SaaS

SaaS (Software as a Service) is a software delivery and licensing model in which an application is hosted by an external provider and accessed by users over a network, most often through a web browser. The provider operates and maintains the underlying infrastructure, platform, and application, and customers typically pay via a subscription model.

In industrial and regulated manufacturing environments, SaaS can include systems such as quality management tools, MES extensions, data historians, maintenance systems, supplier portals, document control solutions, or analytics platforms that run in a provider’s cloud rather than on local infrastructure.

Key characteristics

• Hosted by a provider: The vendor manages servers, storage, networking, basic security controls, and application updates.
• Network access: Users connect over the internet or private links, commonly through a browser or light client.
• Multi-tenant or single-tenant: Many SaaS offerings share infrastructure among customers, while some provide isolated environments.
• Subscription-based: Pricing is commonly per user, per site, or based on usage, with ongoing fees for access and support.
• Configuration over customization: Customers usually configure features and workflows rather than modifying source code.

Operational meaning in manufacturing

When used in manufacturing operations and regulated environments, SaaS is treated as part of the overall production and quality system landscape. Typical considerations include:

• System boundaries: Defining what parts of a process are executed in the SaaS application versus on-premises OT/IT systems.
• Integration: Exchanging data with MES, ERP, LIMS, equipment controllers, or data lakes via APIs or connectors.
• Validation and lifecycle control: Treating the SaaS application as part of the validated stack, with controlled changes, documented testing, and configuration management as appropriate to the regulated process.
• Access control and identity: Integrating with enterprise identity providers (e.g., SSO) and enforcing role-based access aligned with plant and quality procedures.
• Data residency and retention: Ensuring manufacturing and quality data stored in the SaaS environment meet internal and regulatory requirements for location, retention, and retrieval.

SaaS and security / control frameworks

In the context of security and compliance frameworks such as NIST SP 800-53, SaaS is typically addressed through a shared responsibility model. The SaaS provider implements and documents certain technical and organizational controls, while the customer organization remains responsible for how the service is configured, used, integrated, and governed.

For regulated manufacturing, this often includes:

• Identifying which controls are implemented by the SaaS provider and which must be implemented by the customer.
• Obtaining evidence from the provider (for example, security reports or contractual commitments) to support inherited controls.
• Defining internal procedures for user management, data classification, incident handling, and change control related to the SaaS application.

Common confusion

• SaaS vs. on-premises software: On-premises software is installed and operated on infrastructure controlled by the customer. SaaS is operated by the provider and accessed remotely.
• SaaS vs. IaaS/PaaS: Infrastructure as a Service (IaaS) provides raw compute, storage, and networking; Platform as a Service (PaaS) provides managed runtimes and databases. SaaS provides a complete application, with limited need for the customer to manage underlying infrastructure or runtime components.
• SaaS vs. private cloud hosting: Hosting a traditional application in a cloud environment does not automatically make it SaaS. SaaS implies a provider-operated, service-oriented offering, not just the use of cloud infrastructure.

Context in regulated manufacturing

In regulated manufacturing, SaaS applications that support production, quality, maintenance, or data analysis are typically handled as part of the validated and governed system landscape. Organizations define clear responsibilities with the SaaS provider, manage integrations with plant systems, and maintain documentation and evidence to demonstrate how the SaaS service is controlled over its lifecycle.