SaaS vs on premise GxP software hosting: Risks, controls & questions

Graham Parker, one of the UK's leading technical compliance management consultants, recently talked at the Qualsys Quality in Life Science event in Saffron Walden on: "Software as a Service: Is it a silver bullet?". 

In this presentation, Graham discussed the risks, controls, considerations and questions to ask for both on premise and SaaS hosting. 

Below, we've shared a video recording of his presentation and the transcript - highlighting some of the top tips. 

Graham parker

About Graham:

Graham is a member of the ISPE GAMP SIG on cloud computing. The group is currently writing guidance for SaaS in GxP environments.

There are fundamentally two streams:

  • Series of case studies: These will be features in ISPE pharma engineering magazines.
  • Quality agreement: They are also looking at producing a quality agreement which will be a set of guidance useful for customers and vendors of SaaS.

ISPE GAMP SIG cloud computing



Most businesses will have Software as a Service in your domestic and your business environment. Salesforce, Xero, Zendesk, Batchline, Spotify, Microsoft Office, EQMS by Qualsys. There are lots of places where SaaS is in use.

1SaaS providers

Why is SaaS so prevalent?

It’s a silver bullet for your IT department.

However, there is a big difference in the risk profile of an on premise solution and a cloud solution.

In this presentation, I'm going to share with you some of the risks of each.

Nothing is completely black and white. There's not one size fits all approach. There’s a huge number of greys in this sector.

Your job is to use the information available to evaluate what's the best option for your business. 

Why SaaS

What are the benefits of a hosted software tool? 

When the hosting is provided by your supplier, your IT department don’t have too worry about servers, technology refreshes every 3-4 years, or asking their finance team for another £100,000 to get some new servers where there is no business benefit. 

SaaS offers less IT burden, reduced costs, more resilience, improved disaster recovery

In fact, even your finance team will like SaaS. You get reduced costs. You don’t have to buy a million licenses at £1000 each. You just pay yearly. As your business is bringing an income stream in, you just pay as you go.

You can argue, and software service companies do argue, and I do agree, that the service they offer will be more resilient. It’s their bread and butter to ensure  the service is available and they don’t damage their reputation. And if you said who is going to be better at disaster recovery, this company specialise in this activity day-in, day-out. Or my local IT man who may have to do it once in their lifetime if they are unlucky, I know where I would want to place my money.

There is a huge amount of benefits. I welcome SaaS, even in the pharmaceutical industry. Even though its got a risk profile.

I’ve worked with several pharmaceutical businesses over the past 5 years using SaaS and they’ve been great.

But it is a case of going in with your eyes open!

SaaS Risk profile

There is a different risk profile and there are different ways to mitigate the risks.

When I came in today, I picked up the Qualsys brochure and there are some of their blog articles.

The first bit says “Is your system fit for purpose?”

That's a great question.

If you’re on premise – that’s about all you need to ask.

If it’ software as a service, you ask “Is your vendor fit for purpose?” This is because they are the ones who are going to take your data. They have the crown jewels. You’re effectively putting your head in the lions mouth, where your head is the data, and they are the lion!


8 Software updates evaluating the benefits

Software updates
Check the update frequency and know whether you can reject updates

When you install a new software tool in house, you’re going to do an installation qualification. You’re going to document what version you put in, test it. Then you’re going to leave it at that version for the next 4 or 5 years.

When you opt for a SaaS tool, your software vendor is highly unlikely to allow you to leave the software at that version for several years.

From their point of view, the software vendor will prefer everyone to be on the same current version. They have a support team looking after the software. By having everyone on the same version, it means there aren’t any of the bugs from previous versions.

Your ideal scenario as a pharmaceutical company, is to keep the validated software, subject to security patches. 

But you’re both going to need to meet in the middle.

How often you get upgrades will depend on what you signed up to buy.

If you signed up to SAP by Design in Cloud, you get an upgrade every four months. You don’t get a choice. You can review so you can test it before they release it, but if your processes don’t work with it – you had better learn how to adapt them and put your procedures in place quickly.

In a current regulated environment, depending on how critical the software is, that might be acceptable. If it is acceptable, you will still need to have a team geared up to do testing every four months.

You might also have the opportunity in your contract to choose whether you take a new version of the software every year but won’t have to take one until every 18 months. This way, you can define what that basis is.

You don't want to take two weeks completing the validation report, then someone says “They’ve just emailed to say we need to take a new version of the software."

