Q: We recently audited a prominent Electronic Data Capture (EDC) software vendor. We were discouraged to learn they’ve restructured their QA group such that the QA oversight role is greatly diminished.
For example, the vendor no longer schedules annual internal audits across the organization. Nor do they review validation documentation for their software products. Instead, audits are performed on an as-needed basis or only done when a group requests one.
What do you think FDA would say about this approach? Can you give us some information to dissuade the software vendor from taking it, and just as importantly, can you discuss its impact on our own operations?
A: First of all, it’s likely the software vendor is not regulated by the FDA. It depends on the use of the software. For example, if used as an e-medical record in addition to EDC, then it might be considered an FDA-regulated medical device.
But ultimately it’s up to you, the user, to determine the level of quality you expect from your software vendors. If the software isn’t regulated as a device, you should expect the vendor to at least comply with ISO/IEC 90003, the quality system standard for software development and engineering.
Assuming your vendor is not FDA-regulated, I think it comes down to these three considerations:
- If, during your vendor audit, you found no other problems beyond your concerns with their quality management system…
- And if you believe the vendor’s software is well designed, developed and documented…
- And if you believe the vendor is capable of finding and fixing their software bugs and informing their customers when necessary…
… then the vendor probably can justify this new approach, and it’s up to you to decide if you want to continue to do business with them under these conditions.
As a quality specialist yourself, you know that annual internal quality audits are a means to exercise quality control over a quality management system. Throwing out this measure usually results in a loss of control.
For this reason, I would not be surprised if the next time you audit the vendor, you find they have slipped in controlling their processes and products because of their new approach.
“Remind them that if their software somehow causes your product to be adulterated or misbranded, they can be held responsible by the FDA…”
What can you do to dissuade them? You could remind them that if their software somehow causes your product to be adulterated or misbranded, they can be held responsible by the FDA, even if they are not regulated directly by the Agency.
This scenario is covered under “prohibited acts”, Section 331(a) of the Food, Drug & Cosmetic Act:
“The following acts and the causing thereof [my emphasis added] are prohibited: (a) The introduction or delivery for introduction into interstate commerce of any food, drug, device, tobacco product, or cosmetic that is adulterated or misbranded.”
Also, Title 18, which is the U.S. criminal code, prohibits the submission of false information to the government, which could apply in a case where software is uncontrolled.
If your software vendor actually does fall within the FDA’s regulatory oversight, then the vendor’s lack of regular internal audits and software validation certainly would not be acceptable to the FDA.
The vendor might be able to justify a smaller quality unit with a corporate commitment to total quality management (all personnel are responsible for quality, have been trained to understand this responsibility, and have had it added to their job descriptions), but FDA still would likely scrutinize that approach very, very closely.
Answered by Denise Dion, Vice President of Regulatory and Quality Services for EduQuest, who served 18 years at the U.S. FDA as an expert field investigator and who was co-editor of FDA’s Investigations Operations Manual, which is updated annually as a resource for FDA’s own investigators. Denise also is the lead instructor for EduQuest’s training class on QSR Compliance Basics: Complying with FDA’s 21 CFR 820 Quality System Regulation.