Embed Size (px)
Citation preview
Saba Cloud –Validated Environment Managed
Services (VEMS)
Saba Cloud – Validated Environment Managed Services (VEMS) | 2© 2020 Saba Software. All Rights Reserved.
Companies operating in highly regulated GxP markets such as pharmaceuticals, medical
device manufacturers, biotech companies, biologics developers, life science companies and food
manufacturers are subject to rigorous compliance requirements set forth by the regulatory bodies in the
countries in which they operate. These compliance requirements dictate (among other things) how
electronic records and related e-signatures should be maintained within validated computerized systems.
GxP refers to a set of guidelines put in place to ensure products and services are safe. It ensures that regulated industries adhere to very specific and secure processes and procedures.
Saba Cloud – Validated Environment Managed Services (VEMS) | 3© 2020 Saba Software. All Rights Reserved.
U.S. FDA – Title 21 CFR Part 11In the United States, Title 21 of the Code of Federal
Regulations (CFR) Part 11 defines the criteria under
which electronic records and signatures are
considered to be trustworthy, reliable, and equivalent
to paper records and handwritten signatures. Part 11
requires controls, including audits, system validations,
electronic signatures, and documentation for software
and systems involved in processing electronic data
that is (a) required to be maintained by the FDA
predicate rules or (b) used to demonstrate compliance
to a predicate rule. Requirements include, for example,
certain provisions of the Current Good Manufacturing
Practice regulations (21 CFR Part 211) or the Quality
System regulation (21 CFR Part 820). Specific to a
Learning Management System (LMS) or Assessment
Management System (AMS), given they are only
used in support of the implementation of regulated
industries’ Quality Systems, they may or may not need
to be validated to the same degree as, for example,
software used as components in the product design
and manufacturing processes.
EU Regulatory GuidanceIn the European Union, the latest guidance from the
European Commission’s Directorate-General for Health
and Consumers on “Annex11: Computerized Systems”
infers that manufacturers should be able to justify their
standards, protocols, acceptance criteria, procedures
and records based on their risk assessment. Together
with the stipulation that LMS/AMS applications have
an indirect impact on life sciences product quality and
consumer safety, it would stand to reason that they
should not be treated (from a risk-based perspective)
like firmware/software used in direct control of design
and manufacturing processes. Accordingly, some
manufacturers might subscribe to the notion that their
LMS/AMS validation might be exercised in a somewhat
discretionary manner, given that the competence and
reliability of a supplier can be established by assessing
the supplier’s established procedures that produce
“change tracking” records accumulated within time
sequenced documentation.
Saba ExperienceSaba, founded in 1997, decided as part of its
initial market segmentation to satisfy 21 CFR Part
11 requirements for those customers that needed
electronic signatures and as such developed its
software platform to support trustworthy and reliable
electronic records with associated audit trails. As a
result, Saba has attracted a significant portion of top
global Fortune 50 life sciences organizations as its
customers and, more importantly, has sustained them
as longterm customers. Some of these customers have
started to migrate into the cloud by moving their Saba
implementations from behind their corporate firewalls
into Saba Cloud, Saba’s SaaS offering.
Saba Cloud is a software application suite that is
rendered as “Software as a Service” (SaaS) (see Figure
1 below). As its core functionality, the application stores
user profiles and training compliance information
such as transcripts and certifications, and it meets
the relevant provisions set forth in 21 CFR Part 11
by sustaining a “closed system” by implementing
functionalities that guarantee user account uniqueness,
native password administration controls, and silent or
verbose audit trails, as well as e-signatures triggered
by end-user actions that require user confirmation to
complete tasks within application workflows. Another
requirement that the FDA imposes on its regulated
industries is that it puts the impetus on organizations
to “validate” whether software applications are
developed and tested according to “current Good
Manufacturing Practices” (CGMPs) defined by the FDA.
