During our recent webinar, Understanding, Achieving and Maintaining 21 CFR Part 11 Compliance, Shannon Roznoski, Director of Product Management at Forte, and Stuart Cotter, Product Manager at Forte, shared ways organizations can work with their vendors to successfully implement a validated system and maintain a compliant status throughout each upgrade. Here, Shannon and Stuart answer attendee questions on vendor audits, validation process requirements, how to determine when validation is necessary and more.
How do I determine if a system requires 21 CFR Part 11 compliance and validation?
Shannon: It is difficult to give specific advice because it depends on the regulated activities that you undertake and your planned use of the software. In general, a documented process for assessing and evaluating applications is a good idea. You can develop a worksheet or set of questions to evaluate the applicability and need for validation/part 11 compliance and document that assessment to provide during an audit. Some questions might include:
- Does the application store records electronically?
- Does it include electronic signatures?
- What records are being stored in the application?
- Will the application be the source for those records?
- Are the records considered required documentation under another FDA regulation?
- Are the studies being conducted and documented in the application under an IND or IDE?
Can a vendor audit be done remotely or does it need to be done in person?
Stuart: The vendor audit can be done onsite, however the audit can also be done as a bench audit, commonly referred to as a postal audit. If you’re doing the audit remotely, a lot of organizations will start with questionnaires that they send to the vendor to get any documentation and information about certifications the vendor does have. There’s typically some formal management meeting that is conducted to review the quality management system and SDLC documentation that the vendor does have. In speaking to that, it is common practice to allow auditors to view quality system documents and policies on-site; however, most organizations will not allow copies of these documents off-site. Vendors may allow viewing of such documents remotely via a web meeting. Regardless, they should be able to speak to those documents, as well as highlight items such as the table of contents and identify that they do have a process in place for SDLC processes, training their users, personnel management, etc. so you can satisfy that requirement. So, it’s really your organization’s decision based on risk to identify if you do want to have an in-person audit, onsite, or if you do a remote visit. Both are applicable when creating those audits for a vendor.
If I am implementing more than one validated system, can I reuse anything from the validation process?
Shannon: Many of our processes and procedures should be able to be written to apply to all systems that you validate. Processes such as training requirements, backup/recovery, and validation processes can apply to multiple products. You will likely also have some processes that are application specific, such as operational procedures for use of the specific system.
If I buy two products from the same company, do I have to validate twice?
Stuart: This goes back to the due diligence aspect of the validation process. If you’re purchasing two products that both fall under the 21 CFR Part 11 compliance regulation, the due diligence of the vendor is really at the vendor level, so you’re really identifying the processes that the vendor has across their software development lifecycle. Typically, that vendor audit is going to be something that you use across products, so that will be a one-time audit that you need to do initially to ensure the vendor has the correct SOPs in place and their manuals and procedures are up-to-date and all of them are applicable to your intended use of the system. From there, you can refer back to that vendor audit and ensure that’s what you’re using for the next product you purchase from that vendor.
Of course, there’s always a time component to any type of audit. So, it’s always good to review those audits, especially if you’re purchasing a new product, to ensure you’re linking the new validation packet to the previous audit you had conducted in some traceability matrix or traceability form. It’s also good to conduct an annual review to ensure you’re notified of any process changes for items like their back up and disaster recovery plan, so you both stay on the same page.
Want more answers?
Watch the free, on-demand webinar, Understanding, Achieving and Maintaining 21 CFR Part 11 Compliance, to learn more about the roles both organizations and vendors play during the validation process. Watch the recording today!