Product lifecycle management (PLM) systems have evolved from being custom-built, on-premise applications to cloud-based, off-the-shelf solutions. As adoption for PLM in the cloud increases, system validation approaches in FDA/GXP regulated industries have had to adapt as well.
The FDA and Computer System Validation
Computer system validation is mandated by the Quality System regulation (FDA, 21 CFR Part 820) which requires that “when computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol.”
Furthermore, computer systems that implement part of a manufacturer’s production processes or quality system are subject to the Electronic Records and Signatures regulation (FDA, 21 CFR Part 11).
The classical V-Model is typically applied for Software Verification and Validation for enterprise systems:
Applying the V-Model to Cloud Based Service Models
There are three basic service models in the cloud (source: David Chou, http://blogs.msdn.com/b/dachou/):
The V-Model may be applied to systems in the cloud as follows:
While the IQ, OQ responsibilities are shifted to the cloud service provider, as the regulated company you are still accountable for compliant quality systems. As the regulated company, you must verify that the service provider has appropriate controls in place.
Before you select a cloud service provider for your PLM solution:
- Conduct a supplier audit and perform a risk assessment
- Document risks related to roles and responsibilities, processes controls and technology used
- Formally document the responsibilities of the cloud service provider
After going live with cloud based solution continue periodic performing periodic audits of the cloud service provider.