What are they thinking?

MEDICAL DEVICE 21 CFR PART 820 (The Regulations)
1

In a world where some of us are trying to encourage a common sense
approach to validation- and believing that the FDA supports such
thinking- why would the FDA issue a Warning Letter yesterday
containing this little gem?

"2. Failure to assure that when computers or automated data
processing systems are used as part of the production or quality
system the manufacturer shall validate computer software for its
intended use according to an established protocol, as required by 21
CFR 820.70(i). For example, electronic records are used, but there
was no software validation. No procedures are established to
validate for its intended purpose the Microsoft Word or Microsoft
Excel software used in creating and maintaining nonconformance
records, product return records, internal audit corrective action
records, or preventive action records.

We have reviewed your response and have concluded that it is
inadequate because off-the-shelf software must be validated for its
intended purpose. You have stated that a review will be conducted of
the existing forms and an implementation of a new record control
system to meet FDA requirements will be pursued. A new system may
not be necessary; however, no procedures have been submitted for
review and no timetable for corrective action and response was
indicated. "

Now- maybe it is just poorly worded. Maybe the device manufacturer
had lots of complex macros that had not been validated. Maybe they
had not recorded the installation details for these apps…
but, anyone could be forgiven for thinking that the FDA want
legions of consultants sitting about at every company (i.e. multiple
repetitions of testing) verifying that B1+B2=B3, that Word is able
to print accurately and other redundant nonsense.

Word and Excel are probably the most tested software applications in
history. If the cliche “risk-based validation” means anything- it
has to mean that we accept these platform applications as being of
negligible risk in 99.9% of situations.
Perhaps the agency meant something more subtle than I am
interpreting, but if so- they missed a golden opportunity to either
be explicit or to say nothing.

Money diverted towards such non-productive activity, is money
diverted away from addressing real concerns. Such statements from
the FDA encourage cynicism that this validation stuff IS a waste of
time. Does the agency management not realize the extent to which
Warning Letters are examined to predict future enforcement behavior?
Are they deliberately trying to undo 4 years of effort to try to
encourage risk-averse companies/individuals to embrace pragmatism?

2

[quote=orlando]In a world where some of us are trying to encourage a common sense
approach to validation- and believing that the FDA supports such
thinking- why would the FDA issue a Warning Letter yesterday
containing this little gem? [/quote]

Yes, I have to agree, this is extremely VERY poor. I suspect the quality, training and experience of inspectors, varies tremendously… maybe they were trainees? I have seen them [trainees] used in the past myself!

3

The FDA has made it clear, time and time again, that any application running on an operating system must be validated - no matter how large or small.
They also require you to log the operational system identity (Title - Author - Date of Issue and Issue level - as available) and hold it subject to change control. Meaning that as fixes come through for the operating system; the implications for the application programs must be reviewed and documented.
Alex

4

So if you have a pacemaker implanted and the software needs to be upgraded, you would not care if the changes were validated?

I don’t want to get totally defensive of the FDA but there are valid reasons for at least most of their policies. I think industry tends to jump to worst case rather than understanding the spirit. Unfortunately, that’s where things break down - on both sides of the fence. Plenty of auditors don’t try to see if the spirit is being met.

It’s my understanding that a thorough risk analysis goes a long way for supporting whatever you choose to do. For example, if you have an OS change on a product that is not life sustaining, you might do a risk analysis to show that the OS changes pose no threat to use. Then, you do a very minimal validation, say, just verify key requirements are not impacted. The combination of the risk assessment and the minimal validation should give you pretty solid footing.

5

After thinking about the issue, i think what FDA has said is a in a very rulebook following dictum. Common sense will show that this is very absurd but FDA is all about rules and regulations. I agree that MSWord and MSExcel are pprobably the most tested applications in human history.

A middle way approach will be doing some black box functional testing for the MSWord and MSExcel so as to show that the reports or calculations or any other function they are fulfilling is being done accurately… period. I would not suggest validating them but only validating their functions. This can atleast avoid warning letters.