Guide to Buying COTS Software - How to Audit and Evaluate Vendors

• By: Staff Editor
• Date: August 07, 2018

When the internet was not as ubiquitous as it is today, Life Sciences Companies maintained documents manually. Submitting truckloads of paper records to the FDA was a norm when the U.S. Food and Drug Administration (FDA) issued 21 CFR Part 11 back in 1997.

With the evolution of the internet, more companies joined the inevitable movement toward the use of electronic systems. This article is a ready reckoner for Companies that are looking to buy COTS (Commercial Off-The-Shelf) software to automate their document and business process management. It guides buyers through the process and helps Companies maintain constant inspection readiness.

Getting started:

Before diving into the evaluation, audit, and buying of COTs Software for automation, it is critical to know the regulations and advantages of shifting from manual to automated processes. It is also crucial to understand the areas of compliance to ensure you make the right COTS software choice.

The Regulations

• The 21 CFR Part 11 that was released 2003 sets ground rules for automated record keeping systems. The FDA Guidance is entitled “Guidance for Industry: Part 11, Electronic Records; Electronic Signatures—Scope and Application.”
• The Predicate Rules are GxP regulations other than Part 11 (cGMP, GCP, GLP). Part 11 allows any predicate rule that calls for a record to be satisfied with an electronic record. They also allow any predicate rule that calls for a signature to be satisfied with an electronic signature.

The advantages of making the 21 CFR Part 11 Compliance shift

Areas of compliance for Inspection readiness

The 21 CFR Part 11 that was released 2003, recommends using risk assessment in 4 areas to help companies avoid overdoing part 11 applications. Risk assessment refers to “a determination of the potential effect of a system on product quality and safety; By adhering to the 4 compliance areas

*The four areas of compliance are

1. Validation
2. Audit trail
3. Copies of records
4. Record retention

Auditing and Evaluating Software and Vendors

By taking a deep dive into the purpose of FDA 21 CFR part 11 and checking how systems and vendors match up with the needs will help buyers make the right choices.

The purpose of FDA 21 CFR part 11 is to ensure that:

• Users know how to use the computer system, and know when it isn’t working correctly
• Data is not corrupted or lost
• Data is secure
• Approvals cannot be repudiated
• Changes to data can be traced
• Attempts to falsify records are made difficult and can be detected

*Compliance areas:

Compliance area #1: Validation:  Computer systems such as “records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations” need to be validated.

Compliance area #2: Audit Trail: “Even if there are no predicate rule requirements to document, for example, date, time, or sequence of events in a particular instance, it may nonetheless be important to have audit trails, or other physical, logical, or procedural security measures in place to ensure trustworthiness and reliability of the records.

Compliance area # 3: Copies of records: Electronic systems should be able “to generate accurate and complete copies of records in both human readable and electronic form for inspection, review, and copying by the agency.”

Compliance area # 4: Record retention: The guidance document suggests that the record retention decision to be based on “how to maintain records be based on predicate rule 307 requirements and that you base your decision on a justified and documented risk assessment and 308 a determination of the value of the records over time.”

“In addition, paper and electronic record and signature components can co-exist (i.e., a hybrid8 317 situation) as long as 318 predicate rule requirements are met and the content and meaning of those records are preserved.”

More help

Given the ever-evolving nature of the industry trends and complex regulations, it is crucial for professionals in the life sciences industry to stay current with the regulatory requirements, and the technologies that support its implementation. Professional development helps you and your organization maintain constant inspection readiness.

To know more, you might wish to attend the webinar ‘How to Buy COTS Software, and Audit and Validate Vendors’. The instructor, David Nettleton is Computer System Validation’s principal, an industry leader, author, and teacher for 21 CFR Part 11, Annex 11, HIPAA, software validation, and computer system validation.

You may also wish to browse through our library of webinar resources for the life sciences industry.