Validation & CFR Part 11 - FDA

I think the following article should be required reading for any quality control manager or auditor in the medical vertical dealing with validation protocols, CFR Part 11 requirements, and cloud-based ERP systems:

As you know, Cetec ERP is a web-based “SaaS” ERP system that is particularly well suited for medical device manufacturing. As such, we regularly get requests related to software “validation” requirements of CFR Part 11.

As background, the above article is very helpful to understand how these requirements come to bear on newer “SaaS” models of software delivery.

Short summary of the article's message: a lot of the computer systems validation standards (e.g. CFR Part 11) were written around the constraints of older technology and archaic models of software delivery and maintenance. Delivering ERP under a SaaS model fundamentally changes the whole picture.

Per CFR Part 11, every time there is a software change or upgrade, it must be validated (so that “inputs” generate expected “outputs” in the software).

However, with a SaaS model, upgrades are continual, i.e. part of the service. New releases happen constantly (every 12 weeks) and indefinitely as long as you are a Cetec ERP subscriber (unless, of course, you are hosted on a local server or a dedicated cloud instance outside of our normal multi-tenant Google Cloud Compute environment).

Thus, the idea with SaaS is that validation should be constant and continuous and indefinite as well.

Fortunately, along with the SaaS model, this is a more modern, efficient, and flexible technology-based ERP system. One of the things that goes along with modern software development and maintenance is called “Unit Tests” - http://softwaretestingfundamentals.com/unit-testing/ - more information on this can be found in response to your question about “installation method” and “installation procedure” below.

The way we foresee solving this requirement for medical/FDA companies in the future is:

  • deploy unit tests (many of which already exist as part of our software code base) on a regular basis (nightly, weekly, or only after new releases)

  • write the results of those tests (i.e. inputs tested and results/outputs logged) to a text file

  • deploy the text file to somewhere you can access it in your Cetec ERP system

Caveats! Notably, we may deploy unit tests on what we would consider the most business-critical actions and transactions across the ERP system. However, what’s still missing from this is an FDA auditor to sign off on whether the range of actions being tested/logged by the unit test suites has sufficiently broad/thorough coverage. (It’s possible we could extend our unit test coverage and reporting according to feedback from an auditor on that as needed.)

The benefit there is that you don't have to manually go through the process of validating test transactions and their results internally, nor pay a third party to manually go through a series of transactions and systematically log their inputs/outputs every time there’s a new release of Cetec ERP. This was formerly, in effect, the overhead of maintaining 21 CFR Part 11 compliance for validation.

Ideally, with modern unit tests and the scripting/deployment of their results, we would be able to go above and beyond the standards of manual computer systems validation, i.e. something auditors would be even more happy with than the manual route.

We believe an auditor would be very pleased to see automatically provisioned unit tests logged in the software as extensive validation points, regular and recurring (automatic).

However, even with the new unit test input/output documentation auto-posting features, we do NOT want to assert that those unit tests will constitute what qualifies as FDA approved. We would envision that our automated test writing inputs/outputs would represent a piece of your validation portfolio; Cetec ERP recommends that you have a test structure in place to validate necessary processes dictated by your auditor any time a new release occurs (e.g. when Cetec ERP does new releases every 12 weeks, we release first to your “beta” environment a few weeks before “live”).

Furthermore, it’s also important that you and your FDA / CFR Part 11 auditor understand that upgrades happen fluidly and consistently, and that our releases are occasions for more major changes, not restrictions on when changes will be deployed. For more information on this, please see the “installation method and installation procedure” section below.

We would love to know your thoughts and experience with software validation and CFR Part 11. Comment on this thread!

One more quick note on installation method and installation procedure insofar as it relates to CFR Part 11 requirements.

Cetec ERP leverages modernized “continuous integration” and “continuous deployment” to install new updates to Cetec ERP.

Here is some background reading on that technology:

Continuous Integration and Delivery
Continuous Integration (CI) is the practice of building and testing the application on each update. By working in small increments, errors are detected earlier and promptly resolved.

Once integration is complete and all tests have passed, we add Continuous Delivery (CD) to automate the release and deployment process.

A project that uses CI/CD can make more frequent and reliable releases. We use Continuous Integration and Delivery (CI/CD) to automate the whole process:

  1. Install project dependencies.
  2. Run unit tests.
  3. Build a Docker image.
  4. Push the image to Hub.
  5. Kubernetes deployment.

We do not have any documented processes for the performance and maintenance of the Cetec ERP software application itself.
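
The three-step approach listed earlier (run unit tests, write the inputs tested and outputs logged to a text file, publish the file) can be sketched as follows. This is an added example, not Cetec ERP's code: `extended_price`, the `VAL-` case ids, the log layout and the trailing SHA-256 line are all assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical business rule standing in for an ERP transaction under test.
def extended_price(qty, unit_price, discount_pct=0):
    """Line total in cents after a percentage discount (constructed example)."""
    return round(qty * unit_price * (100 - discount_pct) / 100)

# Constructed validation cases: (case id, function, inputs, expected output).
CASES = [
    ("VAL-001", extended_price, {"qty": 10, "unit_price": 1250}, 12500),
    ("VAL-002", extended_price, {"qty": 3, "unit_price": 999, "discount_pct": 10}, 2697),
]

def run_validation(cases, release, now=None):
    """Run each case; return log lines with inputs, expected and actual outputs."""
    now = now or datetime.now(timezone.utc)
    lines = [f"release={release} run_at={now.isoformat()}"]
    for case_id, func, inputs, expected in cases:
        try:
            actual = func(**inputs)
        except Exception as exc:  # a crash is logged as a failure, not dropped
            actual = f"ERROR {type(exc).__name__}: {exc}"
        status = "PASS" if actual == expected else "FAIL"
        lines.append(
            f"{case_id} {status} inputs={json.dumps(inputs, sort_keys=True)} "
            f"expected={json.dumps(expected)} actual={json.dumps(actual)}")
    return lines

def seal(lines):
    """Append a SHA-256 digest of the log body so a later change is detectable."""
    body = "\n".join(lines) + "\n"
    return body + "sha256=" + hashlib.sha256(body.encode()).hexdigest() + "\n"

def verify(text):
    """Return True if the trailing digest line matches the log body above it."""
    body, _, tail = text.rstrip("\n").rpartition("\n")
    return tail == "sha256=" + hashlib.sha256((body + "\n").encode()).hexdigest()

def write_log(path, cases, release):
    """Write the sealed log to a text file and return its contents."""
    text = seal(run_validation(cases, release))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return text
```

The digest only shows whether the file still matches what was written; keeping a copy of the digest outside the file, or signing it, is what lets a reviewer rely on it.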