Introduction
A software vendor audit is a prerequisite to using a software application for regulatory purposes. In this article, I will explain the importance of performing software vendor audits, some of the challenges, and what areas to target during an audit. Software vendor audits are an integral part of your quality system. There are two reasons why software vendor audits are an integral part of your quality system. First, software vendor audits are a requirement of the quality system. Secondly, software applications either have a direct impact to patient safety or an indirect impact to patient safety. The second point leads us into why software vendor audits are so crucial.

Importance of software vendor audits
The main reason why software vendor audits are so important is ultimately patient safety. As mentioned earlier, software applications used for regulatory purposes can have a direct impact or indirect impact on patient safety. Therefore, it is essential that we not only validate them for their intended use, but evaluate the software development behind the finished product. Software applications used for regulatory purposes must be reliable and perform consistently in order to avoid data integrity issues. The integrity of the data created, processed, stored, and archived in these regulated software applications is paramount. Furthermore, the security of the software application is just as important. 21 CFR Part 11, Electronic Records and Electronic Signatures helps ensure both data integrity and adequate security. 21 CFR Part 11 leads me into the next section of common challenges with software vendor audits.

Common challenges with software vendor audits
The biggest challenge associated with software vendor audits is verifying 21 CFR Part 11 compliance. Often times software vendors claim their application is 21 CFR Part 11 compliant because they have an audit trail or because they know Part 11 is a buzzword that attracts potential clients. I find that in most cases, software vendors that claim their respective application is Part 11 compliant simply do not understand Part 11. Consequently, they end up with a software product that is not 21 CFR Part 11 compliant. Here is a very important point to consider. Although a software vendor may have all of the 21 CFR Part 11 functionality built into their application, it is invalid if the software vendor does not show objective evidence. In other words, the vendor must test all of the 21 CFR Part 11 functionality and provide objective evidence. An example of objective evidence is a screenshot of a test result. Time and time again, software vendors fail to test their Part 11 functionality.

Another crucial point is that just because the vendor tested for Part 11 in their environment, does not preclude you from testing 21 CFR Part 11 requirements in your environment. The same holds true for the reciprocal. If the vendor has not tested for Part 11, does not mean that your testing will suffice. At the end of the day, the FDA wants to see 21 CFR Part 11 requirements tested by both parties in their own environments.

Read More....