EMEA Office
Louizalaan 489
1050 Brussels
Belgium
Key considerations for SaaS eQMS validation
SaaS validation to comply with GaMP5 requirements
06:42
Introduction, Validation Principles to comply with GaMP5 Requirements
27:40
Deliverables Expected for SaaS Validation
40:05
Who is Responsible for What (Vendor vs. Sponsor)
46:30
Special Considerations for eQMS SaaS vs. Other Saas Systems
48:50
Q&A Session
In this free session, Angel Buendia, Scilife’s Knowledge Manager, and Angela Bazigos, CEO at LEADER Compliance Consulting, will discuss the critical aspects of validating SaaS eQMS systems. They will cover SaaS validation to comply with GaMP5 requirements, the expected deliverables, and the roles and responsibilities of your company versus the vendor.
Our eQMS has a DocuSign plugin for external signatures. Would that be Part 11 compliant?**
*This is a great and interesting question. DocuSign offers a separate software module that is Part 11 compliant, which would need to be validated. Like any other SaaS provider, DocuSign provides validation test cases and requirements, but these do not cover everything you need for your specific implementation.
I have validated DocuSign multiple times, and it's crucial to ensure that the specific DocuSign module you are using is Part 11 compliant and has been properly validated. Although I haven't encountered an integration of DocuSign directly within an eQMS, if you are using DocuSign for electronic signatures, you must ensure you have the Part 11 compliant module and validate it.
Recently, I audited a company that was using DocuSign without the Part 11 module and had not validated it. They had to redo all their electronic signatures manually for their SOPs and other documents. Ensuring you have the correct setup is essential to avoid significant rework and potential regulatory citations.
If a vendor's testing addresses our intended use/requirements can we not leverage their testing?
Yes, absolutely. You can leverage the vendor's testing, but you must ensure it aligns with your templates and specific requirements. Make sure you are only using the parts relevant to your needs, rather than everything the vendor provides.
Some people tend to overdo it, testing more than necessary. It's important to strike the right balance; the vendor's testing might include elements that are not applicable to your use case. You need to make thoughtful decisions about which tests to leverage and ensure everything is well-documented. Regulatory agencies look for evidence that you are in control of the process, not necessarily that everything is perfect.
I am currently reviewing the eQMS software. There is a company that says that they can do the validation by clicking some function in their software. Have you come across something like this? Is it acceptable?
No, it's not acceptable, and there's a lot of confusion about this. They might be confusing it with verification, which is just a part of the validation process. Validation involves much more, including planning, defining requirements, and ensuring the system works as intended. Simply clicking a function is not sufficient for validation.
However, there are many SaaS systems where clicking a function generates a detailed report, typically related to the installation or configuration of the system. While these reports can be useful, they are not a substitute for a comprehensive validation process.
To what extent can you reuse the validation done by the vendor in your own validation?
You should reuse as much of the vendor's validation as you can. Review what the vendor provides and utilize everything that aligns with your requirements. Make sure that the documentation is appropriate and meets your specific needs. If any requirements are not covered by the vendor's validation, you will need to create additional test cases to fill those gaps.
Remember, no vendor validation is perfect and will likely require some additional work from your end to ensure it fully meets your requirements.
Can you talk about the difference in the extent of validation - i.e., Category 3 versus 4 and configurations?
Category 3 validation involves simpler configurations that do not require the three components of "plan, actual, and analysis." For instance, consider a fridge that needs to maintain a specific temperature range. If the temperature goes outside this range, an alert must be generated. The configuration here would be setting the acceptable temperature range and ensuring that an alert is triggered in case of an excursion.
On the other hand, Category 4 involves more detailed configurations. For example, in a training system, you need to configure various components such as assigning training modules, determining which departments and individuals need specific training, identifying managers, and setting escalation protocols. Category 4 requires a higher level of detail and complexity in configuration compared to Category 3.
EMEA Office
Louizalaan 489
1050 Brussels
Belgium
US Office
Scilife Inc.
228 E 45th St. RM 9E
New York, NY 10017
EMEA Office
Louizalaan 489
1050 Brussels
Belgium
US Office
Scilife Inc.
228 E 45th St. RM 9E
New York, NY 10017
Copyright 2024 Scilife N.V. All rights reserved.