Blog

Cloud Computing and Medical Device Software – Maintaining Validation

By Marion Lepmets, CEO of SoftComply* & Tom Stamp, CEO of Blue Curve

.

Cloud computing involves the delivery of computing as a service rather than a product. In a cloud computing solution, shared resources, software, and information are provided much like a utility, over a network to computers and other devices.
Three years ago Gartner predicted that by 2016 the use of cloud computing has grown to become the bulk of new IT spend as private cloud begins to give way to hybrid cloud and nearly half of large enterprises will have hybrid cloud deployments by the end of 2017.
“Virtualization, service orientation and the Internet have converged to sponsor a phenomenon that enables individuals and businesses to choose how they’ll acquire or deliver IT services, with reduced emphasis on the constraints of traditional software and hardware licensing models,” said Chris Howard, research vice president at Gartner. “Services delivered through the cloud will foster an economy based on delivery and consumption of everything from storage to computation to video to finance deduction management.”
How can medical device software developers and healthcare providers keep up with these trends and benefit from cloud computing while having to adhere to regulations that require full control over software products they use?
The recent release of the updated ISO standard for medical device quality assurance, ISO13485:2016, has again highlighted the requirement to validate software tools to be used for QMS purposes. This is also recommended practice within the FDA GXP framework.
Whilst there is a variance in understanding and practice across industry when it comes to QMS software validation, the core principles are quite simple:
a) Identify the items under validation (or to be validated)
b) Undertake the validation activities
c) Control and monitor the same items after closure of the validation activities.
The continued rise in the use of cloud-based and SaaS (software as a service) tools adds further challenges to this landscape. The features, configuration and settings of externally managed software systems can (and usually do) change with little if any notification at all to the users. Furthermore, these changes can happen so frequently that it is practically impossible for users with a regulated QMS environment to keep track of them, let alone keep their validation status up to date.
However there are also many benefits to using cloud-based tools such as lower effort and cost to develop and maintain tools; and constant and timely cybersecurity updates – which are increasingly important.
A traditional approach to QMS software validation in this situation has been to control the vendor of the software tool to ensure that adequate procedures are in place to manage changes appropriately. The changing tide of cloud-based solution tools and their Agile development has made this approach increasingly impractical due to the speed of the feature update cycle. Additionally, most of the developers of these tools do not have a Quality Management System in place that would meet the requirements of medical device regulations. This is evident when these tool providers may not be keen to provide their users with significant assurance regarding the change process nor be willing to be audited themselves.
Where available, the use of a private server-based solution of these tools simplifies the outlined issues enormously. The user has complete control over the version and configuration of the software tool, as well as the timing and implementation of udpates. This also leads to improved opportunities for maintaining QMS system validation. On the other hand, this approach comes with the overhead of having to manage the software, and in the case of hosting the server on site, also managing the server itself.
SoftComply provides both cloud-based and server-based software tools to assist in various aspects of QMS provision & medical device regulatory compliance. These tools sit within the Atlassian software platform as add-ons for JIRA and Confluence.
Some companies, particularly the smaller ones, may still opt for externally managed cloud-based tools but how can they ensure compliance without sufficient controls over the vendor?
Here are a few ways to ensure a minimum level of compliance with medical device regulations when using cloud-based tools such as the SoftComply Risk Manager:
1. Verification or Validation?
If the output of the tool can be comprehensively verified, then it may not be necessary to have a stringent validation. An example of this can be demonstrated with the use the SoftComply Risk Manager. Using this tool, risk tables and risk matrices can be exported to common file formats, printed and manually reviewed and approved, or managed through other software tools (e.g. a server-based instance of Confluence SoftComply eQMS with additional e-signatures module).
2. Integrity checks
With many Atlassian tools it is possible to implement custom, automated test routines that periodically (e.g. daily or manually prompted) check the key functionalities of the software tools. Other common tools such as Python or Javascript also provide easy to use test automation. If properly designed and validated, these automated test tools can provide sufficient evidence to demonstrate the required control over the software tool.

* SoftComply is a developer of Cloud and Server based tools that help companies manage their software risks and implement their quality systems in compliance with medical device software regulations. www.softcomply.com This article has been co-published on the SoftComply Website Blog: http://www.softcomply.com/blog/