In this regard, too, Saba has well-documented internal
quality standard operating procedures (SOPs) for
software development, and we have had many of our
life sciences regulated customers audit us against our
application “Software Development Life Cycle” (SDLC)
SOPs. Saba Services can support customers with their
audit requirements for Operational and Performance
Qualification (IQ/OQ/PQ) activities pertaining to our
customers’ “Deployed Application Environments.” Saba
publishes customer facing documentation to support
Installation Qualification (IQ) for each release. Saba
Cloud application suite and its core LMS functionality is
Saba Cloud – Validated Environment Managed Services (VEMS) | 4© 2020 Saba Software. All Rights Reserved.
rendered via a shared infrastructure SaaS model as depicted in the National Institute of Standards and Technology
(NIST) abstractions. Current FDA IQ/OQ/PQ guidelines only pertain to computerized systems with infrastructure
dedicated to a single organization and hosted in-house or via an external “IaaS” provider. As of the time of this
writing, FDA guidelines have not been updated to define best practices for validating Cloud SaaS deployments,
so Saba has put forward the following proposed framework.
Pursuant to NIST definitions, SaaS on shared infrastructure, in Figure 1, implies the Cloud Consumer would entrust
the Cloud Provider to sustain the four infrastructure tiers below the Application tier as long as the Cloud Provider
internal change control procedures are assessed by third-party American Institute of Certified Public Accountants
(AICPA) accounting firms and produce annual attestations of Cloud Provider compliance to SSAE18 or similar
internal frameworks for security, confidentiality and availability. Accordingly, infrastructure (the bottom four tiers
below Application) changes are not subject to Cloud Consumer approval or review, and where a change cannot
be fully verified by the Cloud Consumer, it shall be validated with a high degree of assurance and approved by the
Cloud Provider according to established procedures.
Cloud Provider
Application
Hardware
Facility
Platform Architecture
Cloud Infrastructure
Cloud Consumer
Figure 1: Differences in Scope and Control among Cloud Services Models
Saba Cloud – Validated Environment Managed Services (VEMS) | 5© 2020 Saba Software. All Rights Reserved.
...and the stipulation that an LMS application has an indirect impact on life sciences product quality and patient safety, some life sciences organizations might agree that LMS validation activities might be viewed as somewhat discretionary, especially since an LMS is not used to perform the transactions below:
Control data supporting regulatory safety and efficacy submissions
Control or provide data for product release
Control data required in case of product recall
Control critical parameters or data used at any stage, including pre-clinical, clinical, development and manufacturing
Control adverse event or complaint recording or reporting
With the above framework in mind...
Saba Cloud – Validated Environment Managed Services (VEMS) | 6© 2020 Saba Software. All Rights Reserved.
Saba Cloud – Validated Environment Managed Service (VEMS)With the recent demand for transition into the cloud
and in keeping with our ongoing strategy and success
in leading the market, Saba has developed a new set
of services that helps our regulated GxP customers
maintain validation compliance for their Saba Cloud
SaaS environment via a comprehensive set of
Application-tier pre-go-live validation services and
post-go-live change tracking documentation. This new
program is called “Validated Environment Managed
Service” (VEMS) and is described in more detail below.
Saba Cloud VEMS is designed to help our regulated
GxP customers maintain ongoing validation
compliance for their Saba Cloud shared infrastructure
SaaS environments. Saba Cloud customers who
use discretion about validation of their LMS may
choose to defer some aspects of pre-go-live
“Initial Implementation Validation” and post-go-live
“Application Change Tracking” to the Cloud Provider.
The Saba Cloud Multi-Tenant Application Validation
model is comprised of:
• New implementation support services including
Application validation (IQ/OQ/PQ). (Refer to table
below)
• Post-go-live “Continuous Validation” of Application
changes. (Refer to table below)
Specific to post-go-live “Continuous Validation,” the
proposed deferred validation model relies on Saba
to validate all application software updates before
approval for production use. Essentially, Saba performs
“Installation Qualification” (IQ) with a high degree
of assurance according to established procedures,
providing prospective and proactive accountability.
A few months prior to a Saba Cloud VEMS Update,
the customer is provided application software
“Functionality Change” training followed by an
opportunity to review net application changes inside
a Staging site before their VEMS Non-Production and
Production Saba Cloud sites are upgraded to the latest
Saba Cloud VEMS version.
