Cloud and SaaS in GxP
By Treximo

Validation Center™ · 2021 06 07 · 2021. 6. 8.
800 Hillgrove Avenue, Suite 201, Western Springs, IL 60558
treximo.com | validationcenter.com | +1 (847) 295-7160

Post on 04-Sep-2021


Reproduction or re-transmission in any form or by any means, electronic or mechanical without prior written permission from Treximo is prohibited.

© 2021 Treximo, LLC. All rights reserved.

Treximo, LLC | Treximo.com | 10 Parkway North, Suite 310, Deerfield, IL 60015 | +1 (847) 295-7160

© Copyright 2021 by Treximo, LLC. All rights reserved. No part of these materials may be reproduced or transmitted in any form without the written permission of Treximo.

v.21.06

Your Presenter

• Debra Bartel, MBA, CQA, PMP
• VP, Life Sciences QA
• 30 years of experience specializing in software quality assurance, validation and regulatory compliance, Information Systems project management, and process design
• Prior to joining Treximo, held management positions in the pharmaceutical industry in both Quality Assurance and Information Systems organizations
• Active member of American Society for Quality (ASQ), Northeastern Illinois Section, Software Division


Intro to ValidationCenter.com


Target Audience

Industries
• Pharmaceutical & Biologics
• Medical Device
• Clinical Studies
• Blood Products

Regions
• Operating in the US
• Selling to the US Market

Roles
• IT Personnel and Managers
• Quality Personnel and Managers
• Auditors and Audit Managers

Webinar Outline

1. Terminology and Definitions
2. Benefits, Risks, and Trends
3. Regulatory Requirements
4. Changed Responsibilities
5. Supplier Audits and Assessments
6. Key Takeaways

Part 1: Terminology & Definitions

Section Overview
• GxP
  • GLP = Good Laboratory Practice
  • GCP = Good Clinical Practice
  • GMP = Good Manufacturing Practice
  • GDP = Good Distribution Practice
• “Cloud” Terminology
• “as a Service” Terminology
• SLAs

“Cloud” Terminology

Shared computing resources
• Software applications
• Computing power
• Storage space
• Networks
• Software development and deployment platforms

Public Cloud

Shared computing resources
• Software applications
• Computing power
• Storage space
• Networks
• Software development and deployment platforms

Diagram labels: Pharma Distributor, Blood Supply, Medical Device Maker, Auto Maker, Medical Research Lab, Gas Station Chain, Restaurant

Community Cloud

Shared computing resources
• Software applications
• Computing power
• Storage space
• Networks
• Software development and deployment platforms

Diagram labels: Pharma Distributor, Blood Supply, Medical Device Maker, Medical Research Lab

Private Cloud

Diagram labels: Company X, External Private Cloud; Company X, Internal Private Cloud

Hybrid Cloud

Diagram labels: Company X, Company X

“as a Service” Terminology

• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)

Traditional IT Model

Diagram components: Applications, Company Data, Virtualization, Storage Space, Runtime Programs, Networking, Operating System, Computer Hardware, Middleware

Diagram legend: Managed by Regulated Company

Infrastructure as a Service (IaaS)

Diagram components: Applications, Company Data, Virtualization, Storage Space, Runtime Programs, Networking, Operating System, Computer Hardware, Middleware

Diagram legend: Managed by Regulated Company; Managed by Vendor

Platform as a Service (PaaS)

Diagram components: Applications, Company Data, Virtualization, Storage Space, Runtime Programs, Networking, Operating System, Computer Hardware, Middleware

Diagram legend: Managed by Regulated Company; Managed by Vendor

Software as a Service (SaaS)

Diagram components: Applications, Company Data, Virtualization, Storage Space, Runtime Programs, Networking, Operating System, Computer Hardware, Middleware

Diagram legend: Managed by Vendor

Service Level Agreement (SLA)


Part 2: Benefits, Risks, and Trends

Section Overview
• Adoption Trends
• Benefits of Cloud and SaaS Deployments
• Risks of Cloud and SaaS Deployments

Trends

• “The proportion of IT spending that is shifting to cloud will accelerate in the aftermath of the COVID-19 crisis, with cloud projected to make up 14.2% of the total global enterprise IT spending market in 2024, up from 9.1% in 2020.”¹
• “Although software as a service (SaaS) remains the largest market segment and is forecast to grow to $117.7 billion in 2021, application infrastructure services (PaaS) is anticipated to grow by a higher margin at 26.6%.”²
• “The increased consumption of PaaS is driven by the need for remote workers to have access to high performing, content-rich and scalable infrastructure to perform their duties, which largely comes in the form of modernized and cloud-native applications.”³

