Software As A Service (SaaS): Is outsourcing IT a Good Idea?

  • Date: May 14, 2010
  • Source: By David Nettleton, FDA Compliance Specialist, Computer System Validation


For more than a decade, companies have added more and more computer systems and productivity has steadily increased. Today, the state of the economy exerts pressure to reduce costs and downsize the workforce. This includes the once sacred Information Technology (IT) budget.

Outsourcing now affects every area of a company. Server rooms have become bloated with multiple servers for each system environment: production, testing, training, and development. Server rooms require ample physical space, a great deal of electricity, a 24/7 monitoring staff and disaster recovery safeguards. Perhaps outsourcing IT would be a viable solution; but is IT outsourcing the answer?

Several years ago, software vendors tried to help their customers by employing the Application Service Provider (ASP) model. The software vendor hosts the application and users connect remotely. Since the software vendor needs to continually maintain and upgrade the software, IT was quick to support this model. It seemed like a good idea and the cost estimate was about the same as having IT host the servers within the company. In many cases, what actually happened was less than ideal. These are the questions or points to be addressed:

  • Do software vendors excel at hosting servers and providing IT services?
  • Do software vendors do the best job of controlling maintenance and upgrades to software applications used in GxP and other critical applications?

With the software vendor controlling the software and the hosting, systems were constantly changing which caused breakdowns and work disruptions. The FDA and other regulatory groups audited many of the ASP systems and found compliance was poor. There are no guarantees of passing an FDA inspection with non-regulated software vendors. Many companies neglected to inspect the ASP, as they did their own internal IT departments. A regulated company, when outsourcing, still carries 100 percent of the responsibility and liability with respect to regulatory compliance. Perhaps out of sight out of mind is the thinking.

Almost all of the ASP models failed and were stopped or evolved into a third party hosting model. In this model, another company hosts the servers in a location separate from the software vendor. The questions and points are the same:

  • Are third parties the best at providing IT services and hosting servers?
  • Do third parties excel in controlling the software vendors who maintain and upgrade software applications used in GxP and other mission critical applications?

This third party hosting model definitely cost more than the previous two tier model, but the systems were changing and breaking less. There still were work disruptions, but they were less frequent. When audited by the FDA and other regulatory groups, compliance was still found to be poor. The regulated companies still didn’t inspect the third party host, as they did their own internal IT departments.

Today, we have a third evolution of the hosting model called Software As A Service (SaaS). This is a three tier approach which often costs considerably more than the internal IT system. The term ASP has been re-branded to SaaS and at first look seems to have great potential. SaaS is purported to have these characteristics: a vault-like data center rife with redundancy, outstanding staff monitoring the servers, secure backup, immediate hardware maintenance, and logical and physical security. Despite the vastly improved model, the regulated companies still do not do their due diligence and perform inspections of the host. The host company is a surrogate IT department and as such, the same regulatory requirements apply. Take a closer look at these host companies:

  • Do they have Standard Operating Procedures and documented training?
  • Do they test their disaster recovery processes?

Most companies are easily impressed by the claims found in the SaaS marketing materials, especially the offering of redundant servers and alternate locations in other cities. Many companies think the SaaS software runs in a cluster – or cloud – so that a failure of their server will be taken over by another. Often, these companies are not advised that there is an additional expense for this and other features, such as automatic failover to another server at an alternate datacenter.

How does the SaaS model actually control how the software vendor maintains and updates the software? Controlling software versions is relatively simple when the servers are in the local IT server room. However, this is not the case in the ASP and SaaS models.

In practice, SaaS really only works well when the users of the software control the hosting service separately from the software vendor. When the servers were located in the local server room, it was the users of the software that controlled upgrades. It is obviously more difficult to control a remote host than a local host reporting to the same management as yourself. Again, is outsourcing and SaaS really the best solution?

Where can SaaS be of benefit? When there isn’t a mature IT infrastructure and mission critical applications are in use, SaaS seems to have the potential for immediate improvement. However, the end users of the application must manage the software vendor and host properly. If the IT infrastructure is already in place, technologies like VMware can be used to eliminate most of the physical servers and provide failover redundancy at a lower cost and with more control.

There is really not much difference between outsourcing IT and any other kind of outsourcing. The caveat “Buyer Beware” applies. Compliance is almost always more difficult when multiple non-regulated companies are involved. If cost is the primary concern, why do these companies often invest and spend more dollars on SaaS solutions? Why not invest in their own IT departments? In the final analysis, it is essential for these companies to control their intellectual property, data, and documents – any and all information that is the core of their business.

In the past couple of years I worked on more than a dozen SaaS projects. I have found little regulatory compliance originating from the hosting companies. The regulated companies purchasing these services demonstrated little compliance too. That is, they did not perform inspections of the software implementations nor did they have system change control methods in place. In many cases SaaS was chosen without the involvement of local IT.

In my opinion, SaaS was being utilized to relinquish responsibility, which is completely contrary to regulatory requirements. A company cannot transfer liability to a hired third party. Outsourcing IT is not a fad that will quickly fade. My experience is: regulated companies who get into big trouble and don’t pass audits will be forced to put processes in place that ensure the third party is delivering the equivalent of what they would have from their own internal IT departments. Time will tell if it really was worth outsourcing IT at all.

During this same period of time VMware implementations grew dramatically. The cost savings, local control, and continued regulatory compliance suggest it beats SaaS for most regulated applications. Now that Microsoft has the Hyper-V virtualization product, I think the race is on. I’m excited to be working on both sides and learning something new about these solutions every day.

About the author

Computer System Validation’s principal, David Nettleton, is an industry leader, author, and teacher for 21 CFR Part 11, Annex 11, HIPAA, software validation, and computer system validation. He is involved with the development, purchase, installation, operation and maintenance of computerized systems used in FDA compliant applications. He has completed more than 192 mission critical laboratory, clinical, and manufacturing software implementation projects. His most popular book is Risk Based Software Validation – Ten Easy Steps (Davis Horwood International and PDA, 2006), which provides fill-in-the-blank templates for completing a COTS software validation project.

Services are available to guide companies to create and maintain the systems and procedures required to pass regulatory audits: product features, vendor audits, software validation, SOPs, training, gap analysis, remediation plans, and project management.

Projects involve: medical devices, blood bank, clinical trial, corrective action, document control, electronic data capture, Excel spreadsheets, laboratory instruments, laboratory information management (LIMS), manufacturing, enterprise resource planning, toxicology systems, and VMware.

David Nettleton is also the co-author of:

Managing the Documentation Maze – Answers to Questions You Didn’t Even Know to Ask
(Wiley, 2010);

Electronic Record Keeping: Achieving and Maintaining Compliance with 21 CFR Part 11 and 45 CFR Parts 160, 162, and 164
(Interpharm/CRC, 2004);

Commercial Off-the-Shelf (COTS) Software Validation for 21 CFR Part 11 Compliance
(Davis Horwood International and PDA, 2003).
