Steps to adopting SaaS in Pharma IT landscape

Pharma IT and Validation

According to regulatory guidelines for the pharma industry, a system must be adequately validated before it can be put into production and used by the end user. FDA guidance defines validation as confirmation, by examination and the provision of objective evidence, that software specifications are consistent with the user's needs and intended uses, and that the particular requirements to be fulfilled through the software can be consistently met. In simple terms, throughout its life cycle, from commissioning to retirement, a system will function appropriately and consistently as per the validated requirements, and the data generated by the system will provide sufficient confidence in its integrity and quality. Throughout the industry, GAMP 5 is considered comprehensive guidance for validating the effectiveness and efficiency of GxP computerized systems.

How Cloud is contributing to the IT value

In addition to agility and scalability, a reliable and secure IT infrastructure available for remote access anytime, from anywhere, is now a business prerequisite after the pandemic. A responsive and agile business requires the IT infrastructure and the applications to be securely accessible anytime, anywhere. Cloud and SaaS hosted applications offer significant capabilities for enterprises to exploit when it comes to agility. The case for cloud became even more compelling and evident during the recent pandemic, with businesses able to access cloud workloads seamlessly and collaborate using cloud-hosted collaboration tools. Had it not been for hosted platforms / services on the cloud, businesses would have struggled to manage this shift to remote working with minimal disruption.

Recent research and surveys show that in the next two years more than 75% of organizations are likely to adopt cloud infrastructure / services in their portfolio for improved availability and agility. That is to say, cloud today is a potential route to business competitiveness. The pharma and life sciences industry can derive substantial benefits by adopting cloud into its technology architecture. For one, you do not have to worry about the upfront investment; businesses are also freed from worrying about infrastructure ageing, refresh and upgrades, and from maintaining the relevant skills on board to look after them. Cloud-hosted solutions ease scaling, both horizontally and vertically, and are well suited to handling your demand variation.

However, the life science and pharmaceutical community in particular has been conservative, or more vigilant, about cloud acceptance, citing reasons related to security and transparency into the environment and operations, besides lack of experience in migrating on-premises applications to a cloud platform and similar. The concerns are real, but they are not bound to materialize if things are done correctly. They are likely to occur in the absence of the right diligence, the right skills in the diligence and solution design, past experience, and the sound planning that needs to go into preparing the organization for change. This is especially important for organizations that have not considered or done this before, where organizational resistance will need to be dealt with carefully, with perseverance and with facts. The good news is that with the right team on board and a structured approach in place, you are well set to achieve success with your cloud adoption. This article attempts to provide a time-tested, pragmatic approach to preparing for the change: a quick guide on how to select the right SaaS vendor and validate a cloud-based software service.

About SaaS Hosted Applications

This refers to applications / software hosted on the cloud and made available to users for consumption as a service. These days most OEM vendors offer their COTS (off-the-shelf) applications in a consumption model, hosted in a multi-tenant (shared) or dedicated model. The data is logically secured. Custom or bespoke applications are developed per industry standard requirements and are vendor-validated for standard use, i.e. pre-tested and pre-validated. In addition, in certain cases the vendor offers a platform and hosted application that is configurable to customer needs, and will test and validate it for standard use or user requirements. To sum up, the vendor is responsible for keeping the validated state of its systems current at all times, including through periodic upgrades and bug fixes, besides ensuring the environment is secured, compliant, and resilient to hardware failures, with provisions for business continuity. Customers do not have to worry about the upgrades and fixes or about validating these in detail. Rather, they are simply required to do incremental User Acceptance Testing (UAT).

Cloud service providers and / or SaaS vendors pay a lot of attention to their security, compliance and disaster recovery fabric, which would otherwise be quite effort- and cost-intensive for an individual business. The service providers, on the other hand, have an entire team of IT and functional experts responsible for developing, testing, validating, hosting, and maintaining the SaaS platform. However, it is important to note that, according to GAMP 5, the data and the final ownership of the system rest with the end-user organization. That is to say, it is for the customer to ensure that the hosted application ticks the boxes for regulatory compliance, data and system protection / privacy, and overall organizational needs, both functional and operational. Hence choosing an appropriate vendor and its services is key to SaaS adoption success.

