Assessing SaaS Vendors in Clinical Research: Best Practices to Ensure Compliance

Contributed by:

Anu Virkar, VP, Quality and Compliance, Merge, an IBM Company, eClinical Division

NOTE: The content below contains the first few paragraphs of the printed article and the titles of the sidebars and boxes, if applicable.

As the adoption of digital technology such as cloud-based data capture and management in clinical research has increased, regulatory audits, and therefore preparation for them, have grown in scope and complexity. This trend, coupled with the expansion of trials across time zones and languages, has made it more critical than ever that sponsors, research organizations, and sites understand from the start how to manage compliance and audit preparation.

The roots of the cloud-based model (also known as “Software as a Service”, or SaaS) stretch back to the 1960s when IBM and other mainframe companies offered shared computing capabilities and data storage. As the Internet expanded in the 1990s, Application Service Providers (ASPs) emerged that provided hosting and managed business applications through a more cost-efficient centralized model. That concept matured into today’s SaaS model in which centrally hosted software is licensed for use on a subscription basis and accessed via Web-enabled devices.

Risks and Rewards

Two key benefits of the SaaS model are 24/7/365 access to trial data and centralized updates, so researchers can use the most current software releases. SaaS applications also are scalable and configurable so clients can tailor the software to their needs, workflows and operational growth.

These benefits, however, do not come without risks. Because the research sector is so highly regulated, SaaS exposes a sponsor to risks that are rarely present when data sets are managed onsite in closed platforms; chief among these is that the sponsor hands custody of its data to a third party whose infrastructure, staff, security practices and software update schedule it does not control.

The ability to access the software and data from any Web-enabled device also limits a sponsor’s control over what, when, where, how and by whom those devices are used. Login security, access to audit trails, data recovery and data storage cannot be managed directly in a cloud-based environment and must instead be assured through the vendor’s controls and the sponsor’s oversight of them.

Who Owns the Compliance Burden?

Wherever its data are hosted, however, the sponsor is ultimately responsible for ensuring the system is validated, compliant, and performs as intended in a GxP-regulated environment. Because regulators typically do not directly oversee or inspect SaaS vendors, sponsors must audit current and potential vendors themselves.

The sponsor must be prepared to demonstrate that the SaaS application and the data management process and workflows meet all applicable standards. Strict SOPs must be in place to manage data collection, entry, access and reporting, and all software users must be fully trained on the system’s use and security measures.

Evaluation Criteria

When assessing SaaS vendors for clinical data management, it is important to know how many of their current clients are running GxP applications, what their experience has been, and whether validated templates for the hosted application(s) are available. Be sure to identify which companies offer 24/7/365 technical support — including design assistance, testing and troubleshooting — in the languages you need, and determine whether their staff are fully trained and qualified.

Other questions to ask when assessing a SaaS vendor include:

Where will data be stored and processed?
If the vendor uses a third-party data center, can it be audited and what access will you have?
What physical and electronic security is in place? How and when was it last verified?
Are all software changes documented and analyzed for risk to live systems?
What process exists to allow for user acceptance testing (UAT) prior to release?
Are staff trained on HIPAA, protected health information (PHI) handling, and security standards?
Are data communications encrypted in transit, and are stored user credentials protected (hashed rather than kept in a recoverable form)?
Are recent SSAE 16 audit reports available? (SAS 70 reports, which SSAE 16 replaced in 2011, are out of date; note also that an SSAE 16/SOC 1 report covers controls relevant to financial reporting, so ask specifically for a report that addresses the vendor’s security controls.)
How are clients’ data sets and applications isolated from one another?
What are the vendor’s data backup procedures, and how often are restores tested?
What is the vendor’s crisis response/recovery plan?
Will your data remain secure and accessible in the event of a contract dispute or termination?
How much experience has the vendor team had with regulatory audits?

If possible, sponsors should conduct onsite audits to assess vendors’ systems and operations and verify the answers provided in the pre-qualification stage. Any provider that cannot properly answer compliance questions, will not produce required documentation, or refuses to allow an audit should be disqualified immediately.

Leveraging the power of IT to meet regulatory requirements is not only good for compliance, it is good business practice. To avoid compliance issues down the road, however, sponsors should expect their SaaS vendors to demonstrate the same levels of experience, expertise and commitment to compliance as they have themselves. (PV)

The eClinical division of Merge Healthcare, an IBM Company, is a leading provider of cloud-based software solutions for the clinical research industry. Our flagship products include eClinicalOS (eCOS) and CTMS for Investigators (CTMSi).