SaaS 101 for medtech regulatory professionals

Wendy Levine
May 31, 2023
SaaS 101 for medtech regulatory professionals

What is Software as a Service (SaaS)?

SaaS, or Software as a Service, is a software delivery model in which applications are hosted by software vendors and provided to users via the internet.  The use of SaaS software has skyrocketed in recent years, with an estimated 70% of business software being used falling into the SaaS category 2022.  

Also known as a “cloud” delivery model, SaaS solution providers either host the application and related data using their own servers and computing resources or use a cloud service provider, such as Amazon Web Services (AWS) or Microsoft Azure, to host the application in the provider's data center. The hosted application is then accessible to any device with a network connection and is usually accessed via a web browser.  

Many SaaS software systems use a multi-tenant architecture in which a single instance of the software serves many subscribers, or users. Customer data, while stored centrally, is logically separated to ensure security and prevent co-mingling of data. However, for software systems that require validation, such as regulatory information management systems, a single-tenant system can offer greater data security along with the flexibility for teams to fully validate software releases before adopting them.  

What are the benefits of Saas?

  • Reduced hardware costs – SaaS removes the need to install and maintain software locally, which reduces the cost of servers and related infrastructure.
  • Subscription payments – SaaS software is typically billed on a monthly or annual subscription basis. Not only does this allow companies to spread out the cost of the system, but a subscription model also allows for shorter commitment periods vs. a large up-front capital expenditure (CapEx vs OpEx). The SaaS model also holds software providers more accountable than other models given that the user has the option to cancel or not renew a SaaS subscription, leading to higher levels of service and support.  
  • Scalable usage – SaaS service providers automatically scale the resources needed to support users and can provide additional services or features on demand.
  • Seamless software maintenance – SaaS software can be automatically updated with new features and, when necessary, patched with bug fixes. While this simplifies software maintenance from the user’s end, users in the medtech industry should expect to be able to test and validate software updates before they are installed on their system.
  • Accessibility – Accessed via the Internet, SaaS solutions are available from almost any device in any location.
  • Reliability – Because SaaS solution providers have extensive resources, beyond what any individual company would normally have, SaaS software typically has very high reliability and availability in comparison to in-house systems.  
  • Security – SaaS solution providers deliver state-of-the-art security and privacy at a level that is difficult for individual companies to maintain.  

As a regulatory professional, what questions should I ask a SaaS vendor?

How are software updates managed?  

SaaS software providers generally install new features, bug fixes, and other updates automatically. However, medical device regulations, such as the FDA’s 21CFR Part 11 and EU’s MDR, require medtech companies to validate any software that they are using that is integral to their quality system or otherwise might affect the safety or efficacy of the devices which they manufacture.  

Therefore, a SaaS company providing solutions to the medtech industry should offer the ability for subscribers to review and validate software updates before they are installed. This is often done by providing a transition period during which the software vendor allows access to the new version of the software and the existing version. In addition, many software providers, such as Rimsys, will turn off new features by default and allow the user to enable the new feature if and when they want to begin using it. Be sure to understand what, if any, updates will be installed without this review period. Some software vendors will push small bug fixes and minor features automatically.  

Clients should be notified of any updates in a timely manner and, ideally, have access to a non-production version of the software for testing purposes. Be sure to understand how often updates will become available and how often those updates are expected to trigger a re-validation of the system. While every medtech organization will have their own specific policies on this matter, Rimsys communicates the expected impact on software validation of each new release, and the reasoning behind whether an update will or will not require a new validation.

Do you assist with software validation?

While software validation is ultimately the responsibility of the medtech company using the software, there is a lot that a software vendor can do to assist with this process. The software vendor should be able to provide documentation concerning the design, development, and testing of the systems that they are providing. In addition, some vendors will provide test cases that can be used by your own team to test and validate the software. These test cases significantly reduce the burden on the in-house validation team.  

SaaS vendors should also be able to provide medtech companies with their Computer Software Assurance (CSA) plan. In most cases, the FDA and similar regulatory agencies are looking for compliance with a CSA plan in lieu of the more onerous Computer System Validation (CSV) process that was traditionally followed in the past.

How do you handle data security?

This should be an easy question for any SaaS provider to answer. Whether the data is being hosted by a cloud service provider, such as AWS, or by the vendor themselves, there should be a documented data security plan. As part of that plan, the software vendor should be able to demonstrate how data is protected through physical and logical separation within the system and the application of robust encryption to the data both at rest and in transit. Additionally, the vendor should have a well-documented information security management system (ISMS), which can be further evaluated by third parties for adherence to SOC 2 Type 2 and ISO 27001.  

What is your uptime SLA?

SaaS providers should provide uptime guarantees in writing, typically within a Service Level Agreement (SLA). The majority of SaaS business software providers will offer uptime guarantees between 95% and 99%. For mission-critical solutions, such as RIM systems, expect guarantees at, or close to, 99%.

What happens to our data if we leave?

Because you are not storing your data locally, be sure to understand what will happen to your data if you choose to terminate your contract with a SaaS solution provider. You should be able to access your data after termination, download data prior to termination, or both. Ask if you will be charged for this.

Can I access and report on all of my data, all of the time?

It is important to know that you will be able to access all of your data at any point in time, especially during an audit or inspection. Can you create reports that reference any and all data fields in the system? Will older data be archived automatically at any point? Are there API’s available to allow other systems to access the data?

What are your fees based on?

SaaS companies can base their fees on a variety of factors, including data usage, number of users, and features used. Be sure to understand all of the factors that may affect your subscription fees now and in the future.

SaaS terms to know

  • SLA: An SLA is a “Service Level Agreement,” which serves as the contract defining what the SaaS vendor is providing and what the customer expects to receive. Among other things, the SLA will define uptime guarantees, what counts as downtime, the procedures followed in the case of a data breach, and how termination of the contract is handled.  
  • Uptime: Uptime is the percentage of time during which the SaaS software is operational and available to subscribers. The specifics of how uptime is measured should be part of the SLA. Downtime is the converse of uptime.
  • API: API, or Application Programming Interface, is a set of definitions and protocols provided by software applications to allow data sharing and integration between applications.
  • Module: A part of the software platform that is dedicated to a specific function and outcome. SaaS pricing is often organized around the purchase of one or multiple modules.  
  • Feature: Specific functionality in the software that comes together to achieve an outcome.  

Want to learn more about SaaS solutions for regulatory information management? Contact us to schedule a custom demonstration.

Similar posts

FDA’s Final Rule on LDTs: What manufacturers need to know
FDA’s Final Rule on LDTs: What manufacturers need to know
 Introducing Rimsys Intel: A Free, Centralized Global Regulatory Intelligence Hub for Medtech
Introducing Rimsys Intel: A Free, Centralized Global Regulatory Intelligence Hub for Medtech
Evolving global cybersecurity regulations: Challenges and opportunities for medtech teams
Evolving global cybersecurity regulations: Challenges and opportunities for medtech teams