Hello good people of the world! Today’s post is continuing the series on compliance in the cloud. Today’s post is a simple list of regulations and guidance that you can provide to someone who asks the question: why do we have to assess suppliers of computer systems/software? These are the reasons why!
FDA 21 CFR Part 820 Quality System Regulation (link)
Section 820.50 Purchasing controls
Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.
(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:
(1) Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
(2) Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
(3) Establish and maintain records of acceptable suppliers, contractors, and consultants.
EudraLex Volume 4 Annex 11: Computerised Systems (PDF)
Section 3 – Suppliers and Service Providers
3.2 The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment.
3.3 Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users to check that user requirements are fulfilled.
3.4 Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request.
Section 4 – Validation
4.5 The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately.
ICH Guideline Q9 on Quality Risk Management (PDF)
II.4 Quality Risk Management for Facilities, Equipment and Utilities
Computer systems and computer controlled equipment
To select the design of computer hardware and software (e.g., modular, structured, fault tolerance);
To determine the extent of validation, e.g.,
- identification of critical performance parameters;
- selection of the requirements and design;
- code review;
- the extent of testing and test methods;
- reliability of electronic records and signatures.
II.5 Quality Risk Management as Part of Materials Management
Assessment and evaluation of suppliers and contract manufacturers
To provide a comprehensive evaluation of suppliers and contract manufacturers (e.g., auditing, supplier quality agreements).
ICH Guideline Q10 on Pharmaceutical Quality System (PDF)
Section 2.7 Management of Outsourced Activities and Purchased Materials
- Assessing prior to outsourcing operations or selecting material suppliers, the suitability and competence of the other party to carry out the activity or provide the material using a defined supply chain (e.g., audits, material evaluations, qualification);
ICH Guidance E6 on Good Clinical Practice (PDF)
Section 5.5 Trial Management, data handling, and record keeping
5.5.3 When using electronic trial data handling and/or remote electronic trial data systems, the sponsor should:
(a) Ensure and document that the electronic data processing system(s) conforms to the sponsor’s established requirements for completeness, accuracy, reliability, and consistent intended performance (i.e., validation).
That’s it! Are there any I missed? Comment below!
Like this MWV (Mike Williamson Validation) blog post? Be sure to like, share, and subscribe!