TWME8 Limited

iRIS Health Simulation Authoring Platform

iRIS is a unique web-based platform to help you design high quality health simulation scenarios and offer the best learning experience possible, as well as helping you get the best value from the investments you have made in manikins and other resources.


  • Standardised web development template for simulation scenarios
  • Step by step template and guidance to improve quality
  • Collaborative authoring
  • Develop a centralised repository of simulation scenarios
  • Sharing of simulation scenarios across departments and organisations
  • Access with any web browser on any device


  • Ensure scenarios are developed in a standardised, high quality manner
  • Reduce the time required for designing scenarios
  • Reduce the time and effort required to train colleagues
  • Build engagement with a wider range of clinicians
  • Drive interprofessional collaboration/sharing of content with other simulation professionals


£250 per user per year

Service documents


G-Cloud 11

Service ID

6 8 2 4 5 3 5 3 9 1 2 2 8 1 9


TWME8 Limited

Gary Taylor

07976 908934

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
System requirements
None. Only a web browser is required

User support

Email or online ticketing support
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Support is included to the administration team of iRIS. This is typically managed remotely. Onsite support is available from a consultant at a cost of £850 + VAT per day plus expenses at cost.
Support available to third parties

Onboarding and offboarding

Getting started
Each client signing up to iRIS receives support from the Product Management Team through a serious of online inductions. This includes supporting the client in the development of their first scenarios.
Service documentation
Documentation formats
End-of-contract data extraction
All scenarios can be explorted as Microsoft Word files
End-of-contract process
At the end of the contract exporting of scenarios is included. Contracts may be renewed. All access to the solution will be revoked on the date of expiry, but not permanently deleted for a period of 90 days to allow late renewal if required.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
None. iRIS is built using a responsive design.
Service interface
What users can and can't do using the API
IRIS utilises Microsoft SharePoint meaning that the SharePoint APIs are available to access the information held. This means that integration with other solutions is possible and we are happy to explore with clients.
API documentation
API sandbox or test environment
Customisation available


Independence of resources
IRIS is held on virtual servers with Rackspace to ensure that the solution can be easily scaled as required.


Service usage metrics
Metrics types
Metrics can be requested by clients to understand which users have accessed iRIS. The system automatically records and notifies teams of content changed by team members.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Scenarios can be exported by the user as Microsoft Word files
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
The target for 24/7 Service Availability is 99.00% of the time in any given month. The target for Service Hours availability is 99.5%.

Downtime exists when all or a significant number of customers are unable to access the application and is measured from the time the issue ticket is opened until the downtime condition as defined here no longer exists.

Service hours for this service are 8.30 to 17.30 on normal business working days (excluding bank holidays and public holidays).

Contract terms may be renegotiated if we failed to meet this level of availability
Approach to resilience
IRIS is hosted by Rackspace, within their SharePoint Cloud.

Rackspace are a Tier 4, ISO27001 compliant datacentre in the UK.

The technical resilience of the service is supported through:
• Use of an established data-­‐centre, Rackspace, registered to ISO27001
• Multiple data-­‐lines and ISPs to the data-­‐centre
• High specification Cloud server for the application and data.

Each night an image of the whole server is fully replicated to a second virtual server so this can be fully restored to another virtual server. This
is an automated process.

Each Sunday, an image of the whole server is fully replicated to a third
virtual server so this can be fully restored to another virtual server.
This is an automated process.

At any point in time there are therefore two complete images of the server
– a daily and the most recent weekly image. These two methods provide a
robust and secure backup process should a rebuild of the services ever be

Prior to software upgrades we take a full backup of the SharePoint Farm.
This enables complete recovery of a previous version if required.
Outage reporting
Clients will be notified of an outage by email from our support team in the event of any problems. We will always strive to rectify problems as soon as possible.

Identity and authentication

User authentication needed
User authentication
  • Username or password
  • Other
Other user authentication
We utilise SharePoint Claims Authentication
Access restrictions in management interfaces and support channels
Support is given administrators only and identity is confirmed via security questions.

Management interface access is restricted through a permissions model incorporated in to the iRIS solution. Access is via username and password using SharePoint Claims Authentication.
Access restriction testing frequency
At least once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
BSI accredited Rackspace. Certificate IS 636168
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Who accredited the PCI DSS certification
Visa accredited Rackspace
PCI DSS accreditation date
What the PCI DSS doesn’t cover
Other security certifications
Any other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
Security is included in all staff induction and regular briefings are held with all staff.

All staff credentials are recorded securely
Any breach is recorded in a security incident log
The log and improvement are reviewed quarterly
Information security policies and processes
All information security is overseen by Alex Clark, Managing Director and Product Director in collaboration with Rackspace, our ISP used for hosting. Information security policies form part of all staff inductions. Any breach is reported directly to Alex Clark.

All client data falls into two categories
Restricted – disclosure causes significant risk to clients and/or TWME8
Private – disclosure causes moderate risk to clients and/or TWME8
We are responsible for ensuring the security of data held
Access to systems:
- Auto-secure of unattended workstations
- Auto-secure of TFS Server
- User Authentication for each Developer
- All code changes tracked
- All versions of code maintained
- Rackspace – RDP Autosecure

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
A defined SDLC process is followed. All tasks are tracked and managed via project management software. Strict quality guidelines and followed for all aspects of the solution development process including development, Testing, code review, code management, etc. Code is managed and stored in Team Foundation Server with scheduled backups.

All client driven change requests are controlled and managed using Vivantio and Wrike is used for internal change requests. Before client server update, backups are taken to ensure complete reversibility in case of any unexpeceted issues.
Regular Daily and Weekly cloud servers backups are automated
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Logs are reviewed on a monthly basis to identify any potential threats. Should a vulnerability be detected, it is treated as urgent and prioritised over all other development and hotfixes issued as quickly as possible.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Logs are reviewed on a monthly basis to identify any potential threats. Should a vulnerability be detected, it is treated as urgent and prioritised over all other development and hotfixes issued as quickly as possible. Should an incident be identified or reported, we aim to respond to incidents within 4 hours.
Incident management type
Supplier-defined controls
Incident management approach
Whether incidents are internal or external, users are asked to complete our Incident Response Report Form which is then added to our Incident Log. Information captured includes a summary, notifications made and action taken.
For each incident there is a post incident analysis which generates a lessons learnt. Processes are then updated accordingly.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£250 per user per year
Discount for educational organisations
Free trial available

Service documents

Return to top ↑