The role of validation and compliancy in vendor selection

IT suppliers who wish to sell software, hardware or services to pharmaceutical companies should be aware of the impact their products or services can have and of the crucial role this plays in vendor selection. Compliance Policy Guide Section 425.200 (as described below) clearly defines the responsibility of IT vendors.

  • Ben Claes
  • 9 May 2014




CPG Sec. 425.200 Computerized Drug Processing; Vendor Responsibility

Computer systems used in the production and control of drug products can consist of various devices (hardware) and programs (software) supplied by different vendors, or in some cases by a single vendor. It is important that such computer systems perform accurately and reliably, *and* that they are suitable for their intended use. Questions have arisen as to the vendor's responsibility in assuring computer systems performance and suitability. When an integrated system, composed of elements from several different vendors, fails, it can be especially difficult to attribute the cause of a problem to one particular vendor.

POLICY: The end user is responsible for the suitability of computer systems (hardware and software) used in manufacture, processing or holding of a drug product. *The vendor may also be liable, under the FD&C Act, for causing the introduction of adulterated or misbranded drug products into interstate commerce, where the causative factors for the violation are attributable to intrinsic defects in the vendor's hardware and software. In addition vendors may incur liability for validation, as well as hardware/software maintenance performed on behalf of users.* (*Material between asterisks is new or revised*)

Issued: 1/18/85 Revised: 9/4/87

Consider that software vendors and service providers are also subject to compliance with these strict rules. They must comply with these regulations and need to prepare for possible audits (from their clients or regulatory agencies). Those who build systems or manage ICT for pharmaceutical companies should be aware of their responsibilities as required by the FDA Compliance Policy Guide regarding the “Vendor Responsibility”.

Pharmaceutical companies have been screening suppliers for several years on their knowledge and experience in the areas of validation, qualification and data safety. These elements are playing an increasing role in vendor selection. The main challenge here is that the pharmaceutical industry expects its vendors to help it achieve its compliance (regulatory) objectives at the lowest possible cost.

Validation/qualification is a crucial component of software implementation or outsourcing of (ICT) services. The FDA considers it the provision of objective evidence that the system or service meets the specifications and the intended use. Deviations can impair the integrity and safety of clinical, health and drug-related data. This could lead to poor decision making, which may in turn threaten consumer and patient safety.

In an ideal world, pharmaceutical companies and their vendors would collaborate on achieving this common goal. In reality, however, it is a topic that instills fear (auditee versus auditor), which in turn inhibits collaboration.

How can a vendor make an important contribution to this process?

  • Support open communication on compliance and validation topics and address these as soon as possible. This could be as early as the sales negotiations.
  • Data integrity and protection must be considered thoroughly during specification and development.
  • An internal quality system for compliance should be in place and take into account the prevailing trends and best practices such as GAMP.
  • The quality way of thinking should become an integral part of the vendor's processes.
  • Validation documentation should be created for systems that might be implemented in GxP-critical environments.

The set of documentation consists of the following documents:
 1) Description of the scope of the project, to judge the validation expectations correctly.
 2) Assessment of the potential GxP, business and operational risks (e.g. items that could cause a product recall, or the potential impact on product quality, such as the effect of the active ingredient, purity or other critical parameters).
 3) 21 CFR Part 11 applicability: does the software store GxP-critical data or data that is required by regulators under a predicate rule?

For suppliers that are CMMI and ISO certified, most of the compliance requirements for processes and systems are already in place.
The FDA regulation in this area, the "Principles of Software Validation", is derived from established industry standards in the field of software engineering. The only differences include size, perspective, strict risk management, security, testability, traceability, configuration, change management, control, and, last but not least, the audit trails. It is therefore important that procedures and methods are put into place.

It must not be forgotten that when critical defects do emerge, (IT) vendors may be considered partly liable according to the “Food, Drug & Cosmetic Act” as described above. Blind adherence to mere checklists, misinterpretation of regulatory requirements, and poor and inadequate documentation must be avoided at all costs.