ERP / QMS related software standards for Validation

mpfizer

Involved In Discussions
#1
Hi,

We manufacture Medical Devices viz Orthopedic Implants.

We use in-house developed software for ERP and QMS related procedures and store all data in it. We would like to know what is to be done to prove that this software is 21 CFR 820 compliant?

Also, we would like to know if there are any ISO / ASTM or other standards which we need to comply with.

Thanks
Michelle
 

William55401

Quite Involved in Discussions
#2
I would suggest you look up GAMP 5 for input on how to approach validation. Google is your friend. This is a common approach to s/w validation in the Life Sciences space.
 

Tidge

Trusted Information Resource
#3
> Hi,
>
> We manufacture Medical Devices viz Orthopedic Implants.
>
> We use in-house developed software for ERP and QMS related procedures and store all data in it. We would like to know what is to be done to prove that this software is 21 CFR 820 compliant?
>
> Also, we would like to know if there are any ISO / ASTM or other standards which we need to comply with.

IEC 62304 only applies to medical device software, although the scalability of practices is applicable to all projects involving software development (and assessment). GAMP 5 is a similarly scalable approach to software validation that originates from the pharmaceutical industry... but don't hold that against it.

My simple advice is this:

1) Go through 21 CFR 820 section-by-section (this will be faster than it sounds) and identify the functions of part 820 that the software is going to be asked to perform. This will help you construct an Intended Use statement and a (high level) User Requirements document.

2) If you intend to record signatures/approvals and the like, take a good look at CFR Part 11 for some specific (low level) Functional Requirements that will need to be implemented for (US) compliance. These practices are generally applicable outside the US as well.

2b) Depending on the data in the system, you may have Confidentiality concerns which will add specific Functional Requirements as well. IMO this is slightly better defined from European sources, but generally you shouldn't encounter something from a European authority on Cybersecurity that would not be applicable in the US. (Check for specific HIPAA details to be certain.)

3) Develop and perform testing against those sets of requirements to establish confidence that the software is meeting its Intended Use.

4) Document the installation characteristics of the software and protect it against unauthorized changes, so that you can maintain the validated state.

You should also establish a policy for maintenance activities as well as a potential retirement plan. There are more subtleties, but I think that covers the large points.
 

Tidge

Trusted Information Resource
#5
> Good advice above. One more reference: FDA's guidance on software validation. A bit less bulky than GAMP5. :)

Any year now, we should be getting a modern update to that guidance document! I think the pre-release draft has been circulating for something like four years!

Re: the "new draft": If there is one important item that I would like players in this arena to be aware of, it is the following: The FDA never intended for manufacturers to assume full responsibility of commercial software; the FDA's interest is that the manufacturer's responsibility to understand that a software package meets the manufacturer's needs is commensurate with the risks to patients and users of the medical device/treatment being manufactured.

In practice, the FDA has internally trained their inspectors to avoid digging deep into computerized systems that don't directly impact patients or users. I work in ME devices; my face-to-face time with FDA auditors has 100% been regarding ME device software. The FDA does not want manufacturers avoiding modern software solutions because the burden of validation of those systems would be too high, irregardless of intended use.

However: Non-FDA bodies, particularly those who employ ex-FDA auditors of a certain generation (keep reading) have and will leverage the 2002 guidance to extrapolate that a manufacturer needs to apply the full suite of validation activities and expect to see 'complete' documentation sets for almost ANY piece of software they come across during an audit.

As I wrote above, the FDA has not (independent of executive branch control) 'worried' so much about non-product software (NPS) validation. I personally was very surprised to see that in the circulated draft they specifically propose that software which tracks employee training would fall into the lowest category of risk! I have never encountered a non-FDA auditor who would agree, but until the new guidance draft is formally released we all will be somewhat at the mercy of these auditors. I can't speak to the exact timeline of when the FDA formally began trying to rein in their own auditors to focus on more important areas (vis-a-vis the FDA mandate to assure safe and effective treatments) than NPS, but it is clear that many ex-FDA auditors left before they received that training... or otherwise have not internalized it. I've spent days working with non-FDA auditors reviewing the validation of NPS systems (including employee training systems!)
 

mpfizer

Involved In Discussions
#6
> Any year now, we should be getting a modern update to that guidance document! I think the pre-release draft has been circulating for something like four years!
>
> Re: the "new draft": If there is one important item that I would like players in this arena to be aware of, it is the following: The FDA never intended for manufacturers to assume full responsibility of commercial software; the FDA's interest is that the manufacturer's responsibility to understand that a software package meets the manufacturer's needs is commensurate with the risks to patients and users of the medical device/treatment being manufactured.
>
> In practice, the FDA has internally trained their inspectors to avoid digging deep into computerized systems that don't directly impact patients or users. I work in ME devices; my face-to-face time with FDA auditors has 100% been regarding ME device software. The FDA does not want manufacturers avoiding modern software solutions because the burden of validation of those systems would be too high, irregardless of intended use.
>
> However: Non-FDA bodies, particularly those who employ ex-FDA auditors of a certain generation (keep reading) have and will leverage the 2002 guidance to extrapolate that a manufacturer needs to apply the full suite of validation activities and expect to see 'complete' documentation sets for almost ANY piece of software they come across during an audit.
>
> As I wrote above, the FDA has not (independent of executive branch control) 'worried' so much about non-product software (NPS) validation. I personally was very surprised to see that in the circulated draft they specifically propose that software which tracks employee training would fall into the lowest category of risk! I have never encountered a non-FDA auditor who would agree, but until the new guidance draft is formally released we all will be somewhat at the mercy of these auditors. I can't speak to the exact timeline of when the FDA formally began trying to rein in their own auditors to focus on more important areas (vis-a-vis the FDA mandate to assure safe and effective treatments) than NPS, but it is clear that many ex-FDA auditors left before they received that training... or otherwise have not internalized it. I've spent days working with non-FDA auditors reviewing the validation of NPS systems (including employee training systems!)

Thanks.
Is there any link for the new draft?
 

Tidge

Trusted Information Resource
#7
> is there any link for new draft?

I don't believe the proposal is being shared publicly, but the team behind it wasn't shy about letting folks participate... at least not several years ago. The proposal didn't really lay any new ground, except that it was making it clear that the FDA thought the industries (both manufacturing and audit industries) had gone overboard with NPS validation efforts.

IMO: The real benefit of the draft being published would be to allow manufacturers to push back on non-FDA auditors who have a tendency to simply ask for "too much". Everything a manufacturer needs to know (and follow) is in the 2002 guidance; it is just that much of the terminology in that guidance reads (to a layman) as if it is near-identical to medical-device software (including a description of a development process that a buyer would never have visibility towards)... but medical device software has its own consensus standard for development (62304) which derives from a consensus standard for patient/user safety (14971).

There is no consensus standard for "compliance risk management"; as a result, 3rd parties have created a cottage industry where they interject themselves between business software developers and manufacturers who could buy (and benefit) from business software. I'm not trying to downplay the business risks from a misbehaving ERP system, but appropriate business risk controls are very different than necessary risk controls when human safety is involved.
 