Thanks everybody for your input. I had a quick call with one of the (very helpful) authors of the CSA draft guidance and he basically echoed Randy's comments (but it was still reassuring to hear it directly from the FDA). The main concern I raised was around the 'must be validated before issuance' bit in 820.70(i) in light of rolling updates from cloud service providers. We discussed the option of employing regular (but after-the-fact) assessment/testing as a way to ensure that the overall system maintains a validated state. He didn't consider this approach to conflict with 820.70(i) provided it was part of a pre-defined risk-based validation strategy for the system. Obviously, if the potential for product/user risk exists, then this approach wouldn't be acceptable, but there was nothing in the application as described to him to suggest that level of concern.
So for the application I'm thinking of (Google Drive or similar for Doc Storage + DocuSign or similar for eSignatures + accompanying work instruction) a validation approach might look something like the following. And Karen, I don't believe your application of Google Docs for maintaining logs would be much different:
- A once-off documented Validation plan justifying the risk associated with the application and outlining the validation strategy through its lifetime. This would include risk-based justification as to why periodic review/testing is sufficient in lieu of conducting a prospective validation at each update.
- Full validation initially. Because this isn't a high risk application, I think a User Requirements document, a protocol with specified test scripts (per Randy's suggestions above), and a final report would suffice.
- Periodic review (e.g. monthly) to ensure changes pushed out by the service provider haven't broken the system. Ideally this could be done via an automated test script to minimise the effort involved (my next problem to figure out, hopefully it doesn't scupper the whole approach). And in line with the CSA guidance, no detailed reporting, just a simple record of the review would be filed.
- Full revalidation annually or when aware of major updates.
So if you're thinking of doing something similar, I hope this is of some help. And please let me know if you'd recommend anything different in the approach?