Trick or Treat! Do you know what is really scary? It is when the Chief Jailable Office (CJO) is on the receiving end of an eight-Form 483 observation warning letter. It really does give new meaning to the word BOO! Or maybe the boo quickly turns into boo-hoo as the tears of anguish begin streaming down the cheeks of an unfortunate CJO on the receiving end of an agency warning letter. Regardless, warning letters can be scary events. For this week’s guidance Dr. D will dive into the validation requirements for computers and automated data processing systems used in support of production activities or the quality management system (QMS). As the recipients of the warning letter referenced in this week’s guidance quickly found out, validation of computers and automated data processing systems is a salient requirement of the quality system regulation (QSR). When our friends from FDA appear in the lobby for that friendly cup of coffee and an inspection, there is a reasonably probability 21 CFR, Part 820.70(i) might come into play. Enjoy!
Warning Letter – August 3, 2016
Now granted, 21 CFR, Part 820.70(i) is not frequently cited in warning letters; however, if your establishment has an automated document control system or employs software for the management of calibration, the expectation is that these systems be validated for their intended use. Premised on the warning letter excerpt, it appears the recipients of this warning letter may have failed to validate their commercial-off-the-shelf (COTS) software. Unfortunately, COTS counts, depending upon its use.
Warning Letter Excerpt
Observation Four (4) “Failure to ensure that when computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol, as required by 21 CFR 820.70(i). For example: your firm uses (b)(4) use.
We reviewed your firm’s response and conclude that it is not adequate. The response indicates your firm will follow the guidance of “Off-The-Shelf Software Use in Medical Devices” (b)(4), and if necessary, perform a validation. However, your firm did not provide sufficient details describing its corrective actions for assessment.
21 CFR, Part 820.70 – Production and Process Controls
(i) Automated processes. When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.
Compliance for Dummies
The good news for device establishments is that most software companies selling COTS into the device industry for document control, CAPA, calibration, etc. also provide appropriate validation tools. In many cases, the validation support comes with the software; however, sometimes device establishments will have to pay for the validation support. Please keep in mind, many options available for QMS software and pricing for necessities, such as validation packages, are negotiable.
Regardless, software used for managing the QMS, CAPA, complaint management, calibration, router generation, procurement activities, etc. require validation. That means someone will need to create the test script (validation protocol) and someone will have to execute the test script. Once all validation testing is complete, someone will have to write the validation report, and the report will require the review and approval by appropriate organizational personnel.
The same type of rigor also holds true for measuring and monitoring equipment that employs a computer, software, and/or firmware in support of a measuring and/or monitoring function. It is not acceptable to tell an investigator it is not your establishment’s responsibility to validate equipment use because the manufacturer has completed their validation. The position of an FDA investigator during an inspection is one of collecting evidence or simply stated, “Prove it!” Most of the time an effective test method validation (TMV) may suffice, depending upon the measuring and monitoring equipment used.
For this week’s guidance, Dr. D will leave the readers with one takeaway. If your establishment is using computers, software, and/or firmware to manage any aspect of your QMS, then the application of that computer, software, and/or firmware will require some level of validation. Working in industry for a few decades now, the doctor can firmly state that the number of pure-paper quality management systems is rapidly declining in favor of advancing technology. The availability of computer-based systems and QMS software are abundant. As the abundance of products grow, so will the need for validation. In closing, thank you again for joining Dr. D, and I hope you found value in the guidance provided. Until the next installment of DG, cheers from Dr. D., and best wishes for continued professional success.
- Code of Federal Regulation. (April 2015). Title 21 Part 820: Quality system regulation. Washington, D.C.: U.S. Government Printing Office.
- Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation–21 CFR, Part 820. Charleston, SC: Amazon.
- Devine, C. (2013). Devine guidance for managing key attributes of a FDA-compliant quality management system – 21 CFR, Part 820 Compliance. Charleston, SC: Amazon.
- FDA. (August 2016). Inspections, Compliance, Enforcement, and Criminal Investigations. Spiegelberg Gmbh & Co. KG. Accessed October 31, 2016. Retrieved from http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2016/ucm515340.htm
Just to mention that the validation of non-device software has finally also found its way into ISO 13485 as per the below two clauses from the 2016 revision :
4.1.6 The organization shall document procedures for the validation of the application of computer
software used in the quality management system. Such software applications shall be validated prior to
initial use and, as appropriate, after changes to such software or its application.
The specific approach and activities associated with software validation and revalidation shall be
proportionate to the risk associated with the use of the software.
Records of such activities shall be maintained.
In § 7.5.6 : The organization shall document procedures for the validation of the application of computer software used in production and service provision. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk
associated with the use of the software, including the effect on the ability of the product to conform to
Ary, great comment. Thanks for reading DG. Be Well, Dr. D