The above, together with open access to
Sabaproduced application validation records, serves
as both reactive and retrospective accountability that
our customers can demonstrate to regulators at any
time. Moreover, the proposed model enables our
customer project teams to reduce their reliance on
in-house validation support resources, hence
eliminating the risk of losing application support (from
vendor/supplier) due to inability to update their LMS as
a result of IT and quality control resource scarcity.
Saba Cloud – Validated Environment Managed Services (VEMS) | 7© 2020 Saba Software. All Rights Reserved.
APPLICATION CHANGE TRACKING PHASE
Monthly Fee; Co-terminus With SaaS Subscription
• Formal processes track application functionality changes via change management request and approval records which are maintained within Saba’s release planning system of record
• A few months leading up to each Saba Cloud update
− Application “What’s New” training delivered to customers
− VEMS subscribers are afforded a 10 week validation period of the latest Saba Cloud Update prior to upgrade of VEMS Non-Production and Production sites
• Pursuant to each update to Saba Cloud, Saba performs summary “Change Documentation,” using Saba GDP-based change tracking forms, which include evidentiary summary of:
− Application “Release Notes”
− 21 CFR Part 11 product compliance test results
− Saba Cloud VEMS Validation Summary
• Saba facilitates periodic requests for operational verifications, including third-party annual attestations for SaaS platform and operational compliance to Trust Services Principles (TSP) for security, confidentiality and availability, which include third-party reviews of Saba’s Operating Controls
IMPLEMENTATION PHASE
Fixed-fee Consulting Service
• Pre-go-live Audit: Saba facilitates requests to verify application software SDLC, product release methodology, and production support operations
• Validation Package Creation: Performed by Saba Consulting and Customer Team, utilizing Saba “Good Documentation Practices” (GDP)
− Application Configuration Blueprint document suite (includes Traceability Matrix linking Requirements, Configuration Specifications and UAT scripts)
− IQ Documentation: Executed by Saba Cloud Ops, using Saba
− IQ templates and GDP
• OQ/PQ Documentation:
− Documented evidence that software components and integrated system perform as required and expected (including UAT execution/sign-offs by customer project team)
• Saba Professional Services provides optional Release Validation services to assist customers in re-validating OQ/PQ with each new software release
Saba Cloud – Validated Environment Managed Services (VEMS) | 8© 2020 Saba Software. All Rights Reserved.
✓ Rigorous Saba SDLC processes
✓ Standardized validation criteria
✓ Verified by independent third party
✓ Access to meticulous documentation
✓ Lower overall operating cost
✓ Significantly reduced customer resource requirements
✓ Benefits of the Cloud with the flexibility to stage and validate
✓ Addresses risk of losing application support from Cloud Provider
Value to VEMS Subscribers
© 2020 Saba Software Inc. All rights reserved. Saba, the Saba logo, and the marks relating to Saba products and services referenced herein are either trademarks or registered trademarks of Saba Software, Inc. or its affiliates. All other trademarks are the property of their respective owners.
(+1) 877.SABA.101 | www.saba.com 02/20
Your success starts here!
24/7 customer support
Collaborative online customer community
Value-added strategic services
Regular user group meetings
Standard or customized implementation services
Dedicated customer success rep
The Saba Experience:
Saba Partner Marketplace
Recruiting & Onboarding
Performance & Coaching
Learning & Skill Development
People Insight & Analytics
At Saba, we know that the success of any organization starts with its people.
At Saba, we know that every organization has the potential
to be a great place to work, and no matter what your
business does, or who you serve, or what you sell, success
starts with your people. But in today’s diverse, mobile, social
world, successful organizations must deliver an experience
at work that’s more connected, and more personal than
ever before. And the most successful do this with Saba.
Because we combine the science of talent with intelligent
technology to deliver a “just-for-me” talent experience for
every individual - in the moments that matter most. With
powerful tools and insights talent leaders need to prove the
experience makes an impact on business success.
So from attracting candidates who are the perfect fit, to
designing paths for personal growth, to creating a culture
that nurtures the unique talents of every individual, Saba
helps you give your people and teams the message: Work
to your strengths. Work like you envision. Work like it’s
personal. Work like you.
About Saba
Ready to learn more? Connect with us!
