
Monday, July 19, 2010

Best Practices for Validation of a Software as a Service (SaaS) Customer Relationship Management (CRM) Solution

Part 1: An Introduction to Cloud Computing and SaaS

What is “Cloud Computing”?  Cloud Computing is essentially computing over the internet without the expense and maintenance of an in-house data center.  With cloud computing, applications are accessed over the internet and maintained by the third party hosting the application.  Using a third-party hosted application reduces initial development costs and recurring system maintenance costs.  Since the application is hosted over the internet, data storage issues and maintenance responsibilities also rest on the third party hosting the application.  The customer only pays for the resources utilized, or on a subscription basis, such as the “Software as a Service (SaaS)” model.  Cloud Computing enables large amounts of data to be shared across a large number of users, since system access is through a web browser and can be accessed from virtually any location.  Security of the system is also centralized, which places the responsibility of solving security issues on the third party, rather than the customer help desk support.  Keep in mind that there are also risks involved with cloud computing, which include login security, access to audit trails, data recovery and data storage location.  Risk Assessments should be performed to identify all risks and Vendor Audits should be performed to determine if and how the vendor can handle these risks.

The “Software as a Service (SaaS)” model refers to multi-tenant software that is deployed over the internet through a third-party vendor, such as Salesforce.com.  The vendor provides the application license to the customer through a “pay as you go” or a subscription service.  The customer rents the software platform, rather than owning the software.  With this model, all users from different customer organizations utilize the same instance of the software; therefore, everyone is operating on the same version of the application.  This allows for centralized updates to the system, and also leads to more efficient administration of the system.  Although all users operate on the same version of the software, data is logically separated and some configuration is typically allowed.  In this way, SaaS applications are scalable and configurable to allow the customer to fit the software to their business processes without affecting the common infrastructure.  Due to the centralized nature of the application, the core system can be validated once for use in regulated environments, leading to validation savings for the end user.  The customer-specific configurations of the system must still be validated for that particular customer, although the validation burden will be much reduced.

In Part II, we will outline the best practices for the validation of an example SaaS CRM application.

*Gregg will be presenting more information on this subject during an interactive workshop, at IVT’s 16th annual Validation Week on October 26th.  The workshop will be presented along with our colleague, Elise Miner.

QPharma has a host of solutions that are helping clients stay compliant "in the cloud", including training and practitioner validation web-based solutions.  For more information, contact us at info@qpharmacorp.com, Subject: "Web Based Solutions".

Monday, July 12, 2010

Considerations for Risk Based Validation


“Risk based validation” is now a commonly heard expression in the pharmaceutical industry, but the methodology to implement it is unclear. The consensus is that an effective risk based validation process will reduce the overall time and effort spent on validation, thereby increasing productivity and profitability within the company.  However, if you are unaware of how to implement such an approach, chances are the real benefits will not be seen.

The Food and Drug Administration (FDA) and others are actively embracing the advantages of a “risk based” approach to validation. The guidance on General Principles of Software Validation states: “The selection of validation activities, tasks, and work items should be commensurate with the complexity of the software design and the risk associated with the use of the software for the specified intended use.”  The FDA’s Part 11 Scope and Application guidance document states: “We recommend that you base your approach (to implement Part 11 controls, e.g., validation) on a justified and documented Risk Assessment and a determination of the potential of the system to affect product quality and safety, and record integrity.”

If there is one area of focus that is worthy of the time spent, it is in conducting the Risk Assessment.  A Risk Assessment can be used to guide the scope of the entire validation effort, allowing you to target more intensive testing in high risk areas while minimizing testing in lower risk areas.  Risk based validation also presents the opportunity for significant cost savings since comprehensive validation testing may be reduced or eliminated in low risk areas of the application.  Another thing to remember about risk based validation is that “if it’s not documented, it didn’t happen.”  It is not enough to simply assess the risk and make the decisions based on that risk. The process of assessing risk must be documented as well.  A validation approach that is based on an undocumented analysis would be difficult to defend in an audit.  The approach taken, the findings uncovered, the decisions made, and the justification for those decisions must be documented and available for inspection during an audit.

When assessing risk, the level of effort, formality and documentation should be commensurate with the level of risk.  There are several key factors to consider when evaluating the risk of a system:

1.     Risk
What is the impact on product efficacy and safety?  What is the GxP criticality?  What is the business criticality and impact on business continuity? What is the risk of inspection by a regulatory agency? 

2.     Complexity
How complex is the system? What is the level of networking and influence on other systems?

3.     Novelty
How new is the technology?  How mature is the system?  What is the level of customization?

Once the critical risk factors are documented, the next step in assessing risk is a comprehensive evaluation of the risk and its associated impact.  A Risk Assessment will examine three fundamental questions:
1.    What might go wrong?
2.    What is the likelihood (probability) it will go wrong?
3.    What are the consequences (severity)?


The classification and prioritization of risks can then be used to help determine the need for and/or extent of validation.  An effective and efficient risk based validation process will result in less validation work, faster system deployment and a reduction in overall validation costs.

For more information on risk based validation, please contact us at 888-742-7620, and ask to speak to Robert Finamore - Director, Professional Services.

Thursday, July 1, 2010

How Prepared Are You? Gap Analyses, Audits, and Risk Assessments

 Written by Alexis Stroud - Manager, Regulatory Compliance at QPharma

Almost all worldwide regulatory agencies that regulate the healthcare industry, including the European Medicines Agency (EMA), Japanese Ministry of Health (JMW), Organization for Economic Cooperation and Development (OECD), U.S. Food and Drug Administration (FDA), as well as recognized international quality standards organizations, such as the International Organization for Standardization (ISO), require that manufacturers conduct internal audits of their quality management systems on a regular basis to ensure compliance with appropriate standards and regulations. In addition, critical suppliers must be audited to ensure their systems and processes meet the appropriate standards and regulations. An effective audit system proactively identifies weaknesses in the quality system and provides the opportunity to correct and prevent these problems. An effective analysis system helps provide the company with insight into areas which could be improved. In addition, it is becoming evident that risk management, including assessment and mitigation strategies, is a valuable component of an effective quality system and should be part of your audit and analysis program. Without an effective audit and analysis program, a company is at higher risk for nonconformance, regulatory action, security breaches, poor product quality, loss of certification and registration, increased product liability risk and an ineffective process improvement system.

Regulatory Significance

As recent headlines demonstrate, failure to comply with laws and regulations could cost a company millions in fines, loss of consumer confidence, decrease in stock prices and loss of business partners and investors. In addition to significant revenue losses, regulatory inspections may also lead to injunctions, consent decrees, Warning Letters, 483s (Notice of Inspectional Observations), delays or rejections of product approvals, import detentions, recalls, criminal investigations and prosecutions, seizures, compliance problems, revocation of licenses and registrations and regulatory oversight.

Recent Headlines

Don’t believe me? Check out a few recent headlines:





FDA slaps Apotex with import ban (FiercePharma, September 9, 2009)



September 31, 2007: Bristol-Myers Squibb to Pay More Than $515 Million to Resolve Illegal Drug Marketing and Pricing Allegations (DOJ, September 28, 2007)


So let me ask again: How prepared are you for a regulatory inspection? What are some of the techniques you use to ensure you have an effective audit and analysis program?

Stay Tuned!


For more information and an in-depth look into the basics of conducting gap analyses, audits and risk assessments, keep an eye out for my article Introduction to Performing Gap Analyses, Audits, and Risk Assessments to be published in the July edition of FDA Compliance Digest.