Classification of the system based on GxP systems should be the first step in the validation process. The classification should be based on these categories:
- Infrastructure software as Category 1. Most of the cloud-related software (eg: AWS etc.,) belong to this category
- Non-configured software as Category3
- Configured software as Category4
- Custom software as Category 5
Authoring the hardware and software specification should be a combined responsibility between cloud vendor and platform/application vendor. The cloud qualifi- cation of the data center and hardware are to meet the hardware and software specifications. The configuration management of the software applications, tools, and Operating System (OS) images are critical and should be a shared responsibility between cloud vendor and SI.
The qualification plan strategizes and controls the qualification of infrastructure provided by cloud vendor. This should list the entire set of infrastructure-related deliverables with RACI matrix which shows the responsibility of each stakeholder towards the infrastructure qualification. On the other hand, separate Validation Master Plan should be created to control the validation of the application installed on the cloud.
Using the hardware and software specification, the Installation Qualification Protocol which contains the checklist of hardware and software installation scripts can be developed. The IQ execution to qualify the installation should be conducted. Qualification summary report will list the entire installations of scripts and the execution status to ensure that the qualification is achieved as per the qualification plan.
After the qualification of infrastructure, SI team should create the User Requirements Specification (URS) and Architecture Design as part of the Define Application Phase. System description and the validation strategy should be well-documented in Validation Master Plan. Also, schedule, list of validation deliverables, RACI matrix, and handover approach should be documented in the Validation Master Plan.
Validate & Deploy
Application IQ, OQ and PQ should be conducted against the specifications and the objective evidences to fulfil the FDA requirement should be captured. A review to ensure that the evidences are sufficient, neat and legible should be carried out. Trace Matrix should be updated right from Define Application phase till Deploy to make sure that the traceability is maintained all across.
Validation summary report sign-off will allow the system go-live. And, at this point, we should have the post Go-Live Standard Operating Procedures (SOP) in place to maintain the validated state of the applications hosted over the cloud.
Key Benefits of the Approach
- Compliance to regulatory standards, leading to quicker time to market
- Well-defined boundaries between various stakeholders to meet validation end goals
- Complete validation of both, cloud infrastructure and applications
- Effective and secure access to the application and personal data for patients
- Post launch, maintenance of thoroughly validated cloud systems via very well-defined SOPs. This enables such systems to be audit-ready on all occasions
Hosting an application on cloud in a regulated environment is a complex, multi-vendor engagement. Using a holistic approach, cloud vendors and companies can ensure they are meeting all their validation requirements with respect to GAMP5 and the validation package is developed and executed seamlessly.
Documents and Artifacts Produced as Part of Validation
These are the typical sets of documentations required to be compliant with the FDA requirements for Infrastructure Qualification and Application Validation.
Deliverables list for infrastructure qualification
- Qualification Plan
- Hardware and Software Specifi- cation (URS etc)
- IQ Protocol, IQ Hardware Checklist and IQ Scripts, IQ Summary Report
- Configuration Management – for Patch Upgrade Installation
- Qualification Summary Report
Deliverables list for application validation
- Regulatory Classification of System as GAMP5
- User Requirements Specification
- Functional Risk Assessment
- Validation Master Plan
- Architecture and Design
- System Testing – Operational Qualification
- UAT – Performance Qualification
- Validation Summary Report
- Traceability Matrix
- Post-go-live Standard Operating Procedures on
- Incident/Change Management
- Release Management
- Application Monitoring and Performance
- Disaster Recovery o Business Continuity Management