Start of Journey

In the following sections we will talk through the what and the why of conducting due diligence and selecting an appropriate vendor.

Achieving the broad consensus.

This is arguably one of the most important steps, if not the most important, and lays the foundation for a smooth ride ahead in migrating to cloud and for adoption success. Moving to SaaS cloud should not be just about infrastructure; it should also cover operational metrics, the ability to scale up and down as needed and, most importantly, whether you want to see the cloud environment as an extension of your business network or environment. Debate and discuss with stakeholders the existing pain points and how a cloud / SaaS platform could effectively alleviate them. For example, doing it on premise could require significant investment and time upfront, besides the skills to deploy and maintain the environment. List your priorities and needs in order, so that you can evaluate the available solutions against them. In our experience people resist change and refuse to look at the bigger picture. Bring all the concerned stakeholders on board – both directly and indirectly impacted – to achieve consensus on the path forward. Include the outcome of a risk-based assessment (based on application usage and its data) for the application or process you are contemplating hosting on cloud, along with the intended benefits.

Debate and capture in your business case the rationale for why the business must do this: for scalability, reliability, global collaboration, improved DR, or all of these, increased time available to focus on core areas, cost savings and so forth. The more compelling the rationale, the faster and easier it will be to gain consensus across the board. Your business case should clearly state the success attributes, i.e., the support required from the leadership and other parties, their role, the role the functional team needs to play to obtain the end results, the indicative timelines for evaluation and deployment, and the benefits and trade-offs, if any. Sponsorship support is critical for your success.

Put in place the Evaluation team.

Once you have the go ahead, put in place a team for conducting the evaluation. The probable ones on your team would include SMEs from:

  1. Business process
  2. IT
  3. Information Security and Privacy
  4. Quality
  5. Commercial

With the team's help, put in place the evaluation checklist. If you are considering consuming software as a service, capture your service requirements and expectations of the vendor. SaaS vendors offer software as a service in a managed service model. It is always a good idea to segregate the checklist (requirements) into MUST HAVE and GOOD TO HAVE while doing the evaluation, so you know what the trade-off cost is. Consider obtaining consensus on the checklist from relevant stakeholders to avoid future surprises. Remember that this could result in a change and will meet resistance. Beware of tripwires.

Evaluate Vendor's Security, Regulatory Compliance and Business Continuity design and related processes.

Security and compliance are of paramount importance in the current scenario. Evaluating the vendor's approach / methodology to security, compliance and data protection / privacy measures is worth the time invested. Time spent now will save you from future scrambling and unpleasant dialogues later. This exercise could be jointly led by your IT and information security teams. The broad contours on which to focus your effort are:

1. Understand how the vendor handles information security and privacy – the process and architecture in place to ensure the triad of Confidentiality, Integrity and Availability (CIA). With the establishment of EU GDPR, data privacy and protection have gained more prominence than ever before. Understand where the vendor will host your application and data, what kind of processing the vendor will perform on your data other than backup and restore, and what associated processes and procedures are implemented for information security and privacy. Know whether the vendor subcontracts services for processing your data, i.e. who will have access to your data as part of application administration, data backup and other services that you expect the vendor to perform.

2. Review the vendor's certification to international / industry / regulatory standards such as ISO27K, SOC2/3, CSA Star. The certification demonstrates the vendor's commitment to and maturity in data protection and privacy.

3. If you are expecting the vendor to perform specific database administration activity or processing, discuss a data protection agreement with the vendor. Having a data protection agreement will ensure that both parties agree on the needs, how a breach will be handled, and the vendor's responsibility for protecting the customer commercially if the breach results from a shortfall in their responsibility.

4. Review the vendor's process and architecture around data backup. The points you need to establish here are what the data loss could be should a disaster strike, and what the ability is to restore from past backups should your existing online copy get corrupted or someone accidentally delete an important file or record. Review vendor process documents on how they do backups, verification and restore.