Trends

• “Enterprises’ average cloud spending is up 59% from 2018 to 2020”¹
• “92% say their IT environment (infrastructure, applications, data analytics, etc.) relies on cloud.”²
• “42% of all enterprises are using some form of cloud-based storage, archive, backup, or file server functionality today.”³
• “17% of enterprises plan to migrate to cloud-based Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), Human Resource Management (HRM) and various other line of business applications by next year.”⁴

Trends

• “At present, the world’s top 3 cloud providers are AWS, Microsoft Azure, and Google Cloud.”¹
• “Microsoft Office 365 has currently about 200 million monthly active users.”²
• “1 out of 5 corporate employees use a Microsoft 365 cloud service.”³
• “About 79% of healthcare organization were reported to have adopted Microsoft Office 365.”⁴

Benefits

• Space
• Expertise
• Scalability
• Elasticity
• Price
• Staffing
• Upgrades
• Maintenance
• Start Up Time

Risks

• Security
• Privacy
• Support
• Availability
• Vendor Longevity
• Change Control
• Data Mobility
• Regulatory Compliance

Part 3: Regulatory Requirements

Section Overview
• Software Requiring Validation
• Regulatory Expectations for purchased systems

CSV Regulatory Requirements

Computer System Validation is required for companies that …

Activities
• Design
• Develop
• Conduct clinical trials
• Manufacture
• Package
• Label
• Store
• Distribute
• Install
• Service

Products
• Pharmaceuticals
• Biologicals
• Medical Devices
• Blood and Blood Components
• Human Cell and Tissue Products

What Software Requires Validation?

What Types of Computer Systems and Software Require Validation?

Medical Device Software
• Software used as a component, part, or accessory of a medical device
• Software that is itself a medical device

Sources: General Principles of Software Validation: Final Guidance for Industry and FDA Staff; Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application

Examples:  Medical Device Software

Medical Device Software: Software used as a component, part, or accessory of a medical device. And, software that is itself a medical device.

• Patient Monitoring Software
• Infusion Pump Software
• Robotic Surgery Software
• Wheelchair and Scooter Software
• Laboratory Diagnostics Software
• Hospital Bed Software
• Injury Treatment Machine Software
• Heart Arrhythmia Detection Software
• Radiation Treatment Control Software
• Blood Donor Management Software
• Medical Imaging System Software
• Blood Supply Management Software
• Laser Treatment Software
• Defibrillator Software
• Pacemaker Software
• Oxygen Regulating Software

What Software Requires Validation?

What Types of Computer Systems and Software Require Validation?

Medical Device Software
• Software used as a component, part, or accessory of a medical device
• Software that is itself a medical device

Production Software
• Software used in the production of the FDA regulated product

Sources: General Principles of Software Validation: Final Guidance for Industry and FDA Staff; Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application

Examples:  Production Software

Production Software: Software used in the production of the FDA regulated product

• Laboratory Management Software
• Laboratory Instrument Software
• Laboratory Calculations (e.g., spreadsheets)
• Labeling Software
• Building Management Systems
• Product Testing Software
• Product/Part Inspection Software
• Batch Release Software
• Production Monitoring Software
• Programmable Logic Controllers (PLCs)
• Computer Numerical Controls (CNCs)
• Manufacturing Automation Software
• Material Control Software
• Bill of Material Software
• Yield Calculations
• Work Order Management Software

What Software Requires Validation?

What Types of Computer Systems and Software Require Validation?

Medical Device Software
• Software used as a component, part, or accessory of a medical device
• Software that is itself a medical device

Production Software
• Software used in the production of the FDA regulated product

Quality Management Software
• Software used to implement the FDA-required quality management system

Sources: General Principles of Software Validation: Final Guidance for Industry and FDA Staff; Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application

Examples: Quality Management Systems

Quality Management Software: Software used to implement the FDA-required quality management system

• Preventive Maintenance Management
• Inventory Control Software (e.g., ERPs)
• Document Management Software
• Calibration Software
• CAPA Software
• Complaints Software
• Non-Conformance Tracking Software
• Deviation Tracking Software
• Internal Audit Tracking Software
• Change Control Software
• Device History Software
• Specification Management Software
• Product Recall Management Software
• Product Returns Management Software
• Specification Setting Software
• Quality Trending Software

What Software Requires Validation?

