Cloud Computing Validation in a Regulated Environment

Cloud Computing plays an essential role in the digital revolution that most companies are now experiencing.

In the Life Sciences Industry, one of the points that has gained prominence is the validation of cloud-based applications. How do computerized system validation guides, such as GAMP5, treat the subject, and how have companies in this sector adapted?

What is Cloud Computing?

One may not realize it, but cloud computing is already part of the routine.

One proof of this is that the applications that we carry on our smartphones, provide everything from traffic information to how much medication one should take.

These applications work and store data on an online server, so that they can be accessible from anywhere, and at any time. The allusion to the term "cloud" is made precisely because of these characteristics.

Cloud service provisioning falls into three categories, which are:

  • SaaS - Software as a Service - the supplier is responsible for the entire structure that will be used, and the client has access for a monthly fee.
  • PaaS - Platform as a Service – client is responsible for the application and the supplier is responsible for the entire structure to keep this application running.
  • IaaS - Infrastructure as a Service - the infrastructure is provided by the supplier and the client is responsible for managing the purchased server space.

The Validation of Cloud Systems

The first question that arises is whether it is necessary to validate some sort of cloud computing-based application and how the validation should be performed.

The Cloud Systems approach goes through the same evaluation criteria as the validation of regular software outside the cloud.

Initially, if the application impacts patient health, product quality, and data integrity, then that platform needs to be validated.

Let’s take, as an example, an app that makes a set of data available, such as drug leaflets (either in paper or digital format), or even applications that monitor a patient’s diabetes and glycemic index.

These applications store the personal and treatment data of a registered patient in the cloud, and even calculate the required insulin dose based on the information entered into the system.

This falls under “sensitive personal data” which refers to a patient's health and therefore is addressed under Good Manufacturing Practices.

How to Validate Cloud Systems

The FDA treats the cloud service structure as a system, so it requires compliance with the same standards, geared toward validating systems outside the cloud, as already mentioned before.

The first recommendation is to involve the validation team as soon as possible, before any commitment with a cloud vendor.

During the documented supplier assessment phase, the validation professional must have access to the technical and quality management system information about the vendor.

This advance planning aims to ensure the inclusion of the validation process in sensitive situations, such as server version upgrades, and to avoid the lack of access to important information during the validation in the production environment, which would potentialize non-conformities.

After this first stage of participation in the hiring of the service, the validation phase begins, with functional tests in a quality environment before the release of the production environment.

It should be remembered that even in the cloud, there exists a quality environment and a production environment.

If the supplier offers database customization, then the existence of a development environment is also considered.

Points to note when hiring cloud services

There are market certifications or proof of conformity for cloud service providers that demonstrate the quality and ability to meet important requirements for service and for validation, such as NIST, ISO 27001, ITIL, Cloud Security Alliance (CSA), etc., that guarantee the quality of the service.

Another important issue is the choice of a provider that allows access to the server. Performance testing and collection of information are needed to complete the validation.

In general, large cloud providers have repository portals for their client’s access to important compliance information that can be used by validation professionals to document the vendor’s best practices.

Another interesting choice is that there are cloud providers with teams specifically focused on the Life Sciences Industry, to meet GxP needs.

This improves the relationship between the vendor and the validation team and ensures access to essential information for the validation process.

Challenges in Validating Cloud Systems and Final Considerations

The validation professional should not necessarily know the in-depth technology used by cloud service providers. Rather that this technology meets the requirements of the validation guidelines when implementing Good Manufacturing Practices (GMPs).

The professional needs to monitor the decisions made to choose confidently a service provider and broaden the professional’s expertise in technological innovations.

With the evolution of the market and the entry of more and more companies into the digital era, cloud systems validation is a global trend and has already been adopted by large companies in the Life Sciences sector, for reducing costs and increasing productivity.

This reality has already become part of the routine of most validation professionals.


Would you like to be more efficient with your validation activities? Please, check:

Would you like to schedule a meeting with us? Please, click here or send us an e-mail at [email protected].

GAMP5® is a guide that has its intellectual rights reserved by ISPE™. Available for purchase at