Cloud-Based SaaS Tools & Software Validation Compliant with Medical Device Regulations

November 16, 2016

The continued rise in the use of cloud-based and SaaS (software as a service) tools adds further challenges to the already complex domain of medical device software development that needs to adhere to regulations. How can medical device software developers and healthcare providers benefit from cloud computing while being compliant with regulations that require full control over the software products they use?

The features, configuration and settings of externally managed cloud-based software systems can (and usually do) change with little, if any, notification to the users. Furthermore, these changes can happen so frequently that it is practically impossible for users with a regulated QMS environment to keep track of them, let alone keep their validation status up to date. However, there are also many benefits to using cloud-based tools, such as lower effort and cost to develop and maintain tools, and constant and timely cybersecurity updates, which are increasingly important.

A traditional approach to QMS software validation in this situation has been to control the vendor of the software tool to ensure that adequate procedures are in place to manage changes appropriately. The changing tide of cloud-based tools and their Agile development has made this approach increasingly impractical due to the speed of the feature update cycle. Additionally, most of the developers of these tools do not have a Quality Management System in place that would meet the requirements of medical device regulations. This becomes evident when these tool providers are not keen to give their users significant assurance regarding the change process or are unwilling to be audited themselves.

Where available, a private server-based installation of these tools simplifies the outlined issues enormously. The user has complete control over the version and configuration of the software tool, as well as the timing and implementation of updates. This also leads to improved opportunities for maintaining QMS system validation. On the other hand, this approach comes with the overhead of having to manage the software, and in the case of hosting the server on site, also managing the server itself.

SoftComply provides both cloud-based and server-based software tools to assist in various aspects of QMS provision & medical device regulatory compliance. These tools sit within the Atlassian software platform as add-ons for JIRA and Confluence.

Some companies, particularly the smaller ones, may still opt for externally managed cloud-based tools, but how can they ensure compliance without sufficient controls over the vendor?

Here are a few ways to ensure a minimum level of compliance with medical device regulations when using cloud-based tools such as the SoftComply Risk Manager:

1. Verification or Validation?

If the output of the tool can be comprehensively verified, then it may not be necessary to have a stringent validation. An example of this can be demonstrated with the use of the SoftComply Risk Manager. Using this tool, risk tables and risk matrices can be exported to common file formats, printed and manually reviewed and approved, or managed through other software tools (e.g. a server-based instance of Confluence SoftComply eQMS with additional e-signatures module).

2. Integrity checks

With many Atlassian tools it is possible to implement custom, automated test routines that periodically (e.g. daily or manually prompted) check the key functionalities of the software tools. Other common tools such as Python or JavaScript also provide easy-to-use test automation. If properly designed and validated, these automated test tools can provide sufficient evidence to demonstrate the required control over the software tool.
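One way such a routine could look in Python, combining output verification with a repeatable integrity check. This is an added example, not SoftComply's code: the CSV column names, the 3x3 approved matrix and the sample rows are constructed assumptions, not the Risk Manager's actual export format.

```python
import csv
import hashlib
import io
import json

# Hypothetical approved risk matrix from the QMS: (severity, probability) -> class.
APPROVED_MATRIX = {
    (1, 1): "Low", (1, 2): "Low", (1, 3): "Medium",
    (2, 1): "Low", (2, 2): "Medium", (2, 3): "High",
    (3, 1): "Medium", (3, 2): "High", (3, 3): "High",
}

# Constructed sample export; the column names are assumptions.
SAMPLE_EXPORT = """id,hazard,severity,probability,risk_class
R-1,Incorrect dose displayed,3,2,High
R-2,Alarm volume too low,2,2,Medium
R-3,Battery indicator lag,1,3,Low
R-4,Data sync timeout,4,1,Medium
"""

def verify_export(csv_text, matrix=APPROVED_MATRIX):
    """Return (row id, problem) for every row that disagrees with the matrix."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rid = row.get("id")
        try:
            key = (int(row["severity"]), int(row["probability"]))
        except (KeyError, TypeError, ValueError):
            findings.append((rid, "missing or non-numeric rating"))
            continue
        expected = matrix.get(key)
        if expected is None:
            findings.append((rid, f"rating {key} outside approved matrix"))
        elif row.get("risk_class") != expected:
            findings.append((rid, f"expected {expected}, tool reported {row.get('risk_class')}"))
    return findings

def evidence_record(csv_text, checked_at):
    """Build a record for the validation file: what was checked, when, result."""
    findings = verify_export(csv_text)
    return {
        "checked_at": checked_at,
        "export_sha256": hashlib.sha256(csv_text.encode("utf-8")).hexdigest(),
        "result": "pass" if not findings else "fail",
        "findings": findings,
    }

if __name__ == "__main__":
    # Constructed timestamp; a scheduler would supply the real one.
    print(json.dumps(evidence_record(SAMPLE_EXPORT, "2024-01-01T06:00:00Z"), indent=2))
```

Run on a schedule against a fixed set of reference risks, a failing record signals that the hosted tool's behaviour has drifted from the validated baseline; the stored hash ties each result to the exact export that was checked.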
