Hello all! :bigwave:

I have some questions that I hope you can help me with. I work as a quality manager for a software company specializing in solutions for process control, quality management and business intelligence. Recently we have begun to expand our client base into the medical device field, with possibly pharma companies to follow. As a result, we have started to take the relevant FDA regulations into account in our applications (e.g. CFR 21 Part 11). Another consequence is that due to these customers' requirements we may need to alter some of the ways in which we carry out and document various processes, and this is where my need for help comes in:

Since we provide software which is used in production and as part of the quality system it needs to be validated, and also that we will need to meet "...the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants" established by our customers as per 21 CFR Part 820.50(a).
As I do not yet have experience on what these requirements might be, it would be a great help to me in figuring out how we might need to change if any of you could shed some light on what kinds of requirements companies in FDA regulated fields may place on their software providers. Also, what processes do you cover when you audit these suppliers?

Thank you in advance for any advice!

Welcome to the Cove :bigwave:

Pl note that I have moved your question to this section that is more directed towards Qualification and Validation and includes the requirements for 21 CFR Part 11.

Thank you, Ajit Basrur.

I have a feeling I did not explain myself very well in my first post, perhaps I can clarify my question a little better. What I really would like to know is not the FDA requirements per se, but rather what processes/activities do medical device companies look for when choosing and approving a software company as their supplier.

For example, is having established appropriate procedures for the following sufficient?:
• Compiling, reviewing and authorizing detailed product specifications
• Documentation of the review and approval processes
• Change control and configuration management
• Documentation of test plans and results
• Control and appropriate maintenance of the operational systems


Must the company have an ISO 9001 certificate? Or would it be enough that for the above processes the procedures are in accordance with other relevant standards (e.g. ISO 12207)?

What I am trying to do right now is to anticipate what our potential future customers might expect of us and then try to make sure that the way we operate and document our work fulfils those requirements.

It gets gray pretty quickly but I'll take a shot. Look at something like MS Windows. You're not going to get all that from them but that OS is used extensively.

First off, no, the supplier is not required to be 9001 certified. Doing so, though, helps make life a little easier since that should imply a stable process.

The list you provide is quite good. A few other considerations might include:
* Defined software development life cycle (SDLC) that you follow
* Installation guidelines (memory, RAM, compatible OSs / patches, DB engines, etc.)
* Known problems (should fall out of the process, but I thought I'd mention it)
* Validation procedures

The last one is gaining traction among vendors, especially if part 11 is in play. You, as supplier, can't validate the software - that has to be done as installed at the user's site, with the user's equipment. You can, however, provide protocol templates that help give your clients a boost in their validation efforts.

One other thing, as long as I'm building my wish list. When you receive problem reports, possibly from other clients, it would be great if these could somehow be disseminated to the other clients.

If I could get all that from all software vendors, I'd be a pretty happy camper.

That's all I can think of for now. Glad to see a software vendor interested in this topic!

That is excellent information, thank you very much! :)

Out of the items you mentioned, the big one we're currently working on is providing the validation protocol templates for our customers, which I understand can save them a considerable amount of time. With regards to these, is some external verification required to confirm that the validation protocols are comprehensive enough?

The other ones you mentioned we have pretty much covered, although I do need to to make sure that the procedures are documented sufficiently well.

Hi there
I have just come across your question.

Go onto the FDA website and download
21 CFR Part 820

This details all the quality system requirements. If you do go into the medical device market, anyone using your company will audit you against the requirements in this Part 820. Then down load 21 CFR part 11 and study the requirements for storing regulated data. The requirements in Part 820 and 11, are mandatory.

This will give you a good insight to what is required.

You may be workiing to a quality system that uses different titles and different methods, no matter what wording is used the part 820 requirements must be complied with.

Regards
Alex Kennedy
Validation Online