5. Understand the vendor's disaster recovery (DR) architecture and process, and what RTO / RPO the vendor commits to in case of disaster. Most SaaS vendors will have a primary – secondary architecture where data snapshots are replicated to a secondary location, in addition to backups at frequent intervals, as part of their DR design. Understand how and when the vendor performs disaster recovery drills. Review past DR drill certificates / documents to understand the depth of the disaster scenario and whether your specific needs are being met.

Evaluate vendor validation approach.

For a SaaS platform, verify the vendor's validation approach. The overall validation approach remains the same for cloud-based hosted systems / platforms; the only change is in the ownership of the system and related documents. The SaaS vendor is responsible for keeping its platform and applications (for the SaaS model) in a validated state and for maintaining the related validation and architecture documentation, e.g., System Architecture, Installation Qualification (IQ), User Requirement Specification (URS), Functional Requirement Specification (FRS), Operational and Performance Qualification (OPQ). It is suggested that you request a copy of the vendor's validation kit to understand their validation approach and the artefacts maintained.

The assessment of the vendor's validation approach and its documentation will help you decide whether the validation performed by the vendor meets all your requirements (in line with your organization's validation methodology) or whether you need to augment it with your specific user and system configuration requirements and related testing. In case you are planning to move your on-premise application to the cloud, the responsibility for IQ lies with you. It is the customer's responsibility to perform User Acceptance Testing (UAT) as part of the formal and final System Acceptance Testing. The UAT is necessary to corroborate the customer's understanding of the application and environment.

The good part here is that you can leverage and build upon the vendor's validation documentation, which in turn saves the customer a significant amount of validation time and effort. Here are some tips for performing due diligence on the vendor's validation process and artefacts:

1. Perform a thorough analysis of the vendor's validation methodology and validation artefacts. To reiterate, the customer is responsible for the system's validated state. If you need to augment the vendor's validation approach, discuss with the vendor how they can accommodate your needs as part of the final scope of work.

2. The IQ will include the system architecture and installation verification testing documentation. The system architecture would include the qualification of the infrastructure used for hosting the application and the verification of the application installation. Verify with the vendor that the IQ will be performed fresh and specific to your environment.

3. Make sure that the User Requirement and Functional Specification documents match your needs.

4. Understand whether the testing performed as part of OQ and PQ is relevant and meets your in-depth testing needs.

5. Verify with the vendor how your specific user and functional requirements can be incorporated in the validation process, what kind of support the vendor will offer, and what role the customer will play. It is important to have this conversation at the beginning so as to avoid disagreements later.

It is important to discuss with the vendor what your organization's validation methodology is and what support you would need / expect from the vendor to complete this process through an incremental effort, if need be. During this conversation you help the vendor understand your validation needs and obtain affirmation that they understand them and are willing to offer the support needed to meet your unique validation requirements. Having this conversation upfront helps both parties ensure:

1. They understand each other's requirements for compliance,

2. The amount of add-on effort and cost involved in meeting your specific validation needs is clear,

3. There is a level playing field for negotiation and agreement. The idea is to create a standard bundle and minimize the T&M effort. Managing change during the project leaves a bad taste due to schedule delays and cost increases.

Evaluate if application is fit for purpose.

This is as much about the application as it is about cloud. The business process person could lead this evaluation exercise with the team's help. This evaluation is required if you are not doing a like-for-like replacement or even an upgrade of the existing application. In scenarios where you are trying to automate an existing, partially manual process with the help of the new software, make sure you understand your existing process and be ready to tweak its workflow. Most manual processes mature over time and evolve to meet the specific needs of the business. For example, your existing process could have multiple toll gates in a specific order. Notably, this may not be the case with the best practice followed in the industry. While you can ask the vendor to tailor the software to your needs, such an exercise should be avoided if possible. One of the reasons we have seen is the difficulty of replicating a paper-based process on an electronic platform, which simply expands the work and the spend with only incremental benefit. You may find functions adamant about not changing their legacy processes for various reasons, but we suggest looking at the positive side of process re-engineering to make the process lean and mean.

