Sage X3 FDA Compliance Validation
FDA software validation is when an FDA-regulated company “establishes documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its predetermined specifications and quality attributes.”
While the FDA provides guidelines regarding software validation, it does not tell companies exactly how to do it. Each company must determine how to do so and provide evidence that is has been done and that the software meets FDA requirements.
And even though most software is purchased from a third-party, the third-party vendor is not responsible for validation. The responsibility lies with the company itself.
Who needs to validate software?
All companies in FDA regulated industries are legally required to validate software if that software could impact product quality, safety, or effectiveness. Sample industries include food and beverage manufacturers, pharmaceuticals, botanicals, medical devices, surgical instruments, dental equipment and supplies, ophthalmic supplies, and orthopedics to name a few (and the parts/ingredients used to produce these goods).
Even if you are not in an FDA regulated industry, validation is still a good idea for businesses that want to improve quality. FDA software validation helps manufacturers reduce risk and ensure their products are produced and distributed according to high quality standards.
How do you validate software?
Validating software involves establishing documented evidence that proves the software consistently meets predetermined specifications and quality attributes—that is satisfies its intended use.
The goal of validation is not only to prove the software works correctly and consistently, but to also identify, document, and mitigate any issues that could negatively impact production of regulated goods or their parts/ingredients.
Computer System Validation (CSV) Use Case with Performance Validation
Our partner, Performance Validation, has been serving the life science industries since 1988, and is a nationwide leader in providing validation, commissioning, and quality services for pharmaceutical, biotechnology, and medical device manufacturers.
Recently, a medical technology company was upgrading their enterprise resource planning (ERP) software system to the latest Sage X3 platform in order to improve their efficiencies in accounting, distribution, and manufacturing. They would be implementing the Sage X3 platform as a SaaS (Software as a Service) with a browser-based interface. The scope of the system implementation was to include warehouse, customer care, field service, purchasing, planning, manufacturing, document control, handheld scanner, and quality control components. Computer System Validation would be required to bring the system into FDA GxP compliance.
The company contracted Performance Validation (PV) to create a Computer System Validation (CSV) package for their new system. As a previous client, the company’s stakeholders were happy with the templates, format, and content of the validation package delivered by PV. At the client’s request, PV worked remotely to develop system documentation that would comply with the client’s internal procedures. The client also requested that on-site test execution would be performed, as necessary, to qualify peripherals and to get additional assistance from the client’s Subject Matter Experts (SME).
The PV Advantage
PV established reoccurring meetings with the client stakeholders to gain information for the creation of a validation plan and to complete assessments (Risk and 21 CFR Part 11). On completion of the system documentation, the PV team accelerated their effort toward writing of the test protocol to ensure adherence to the client’s timeline for implementation.
The following components detail the PV solution:
1. PV created a Validation Plan to outline the validation deliverables and the strategy for qualification testing. This document included:
- A System Risk Assessment was performed and documented following the ISPE GAMP 5 Guide. The software was assessed as a GAMP Category 4 (configured software), with low risk for both likelihood and severity of system component failures. Based on the results of the assessment, PV was able to right-size the qualification phase to focus on integrated testing of standard workflows and configured functionalities, rather than detailed quality testing of individual low-level software component details.
- 21 CFR Part 11 compliance assessment. PV understood the regulations, the FDA Guidance, and the preamble requirements. This assessment outlined areas of the software that needed to be addressed with a procedure (i.e., gaps) and was also used to create user requirements. A summary of how the gaps were addressed was also generated to include with the validation package.
- User roles and responsibilities were defined including limitations, exclusions, and assumptions.
- Requirements for procedural documentation governing security, business continuity, training, and overall validation management were listed.
2. PV created a User Requirements Specification document. The document was develop based on a client-provided spreadsheet list which listed the software requirements to support the business process of each affected department within the organization (example: accounting, warehouse, purchasing, etc..) as well as a list of the “end-to-end” processes.
- Requirements were developed over several rounds of stakeholder reviews and updates to sort out redundancies and refine the specific required software functionality. The PV team’s extensive years of experience in writing requirement documents for computer systems enabled them to write testable, concise, and repeatable requirements.
- At the client’s request, the PV team gave additional focus to requirements for several key user roles within organization. A user roles and permissions table was generated and included with the User Requirements Specification to ensure that system permissions satisfied the customer’s business processes, and that these permissions would be tested.
- Although the Sage X3 software platform is web-based and provided as a Software as a Service “SaaS”, PV identified several peripheral client access components to be included for validation.
3. PV generated initial drafts of the test protocols by exploring the software, help menus, and forums initially. The team then began scheduling time with individual SMEs for respective business areas for support in drafting the test scripts in a manner that ensured that the testing would be reproducible. Final drafts of all test protocols were entered into client’s document management system to be routed for approval.
4. PV sent a team member to the clients’ site to execute testing and to provide guidance, to facilitate review of executed test scripts, and to ensure expedient execution for the remaining user acceptance scripts. A second PV team member simultaneously performed off-site remote testing from the PV office location. It is worth noting that we have since performed several other Sage X3 validations completely remotely, without any onsite execution.
5. PV created a Requirements Traceability Matrix to document where each user requirement was qualified as evidenced by either testing or vendor documentation.
6. Concerns regarding the system and documentation were brought to the attention of the Quality Assurance department in a timely manner to ensure they were appropriately addressed as early as possible to avoid further remediation.
7. PV provided regular project status updates on progress of the validation deliverables, project budget, and risks to the project and schedule.
8. The team delivered a Validation Summary Report to record the delivery of all the planned validation deliverables and to detail how the clients’ documentation satisfied regulatory requirements.
The Sage X3 ERP validation was completed ahead of schedule, meeting the customer’s overall system implementation deadlines. The company gained awareness of gaps in their procedures and security and resolved them. PV completed the validation effort by practicing excellent documentation standards, testing processes, and a focus on the customer needs. This medical device company now has an ERP system that is compliant with FDA regulations for computerized systems.
Performance Validation provided the client with consultation through understanding the software, the stakeholders and their needs, and proposing the best fitting validation strategy for an Enterprise Resource Planning solution. Performance Validation’s experience with creating testable User Requirements from various inputs helped expedite that portion of the project. Experience testing user roles was also valuable to streamline the testing documentation.
For more information on computer system validation for FDA compliance, please contact us.