10 Information Technology (IT) Compliance FAQs
Friday June 1, 2018
FDA compliance entails various aspects. In this blog we will explore questions and answers related to Information Technology (IT) compliance.
Q. What is the definition of Software Validation?
A. Software Validation consists of (1) documented evidence that software has been successfully tested for its intended uses, (2) procedural controls that govern the use of the system and protection of data, (3) training of users as evidenced in records, and (4) maintenance of Change Control.
Q. Is validation required for all Life Sciences companies?
A. Yes, it is required of all companies that submit their products to the FDA or other international regulatory authorities for approval. Validation produces test evidence that software operates to its intended uses.
Q. How long does it take to validate software?
A. The usage of the software will determine the length of time it takes to validate. A more robust usage will require additional time to develop and execute test scripts.
Q. Is software that is in the cloud already validated?
A. No, whether software is installed on a private server or deployed in the cloud, it still needs to be validated for its intended uses.
Q. Who provides security for my software in the cloud?
A. The primary security is the responsibility of the host provider; however, verification of security remains the responsibility of the Market Authorization Holder (MAH). For more information about the cloud and pharma companies, refer to our blog here: Why Pharmaceutical Companies Should Transition to The Cloud.
Q. Is FDA 21 CFR Part 11 the universal standard for IT Compliance?
A. No, FDA 21 CFR Part 11 applies to regulated products manufactured outside of the United States and shipped in, as well as products manufactured and distributed within the United States. IT Compliance regulations have become increasingly harmonized. However, each country’s specific regulations will apply.
Q. Is it required that a third party does my validation or can a company do this internally?
A. You do have the option to conduct this internally. However, it is considered a best practice to use a third party to ensure objectivity.
Q. Are Contract Manufacturing Organizations (CMO) subject to validation?
A. Yes, CMOs that manufacture regulated products are required to validate their software. However, the FDA places responsibility on the MAH to ensure validation of CMO software is completed and maintained.
Q. What is the FDA requirement for validation of Excel Spreadsheets?
A. Excel Spreadsheet data must be validated for accuracy of the data as well as adequacy of security and access controls.
Q. When completing software validation, are all functional uses of the software required to be validated?
A. No, certain functions such as financials are not required by FDA regulations to be validated. The functional processes related to product quality records are the scope of FDA regulations, e.g., sales orders, inventories, lot traceability, etc.
The Arbour Advantage
Arbour Group is a trusted regulatory advisor to over 250 pharmaceutical, medical device and biotechnology companies worldwide. Let us demonstrate how we can prove ourselves as a valuable business partner by delivering effective services that reduce compliance costs.