I believe these questions are extremely valuable in scoping the validation effort. However, in the context of “How to Validate a Cloud-based Solution”, there are many other things to consider.
Depending on the organization and their particular guidance around validation of software (i.e. internal policies, procedure, work instructions, etc.), there may not be a mechanism for identifying “supplier/vendors” for this particular type of service. This then would require the organization to develop a means for vetting this service provider with the intent to satisfy validation. If validation has never been done against such a solution, then a means would have to be established - which may impact supplier quality, the audit team, and any sponsors/users of the proposed solution.
Consequently, executing validation may be a considerable challenge.
In some cases, the desire to consider a cloud-based solution may be due to the “total cost of ownership” for certain client/server-based solutions (or in-house maintained). Updating or developing support guidance for a new Document/Content Management System (as well as the specialized administrative staff required) may be a less appetizing approach when comparing ROI. At least, at a glance.
Then comes the rub…how, then, to “validate” something the organization doesn’t control??? Historically, an organization will develop a Validation Plan. From the Plan: the scope, approach, deliverables, etc. Perhaps the validation is done per a “lifecycle” and certain phases/stages are followed to effectively execute particular tasks commensurate with the phase. All this should culminate in a report which “releases” the system for use (assuming the report is the gating item).
I can’t imagine any reason why this overall approach would not be followed for a cloud-based solution. The inherent difference is in the details. Further, once the system is in the Maintenance phase of its lifecycle, how are Change Controls implemented? Particularly if change requests might exist outside of any existing in-house change management process/system???
Here’s a laundry list of things to consider:
identify/specify intended use.
- Does/will the system support existing business processes, or will new processes be developed?
- Have workflows been identified/established?
- User-base defined?
- Support staff for configuration and maintenance (in-house)?
- Policies/procedures for use and administration?
- Access to data/records/archives/back-up: who, when, how?
- Does the vendor have a Quality system?
- Does it have guidance affecting change management? Configuration management? Patches, upgrades, updates?
- Hardware maintenance and management (servers)?
- Does the solution allow for different environments (e.g. Sandbox, Development, QA, Production)?
- How are these environments different?
- How is data maintained across environments?
Answers to these questions may assist in appropriately scoping/defining the level-of-effort for validation. The verification methods and objective evidence will most-likely be quite different from anything anyone has seen to-date; however, can they satisfy the expectations of the validation effort and (ultimately) support the prescribed Intended Use?