Posted on

5 key components of a VMP for SaaS

Image created with Midjourney

Artwork management in the pharmaceutical industry is a critical process that requires accuracy and precision to ensure compliance with regulatory requirements and avoid errors in the packaging design that make it to the market and risk a product recall. The artwork management process is sometimes underestimated as it pertains to a non-core activity for brands and manufacturers of medicines and medical devices. However, it can be a critical aspect when facing an audit and even more when such audit is triggered by a product recall.

Multi-tenant SaaS solutions are becoming more popular with pharmaceutical companies, despite the traditional on-site installations, as they offer lower pricing points and less on-boarding hassle (lower financial costs and faster implementation). One key component that is still not fully understood is the fact that validation of on-site custom made solutions differs significantly from the validation approach required for multi-tenant SaaS applications.

The first key component is the Validation Master Plan (VMP) which outlines the validation process. Here we will discuss five key components that must be included in a VMP document for the validation of a multi-tenant SaaS Artwork Management System.

  1. Scope and Objectives – This section needs to clearly define the scope and objectives of the validation process. Let’s dive in. The scope should outline the functionalities of the multi-tenant SaaS solution that will be validated, including any third-party integrations. It is important to define the scope with care and discuss which components need to be included. One aspect that is often overlooked when validation a SaaS application is that in many cases, there will be external services (typically micro services) and infrastructure. These, as long as they only play a servicing role, can be left out of the scope since they are controlled by a third party. The objectives should detail the specific outcomes that the validation process aims to achieve, such as ensuring compliance with regulatory requirements or minimizing the risk of errors or data loss.
  2. Validation Strategy and Acceptance Criteria – The validation strategy should specify the validation approach, including the type of validation to be performed, such as installation qualification, operational qualification, and performance qualification. It is a good idea to include specifically which aspects of the solution will be relevant for the validation. The acceptance criteria should detail the testing methodology, including the type of testing to be performed, such as functional testing, user acceptance testing, and performance testing.
  3. Roles and Responsibilities – This section should clearly outline the roles of the validation team, project manager, system administrator, and any other key stakeholders involved in the validation process. It should also detail the responsibilities of each team member, including their participation in the validation activities and their expected deliverables.
  4. Testing Documentation – The documentation section should detail the testing documentation that will be used and delivered during the validation process. This section should include a list of all required testing documents, including test plans, test scripts, and test cases. It can also outline the testing schedule and the expected timeline for completing each testing activity.
  5. Change Control – The final component of a VMP document should detail the procedures for making changes to the multi-tenant SaaS solution after the validation process is complete. It should include a list of change control forms (or other methods for documenting the required changes), detailing the requirements for documenting changes, and the process for reviewing and approving changes.

The VMP document is an essential tool that will guide you through the validation process.There is however not a single way to create it. Depending on your scope and criteria, the contents of the document can change dramatically. One critical aspect is choosing carefully which components of the application you are going to validate. For applications that rely on external infrastructure or services, specially when managed by third parties, it might prove difficult to get all the components required to validate those services. Our advice is to focus on your application and ensure that all third party infrastrucure and services are only services and do not represent a core data processing unit of your set of features.

If you get the VMP right, the rest of the validation will be much more approachable than having to come back to the VMP to make changes. Spend your time wisely, get the VMP right and your validation will be a breeze.

Want to know more key differences between a traditional VMP and a VMP for a SaaS solution, let us know!

Posted on

Is Software Validation outdated?

Image generated with Midjourney

Software validation is the process of ensuring that software systems meet the requirements set forth by regulatory bodies, such as the FDA in the United States. This is particularly important in highly regulated industries, such as the pharmaceutical industry, where software systems are used to manage and analyze critical data that is used to support the development and manufacture of drugs.

The origin of software validation can be traced back to the early days of computer technology in the pharmaceutical industry. In the 1970s, the FDA began to recognize the importance of software validation as a means of ensuring the accuracy and reliability of data generated by computer systems. This led to the development of guidelines and regulations for software validation, specifically in the pharmaceutical industry, such as the FDA’s “Guideline on General Principles of Software Validation” in 2002.

One key document that is created during the software validation process is the Master Validation Plan (MVP). The MVP is a comprehensive document that outlines the overall strategy and approach for validating the software. It includes details such as the scope of the validation, the validation team, and the schedule for validation activities. It is the first and foremost piece to documentation that needs to be created.

Following the MVP, you need to build three key documents: OQ, IQ and PQ.

Operational Qualification (OQ) and Installation Qualification (IQ) are used to ensure that the software system is installed and configured properly, and that it functions as intended in its intended environment.

Performance Qualification (PQ) is a process of testing software systems in order to verify that it performs as intended, and that it meets the acceptance criteria defined in the Qualification Protocol (QP).

As the technology and software development methodologies have evolved since the 70s, the need to adapt the validation model for modern SaaS cloud-based solutions has become increasingly important. With the advent of cloud computing, software systems are no longer installed and run on a single machine, but rather they are accessed through the internet from various devices and locations. This is the so called “single tenant system”, which is a radically different paradigm from the early on-site installations. This has led to the development of new guidelines and regulations for validating cloud-based software systems, such as the FDA’s “Guidance for Industry: Cloud Computing and Mobile Medical Applications” in 2013, although one might argue that those models are still outdated given the speed of the advancement of technology and cloud services.

In conclusion, software validation is a critical process in ensuring the accuracy and reliability of data generated by computer systems in highly regulated environments. However, application of outdated validation methods will only led to frustration and failure.

If you are about to embark on a validation process for a SaaS solution but your QA team has only experience on traditional on-site installations, do not rush. Take your time, read the available literature, get familiar with the tools and infrastructure used by your chosen vendor and if necessary, ask for additional budget to ensure the validation is not only successful, but more importantly, relevant.