Ruling out the Confusions in Validating COTS (Commercial Off-The-Shelf) Software to meet the Regulatory Requirements

Many personnel in the medical device and pharmaceutical industries are confused about the regulatory requirement for validation of Commercial Off-The-Shelf (COTS) software. Why is validation required? Which systems are considered quality systems? What do auditors like to see in the quality system validation? This article discusses the answers.

Why is validation of COTS software required?

  • 21 CFR § 11.10(a) requires validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
  • 21 CFR 820.30 requires that design control must be followed.
  • General principles of software validation: Manufacturers have the ultimate responsibility for the software they use, whether the software is developed in-house, by a contractor, or purchased from a vendor. They should also have documented evidence of cGMP.

The FDA aside, validation supports the successful use and maintenance of the software. The cost of compliance is low compared to the cost of potential losses if no validation is done.

What are the Quality Systems that should be validated?


According to the FDA, it is mandatory that systems intended for human use be validated. These include software used for the design, manufacture, packaging, labeling, storage, installation, and servicing of all finished devices. It is important to include the list of systems that require validation in your initial assessment list.

What Documents are required for regulatory validation?


Every business is a little different from the next, and so is its validation documentation. The verification and validation activities should cover how a system is configured in the customer’s environment. While vendors may try to sell their pre-written documents, these might not exactly fit your environment. Hence it is important to avoid purchasing validation documentation. Knowing what documents are required can help you ensure that you meet the regulatory validation requirements.

Software Validation Protocol (Validation Plan):
A document outlining project deliverables and responsibilities.
System/Software Requirements Specification:
System requirements, description of the components that make up the system, physical hardware requirements, physical software requirements, client user requirements, training requirements, and details of any customizations and integrations with other systems.
Network Diagram:
The visual layout of how the system is configured on the network, demonstrating your understanding of the system configuration for your implementation.
Risk Analysis:
A document that evaluates application safety and identifies potential hazards, their causes, and the effect that each hazard has on application safety and use. The risk assessment should focus on the business processes managed by the system, as opposed to the more traditional FMEA risk assessment used for software programs that are part of a device and pose a direct patient risk.
21 CFR Part 11 Compliance Analysis:
A document that evaluates system applicability/requirements for the use of electronic signatures as required by the FDA in 21 CFR Part 11.
Design Specification:
This document may be deemed appropriate if major integration or customization is to be performed as part of the project.
Verification Protocol (Test Plan):
A document that defines the type of testing to be completed, along with the procedures and schedules for those tests.
Test Specifications (Test Cases):
System-level test cases, based on the functional requirements set forth in the Requirements Specification.
Requirements Traceability Matrix:
A document that lists the system requirements, including their Requirements IDs, and links them to the Test Case IDs.
Final Validation Report:
A summary of all documentation associated with the validation of the software and the test case results.

To learn more about the verification and validation of technology controls and procedures to ensure compliance, you may wish to attend the webinar “How to Buy COTS Software, and Audit and Validate Vendors”. The instructor, David Nettleton, is an industry leader, author, and teacher for 21 CFR Part 11, Annex 11, HIPAA, software validation, and computer system validation. He is involved with the development, purchase, installation, operation and maintenance of computerized systems used in FDA-compliant applications.

Remembering Our Men in Uniform

Old Glory flying half-mast till noon. The silent moment at 3 p.m. to remember the fallen. The beginning of summer. Indy 500. Barbeques. As the day wears on, the significance of Memorial Day cascades from being a stoic remembrance of history to reminding you of the warmer days ahead.

Take up our quarrel with the foe:
To you from failing hands we throw
The torch; be yours to hold it high.
If ye break faith with us who die
We shall not sleep, though poppies grow
In Flanders fields.

The symbolic poppies that dot the Memorial Day landscape are a sign we bear the torch, and with it more than summer’s blithe spirit – a day of remembrance of family, friends and comrades who have fallen in service.



