IT organizations in the medical device industry take note. A business associate calls my attention to a recent U.S. Food and Drug Administration (FDA) warning letter to a medical device firm for "failure to validate computer software for its intended use" under 21 CFR § 820.70(i). The systems in question are based on packaged enterprise software. The letter is reminder that when such systems are implemented in regulated industries, it is incumbent on the user organization to ensure that such use is validated.
This is all in the public record, so I have no problem providing the specifics.
The letter, dated May 29, 2009, is addressed to UltraRad Corporation
, a provider of picture archiving and communication systems (PACS). PACS are regulated by FDA as medical devices, because they are "intended for use in the diagnosis of disease or other conditions or in the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or function of the body." As a medical device, UtraRad's products must comply with the Quality System Regulation (21 CFR Part 820) or QSR for short.The ViolationFDA's warning letter
, based on an inspection carried out in February and March of this year, points to a number of violations of the QSR. From the perspective of enterprise software, however, the most interesting citation is the one concerning software validation:
4. Failure to validate computer software for its intended use according to an established protocol when computers or automated data processing systems are used as part of production or the quality system as required by 21 CFR § 820.70(i). This was a repeat violation from a previous FDA-483 that was issued to your firm. For example:Implications for IT
A) Your firm uses off-the-shelf software (HEAT Help Desk) to manage customer support service calls and to maintain customer site configuration information; however, your firm failed to adequately validate this software in order to ensure that it will perform as intended in its chosen application. Specifically. your firm's validation did not ensure that the details screen was functioning properly as intended. The details screen is used to capture complaint details and complaint follow-up information which would include corrective and preventative actions performed by your firm when service calls are determined to be CAPA issues.
B) Off-the-shelf software (Microsoft SharePoint) is being used by your firm to manage your quality system documents for document control and approval. However, your firm has failed to adequately validate this software to ensure that it meets your needs and intended uses. Specifically. at the time of this inspection there were two different versions of your CAPA & Customer Complaint procedure, SOP-200-104; however, no revision history was provided on the SharePoint document history. Your firm has failed to validate the SharePoint software to meet your needs for maintaining document control and versioning.
Note that the two software packages--HEAT and Sharepoint--are widely implemented across various industries. HEAT, from Front Range Solutions
, is a commonly-used system for help desk support. Sharepoint, of course, is Microsoft's collaboration and content management server. Neither of these systems are specific to the medical device industry. As such, IT professionals--especially those without a background in regulatory affairs--may not recognize the risk they incur when implementing these systems in a regulated environment. In fact, the software vendors themselves may be unfamiliar with the compliance needs of their customers in regulated industries.
One common misunderstanding is that the customer's responsibility for compliance can be met by the vendor somehow "validating" its software. Vendor claims notwithstanding, vendors cannot sell you "compliant software" or "FDA validated software." Terms like this in vendor marketing literature should be a red flag that the vendor does not have a clue.
Technically, it is not the software itself that is validated, it is the software in its intended use
that should be validated. One customer may be using the software in a way that is altogether inappropriate in a regulated environment, while another customer may be using the software in a way that fits its intended use. Although a software vendor can support its customers' compliance--by providing evidence of software quality, for example--ultimately it is the responsibility of the user
of the system to ensure that the system itself, and how it is implemented and used, are appropriate. UltraRad, according to the FDA warning letter, failed to do so.
FDA warning letters citing failure to validate commercial off-the-shelf software (COTS) are not an everyday occurrence. This one, which so clearly cites this violation is a good reminder of the responsibility of regulated organizations that implement such systems.
For more guidance on this subject, see Validation of Software for Regulated Processes
(TIR-36) from the Association for the Advancement of Medical Instrumentation (AAMI)
. I served on the AAMI committee that wrote this report in 2007, and it provides a good overview and recommendations to industry on an approach to comply with FDA regulations for these types of systems.Related postsTurning software validation into a meaningful exerciseA quality systems view of 21 CFR Part 11Oracle unveils new electronic signature functionality for FDA regulated manufacturersFDA finalizes guidance for 21 CFR Part 11FDA drops the other shoe on Part 11FDA signals change in approach to Part 11Possible solution for FDA electronic record audit trail complianceBusiness success is more than regulatory complianceBuzzword alert: "Part 11 compliance"