This might sound farfetched but at the GAMP digest forum 3 months ago, someone said the vendor said we have to have an upgrade – what shall we do? Well, you should have prepared for this in your contracts at an earlier date.

Know whether you will be hosted on a single-tenancy or multi-tenancy server

You may be sharing your software hosting platform with 20+ other companies. This means your data is all in the same database, it’s just segregated. It’s secure. It’s just in the same platform. This is a multi-tenancy server. 

You might have a single tenancy. In which case you will be able to say “We’re unhappy with our API from our ERP system” or our deviation system isn’t working properly. In that case, you have the choice of going back to your vendor and asking them to upgrade you again and you can test it.


Check the vendor's release notes documentation and process

If this is a good vendor, they should be providing you with release notes. Check that they have that process. You can’t do an impact assessment if you don’t know what’s changed between the version they gave you and what you’ve validated and what you’re about to get.


Check you will have a UAT environment for testing

Will the vendor give you a UAT environment so you can check and test updates?

Will they allow you to have that UAT environment?

Will that UAT environment be refreshed so it’s a sensible place to actually do your testing on?

You need communications in place to support the upgrade.

How EQMS works in a cloud landscape

Know how your data will be backed up 

One of the things I have noticed when working with vendors they say: “We are so resilient. The data is replicated in geo-physically separate data centres almost instantly.”

That’s fabulous. So if I place my data in Dublin, it’s then replicated in Singapore and California in the space of 5 minutes. 

But what about backing up the database?

They say: “Well we don’t do that! We just take everything and chop the data."

But, if we get corruption in our database, what happens is you have copied the corruption in the database within 5 minutes in three places and you don’t accept the backups?

They say “That can’t happen”

Are you feeling lucky?

It is up to you to make the call. You may find this is an acceptable risk, but you do need to critically think about it. You need to either implement controls (procedural, technical or mitigate it) or accept it and make sure your managers know!

Your vendor will probably be better at maintaining the service and at ensuring it is resilient than your own IT department. They’ll have a data centre where they can just swap banks of servers, but you need to know what they are doing.

Do they test backup and recovery?

Kate Armitage said that you should be able to rely on your vendor and their documentation. If you have an inspection, and they ask you “How secure is your data in the event of an IT disaster?” You need documentary evidence that you can always do a live, accurate retrieval of the data. If your vendor does it for you, you need to be able to show them your evidence.

You need to have an SLA or contract so that your vendor will support you when you have an inspection.

Quite often I've audited my suppliers and they've showed me how they backup test bots. But that doesn't show how they are backing up my data.

Is the business robust? 

The MHRA are asking this question about software as a service vendors. Can they prove their financial viability? What happens in the event of a financial breakdown with your provider? 

For example, I'm using batchline for my batch records. I want to know what their financial viability is. I get their financial report audit back and it says they are in the A++ category. But is that the answer that we need? 

They are a software company. They have a platform as a service taken off of somewhere else - maybe Amazon cloud, Azure, or some other smaller platform hosting provider. My data sits with that provider, not the software company. What do you do if the regulator turns up and wants to see their records? Everyone thought Carillion would never go bankrupt. What would you do in that situation? It's really important we assess the risks and have a plan. The probability of them going bankrupt is very low, but the impact of it happening is very high. 


SLA Annex 11

Annex 11 requires an SLA

If the system goes down, you need to know how long it's going to take to get back up. 

You can ask your vendor to view the statistics from their helpline. For some types of systems, such as a document management system, you may not be too worried about getting an SOP back instantly, the risks will be lower. If it's a real-time software LIMS tool, and you're using it for your QC testing, and you need it to get your products and other software tools working, the financial risks will be much higher. 


IT security

Has the vendor got robust information security controls in place?

From a technical perspective, a vendor is probably going to have much better controls and systems in place for dealing with information security than your IT department. But it's not always about technical controls. It's about people, processes and technology.  

It's usually the ransomware issues that hit the headlines. But the majority of the time there are real issues which happen all the time and could put your business at a serious risk if there aren't the processes in place. For example, your help desk gets an email from a new starter who needs their password and login ID. How do you know that the email is really from them? The name might be familiar, but what processes are in place to verify their identity? 


Will the vendor provide SOC2  reports? 