Celebrating the Women in the Workforce Today

As the millennials settle into the workforce, there has been a paradigm shift in how employers create a diverse space for their workforce. Gender equality, or to put it in context, gender diversity remains a leading factor in determining an organization’s stance in creating this diverse culture. The opportunities available for the fairer sex then come pushing forward.

Do women have the same opportunities as men to propel their career? Or does the threat of observing her family ties as much as her professional accomplishments act as the cumulative factor in deciding those opportunities? The figures are persuasive:

  • 77% of women in a dual-career couple earn more than or equal to their spouse
  • Women left individual organizations at identical or lower rates than men did in 2014
  • 60% of women worked well past the birth of their second child

So then have the barriers been breached? Another area you can look into to gauge that – international mobility for women at the workplace.

71% of female millennials said they want to work outside their home country in a PWC study. In contrast, only 20% of women found their place in international assignments.

The disparities here can seem troubling – until you realize that these percentages also represent employers who have not created strategies to promote a diverse workforce.

Women in the workforce today, though, have created a distinct impact. “We stand on the shoulders of the women who came before us, women who had to fight for the rights that we now take for granted,” says Sheryl Sandberg in her book, Lean In: Women, Work and the Will to Lead.

But the course has been charted. Female millennials, for instance, are storming the workforce – talented, with impressive educational credentials, and firm in their career objectives – a mix of things that cannot go wrong. So here we go – another year closer to achieving what the years are building to – a level playing field.

This Holiday Season…Make Merry With FCPA Compliance!

The holidays are when blurred lines and merriment come together to take the edge off validating kickbacks, and in some cases, just plain bribery. Going beyond season tickets to ball games, the scope for corruption and bribery has breached borders and taken an international stage. The argument that it’s impossible to operate your business without some leeway on kickbacks and bribery in countries that are on the road to economic progress, but not quite there yet, is one that the FCPA renounces loud and clear.

The stats support the FCPA’s unflinching stand on the matter: in 2009, the total penalties imposed by the Department of Justice and the SEC stood at $622 million. The figures marched up to $1.8 billion in 2010. The math here is a huge indication of the FCPA’s enforcement not just within the U.S. but in American global ventures as well.

When the Obama administration pushed for an increase in U.S. exports, businesses both big and small reached out to other markets and for more offshore support services. The challenge, as always when working with countries that have a developing economic ecosystem, is sustaining in those markets where the modus operandi for a business is very different from what it is within U.S. shores.

Countries that are highly prone to bribery in government offices: India, Mexico, China, Brazil. Countries where the corruption quotient would turn the radar haywire: Russia, Nigeria, Vietnam, Iraq, Afghanistan. The Foreign Corrupt Practices Act does not restrict itself to businesses alone – the length and breadth of the Act encompass third party service providers and business partners who may be acting on your behalf elsewhere. In which case, you run the dire risk of being stranded in an unknown realm.

If you are staring with some confusion at the bottle of wine that a vendor dropped off for you, here are a few other areas of broader concern you should get to at the earliest:

  • Kicking off the list with the most essential – an FCPA compliance program for your business – one that is well-acknowledged from the top down.
  • Hire an external firm to do risk assessments where the market is not a familiar one and to find out areas where your company could be at risk.
  • Third party FCPA non-compliance is a huge threat, so understand the channels that you function through and your international distribution systems.
  • Don’t fall prey to the facilitating payments exception that the FCPA allows – delegating decisions about working within FCPA’s parameters to your sales staff onsite may not be a good idea.
  • Small and mid-sized businesses with little understanding of conducting international internal investigations need to get up to speed fast.
  • International contracts need to clearly cite FCPA compliance terms.

Whether your operations remain within the country or go global, the FCPA regulations are a huge part of your business ethics and compliance. But with that in place, a glass of wine may not be a bad idea after all. Cheers! Merry Christmas and here’s to a compliant New Year!