all of your help!!!

Software as a Service is a low-cost way for businesses of all sizes to obtain the benefits of internally operated software and a development staff without the complexity and high initial costs. SaaS providers are able to leverage huge economies of scale in deploying, managing, and supporting multiple customer projects by using the architecture and data design of multi-tenant SaaS applications.

SaaS providers are able to leverage large economies of scale in deploying, managing, and supporting the multiple customer projects by using the architecture and data design with the help of multi-tenant SaaS applications.