Cloud-Based SaaS Tools & Software Validation Compliant with Medical Device Regulations

November 16, 2016

The continued rise in the use of cloud-based and SaaS (software as a service) tools adds further challenges to the already complex domain of medical device software development that needs to adhere to regulations. How can medical device software developers and healthcare providers benefit from cloud computing while being compliant with regulations that require full control over the software products they use?

The features, configuration and settings of externally managed cloud-based software systems can (and usually do) change with little if any notification to the users. Furthermore, these changes can happen so frequently that it is practically impossible for users with a regulated QMS environment to keep track of them, let alone keep their validation status up to date. However, there are also many benefits to using cloud-based tools, such as lower effort and cost to develop and maintain tools, and constant and timely cybersecurity updates, which are increasingly important.

A traditional approach to QMS software validation in this situation has been to control the vendor of the software tool to ensure that adequate procedures are in place to manage changes appropriately. The changing tide of cloud-based solution tools and their Agile development has made this approach increasingly impractical due to the speed of the feature update cycle. Additionally, most of the developers of these tools do not have a Quality Management System in place that would meet the requirements of medical device regulations. This becomes evident when these tool providers are reluctant to give their users significant assurance regarding the change process or to be audited themselves.

Where available, the use of a private server-based solution of these tools simplifies the outlined issues enormously. The user has complete control over the version and configuration of the software tool, as well as the timing and implementation of updates. This also leads to improved opportunities for maintaining QMS system validation. On the other hand, this approach comes with the overhead of having to manage the software, and in the case of hosting the server on site, also managing the server itself.

SoftComply provides both cloud-based and server-based software tools to assist in various aspects of QMS provision & medical device regulatory compliance. These tools sit within the Atlassian software platform as add-ons for JIRA and Confluence.

Some companies, particularly the smaller ones, may still opt for externally managed cloud-based tools, but how can they ensure compliance without sufficient controls over the vendor?

Here are a few ways to ensure a minimum level of compliance with medical device regulations when using cloud-based tools such as the SoftComply Risk Manager:

1. Verification or Validation?

If the output of the tool can be comprehensively verified, then it may not be necessary to have a stringent validation. An example of this can be demonstrated with the use of the SoftComply Risk Manager. Using this tool, risk tables and risk matrices can be exported to common file formats, printed and manually reviewed and approved, or managed through other software tools (e.g. a server-based instance of Confluence SoftComply eQMS with additional e-signatures module).

2. Integrity checks

With many Atlassian tools it is possible to implement custom, automated test routines that periodically (e.g. daily or manually prompted) check the key functionalities of the software tools. Other common tools such as Python or JavaScript also provide easy-to-use test automation. If properly designed and validated, these automated test tools can provide sufficient evidence to demonstrate the required control over the software tool.
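
One way such a periodic integrity check could look in Python, as an added example that is not SoftComply or Atlassian code: it compares an exported risk table against approved reference cases and returns an evidence record containing a hash of the export. The CSV column names, the reference cases and the risk class labels are assumptions made for illustration, and fetching the export from the tool is out of scope.

```python
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Approved reference cases (constructed): id -> (severity, probability, expected class).
# In practice these would be test risks kept in the tool and approved under the QMS.
REFERENCE = {
    "REF-1": ("5", "5", "High"),
    "REF-2": ("3", "2", "Medium"),
    "REF-3": ("1", "1", "Low"),
}

def check_export(export_text, now=None):
    """Compare a CSV export with the reference cases and return an evidence record."""
    rows = {r.get("id"): r for r in csv.DictReader(io.StringIO(export_text))}
    deviations = []
    for rid, expected in REFERENCE.items():
        row = rows.get(rid)
        if row is None:
            # A reference risk that disappeared is itself a change to investigate.
            deviations.append({"id": rid, "problem": "missing from export"})
            continue
        actual = (row.get("severity"), row.get("probability"), row.get("risk_class"))
        if actual != expected:
            deviations.append({"id": rid, "problem": "mismatch",
                               "expected": list(expected), "actual": list(actual)})
    return {
        "checked_at": (now or datetime.now(timezone.utc)).isoformat(),
        # The hash ties this record to the exact export that was reviewed.
        "export_sha256": hashlib.sha256(export_text.encode("utf-8")).hexdigest(),
        "cases_checked": len(REFERENCE),
        "deviations": deviations,
        "result": "PASS" if not deviations else "FAIL",
    }

# Constructed sample exports: one unchanged, one where the tool's output has drifted.
GOOD_EXPORT = ("id,severity,probability,risk_class\n"
               "REF-1,5,5,High\nREF-2,3,2,Medium\nREF-3,1,1,Low\n")
CHANGED_EXPORT = ("id,severity,probability,risk_class\n"
                  "REF-1,5,5,High\nREF-2,3,2,Low\n")

if __name__ == "__main__":
    for name, text in (("good", GOOD_EXPORT), ("changed", CHANGED_EXPORT)):
        print(name, json.dumps(check_export(text), indent=2))
```

Each returned record can be stored as dated evidence of the check, and a FAIL result is the trigger to review what changed in the tool.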