Performing Vendor Audit

A vendor (quality) audit is necessary to ensure the vendor fits the organization's quality objectives, i.e., product maturity, compliance, maintenance support, etc. A formal audit will be performed by your Quality function for the shortlisted vendors. A formal audit is usually performed prior to contract signing. Conducting this exercise is imperative when your SaaS application touches GxP processes, and especially if the product has a bespoke development element. While the audit process is straightforward for industry-standard off-the-shelf vendors and their products, for a bespoke application it requires verifying the vendor's Quality Management System:

  1. The coding practices - how development is done, how code is versioned and maintained, how bugs are fixed, how changes are tested and implemented into production.
  2. Adherence to regulatory guidance - how the vendor organization, its systems and practices strictly adhere to drug regulatory guidelines in all aspects, including electronic data and signature production, protection, and maintenance.
  3. Understand the vendor organization's training process, the experience and expertise of the resources involved in product development and testing, and their know-how of highly regulated pharmaceutical and life sciences industry products, to avoid overlooking any necessary regulatory functionality and/or documentation.
  4. Understand how the vendor supports customers in their audits. Will they take part in audits on request? How will they fulfil document requests from auditors, given that the customer will be leveraging the vendor's quality management system, the underlying compliance fabric for the platform? This point is very significant, as the vendor's participation and partnership will be required to pass the audits successfully. Insist on understanding from the vendor how they will achieve this. Typically vendors will have a helpdesk operation which can take your request and assist you within the accepted SLA response / resolution time. Hence negotiate smart, measurable, targeted SLAs. It is also suggested that you work with the vendor to put in place a governance fabric, as part of account management, involving key stakeholders from operations and sponsorship. Put in place a cadence to discuss plans, unique requirements such as audit support, operational issues and so forth. The idea is to have key people on both sides with eyes and ears on the problems and needs on the table.

Performing Validation

The exhaustiveness of your approach to validating the SaaS application could vary based on:

  1. the application / software category (per GAMP 5 defined software categories)
  2. the GxP risk assessment outcome and the system's risk assessment, based on the selected vendor's existing quality practices and the intended use of the application. That is, if the application touches a GxP process, the application is considered critical, and so are its functionality, availability, reliability, and data security.

Your validation plan will be the guiding document throughout the journey. If you have already discussed your specific validation needs with the vendor, your actual validation cycle will complete with ease. It is suggested that the validation approach be discussed and defined in a joint workshop involving the vendor team during the planning phase. To ensure the workshop's success, make sure to involve the same team that took part in the evaluation. In case you do not have an in-house validation team, you may look to engage a consultant to lead this exercise.

Leveraging SaaS-based applications brings varied benefits to the enterprise, such as flexibility, cost savings, reduced lead time and so forth. With the right vendor and the right contract in place, businesses can accomplish their objectives with ease. With rapid deployment, and by leveraging the vendor's work and collaboration, it is easier to maintain the system's validated state and compliance, something which is otherwise an onerous task.

Michael Britt

Pharmaceutical Quality Specialist Contractor

4 years ago

Nice article Atul. I have a question for you in regards to cloud services. Within the Pharma industry I am being increasingly asked about how we maintain oversight with our cloud service providers. This is a difficult question to answer. Firstly a lot of cloud providers will not allow you to come and audit them - and I can understand why - it would just open a flood gate of audits that would swamp the business. Secondly a lot of "cloud" solutions used by Big Pharma are often a contracted offering - so Pharma Company A contracts out, let's say Clinical Management, to a CRO. And the CRO subcontracts the CTMS solution to a SaaS provider with a cloud data store. This second scenario puts the Pharma Company an even bigger step away from understanding how to demonstrate that the data is stored in a safe and secure environment. I'm all for SaaS and Cloud over on prem designs of old. I just wonder if we have become "lazy" in our reliance on the good words from our providers, rather than having the robust demonstrability of security that we would have had with an old on prem solution.