What Types of Computer Systems and Software Require Validation?

Medical Device Software
• Software used as a component, part, or accessory of a medical device
• Software that is itself a medical device

Production Software
• Software used in the production of the FDA regulated product

Quality Management Software
• Software used to implement the FDA-required quality management system

Software for FDA-Regulated Records
• Software used to create, modify, maintain, archive, retrieve, or transmit FDA-required records. And electronic records submitted, per FDA requirement.

Sources: General Principles of Software Validation: Final Guidance for Industry and FDA Staff; Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application

Examples: Records Software

Software for FDA-Regulated Records: Any software used to create, modify, maintain, archive, retrieve, or transmit FDA-required records. And, electronic records submitted, per FDA requirement.

• Adverse Event Reporting Software
• Service Records Software
• Distribution Records
• Electronic Submissions Software
• Clinical Trial Records Software
• Prescription Order Fulfilment Software
• Warehouse Management Software
• IRB Records Software
• Organ / Tissue Donor Records
• Call Center Records Software
• Training Records Software
• Learning Management Software
• Supplier Approval Records
• Validation Records
• MDR Reporting Software
• Product Rework Records

Overall Responsibility

1. The regulated company has overall responsibility for the system

The … manufacturer is responsible for ensuring that the product development methodologies used by the OTS (off-the-shelf) software developer are appropriate and sufficient for the device manufacturer’s intended use of that OTS software
FDA, General Principles of Software Validation

Although much of the software validation may be accomplished by outside firms, such as computer or software vendors, the ultimate responsibility for program suitability rests with the pharmaceutical manufacturer.
FDA, ORA Guide to Inspection of Computerized Systems in Drug Processing

Validation Scope

2. Validation scope can be limited to the features that will be used by the regulated company

For example, a device manufacturer who chooses not to use all the vendor-supplied capabilities of the software only needs to validate those functions that will be used and for which the device manufacturer is dependent upon the software results as part of production or the quality system
FDA, General Principles of Software Validation

The device manufacturer retains the ultimate responsibility for ensuring that the production and quality system software:
∙ is validated according to a written procedure for the particular intended use; and
∙ will perform as intended in the chosen application.
FDA, General Principles of Software Validation

Intended Use

3. Validation must be specific to the regulated company’s planned and documented use of the application

The acceptance of vendor-supplied validation data in isolation of system configuration and intended use is not acceptable. In isolation from the intended process or end user IT infrastructure, vendor testing is likely to be limited to functional verification only, and may not fulfil the requirements for performance qualification.
MHRA, GMP Data Integrity Definitions and Guidance

All production and/or quality system software, even if purchased off-the-shelf, should have
(a) documented requirements that fully define its intended use, and
(b) information against which testing results and other evidence can be compared, to show that the software is validated for its intended use.
FDA, General Principles of Software Validation

Vendor Assessment

4. The regulated company needs a documented assessment of vendor suitability

Each manufacturer shall … ensure that all purchased … services conform to specified requirements.
Each manufacturer shall evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements.
The evaluation shall be documented.
FDA 21 CFR 820 Quality System Regulation

The regulated user should take all reasonable steps to ensure that the system has been developed in accordance with an appropriate quality management system.
The supplier should be assessed appropriately.
Eudralex Annex 11, Computerised Systems

Vendor Audits

5. For critical risk level systems, the regulated company may need to audit the vendors

… depending upon the … risk involved, the … manufacturer should consider auditing the vendor’s design and development methodologies used in the construction of the OTS software.
The audit should demonstrate that the vendor’s procedures for and results of the verification and validation activities performed the OTS software are appropriate and sufficient …
FDA, General Principles of Software Validation

The need for an audit should be based on a risk assessment.
Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request.
Eudralex Annex 11, Computerised Systems

Less Testing

6. Less validation testing is needed for systems from qualified vendors

Records of software validation should be maintained by the drug establishment, although when conducted by outside experts such records need not be voluminous but rather complete enough (including protocols and general results) to allow the drug manufacturer to assess the adequacy of the validation. Mere vendor certification of software suitability is inadequate.
FDA, ORA Guide to Inspection of Computerized Systems in Drug Processing

Commercially available software that has been qualified does not require the same level of testing
ICH Q7A Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients


Vendor Documentation

7. Vendor documentation can be used as the starting point for validation

If the vendor can provide information about their system requirements, software requirements, validation process, and the results of their validation, the medical device manufacturer can use that information as a beginning point for their required validation documentation.
FDA, General Principles of Software Validation

