Q: As you know, off-the-shelf coding tools are used during various stages of software development. Among them are some tools used to manage quality standards as defined in the organization QMS. An example would be SonarQube, used to manage code quality.
Does FDA treat these coding tools as GxP-regulated? Could the output generated from these tools be within the scope of regulatory inspections?
A: FDA does indeed treat these coding tools as GxP-regulated.
And yes, the output generated from these kind of tools could be within the scope of regulatory inspections.
Even tools that are off-the-shelf must be validated for their intended uses.
Even tools that are off-the-shelf must be validated for their intended uses. You or the company defines the intended uses; then you must assure that the tools — as used in your systems — meet those intended uses.
Be careful about looking at validation too narrowly. Remember that proper validation includes not only the software but also the hardware, processes, and people who are part of the computerized system.
Answered by Jan Olson, Vice President of Regulatory and Quality Services for EduQuest, who served 22 years at the U.S. FDA as an expert field investigator and was the Director of Information Management Resources for FDA’s Atlanta regional office. Jan is the co-instructor of EduQuest’s FDA Auditing of Computer Systems and Part 11/Annex 11 Compliance training class.