
GxP-compliant Software as a Service (SaaS) is becoming increasingly popular because of its flexibility and ease of use. SaaS is a web-based delivery model in which software is hosted by the provider and made available to clients over the internet. Also known as "on-demand software", SaaS lets clients get up and running quickly without lengthy installation projects.
It offers many benefits to the biotech, medical device, and pharmaceutical industries; in particular, its ease and flexibility of use have made SaaS a revolutionary way of delivering software to the end user.
However, to get the most out of a SaaS platform in a GxP-regulated environment, you need to understand both its advantages and the challenges that could undermine it.
This article explains how to get the best out of SaaS by managing the crucial aspects of GxP compliance under 21 CFR Part 11, EU Annex 11, GDPR, PCI DSS, HIPAA, ISO standards, and other applicable regulations.
How to choose the right GxP compliance software provider
It is important to have a predefined set of assessment criteria for judging a SaaS provider's suitability for GxP compliance. A careful evaluation process up front reduces the remediation work you have to do after implementation. The key assessment criteria should include:
GxP compliant cloud infrastructure support
Although no GxP guideline prescribes the specifics of the cloud infrastructure, you can define this selection criterion yourself, based on the cloud infrastructure the SaaS provider uses, the sensitivity of the information that will be stored there, and your budget constraints.
This criterion can be derived from your organization's internal cloud policy. For example, which cloud deployment model does your organization prefer?
Is it a private cloud deployment, a public cloud deployment, a hybrid deployment, or a community deployment?
A private cloud deployment gives you the most direct control over security, but only if you have the budget and the in-house resources to operate it properly. A public or hybrid deployment can be equally acceptable provided the provider's controls and the shared responsibilities between you and the provider are documented and verified.
GxP compliant software development lifecycle
This key metric is about assessing the SaaS provider's development process. The GxP compliance software you're considering should adhere to good engineering practices, including a software development life cycle (SDLC) with appropriate controls for development and testing.
Therefore, it may be worthwhile to know how the SaaS solution provider tackles the following aspects:
Physical and environmental security
What measures are in place to safeguard the physical infrastructure and hosting environment of the SaaS solution?
Logical security
Have they implemented the right safeguards and controls to protect the SaaS solution from unauthorized access and ensure data confidentiality?
System monitoring and maintenance
Do they regularly monitor and maintain the SaaS system to ensure optimal performance, identify potential issues, and apply necessary updates?
Data retention
Do they have established policies and practices for the retention of data in compliance with regulatory requirements and business needs?
Data classification
Is data categorized by sensitivity and criticality to apply proper access and security controls?
Data access policy
Can data be deleted or altered by the service provider without your permission? Are there policies and controls in place to prevent unauthorized data deletion or alteration?
Data protection and confidentiality
How do they protect the integrity and confidentiality of your data throughout its lifecycle, both in transit and at rest?
Software development
Does the GxP compliance software adhere to proper software development practices, including coding standards, testing, and quality assurance, to ensure the reliability and security of the SaaS application?
Computer system validation
Have they validated the software to prove it functions as intended and meets regulatory expectations?
Change management
How are changes tracked, reviewed, and documented to ensure control over software updates?
Incident management
Are there established procedures to promptly identify, report, and respond to security incidents or breaches that may occur in the SaaS environment?
Risk management
Do they identify and assess potential vulnerabilities and apply appropriate controls to mitigate them?
Documentation management
Is there proper documentation of all processes, procedures, and policies to ensure clarity, consistency, and compliance?
Asset/inventory management
How do they track and control SaaS-related assets and components?
Training management
Are training materials and programs provided to ensure users understand how to use the SaaS system securely and compliantly?
Data backup
How frequently is data backed up, and what recovery protocols are in place to prevent data loss and facilitate recovery in case of emergencies or system failures?
Disaster recovery
What strategies do they have to restore services and recover data in the event of a system failure or disaster?
Business continuity
How do they ensure minimal disruption and continuity of services during critical events?
Vendor management
How do they select, assess, and manage third-party vendors and ensure their compliance?
GxP compliant data integrity and record management support
For SaaS applications that handle GxP electronic records in accordance with 21 CFR Part 11 and EudraLex Volume 4 Chapter 4, the SaaS provider should be assessed for the necessary technical and procedural controls to ensure data integrity within the application.
The GxP compliance software provider should demonstrate how these control objectives are achieved through a combination of technical, procedural, and behavioral measures.
As data integrity responsibilities are shared between the SaaS provider and the regulated company, it is crucial to define the responsibilities of each party.
These activities should be clearly specified in a roles and responsibilities table, covering all aspects of generating, processing, reviewing, reporting, archiving, and retrieving GxP data. This ensures data integrity is maintained at every step of the process.
The SaaS provider should also be assessed for the technical and procedural controls needed to uphold the data integrity of the audit trail itself. The primary purpose of an audit trail is to provide assurance about the integrity of electronic records. An appropriately implemented audit trail should therefore have the following key characteristics:
Technical
The computer system itself generates audit trail entries whenever a user creates, modifies, or deletes an electronic record; entries are not created or supplied manually.
Secure
Audit trail data must be securely stored and not editable by users.
Contemporaneous
Each audit trail entry must carry a timestamp taken from a controlled clock that users cannot alter. The time should be based on either the central server time or the local time, with the relevant time zone stated unambiguously.
Traceable
Record updates should not obscure previous values, and where regulations require, the reason for data changes and the person responsible for the change should be recorded.
Archived
The audit trail must be retained for the duration specified for storing the electronic record.
Available
The audit trail must be accessible for review and copying purposes.
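To make the six characteristics above concrete, here is an added example of a minimal append-only, hash-chained audit trail. It is illustrative code written for this article, not Scilife's or any other vendor's implementation. It assumes a server-side clock injected into the trail (so the caller cannot supply the timestamp), a mandatory reason for modifications and deletions, preservation of the previous value on every change, and a SHA-256 chain so that any after-the-fact edit to a stored entry is detectable on review. The record identifier, user names and values are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64


def fixed_clock():
    # Deterministic clock for tests; production code would use datetime.now(timezone.utc).
    return datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)


class AuditTrail:
    """Append-only, hash-chained audit trail (illustrative example, not a product's code)."""

    def __init__(self, clock=None):
        # Contemporaneous: timestamps come from a controlled UTC clock, never from the caller.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._entries = []

    def record(self, user, action, record_id, field=None, old_value=None, new_value=None, reason=None):
        if action not in ("create", "modify", "delete"):
            raise ValueError("unsupported action: %s" % action)
        # Traceable: modifications and deletions must state who changed what and why.
        if action in ("modify", "delete") and not reason:
            raise ValueError("a reason for change is required for %s" % action)
        entry = {
            "seq": len(self._entries) + 1,
            "timestamp": self._clock().isoformat(),  # tz-aware ISO 8601, e.g. ...+00:00
            "user": user,
            "action": action,
            "record_id": record_id,
            "field": field,
            "old_value": old_value,  # previous value is never obscured
            "new_value": new_value,
            "reason": reason,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS_HASH,
        }
        # Secure: each entry's hash covers its content and the previous hash (a chain).
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return dict(entry)

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def verify(self):
        """Recompute the chain; False if any entry was edited, removed or reordered."""
        prev = GENESIS_HASH
        for i, e in enumerate(self._entries, start=1):
            if e["seq"] != i or e["prev_hash"] != prev or e["hash"] != self._digest(e):
                return False
            prev = e["hash"]
        return True

    def entries(self):
        # Available: reviewers get copies for review and export, not a handle to edit.
        return [dict(e) for e in self._entries]

    def export_json(self):
        # Archived: the trail serializes alongside the record for the retention period.
        return json.dumps(self._entries, indent=2, sort_keys=True)


class ElectronicRecord:
    """A record whose every create/modify/delete is written to the audit trail first."""

    def __init__(self, record_id, trail, user, **fields):
        self.record_id = record_id
        self._trail = trail
        self._fields = {}
        for name, value in fields.items():
            trail.record(user, "create", record_id, name, None, value)
            self._fields[name] = value

    def set(self, user, field, new_value, reason):
        old_value = self._fields.get(field)
        self._trail.record(user, "modify", self.record_id, field, old_value, new_value, reason)
        self._fields[field] = new_value

    def delete(self, user, reason):
        self._trail.record(user, "delete", self.record_id, None, dict(self._fields), None, reason)
        self._fields = {}

    def get(self, field):
        return self._fields[field]


def demo(clock=None):
    """Returns (chain valid before tampering, chain valid after tampering)."""
    trail = AuditTrail(clock)
    rec = ElectronicRecord("BATCH-0042", trail, "qa.analyst", assay_result="98.1")
    rec.set("qa.reviewer", "assay_result", "98.4", "transcription error corrected against raw data")
    ok_before = trail.verify()
    # Simulate someone editing stored audit data directly (bypassing the API).
    trail._entries[1]["old_value"] = "98.4"
    ok_after = trail.verify()
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In a real deployment the chain head would be anchored outside the application database (for example, periodically written to write-once storage or signed), so that an attacker who can rewrite the whole table cannot simply recompute every hash; the example shows the per-entry structure a reviewer should expect to see, not a complete protection scheme.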
Access to pre-production environment for GxP compliance
In cases where significant customer configuration of the SaaS application is required, the SaaS provider should grant users access to a pre-production environment for assessing changes, testing, and training.
This allows them to assess the impact of upcoming changes, conduct regression testing, and provide training to users before these changes are implemented in the production environment. Key metrics and measures to consider include:
- Frequency of updates
- Time required to deploy updates
- Number of bugs discovered in new releases
- Duration of maintenance downtime
Service Level Agreements
In GxP-regulated industries, it is crucial to establish a Service Level Agreement (SLA) with your SaaS provider to guarantee the ongoing compliance, security, and protection of your system. The SLA is a legally binding document that enumerates the actions and commitments the SaaS provider agrees to undertake in order to meet the industry standards and quality requirements that the regulated company deems important.
The regulated company is responsible for verifying that the SaaS provider can meet the quality requirements, and both parties must reach a consensus on the responsibilities for fulfilling these requirements. To ensure optimal service quality, the SLA should address the following aspects to clarify the deliverables expected from the SaaS provider:
- The SLA should provide details on whether the SaaS solution comes prevalidated from the vendor.
- The SLA should provide details on environments, release processes, and metrics to ensure transparency and effective management of updates.
- The SLA should specify the types of environments accessible to users and provide clear information about the release process, including:
- Agreed upon release frequency.
- Publication and extent of release notes.
- Impact assessments that identify the key features/functions updated in the system.
- Time allocated for the regulated company to evaluate, test, and train on upcoming features/functionality in a pre-production environment before releasing them to the production environment.
- Prior notice of scheduled maintenance downtime should be provided by the SaaS provider.
- The SaaS provider should give a notice of 45-60 days before a Major/Medium release in the production environment, following the completion of validation in the validation environment. This allows regulated organizations to conduct testing and validation of the new version of the cloud solution before it is released to the "Production" environment.
- Customer support should be available 24 hours a day, 7 days a week.
- The supplier must ensure backup, restore, and disaster recovery mechanisms for data.
- Data transfer and access should comply with GDPR and other relevant local regulatory requirements.
- Data should be removed upon termination of the contract.
- The supplier should adhere to confidentiality obligations, data protection measures, and subcontracting policies, and be open to audits.
If there are any shared dependencies, the SLA should explicitly specify the shared dependencies.
Validating pre-validated SaaS solutions
SaaS solutions that the vendor has already validated are commonly known as prevalidated SaaS. When using such GxP compliance software in the cloud, it is essential to adopt a risk-based approach: organizations may implement a reduced validation effort for prevalidated SaaS, scaled to their internal business processes and the regulatory requirements they must meet.
The table below outlines the suggested validation steps that should be undertaken when utilizing prevalidated SaaS either in its original form (GAMP category 3) or with additional modifications to workflows and configurations (GAMP category 4).
Scilife's hassle-free validation approach of SaaS platforms
At Scilife, we understand that validation can be one of the most resource-intensive aspects of adopting GxP compliance software. That’s why we’ve designed a risk-based, streamlined validation strategy that reduces your workload.
Our system is built and validated in accordance with GAMP 5, 21 CFR Part 11, and EU Annex 11 guidelines, and hosted securely on the Amazon Web Services (AWS) cloud platform.
We offer:
- Fully validated platform: Scilife is developed following regulatory requirements and internally validated by our team. This significantly reduces the validation workload on your end.
- Comprehensive validation package: We provide ready-to-use validation documentation that is drafted, executed, and signed off, for our customers to use as the basis for their own validation of Scilife.
- Risk-based methodology: All validation paths follow GAMP 5-aligned, risk-based approaches, helping you focus only on what matters for your intended use.
"Imagine going to a restaurant, where the system is that your waiter orders the food for you and then tells you that you liked it. Is this valid? The answer is no. You're the only one who knows what you want to eat. The same goes with validation: it can only be done by you, so you have to have requirements."
Angela Bazigos, Leader Compliance Consulting.
If you're looking to dive deeper into key considerations for specifically SaaS eQMS validation, don't miss out on our training webinar with Angela Bazigos.
No provider can take over 100% of the validation responsibility: you remain responsible for ensuring that the system's configuration, processes, and usage align with your internal requirements and regulatory expectations. By providing the documentation, templates, and tools you need, we make that responsibility far easier to discharge. We believe in shared validation responsibility.
Key takeaways
- Know what to assess in a GxP SaaS provider: From cloud infrastructure and SDLC practices to incident management and audit trails, a structured evaluation ensures your provider supports regulatory needs.
- Validation remains your responsibility, but can be simplified: Even with prevalidated solutions, regulated companies must ensure fitness for intended use. Providers like Scilife can significantly reduce the burden with ready-to-use, risk-based validation packages.
- A strong SLA is non-negotiable: Your Service Level Agreement should define release timelines, validation support, data handling, and responsibilities to ensure long-term compliance and control.
Conclusion
By carefully selecting GxP compliance software providers, defining acceptable deliverables in service level agreements, and keeping the system in a validated state with the help of the GAMP guidelines, GxP industries can get the best out of SaaS solutions.
Collaboration with SaaS solution providers, defined performance metrics, and appropriate investment in infrastructure are key to using SaaS successfully while maintaining compliance and data integrity. With the right approach and partnerships, GxP industries such as pharma and medical devices can embrace SaaS as a transformative tool that drives innovation and supports their future success.
Overall, SaaS is very convenient and gives access to current technology without a local upgrade cycle. Understanding how best to use it is the most efficient way to optimize your experience.
Discover how Scilife's Smart QMS software is offered effectively as a GxP software platform.