Documentation supplied with commercial off‐the‐shelf products should be reviewed by regulated users to check that user requirements are fulfilled
Eudralex Annex 11, Computerised Systems

Formal Agreements

8. Formal agreements are required to document responsibilities

When third parties are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computerised system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party.
Eudralex Annex 11, Computerised Systems

Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device.
FDA 21 CFR 820 Quality System Regulation


Part 4: Responsibilities

• Section Overview
• Quality Management Processes
• Computer System Validation
• Part 11 Compliance
• SLAs

Quality Management Procedures

[Diagram: procedures arranged in three groups labelled Business and User Procedures, Quality Assurance Procedures, and Technical Procedures. Procedures shown: User Training, User Management, Application Use, Record Retention, Audit Trail Review, Business Continuity, Issue Management, Supplier Qualification, Validation / Quality Assurance, Disaster Recovery, Defect Tracking, Data Center Security, Back-Up & Restore, Performance Monitoring, System Maintenance, Code Review, Design Review, Software Dev. Life Cycle, Risk Assessment & Mitigation, Change Management, Periodic Validation Review.]

Procedures: Traditional IT Model

[Diagram: the procedures from the Quality Management Procedures slide, in the same three groups (Business and User Procedures, Quality Assurance Procedures, Technical Procedures), all marked "Procedures Owned by Regulated Company".]

Procedures: SaaS Model

[Diagram: the procedures from the Quality Management Procedures slide, in the same three groups (Business and User Procedures, Quality Assurance Procedures, Technical Procedures), divided between "Procedures Owned by Regulated Company" and "Procedures Owned by Service Provider".]

Validation

[Diagram: validation life cycle framed by Planning and Reporting. Specification side: User Requirements Specification, Functional Specifications, Design Specifications. System Build. Test side: Installation Qualification Tests (IQ), Operational Qualification Tests (OQ), Performance Qualification Tests (PQ). Arrows labelled "Verifies" link the two sides.]

Validation: Traditional IT Model

[Diagram: the same validation life cycle (User Requirements Specification, Functional Specifications, Design Specifications, System Build, IQ, OQ, PQ, Planning, Reporting), marked "Activities Performed by Regulated Company".]

Validation: SaaS Model

[Diagram: the same validation life cycle (User Requirements Specification, Functional Specifications, Design Specifications, System Build, IQ, OQ, PQ, Planning, Reporting), divided between "Activities Performed by Service Provider" and "Activities Performed by Regulated Company".]

Validation Process: Traditional IT Model

[Diagram: timeline (axis: TIME) of activities in a single lane labelled Regulated Company: Change Request; Risk Assessment; URS; FS; Design; Build, Config.; Unit Test; Val. Plan; Write IQs; Write OQs & PQs; Run IQ; Run OQs; Run PQs; Test Summary; Trace Matrix; Val. Summary Report.]

Validation Process: SaaS Model

[Diagram: two lanes of activities.

Service Provider (Confirmed by Supplier Qualification): Change Control; URS; FS; Design; Build; Unit Test; Quality Plan; Write IQs; Write Tests (OQ); Run IQ; Run OQs; Test Summary; Trace Matrix; Quality Summary Report.

Regulated Company: Change Control; Risk Assessment; URS; Design Configuration; Validation Plan; Write Tests (PQ); Run PQs; Trace Matrix; Validation Summary Report.]

21 CFR Part 11

Actions

Policies & Procedures

Technology


21 CFR Part 11: Technology

Service Provider Responsibilities

| Requirement | Ref. |
|---|---|
| Electronic signature manifestations | 11.50 |
| E‐Sig Linkage to Electronic Reports | 11.70 |
| User ID / Password uniqueness | 11.100(a), 11.300(a) |
| Continuous E‐Sig sessions | 11.200(a) |
| Biometric signature uniqueness | 11.200(b) |
| Password expiration | 11.300(b) |
| Reporting invalid access attempts | 11.300(d) |

| Requirement | Ref. |
|---|---|
| Secure audit trails | 11.10(e) |
| Inspectable copies of records | 11.10(b) |
| Limited access to authorized users | 11.10(c) |
| User access levels | 11.10(g) |
| Operational system checks | 11.10(f) |
| Device checks | 11.10(h) |
| Encryption (open systems) | 11.30 |
| Digital signatures (open systems) | 11.30 |

