Keeping your Cloud-Based eTMF in a Valid State

September 3, 2015

  • eTMF Resources

There are many advantages to organizations using a cloud-based solution for eTMF.  One significant benefit is realized when the vendor takes on responsibility for major portions of the validation process.  Vendors are generally responsible for Installation Qualification (IQ) and Performance Qualification (PQ) as they are responsible for infrastructure and installing.  Some vendors provide UAT packages that streamline the process of preparing and executing User Acceptance Test.

Wingspan is among the vendors who provide UAT packages.   We provide an extensive package that includes a User Requirements Specification, UAT Plan, UAT Scripts, and a template for a UAT Report.  We anticipated that this would be a big help to our clients in streamlining both their initial roll-out and subsequent upgrades (as with most cloud vendors, we issue new releases several times a year).

Furthermore, we (Wingspan) internally execute a UAT on our out of the box system, and provide our clients with the plan, executed scripts and final reports.  Sounds like everything should be covered!

Recently, we’ve realized that the whole concept of maintaining a cloud system in a validated state is new to many of our clients.  They often find it challenging to break away from the level of validation they have done in the past with custom systems or heavily configured products – or at least to justify to their QA group why they do not need to do the same type and level of validation they have done in the past.  In other words, it’s our job to ensure that our system has been tested against specifications and is free from defects.  It’s their job to ensure that the system, as configured for them, meets their users’ requirements.

To assist with focusing our clients’ resources where they are providing the most benefit, we’ve recently added a risk-based analysis tool that provides a framework for making decisions about the nature and extent of UAT that they will perform.  This tool allows a number of factors to be specified to determine the risk associated with each use case and its associated UAT script.  Some examples of factors that affect risk include:

  • Has the client enabled this functionality or is it still “turned off”?
  • Is the functionality new in this release?
  • Does the functionality affect a GCP process, or is it related to 21 CFR Part 11?
  • Is the functionality read-only or does it change documents or data?

Each of these factors is rated, and the result is an overall assessment of the risk associated with the functionality.  This will allow our clients to determine a strategy for testing the function.  This may range from do nothing/reference the vendor’s testing for a very low risk area to actually enhancing our test scripts for a very high risk area.

The benefit of this approach is that it is repeatable and creates a documented “paper trail” for the decisions that were made.  It can be incorporated into the UAT plan to provide justification for the specifics of the plan, and ultimately allows our clients to use less resources to produce higher quality results at a lower risk level.

Although we provide the risk analysis “pre-filled” for each release, the tool allows our clients to make their own decisions based on their risk tolerance.  For example, we might consider the fact that functionality is new to be a medium-low risk, but they may choose to regard it as a medium-high risk.

We’ll continue to ask our clients for feedback on how well this tool works for them as we work together towards achieving the highest levels of quality and compliance with the most efficient use of resources.

If you have any questions on our UAT approach or risk-based assessment tool, please contact us at