:) Hi Folks,

This is my first posting here. As a Medical Device manufacturer we currently have several internally created Access databases that we use for our Quality System. One manages our CAPA system, another Internal Audits and the other for Nonconformance reports. It is a hybrid system in the sense that while the data resides in the databases we print out the records, sign them, have them on file and consider them to be the primary record. As such the databases I have created do not use a true electronic signature system. I have security enabled on both the backends (data on network) and frontend databases (on users PC's). People need to enter their user name and password to logon and I have a VBA Audit Trail to record any and all changes to the records by user including time and date.

I've read and re-read the "General Principles of Software Validation" from the FDA and still cannot determine a clear method of exactly how to validate these databases. I know I need to come up with a Software Requirements Specification for each database and have downloaded several templates from the Internet for use. The next steps I believe would be to come up with the validation protocol, acceptance criteria, test cases with results and finally a validation summary. I was wondering what others here might have done to validate their databases (especially those created with off the shelf software like Access) and if anyone could point to somewhere on the Internet I could go to to look at an actual example validation from start to finish. Any and all help would be very welcome. Thanks in advance. :agree1:

Roger Tregelles
Quality Assurance Engineer

I can't share actual validations due to proprietary concerns, but if you do a search on Google for either "COTS Software Validation Report" or "Commercial off the Shelf Software Validation Report" you will get numerous hits. The extent of the validation depends on the risks associated with the application. So keep this in mind when reviewing the examples. The validation you perform should show that you get the expected results based on your requirements including the user interface (input screens etc.).

Al - Thanks for the reply. I didn't find too much searching for COTSS on Google. Oh well, I'll figure it out I suppose. :confused:

Hi Speed Racer

You are in a similar situation that I am in. I am piling up Access Databases like CAPA, change controls, stability, internal audits etc. We operate on a hybrid system. i.e. generation of paper records using access databases and using paper record to take any action or perform approvals. I believe, we do not fall into Part 11 regulations as we do our approvals and decision making using paper record, though I have secured login, audit trail and back end security.

I am planning to validate these databases next year. I am currently writing SOPs and will be soon writing protocols. What I would suggest is to validate input, process and output. If you perform any calculations, you need to validate them based on input, validate fields on the form (s) or any input masks, I would suggest error messages, warnings etc.

If you designed the database you know its working very well. I would suggest laying down inputs and outputs (messages, reports/queries etc.) in the protocol and validate those items.

Again, I am not an expert, but its better to have some sort of validation than none.

Regards,

CT

It is always best to have at least three parties involved
1) The writer
2) The executor
3) The reviewer

We all know how easy it is to execute something we have written ourselves, as well as how easy it is to accept/except performance when no one else is involved

I'm no expert but here are my thoughts...

If the record is paper, even if printed from Excel, Part 11 Electronic Signatures doesn't apply but... if the record contains numbers that are the results of Excel calculations, I think you'll need to show you've validated those calculations - so it depends on the content of the record.

For example, if you calculate some CAPA statistics in Excel that are later used to drive, say, a risk analysis, you would need to validate that part I think but if you only use Excel as a kind of template to speed up data capture then I think you're fine.

It's a bit like using MS Word to create a paper record - the FDA shouldn't require you to validate Word as the content is reviewable and approvable from the paper printout. If the same is true of the Excel printout, you're fine; if it has calculations, you should validate that use of Excel.

If I've got this completely wrong, please let me know folks; like I say I'm not expert.

:) Hi Folks,

This is my first posting here. As a Medical Device manufacturer we currently have several internally created Access databases that we use for our Quality System. One manages our CAPA system, another Internal Audits and the other for Nonconformance reports. It is a hybrid system in the sense that while the data resides in the databases we print out the records, sign them, have them on file and consider them to be the primary record. As such the databases I have created do not use a true electronic signature system. I have security enabled on both the backends (data on network) and frontend databases (on users PC's). People need to enter their user name and password to logon and I have a VBA Audit Trail to record any and all changes to the records by user including time and date.

I've read and re-read the "General Principles of Software Validation" from the FDA and still cannot determine a clear method of exactly how to validate these databases. I know I need to come up with a Software Requirements Specification for each database and have downloaded several templates from the Internet for use. The next steps I believe would be to come up with the validation protocol, acceptance criteria, test cases with results and finally a validation summary. I was wondering what others here might have done to validate their databases (especially those created with off the shelf software like Access) and if anyone could point to somewhere on the Internet I could go to to look at an actual example validation from start to finish. Any and all help would be very welcome. Thanks in advance. :agree1:

Roger Tregelles
Quality Assurance Engineer

Of course, the fact that this thread is nearly three years old probably means you've already solved the problem - must start checking the dates before replying! :notme:

Oh well - it still might help someone I suppose...

Of course, the fact that this thread is nearly three years old probably means you've already solved the problem - must start checking the dates before replying!

Jimmy - Thanks for the input. I actually totally forgot about this thread. We actually ended up moving our CAPA system database to the Datasweep CAPA system and now to a SAP solution that we validated. We also moved our nonconformance system into the Quality Module of SAP and validated that as well. We still need to look at our Internal Audit Access database but with the recent "workforce reductions" here it's not too high on the priority list. Thanks again for sharing your thoughts which make great sense to me. :)

So what was the result of the Access Database validation? I have inherited a series of systems that are in Access and are not validated. Currently the owner is not inclined to spend more money at this time.

Thanks for any help.

So what was the result of the Access Database validation? I have inherited a series of systems that are in Access and are not validated. Currently the owner is not inclined to spend more money at this time. Thanks for any help.

rlbate - We never validated the CAPA database as we moved to other systems. Maybe one day we'll validate our Internal Audit database, but I highly doubt it. :frust:

Hmm- I guess that the owner just needs a little nudge from FDA or a Notified Body. Don't you just love reactive, not proactive managers? For them, the borrom line is $$$ not a TQS!

Its helping me now :)