"Previously published on www.MedicalDeviceSummit.com, Copyright: Innovative Publishing Company, LLC. Reprinted with permission"
While there is extensive guidance and documentation available for the development and validation of proprietary software, there is relatively little guidance available for the validation of commercial off-the-shelf software (OTS). The FDA's guidance document for software development, while somewhat dated (2002), provides some general guidance (including reference to general principles of software development) and references to additional guidance documents for software used in production and processes.
Unfortunately there is no single defined set of user requirements for medical devices, tissues or any other product. The good news is that there are some well-documented requirements in the form of the FDA 21 CFR regulations.
For the medical device manufacturer or for a tissue bank, finding and applying this information is a daunting task which leaves most users frustrated—so frustrated in fact that they may not even begin the validation process in the first place! The purpose of this article is to provide device and tissue manufacturers with guidance and a useable structure that will help to simplify the process of OTS software validation in order to satisfy FDA regulations and user requirements.
The First Step
The first step, as with most software or hardware purchases is to properly define a set of user requirements. Without user requirements, it is unlikely that proper software will be purchased—let alone validated. Unfortunately there is no single defined set of user requirements for devices, tissues or any other product. The good news is that there are some well-documented requirements in the form of the FDA 21 CFR regulations.
For example, user requirements for a document control system must include the basic requirements of 21 CFR Part 820 Section 820.40, Document Controls. This section has two main requirements, a) document approval and distribution and b) document changes. These two sections must be significantly expanded to include all the user requirements of the FDA that are related to document control; this is an excellent starting point for manufacturers. Similarly, if we were going to validate a Quality System Record management system, a good starting point would be Section 820.186, Quality System Record.
Obviously, the regulations would just be the starting point. The user would certainly have many unique requirements which would also fall into the User Requirements section. These might include old and new versions of software documentation, such as Microsoft® Word or Excel. Most users also have existing documents, files or databases which must be converted to the new software system with complete accuracy and no loss or corruption of data.
Rest of the Validation
Once the User Requirements are defined, the Validation process for OTS should not be much different than the validation of a piece of equipment in a regulated process. Consider the following general steps:
Before we start running the test scripts to show that all of the User Requirements have been met, we have some important tasks to accomplish, which should be performed in conjunction with the software supplier as they are relatively technical in nature.
What would validation be without a validation report? The validation report is used to summarize all the testing performed, the equipment used (as well as the calibration status, if appropriate), signatures, approvals, results and conclusions. The validation report should specifically state that specified equipment has been validated to perform as expected, or if not, what improvements must be made. The software should not be used until the validation report has been approved and made effective according to company procedures.
Don't forget about FDA 21 CFR Part 11, the FDA's electronic signature and records regulation. Most companies might need a little help with this one. Make sure you address electronic signatures and any quality data that is stored by the system.
In summary, commercial off-the-shelf software validation, while complicated, is not impossible and is certainly not beyond the abilities of most companies as long as companies work with the software supplier and follow the guidelines identified above. Don't forget! Make sure everything is documented and properly filed and archived.
David S. Brown is the President of David S Brown LLC, a consulting firm specializing in Medical Device and Tissue Bank Process Improvement, compliance and quality. David has over 20 years experience serving the medical device and tissue banking industry sectors. He is also an associate of Jim Colyn Consulting and works with other device/tissue consulting firms such as Barile and Associates. For more information, visit, http://www.davidsbrownllc.com.