Validation of VCS software for document control? Small medical start-up

S

SterileField

#1
I'm working with a small medical start-up to assist them in implementing a 13485 and 21 CFR 820 compliant QMS. As is usual, timelines are compressed and budgets are tight.

Because of the latter we're looking at "open source" version control software and, at the moment, SubVersion in particular for document control. Trac is also being looked at for the software-development side of things. It is likely that the repository holding the documents would also be the repository holding records as well and that SubVersion would thus be used for both documents and records.

My question(s) centres around the validation requirements of the FDA (21 CFR 11) and ISO 13485 (if any) for such software. How does this work? What's needed for such validation to show efficacy? Has anyone used SubVersion with or without Trac (or Trac with any other open-source VCS) and obtained approval from the FDA after demonstrating validation results?

Any assistance to nudge/shove me along the right direction would be greatly appreciated.

:thanx:

Mike
 
Elsmar Forum Sponsor
G

Gert Sorensen

#3
Depending on whether you intend to use Electronic Signatures the requirements are a bit different. So, please tell us that.

In general, when validating software it is IMHO not that different to validating other processes. You need to:
Define your User Requirements up front
Create a validation plan
Test that the software meets your User Requirements - IQ, OQ and PQ (combine them if the validation is simple).
For your own benefit make a matrix of where the requirements are documented in your protocols.
Create a validation report that sums it up.

Make sure that you take into consideration the requirements in part 11 - they include things like: Access control, backup, audit trail etc. The tricky part is the need for a access log, and the requirements regarding E-signatures. But, they can be handled in most - or some - cases.

STAY AWAY from any thing that is not of the shelf software. That makes it so much more difficult to handle.

ISO 13485 adresses the need to perform software validation in 7.5.2.1

:bigwave:
 
S

SterileField

#4
STAY AWAY from any thing that is not of the shelf software. That makes it so much more difficult to handle.
Thanks for the considered reply. With respect to the above, can I assume that you do not recommend, say, Subversion for this use due to validation concerns? If so, can you offer any recommendations with cost-sensitivity in mind?
 
G

Gert Sorensen

#5
Depending on the size of your company and the number of users that you intend to be using the system then you may actually find that the cost of using well reputed systems for document control is not all that expensive. Most of the accepted systems have a validation package that is optional which will be of value when performing validation to Part 11. The validation package is not a "fail safe" thing, you need to evaluate the software according to your requirements, but even so you may save a lot of time and the documentation will be a lot better than what most of us is able to conjure on our own.
When you talk about cost effectiveness of systems like these don't just look at initial cost. Look at the entire life cycle of the system, and look at the time that you save on your operations - that's also a cost.
 

yodon

Leader
Super Moderator
#6
I would not completely agree that you should avoid open source software. Our clients have used CVS for SW CM and various other open source tools for other aspects without any regulatory issues arising. (Unfortunately, none have used Subversion, though.) Often times, open source tools are more stable than commercially-available tools. You do have to be aware of what you're getting into. If you have a problem, for example, you likely have nowhere to turn for quick resolution. There are some service companies that can provide such support, but then it's more like going the COTS route.

I do agree that, if you're using such tools, validation is the right approach. As Gert pointed out, you'll need to define your requirements in order to validate. Remember that you're not validating the entire tool, only as it relates to your requirements. You should also do a risk analysis. You can extend the scope of your efforts and should be able to wrap up any Part 11 questions / concerns in the same analysis & validation.

I believe that if you have a good CM process, can show that Subversion is meeting your needs (requirements), and any risks are sufficiently identified and mitigated, that you would have a strong enough story for the FDA.
 
M

mafjensen - 2011

#7
For software development you should consider Rational Team Concert (www.jazz.net). This is free if you have a team of up to 3 software developers, and after that the it is very expensive. But it is a pretty solid software (IBM) and you should be able to define a development process that will fullfill the requirements of IEC 62304.

For the rest of the documents, and the final release of software, a paper-system could be considered.
 
C

curryassassin

#8
Check out Q Pulse. Although we have no experience of using this software, we had a demo and were extremely impressed with its capabilities for all types of document control, including audits, CAPAs, deviations. We could not fault it. It is marketed and used widely at the small to medium life sciences companies. It was also relatively inexpensive.
 
I

icare2much

#9
I have also looked at SubVersion for document control but it falls short meeting the electronic signature requirements for 21 CFR 11.

From 21 CFR 11:
Sec. 11.200 Electronic signature components and controls. (a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.


The issue is that SubVersion remembers your identity when you check-in or check-out a document. So subsequent check-ins do not prompt you for your password again.

I have heard of people "unchecking" the "remember me" option and making this action part of their SOP to get around this issue, but I can't see how that passes muster as it leaves no audit trail whether it was checked or unchecked.

Perhaps someone else has experience here in the Cove with it...
 
J

Jerome

#10
We are a small (40 empl.) company (in the Netherlands) which also makes some medical devices.
For our document control I am also looking into Subversion as our software dept. is piloting with that as a replacement of Visual Source Safe.
For the software part it looks promissing and we'll be implementing it soon.
For the documentation of our entire QMS and product/project documentation I'll be investigating this tool in particular (don't want to many different systems which can do the same). Next week I'll get a crash course on the what-how-and-where of this tool.
I want to use it to move from our (explosively growing) paper archive to a digital one.
We want to use the digital signing capebilleties of Adobe Acrobat 9 Pro to do the signing of the documents.
Only a few key persons can then prep a document with acrobat for digital signing and all involved can then sign using acrobat reader (with user specific ID certificate) to sign of on the documents.
These will go into the Subversion to keep track of the documents and their history trail.

