Guide to Buying COTS Software - How to Audit and Evaluate Vendors

  • By: Staff Editor
  • Date: August 07, 2018
Webinar All Access Pass Subscription

When the internet was not as ubiquitous as it is today, Life Sciences Companies maintained documents manually. Submitting truckloads of paper records to the FDA was a norm when the U.S. Food and Drug Administration (FDA) issued 21 CFR Part 11 back in 1997.

With the evolution of the internet, more companies joined the inevitable movement toward the use of electronic systems. This article is a ready reckoner for Companies that are looking to buy COTS (Commercial Off-The-Shelf) software to automate their document and business process management. It guides buyers through the process and helps Companies maintain constant inspection readiness.

Getting started:

Before diving into the evaluation, audit, and buying of COTs Software for automation, it is critical to know the regulations and advantages of shifting from manual to automated processes. It is also crucial to understand the areas of compliance to ensure you make the right COTS software choice.

The Regulations

The advantages of making the 21 CFR Part 11 Compliance shift


Areas of compliance for Inspection readiness

The 21 CFR Part 11 that was released 2003, recommends using risk assessment in 4 areas to help companies avoid overdoing part 11 applications. Risk assessment refers to “a determination of the potential effect of a system on product quality and safety; By adhering to the 4 compliance areas

*The four areas of compliance are

  1. Validation
  2. Audit trail
  3. Copies of records
  4. Record retention

Auditing and Evaluating Software and Vendors

By taking a deep dive into the purpose of FDA 21 CFR part 11 and checking how systems and vendors match up with the needs will help buyers make the right choices.

The purpose of FDA 21 CFR part 11 is to ensure that:

  • Users know how to use the computer system, and know when it isn’t working correctly
  • Data is not corrupted or lost
  • Data is secure
  • Approvals cannot be repudiated
  • Changes to data can be traced
  • Attempts to falsify records are made difficult and can be detected


CFR Part 11 Requirement Does the System and vendor meet the need?
Requires an assurance of the authenticity of electronic records     Are the system administrators provided with a system that offers the ability to delineate user permissions for every document vault in the system? Is the system able to generate an audit trail for any captured document?  
The potential for a signer to repudiate an approval must be minimized.
  Does the automated system allow users to enter two passwords to approve any type of document collaboration for login and approval?
Requires that the electronic system must be validated     Does your Company have internal corporate policies and risk evaluations for validation? Are validation documentation, tools or solutions available with the vendor?  
Requires all users who have been approved to use the electronic system be sufficiently trained to perform their assigned duties.
  Does the system incorporate automated training capabilities that provide automatic triggers when an essential quality document is revised?
Does the system allow automation of follow-ups and escalations of past-due training tasks?
Does it create audit trials for all training data?
Document controls must provide revision controls, change controls, and time-based system modifications.     Is the vendor capable of working with the client’s internal processes and protocols to determine individualized 21 CFR part 11 compliance?  
Mandates that signed electronic records include the following data: name, date and time of signing, and meaning of signature.
  Does the system provide fields for all such required information as well as for supplementary information?
Electronic (and handwritten) signatures must be able to be linked to their corresponding electronic records.     Does the system allow linking every signature to a specified record?  

*Compliance areas:

Compliance area #1: Validation:  Computer systems such as “records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations” need to be validated.

Compliance area #2: Audit Trail: “Even if there are no predicate rule requirements to document, for example, date, time, or sequence of events in a particular instance, it may nonetheless be important to have audit trails, or other physical, logical, or procedural security measures in place to ensure trustworthiness and reliability of the records.

Compliance area # 3: Copies of records: Electronic systems should be able “to generate accurate and complete copies of records in both human readable and electronic form for inspection, review, and copying by the agency.”

Compliance area # 4: Record retention: The guidance document suggests that the record retention decision to be based on “how to maintain records be based on predicate rule 307 requirements and that you base your decision on a justified and documented risk assessment and 308 a determination of the value of the records over time.”

“In addition, paper and electronic record and signature components can co-exist (i.e., a hybrid8 317 situation) as long as 318 predicate rule requirements are met and the content and meaning of those records are preserved.”

More help

Given the ever-evolving nature of the industry trends and complex regulations, it is crucial for professionals in the life sciences industry to stay current with the regulatory requirements, and the technologies that support its implementation. Professional development helps you and your organization maintain constant inspection readiness.

To know more, you might wish to attend the webinar ‘How to Buy COTS Software, and Audit and Validate Vendors’. The instructor, David Nettleton is Computer System Validation’s principal, an industry leader, author, and teacher for 21 CFR Part 11, Annex 11, HIPAA, software validation, and computer system validation.

You may also wish to browse through our library of webinar resources for the life sciences industry.

Best Sellers
You Recently Viewed