COTS Software – 5 Essential Items to Consider

COTS or Commerical Off-the-Shelf Software is commonly use in the life sciences today, but what are the pitfalls when it comes to validation of this software?

Can you trust the vendor’s qualification and validation documentation or do you end up doing your own validation before you go-live.

Below are some of the things you need to look out for before signing the PO!

1. User Requirements

Generally this document is not available or expectations are not defined thoroughly. Who is actually going to take responsibility for this document the vendor or the client? Of course the client should be the one driving comprehensive user requirements but in some cases the vendor is asked to generate a URS as the client “doesn’t have the time”.

PLEASE NEVER LET THE VENDOR DICTATE THE USER REQUIREMENTS THIS WILL LEAD TO INADEQUATE TESTING THAT WILL COME TO BACK TO BIT YOU IN THE ASS!

2. Configuration Management

Another common pitfall is that configuration documents are not available either from vendor’s commissioning engineer or from user’s implementation team. This again leads to a mismatch of expectation and implementation. Also, it will affect any change management and further requalification issues that arise in the future.

A lot of needless validation can be avoided if you focus on clear configuration management.

3. Standard Operating Procedures (SOP’s)

SOPs are not available or they do not cover such systems adequately.

4. Auditing Your Vendors Quality Management System (QMS)

Have you audited you vendor to ensure that their QMS is up to scratch and that they have built the application to the highest of quality standards.

Remember this software is going to be used to assist in the production of life saving medicines and medical devices.

Refer to GAMP 5 for assistant as to what you need to look out for before you audit.

REMEMBER YOUR VENDOR SHOULD BE AUDITED ON A REGULAR BASIS TO ENSURE THAT THEY ARE MAINTAINING THEIR QUALITY STANDARDS. THIS IS HUGELY IMPORTANT, AS THE SOFWTARE WILL BE CONTINAULLY CHANGED ON A REGULAR BASIS TO ADD NEW FEATURE AND FIX BUGS ETC.

5. Certificate from Vendors

Generally vendors provide two different certificates.

The first one is called the “CONFORMANCE CERTIFICATE” this certificate is supplied by the vendor as reassurance that the vendor has internally audited their system and as a result are giving it the green light.

The other one is the “21 CFR PART 11 COMPLIANCE CERTIFICATE”, which details exactly how the technology conforms to the regulations laid down by the FDA. This certificate should also state that the software has the necessary controls in place to pass the controls laid down by the EU regulations Annex 11.

The Part 11 certificate is particularly misleading as the software can be sold by the vendor as being 21 CFR Part 11 compliant.

Part 11 compliance means the system has the capability to be configured correctly, this is generally misunderstood and you will be in for a rude awakening during an audit if you have not configured and tested this adequately.

References

Author

Graham O'Keeffe

General Manager - Veeva LearnGxP