The continued rise in the use of cloud-based and SaaS (software as a service) tools adds further challenges to the already complex domain of medical device software development that needs to adhere to regulations. How can medical device software developers and healthcare providers benefit from cloud computing while being compliant with regulations that require full control over the software products they use?
The features, configuration and settings of externally managed cloud-based software systems can (and usually do) change with little if any notification at all to the users. Furthermore, these changes can happen so frequently that it is practically impossible for users with a regulated QMS environment to keep track of them, let alone keep their validation status up to date. However there are also many benefits to using cloud-based tools such as lower effort and cost to develop and maintain tools; and constant and timely cybersecurity updates – which are increasingly important.
A traditional approach to QMS software validation in this situation has been to control the vendor of the software tool to ensure that adequate procedures are in place to manage changes appropriately. The changing tide of cloud-based solution tools and their Agile development has made this approach increasingly impractical due to the speed of the feature update cycle. Additionally, most of the developers of these tools do not have a Quality Management System in place that would meet the requirements of medical device regulations. This is evident when these tool providers may not be keen to provide their users with significant assurance regarding the change process nor be willing to be audited themselves.
Where available, the use of a private server-based solution of these tools simplifies the outlined issues enormously. The user has complete control over the version and configuration of the software tool, as well as the timing and implementation of udpates. This also leads to improved opportunities for maintaining QMS system validation. On the other hand, this approach comes with the overhead of having to manage the software, and in the case of hosting the server on site, also managing the server itself.
SoftComply provides both cloud-based and server-based software tools to assist in various aspects of QMS provision & medical device regulatory compliance. These tools sit within the Atlassian software platform as add-ons for JIRA and Confluence.
Some companies, particularly the smaller ones, may still opt for externally managed cloud-based tools but how can they ensure compliance without sufficient controls over the vendor?
Here are a few ways to ensure a minimum level of compliance with medical device regulations when using cloud-based tools such as the SoftComply Risk Manager:
1. Verification or Validation?
If the output of the tool can be comprehensively verified, then it may not be necessary to have a stringent validation. An example of this can be demonstrated with the use the SoftComply Risk Manager. Using this tool, risk tables and risk matrices can be exported to common file formats, printed and manually reviewed and approved, or managed through other software tools (e.g. a server-based instance of Confluence SoftComply eQMS with additional e-signatures module).
2. Integrity checks
With many Atlassian tools it is possible to implement custom, automated test routines that periodically (e.g. daily or manually prompted) check the key functionalities of the software tools. Other common tools such as Python or Javascript also provide easy to use test automation. If properly designed and validated, these automated test tools can provide sufficient evidence to demonstrate the required control over the software tool.