This way we only need a few Acrobat licences (Subversion is free) and can loose a bunch of archive cabinets :)
We think this is the right way for our situation.
For validation purposes we'll use a stable version of Subversion, validate our User requirements and freeze this version.
For the digital signiture in Acrobat, there is a bunch of documentation on the net and at Adobe. I'll need to verify it's integrity but as it is used in a 'closed system' I don't foresee many problems there.
I try to keep u posted on the outcome.

Just my :50cent:

Feel free to share on this matter
 
Thread starter Similar threads Forum Replies Date
I Are suppliers required to hand over process validation reports? ISO 13485:2016 - Medical Device Quality Management Systems 3
N Computerized System Validation ISO 13485:2016 - Medical Device Quality Management Systems 8
M 3D Scanner Software validation ISO 13485:2016 - Medical Device Quality Management Systems 7
E Cybersecurity for Internal Tool Validation Medical Device and FDA Regulations and Standards News 1
B Transport Validation For Non-sterile Medical Devices ISO 13485:2016 - Medical Device Quality Management Systems 4
D Software Validation Question ISO 13485:2016 - Medical Device Quality Management Systems 10
G Pad Printing Validation OR Verification ISO 13485:2016 - Medical Device Quality Management Systems 4
A ETHYLENE OXIDE STERILIZATION VALIDATION Manufacturing and Related Processes 4
C. Tejeda Computer system validation approach for Minitab Statistical software Software Quality Assurance 7
D 8.5.1.2 Validation and control of special processes requirements for Heat Treat External Processor AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 4
S Performance Qualification and Process Validation ISO 13485:2016 - Medical Device Quality Management Systems 5
L ISO 11607-1 Packaging system validation Design and Development of Products and Processes 9
John C. Abnet ...validation of computer software ISO 13485:2016 - Medical Device Quality Management Systems 14
D Machine rebuilds versus process re-validation IATF 16949 - Automotive Quality Systems Standard 1
R Cloud-based SaMD Validation IEC 62304 - Medical Device Software Life Cycle Processes 8
G Process Validation Before/After Sterilization? Design and Development of Products and Processes 3
D Laboratory Refrigerator Validation ISO 13485:2016 - Medical Device Quality Management Systems 2
T SQL Server 2019 - Master Data Services - Validation needed? ISO 13485:2016 - Medical Device Quality Management Systems 4
G Shipping Validation of Non-Sterile Parts? Other Medical Device and Orthopedic Related Topics 9
J Hardware Validation Qualification and Validation (including 21 CFR Part 11) 1
B ERP software validation - risk assessment vs validation scope ISO 13485:2016 - Medical Device Quality Management Systems 11
blackholequasar Validation of new ERP system ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
G How to Record Informal Testing (Not Verification/Validation) Other Medical Device and Orthopedic Related Topics 15
B Clean room shut down and re-validation or re-qualification? Other Medical Device Related Standards 6
B Vision system process validation Manufacturing and Related Processes 1
R Validation of Software used in Verification Testing ISO 13485:2016 - Medical Device Quality Management Systems 2
D Glassware cleaning validation Qualification and Validation (including 21 CFR Part 11) 3
M Do i need to have equipment validation if 100% testing is completed? Qualification and Validation (including 21 CFR Part 11) 6
R SaMD Verification & Validation IEC 62304 - Medical Device Software Life Cycle Processes 6
B SPECIAL PROCESS VALIDATION & REVALIDATION Qualification and Validation (including 21 CFR Part 11) 4
R Validation of processes Oil and Gas Industry Standards and Regulations 2
L Guidance for validation - mixing homogeneity Qualification and Validation (including 21 CFR Part 11) 0
E DESIGN VALIDATION, USABILITY AND CLINICAL EVALUATION request Medical Device and FDA Regulations and Standards News 0
S In Field Validation Requirements Other Medical Device Related Standards 1
L Validation of mixers Capability, Accuracy and Stability - Processes, Machines, etc. 2
L Validation of mixers Qualification and Validation (including 21 CFR Part 11) 0
B How to satisfy clause 5.7.1.5 process validation for valve production API 6D Oil and Gas Industry Standards and Regulations 13
A Applying agile model for Computer system Validation Medical Device and FDA Regulations and Standards News 3
H Production Validation- CE Mark ISO 13485:2016 - Medical Device Quality Management Systems 3
Watchcat Software validation vs design V&V? Other US Medical Device Regulations 27
M Initial Importer/Distributor and Software Validation IEC 62304 - Medical Device Software Life Cycle Processes 1
P Test Method Validation (TMV) for all Measurement Methods in Rec/Inspection Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 1
M Validation of Data verification tool per 21 CFR 820 Quality Assurance and Compliance Software Tools and Solutions 1
G Number of Destructively Tested Devices Needed for Ethylene Oxide Validation Other Medical Device Related Standards 4
E ISO 13485 software validation ISO 13485:2016 - Medical Device Quality Management Systems 7
R SAP B1 Computer System Validation Qualification and Validation (including 21 CFR Part 11) 0
A GAGE R&R Binomial with master list (for method validation) Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 0
Y ISO 13485:2015 Software Validation IQ/OQ/PQ ISO 13485:2016 - Medical Device Quality Management Systems 13
N Validation of special processes - thread closed Oil and Gas Industry Standards and Regulations 3
L Validation without Tolerance Qualification and Validation (including 21 CFR Part 11) 0

Similar threads

Top Bottom