21 CFR Part 11: Activities/Actions

Service Provider Responsibilities

| Requirement | Ref. |
|---|---|
| Validation | 11.10(a) |
| Protection of records through retention period | 11.10(b) |

Regulated Company Responsibilities

| Requirement | Ref. |
|---|---|
| Validation | 11.10(a) |
| Certification letter to FDA before use of electronic signatures | 11.100(c) |

21 CFR Part 11: Policies & Procedures

Service Provider Responsibilities

| Requirement | Ref. |
|---|---|
| Process to qualify the people who build and support system | 11.10(i) |
| Process for updating and controlling system documentation | 11.10(k) |
| Process for controlling system maintenance procedures | 11.10(k) |

Regulated Company Responsibilities

| Requirement | Ref. |
|---|---|
| Process to qualify the people who use the system | 11.10(i) |
| Policy for E‐Sig accountability | 11.10(j) |
| Process for controlling system operation procedures | 11.10(k) |
| Process to ensure links between manual signatures and e‐records | 11.70 |
| Policies to prevent re‐use of user IDs | 11.100(a) |
| Process to confirm identities prior to allowing e‐signature | 11.100(b) |
| Policies against password sharing | 11.200(a) |
| Process to void compromised IDs | 11.300(c) |

Service Level Agreements (SLAs)

• Business Continuity
• Investment Protection
• Data Protection
• Regulatory Compliance

SLA Contents

• Change Management
• Compliance
• Responsibilities
• Up Time / Down Time
• Back-Up & Recovery
• Security
• Defect Management
• Service Termination
• Performance Monitoring
• Data Ownership
• Data Location
• Data Storage

Part 5: Supplier Assessments & Audits

• Section Overview
• When
• Method
• Audit and Assessment Topics

When to Assess the Service Provider

• Prior to Purchase
  o Ensure investment quality
• Prior to Validation
  o Leverage vendor documentation
• Other Timing ….
  o Periodic Supplier Review
  o Follow-up to earlier audit
  o Investigation of issues

Assessment Methods

| Method | Description | Pros | Cons |
|---|---|---|---|
| On Site Audit | Company representatives conduct formal audit at vendor’s site | Most thorough; Best method to review policies, procedures, and actual practices | Most Time; Most Expense; Some vendors won’t agree to audit |
| Remote Audit | Company representatives conduct formal audit via online meeting, etc. | Less Time; Less Expense | Less thorough; Some vendors won’t agree to audit |
| Questionnaire | Company representatives send a self‐assessment to vendor | Little time; Little expense | Low assurance of accurate responses; Some vendors won’t complete questionnaire |
| Basic Assessment | Company representatives investigate public domain information & contact other users | Little time; Little expense; Vendors can’t disagree to this method | Surface evaluation only |

On‐Site Audits

| Method | Description | Pros | Cons |
|---|---|---|---|
| On Site Audit | Company representatives conduct formal audit at vendor’s site | Most thorough; Best method to review policies, procedures, and actual practices | Most Time; Most Expense; Some vendors won’t agree to audit |

• Traditional Approach
• Scope depends on intended use of vendor’s software and documentation
• Recommended for critical applications, especially when intending to leverage vendor’s documentation

Off‐Site Audits

| Method | Description | Pros | Cons |
|---|---|---|---|
| Remote Audit | Company representatives conduct formal audit via online meeting, etc. | Less Time; Less Expense | Less thorough; Some vendors won’t agree to audit |

• Options
  o Online Meetings
  o Phone Interviews
  o Hybrid
• Scope depends on intended use of vendor’s software and documentation
• Alternative to on site audits for less critical applications

Questionnaires

| Method | Description | Pros | Cons |
|---|---|---|---|
| Questionnaire | Company representatives send a self‐assessment questionnaire or survey to vendor | Little time; Little expense | Low assurance of accurate responses; Some vendors won’t complete questionnaire |

• Scope depends on intended use of vendor’s software and documentation
• Alternative to audits for non‐critical applications and services

Basic Assessments

| Method | Description | Pros | Cons |
|---|---|---|---|
| Basic Assessment | Company representatives investigate public domain information & contact other users | Little time; Little expense; Vendors can’t disagree to this method | Surface evaluation only |

• Online information
  o Financial Ratings
  o Gartner vendor ratings
• Vendor provided information
  o Customer lists
  o Awards received
• User provided information
  o User groups
  o Contacts in similar companies
  o Prior experience
  o References (from vendor)

Method Selection


Decision Factors:

1. System criticality 

• Risk to product quality

• Risk to patient safety

• Risk to data integrity and confidentiality

2. Business operations dependency

3. Degree of reliance on vendor deliverables

4. History of Vendor, Service, and Application

5. Experience with the vendor


Audit and Assessment Topics

General

• How long has the vendor been in business?
• How long has the vendor been providing this service?
• Is the vendor focused on your industry?
• Does the vendor have sufficient resources to support your company?

