Sanji Bhal talks to Karim Kassam (Senior Director, Customer Success)
Every year, we speak with hundreds of scientists worldwide working in validated environments. And over and over, we’ve seen some compliance misconceptions arise.
When it comes to 21 CFR Part 11, many scientists’ experience with software deployment falls into two categories:
- Software was installed alongside new hardware (e.g., a new LC/MS instrument comes with a CDS)
- Informatics systems were integrated into the entire development workflow to directly submit regulatory reports and data (e.g., LIMS)
From experiences with these specific types of software, certain myths develop. We at ACD/Labs often advise clients about compliance as it relates to our software, so let’s use this post to bust some myths once and for all.
Myth #1—the vendor supplies validated software out-of-the-box
Validation is environment-specific. Hear it from the FDA: validation is “confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses in their environment” (italics ours).
Thus, software cannot be validated by the vendor. Instead, it must be validated:
- In the user’s environment
- Within their intended workflow
- As outlined in their organization’s standard operation procedures (SOPs)
Further, the entire system must be validated—not just each individual piece of software, but also interactions between software packages. The validation process includes:
- Installation qualification (IQ)
- Operational qualification (OQ)
- Performance qualification (PQ)
All these processes are documented to ensure that the software specifications conform to the user’s needs. The user may also audit the software vendor to confirm that they have a quality management system (QMS) and process.
Some vendors advertise “validated” or “pre-validated systems” on the basis that the customer can validate the system “as-is.” But this only works if the system is not specially configured or customized. Even then, the equipment must still be validated in the user’s environment and workflow. Thus, pre-validation mostly streamlines the process with readily available documentation.
Myth #2—software validation is performed by the vendor
This is an extension of Myth #1. Just as software cannot be validated outside of its use case, it cannot be validated without its users.
Vendors can certainly assist in validation by providing documentation and technical assistance for IQ, OQ, and PQ. They may also offer validation services like consultations, documentation, or more active involvement. Still, it is the ultimate responsibility of the user to validate that the system meets their requirements.
Like many vendors, we offer services to smooth the validation process. We partner with our customers, who remain a crucial part of the work. Read more about how we help you with software validation.
Myth #3—software used in a GxP environment must be 21 CFR Part 11 compliant
Software used in Good Laboratory Practices (GLP), Good Manufacturing Practices (GMP), and Good Clinical Practices (GCP) must have:
- An audit trail at the point in time when a record is first saved to durable media
- The audit trail must contain the date and time stamp of the change, the description of the change, the reason for the change, and the name of the person making the change
- The audit trail must not obscure previous values. Both the old and new values of a parameter must be recorded.
- Specific user accounts
- Forward compatibility for all files generated by the software
- Tamper protection for all records, including audit trail records
GxP compliance of software requires validation as discussed earlier, and 21 CFR Part 11 requires compliance with the established rules (i.e., GxP).
But not all software must be compliant. 21 CFR Part 11 compliance is only necessary for software that generates data submitted electronically in regulatory (e.g., FDA) filings. Such software must also include electronic signatures.
Software not directly involved in generation and submission of such data doesn’t require the same validation procedures. By distinguishing between necessary and unnecessary validation, you can save time while still producing compliant data and rigorous science.
Better understanding compliance
Compliance can be complicated. We hope we’ve dispelled some myths in this blog post, and helped you get a clearer idea of what you need the next time you deploy software in your laboratory.
We provide compliance-ready software for use in both GxP (good laboratory practice—GLP, good manufacturing practice—GMP) and 21 CFR Part 11 compliant environments. We have supported many customers through the complicated process of validation and managed successful software audits.
Compliance for laboratory software systems means consistent and reliable results to assure quality, traceability, integrity, and validity.
We can help you with installation of our software and solutions in regulated environments and are happy to provide an advisory level of support based on our experience.
Validation of Software on Spectrus® & Percepta® Platforms
- A quality management system (QMS) and processes are in place for self-directed validation of our software
- We can assist with the creation of installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ) scripts
GxP Compliance Features in Spectrus Applications
- Audit trail with date and time stamp, description of the change, and the name of the person making the change
- Specific user accounts
- Forward compatibility of files generated by the software
- Data storage in a secure database environment with protection against tampering
21 CFR Part 11 Compliance Features in Spectrus Applications
21 CFR Part 11 compliance is only necessary when you are sending electronic information directly from ACD/Labs software to regulatory authorities. The following feature is present and necessary to do so, from our software:
- Electronic signatures
Have questions or expertise to share? Leave us a message in the comments. ⬇