You could get SOC 2 reports on your vendor. Kate Armitage was saying in her presentation that she is quite open about providing access to their management system, internal audits etc. SOC 2 reports work in the same way. I feel with SOC 2 reports that there's the same comments year after year, and I'm not convinced they delve into the finer details of how things change. 


Does the vendor have stage one or stage two ISO 27001? 

Some businesses can say they have ISO 27001. But stage one is not much more than a self assessment. It's stage two you want to check. Make sure they have been independently audited and that they have certification.


Ensure the vendor does penetration testing

Find a vendor who does periodic penetration testing. You don't want to have to do it yourself. 


Check the vendor's internal security processes 

If you go and audit someone and you are buying software, if they've got your data. You want to check they have robust processes. They may not  have to comply with ALCOA+,  but they should accept that they are accountable. Check they aren't sharing passwords, are locking their screens when not at their desk, check they vet their human resources etc. 


System retirement

Check the system retirement and decommissioning process

Do not enter into a software as a service agreement unless you have an exit strategy. That might seem a bit perverse that at the same moment as you are entering a relationship (hopefully for the next 10 - 15 years), you need to have your plan ready. For GMP data, you need to have a retention strategy. You can't just have a system for a year, then turn it off and go somewhere else. You've got to retain and pull that data back. 


Know how you will extract and migrate data from your system 

If your software is on premise, you probably have a technical team who will pull the data out of your system. They might be able to write some validation scripts for you. But a vendor is not going to let you go into the back end of a database. Find out what they provide you at the end of a contract to get your data out of the system. Most will have APIs. Check they are complete. If only 10% of their customers are in the pharmaceutical industry, they might not be overly familiar with the ALCOA+ and your needs for a full audit trail. You need to preserve the data, it's accuracy and it's meaning.

Also, find out what their standard reports and will they offer custom extract scripts. 


Download all these questions as a spreadsheet: 




Instance and data destruction 

If you've got sensitive data in your system, you will need procedures for destroying it / backing it up. Check all of their processes.

Inspecton support

Ensure the vendor provides regulatory support during an inspection 

Regulators do not care whether your system is hosted in the cloud or on premise. They just want you to have documentary evidence that the system is validated and the required controls in place. 

Your vendor should be able to provide this documentary evidence. 

Don't fall into the trap of thinking you need to recreate it all. In fact, in many cases, it will be impossible for you to recreate all of the documentation.  

On of the top FDA auditors is adamant that he can walk into any pharmaceutical business using software as a service, platform as a service or infrastructure as a service, and request access to their data centre or hosting facility. But if you're using Amazon, you won't be able to simply arrange a data centre inspection. You need to think about this and the risks. 


Supplier audit

Mitigating risk
Audit your suppliers, their providers and assess their quality management system 

You will probably want to implement some controls. One of these is the supplier audit. You will want someone with IT and SaaS domain expertise to check over the details. You need to have good people who you can rely on. 

Assess the vendor's quality management system. Find out what due diligence, audits and compliance assessments your supplier does with their providers. 


Set in place quality agreement controls 

You need to have your quality agreements in place with a focus on addressing and documenting agreed quality related arrangements and controls.

The GAMP SIG on Cloud Computing is planning to put together a QA template for vendors and pharmaceutical companies to make the process a lot simpler. 

In the GAMP GPG section 18 (appendix 11) there are three very long tables on infrastructure. There is a table for software, infrastructure and service. This guidance can really help to enhance some of your key areas. 

Periodic review and audit

Your vendor might change their platform. Schedule periodic reviews and audits to find out whether: 

  1. The SaaS provider's financial circumstances changes?
  2. The application's platform changed? 
  3. Provider maintained their standards? 
  4. Data been backed up and restored on a regular basis? 
  5. The provider maintained certifications?



The key takeaway:

Businesses and users considering utilising a SaaS solution must fully understand the model within which they will engage and understand the implications thereof. 

It is only when the potential contract giver is aware of these considerations that they are able to fully investigate and assure themselves of adequate service provision for the contract acceptor. 

When such assurances are received, it is imperative that the associated controls and assurance are embedded in the associated contract, SLA and quality agreements before any legally binding obligations are agreed. 



What you should do now: 

1. Connect with Graham on LinkedIn 

2. If you're planning whether to host your EQMS on premise or in the cloud, Qualsys can provide expert GxP implementation and maintenance services. Schedule a discovery call here:

3. For more information about GxP compliance, download our toolkit:

Gxp Compliance training materials










Topics: EQMS Technical

Share your thoughts on this article