Quality Management

• Does the vendor have an independent Quality Assurance function?
• Does the vendor perform internal quality assurance audits?
• Are the vendor’s practices and procedures focused on providing high quality products and services?

System Life Cycle

• Does the vendor have a documented, standard methodology for developing and modifying systems?
• Does the vendor consistently follow this methodology?
• Does the Quality Assurance function have an appropriate role in the methodology?

Audit and Assessment Topics

Design and Development

• Does the vendor document requirements prior to designing the system?
• Does the vendor conduct design review to mitigate risk?
• Does the vendor have and follow development standards?

Testing

• Does the vendor have sufficient testing practices for the risk level?
• Do the vendor’s testing practices include regression testing?
• Can any of the vendor’s requirements and/or testing documents be used in your validation?

Documentation

• Does the vendor have up‐to‐date documentation for system requirements, design, and testing?
• Does the vendor retain the documentation for previous versions of the system?
• Is the vendor’s documentation sufficient to support the system?

Audit and Assessment Topics

Data Privacy

• Can the vendor access your data? Would you know?
• Is your data protected from other clients? How?
• Is the vendor certified for compliance to standards such as HIPAA?
• Will you be notified of breaches?

Data Security

• Does the vendor have adequate physical security, e.g. for data centers?
• Does the vendor provide adequate logical security, e.g., user management?
• Does the vendor provide adequate cyber security, e.g., from hackers?
• Does the vendor encrypt data?

Data Retention

• Does the vendor provide adequate back‐ups, mirroring, archiving or other method of data retention?
• Is the vendor able to retain data for the duration required by FDA predicate rules?
• If not, can your data be extracted for retention elsewhere?

Audit and Assessment Topics

Disaster Recovery

• Does the vendor have disaster recovery plans for natural disasters, hardware failures, hacking, and major defects?
• Are the vendor’s disaster recovery plans documented?
• Have the vendor’s disaster recovery plans been tested?

Defect Resolution

• Does the vendor have an adequate escalation process for defects reported by clients?
• Does the vendor promptly notify clients of reported defects?
• Are the vendor’s defect management and communication procedures documented?

Support

• Are the vendor’s support hours sufficient to support your business?
• Are the vendor’s support and issue escalation processes adequate to support your business?
• Does vendor provide any training materials that you can use in your training program?

Audit and Assessment Topics

Performance History

• What has been the vendor’s performance history for:
  o Uptime/downtime
  o Time to failover
  o Time to disaster recovery
  o Defect introduction
  o Defect resolution
  o Security breaches

Personnel

• Does the vendor have documented training requirements for each role?
• Does the vendor have training records demonstrating that each person has completed assigned training?
• Does the training program include temporary staff?

Vendor Management

• Does the vendor have a suitable program for qualifying its suppliers, contractors, and service providers?
• Does the vendor monitor the performance of its suppliers, contractors, and service providers?

Audit and Assessment Topics

Functionality

• Does the vendor’s system meet the requirements of Part 11 and other regulations? e.g.,
  o Security audit trails
  o Unique user IDs
  o Password protection
  o Data elements required by predicate rules

Maintenance

• Does vendor have adequate procedures for maintaining the system? e.g.,
  o Performance monitoring and management
  o Virus protection updates
  o Proactive infrastructure additions and upgrades

Scalability

• Can the vendor’s system and services grow with your company’s needs? e.g.,
  o Projected data growth
  o New users
  o New geographical locations
  o Integrated features for future use

Conclusion

Part 5

Summary

• Cloud, SaaS, PaaS, IaaS
• Trends, Benefits, Risks
• Regulatory Compliance
• Responsibilities
• Vendor Assessment
• Service Level Agreements (SLAs)

Need Help?

ValidationCenter.com Library of Template and SOPs

Online and Classroom CSV Training

Computer System Validation Services

Vendor and Service Provider Audits


Thank You!

Thanks for your interest in Cloud and SaaS Compliance!

Any questions about what we have discussed today? Please feel free to contact me:

Deb Bartel
+1 (847) 295‐7160
validationcenter.com | treximo.com