Enterprise System Spectator blog: ERP and enterprise system vendor evaluation, selection, and implementation.

The Enterprise System Spectator

Wednesday, August 05, 2009

FDA still enforcing regulations for validation of enterprise software

IT organizations in the medical device industry take note. A business associate calls my attention to a recent U.S. Food and Drug Administration (FDA) warning letter to a medical device firm for "failure to validate computer software for its intended use" under 21 CFR § 820.70(i). The systems in question are based on packaged enterprise software. The letter is a reminder that when such systems are implemented in regulated industries, it is incumbent on the user organization to ensure that such use is validated.

This is all in the public record, so I have no problem providing the specifics.

The letter, dated May 29, 2009, is addressed to UltraRad Corporation, a provider of picture archiving and communication systems (PACS). PACS are regulated by FDA as medical devices, because they are "intended for use in the diagnosis of disease or other conditions or in the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or function of the body." As a medical device, UltraRad's products must comply with the Quality System Regulation (21 CFR Part 820) or QSR for short.

The Violation
FDA's warning letter, based on an inspection carried out in February and March of this year, points to a number of violations of the QSR. From the perspective of enterprise software, however, the most interesting citation is the one concerning software validation:
4. Failure to validate computer software for its intended use according to an established protocol when computers or automated data processing systems are used as part of production or the quality system as required by 21 CFR § 820.70(i). This was a repeat violation from a previous FDA-483 that was issued to your firm. For example:
A) Your firm uses off-the-shelf software (HEAT Help Desk) to manage customer support service calls and to maintain customer site configuration information; however, your firm failed to adequately validate this software in order to ensure that it will perform as intended in its chosen application. Specifically, your firm's validation did not ensure that the details screen was functioning properly as intended. The details screen is used to capture complaint details and complaint follow-up information which would include corrective and preventative actions performed by your firm when service calls are determined to be CAPA issues.

B) Off-the-shelf software (Microsoft SharePoint) is being used by your firm to manage your quality system documents for document control and approval. However, your firm has failed to adequately validate this software to ensure that it meets your needs and intended uses. Specifically, at the time of this inspection there were two different versions of your CAPA & Customer Complaint procedure, SOP-200-104; however, no revision history was provided on the SharePoint document history. Your firm has failed to validate the SharePoint software to meet your needs for maintaining document control and versioning.

Implications for IT
Note that the two software packages--HEAT and SharePoint--are widely implemented across various industries. HEAT, from Front Range Solutions, is a commonly-used system for help desk support. SharePoint, of course, is Microsoft's collaboration and content management server. Neither of these systems is specific to the medical device industry. As such, IT professionals--especially those without a background in regulatory affairs--may not recognize the risk they incur when implementing these systems in a regulated environment. In fact, the software vendors themselves may be unfamiliar with the compliance needs of their customers in regulated industries.

One common misunderstanding is that the customer's responsibility for compliance can be met by the vendor somehow "validating" its software. Vendor claims notwithstanding, vendors cannot sell you "compliant software" or "FDA validated software." Terms like this in vendor marketing literature should be a red flag that the vendor does not have a clue.

Technically, it is not the software itself that is validated; it is the software in its intended use that should be validated. One customer may be using the software in a way that is altogether inappropriate in a regulated environment, while another customer may be using the software in a way that fits its intended use. Although a software vendor can support its customers' compliance--by providing evidence of software quality, for example--ultimately it is the responsibility of the user of the system to ensure that the system itself, and how it is implemented and used, are appropriate. UltraRad, according to the FDA warning letter, failed to do so.

FDA warning letters citing failure to validate commercial off-the-shelf software (COTS) are not an everyday occurrence. This one, which so clearly cites this violation, is a good reminder of the responsibility of regulated organizations that implement such systems.

For more guidance on this subject, see Validation of Software for Regulated Processes (TIR-36) from the Association for the Advancement of Medical Instrumentation (AAMI). I served on the AAMI committee that wrote this report in 2007, and it provides a good overview and recommendations to industry on an approach to comply with FDA regulations for these types of systems.

Related posts
Turning software validation into a meaningful exercise
A quality systems view of 21 CFR Part 11
Oracle unveils new electronic signature functionality for FDA regulated manufacturers
FDA finalizes guidance for 21 CFR Part 11
FDA drops the other shoe on Part 11
FDA signals change in approach to Part 11
Possible solution for FDA electronic record audit trail compliance
Business success is more than regulatory compliance
Buzzword alert: "Part 11 compliance"

by Frank Scavo, 8/05/2009 03:44:00 PM

 Reader Comments:

I wonder what the new commissioner's announcement on Thursday (tomorrow) will lead to for reinvigorating compliance. Will Part 11 be back at full strength before long?

=== One common misunderstanding is that the customer's responsibility for compliance can be met by the vendor somehow "validating" its software. Vendor claims notwithstanding, vendors cannot sell you "compliant software" or "FDA validated software." ===

Does this imply that Open Source(tm) software is not at as much of a disadvantage in the medical marketplace as is often assumed? If an entity designs and executes its own validation tests against an Open Source product, is the resulting system then acceptable under the regulations?

Beltway: my own opinion is that FDA has many issues to deal with that are much higher profile than Part 11 compliance. I don't think appointment of a new commissioner changes that.
Sphealey: I like your question.

I don't know that FDA has taken a position on open source, per se. If anyone knows more about this, I would welcome the feedback.

In the meantime, I don't see why open source would be a disadvantage in terms of suitability in an FDA-regulated environment. This assumes that the user does a proper risk assessment up front, that the system is validated to ensure that it is fit for its intended use, and that the system is under strict configuration management to ensure that all changes to the system are controlled. This is needed regardless of whether the software is open source or proprietary.

(c) 2002-2018, Frank Scavo.
