Soft Computer Consultants, Inc.
Product: Class I/II software systems
Date: 4/30/2015
1. Failure to adequately establish procedures for CAPA as required by 21 CFR 820.100(a). Specifically,
A. Product Change Controls (PCCs) which are corrective and preventive actions for handling software coding defects do not always include investigating the cause of all nonconformities relating to product, processes and the quality system, and identifying action(s) needed to correct and prevent recurrence of nonconforming product and other quality problems. For example;
i. PCC-54168 dated 4/25/14 was a CAPA for investigating a software defect in (b)(4) for clients using the Results Reporting interfaces to send results to an (b)(4) or (b)(4)
system. The defect was that the interface fails to send the abnormal flags for Reference Lab test results. This affects the flag that indicates the result is abnormal. Caregivers, who rely on the abnormal flag rather than the results may come to an incorrect conclusion. The PCC- 54168 identified a software coding error as the assignable cause of this problem. Your firm also identified that the software interface between your software and other software was not fully tested. A mandatory software Hot Fix was created due to the severity of the failure mode. The mandatory Hot Fix led to a correction and removal (1058332-10/13/2014-002- C). This PCC did not include the following:
a. An analysis to determine if other software products manufactured have had similar failure modes due to lack of testing of software interfaces.
b. Software testing that was created for verifying this corrective action was not included in the repository of tests known as (b)(4) tests as required by your (b)(4) Testing Procedure, SOP TST_P005, to allow these tests to be run for future software changes.
http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2015/ucm448655.htm 2/8
6/3/2015 2015 > Soft Computer Consultants, Inc. 4/30/15
ii. PCC-52730 dated 12/31/13 was a CAPA for investigating a software defect in (b)(4) version (b)(4) when used with (b)(4) version (b)(4). The problem was that when an isolate is resulted without a SNOWMED code, the isolate information in the downstream system may be incomplete or missing. As a result, there is a potential for the delay or omission of patient treatment updates. Your firm identified a software error as the assignable cause of this problem. Your firm also identified that the software interface between the (b)(4) system and (b)(4) was not fully tested which would have identified the software defect. A mandatory software Hot Fix was created due to the severity of the failure mode. The mandatory Hot Fix led to a correction and removal (1058332-10/13/2014-001-C). This PCC did not include the following:
a. An analysis to determine if other software products manufactured have had similar failure modes due to lack of testing of software interfaces.
2. Failure to adequately establish procedures to ensure that all purchased or otherwise received product and services conform to specified requirements as required by 21 CFR
820.50. Specifically,
A. Quality contracts for the design contractors ((b)(4) & the (b)(4)) who perform design of software do not include a provision that the design contractors agree to notify your firm of changes in the product code or service so that your firm may determine whether the changes may affect the quality of the product provided.
B. According to the VP of Administration and the VP of Genetics and Anatomic Pathology (AP) who are both responsible for conducting supplier audits of the contractors in (b)(4) and in the (b) (4), the supplier audits of the facilities are reportedly to be conducted (b)(4). The supplier audits are divided into two categories Administrative and Technical. Administrative audits covered reviewing the Quality contract, verifying employee training and experiences are suitable at the respective contract facilities. Technical audits include auditing design projects, adherence to design control requirements, and adherence to standard operating procedures. Review of the documents provided identified the following:
i. There is no documented evidence that Technical supplier audits for the (b)(4) contract facility were conducted for 2012 and 2013. The Technical supplier audit conducted for September 2014 for the (b)(4) facility has not been reviewed or approved as required by your Conducting External Quality Audits Procedure, SOP AUD_P003.
ii. There are no corresponding Quality Audit Plans as required by SOP for any Technical supplier audits for the (b)(4) contracting facility for 2012, 2013, or 2014.
3. Failure to establish and maintain procedures for design change, as required by 21 CFR 820.30(i). Specifically,
A. The software changes made by your firm and the (b)(4) and (b)(4) contractors are not assessed by your firm to confirm that the design changes meet their intended use and conform to all of your requirements including all verification and validation activities. The following are examples:
i. The Hot Fixes used to correct design defects for (b)(6) that were part of the correction and removal submitted to FDA on or about 12/10/14. The software changes were made by the (b)(4) contractor.
ii. The Hot Fixes used to correct design defects for (b)(6) that were part of the correction and removal submitted to FDA on or about 11/4/14. A portion of the software changes were made by the (b)(4) contractor.
iii. The Hot Fixes used to correct design defects for (b)(6) that were part of the correction and removal submitted to FDA on or about 2/17/14. The software changes were made by your firm.
B. User requirements (design inputs) are not required by either your firm or any of your contracting organizations for any software custom scripts created that can be used as part of a software Hot Fix (software correction made to a customer). Hot fixes are used as an emergency or high priority change that needs to be made when the client or your firm cannot wait for the normal patch process for any product manufactured by your firm.
For example, the Hot Fix utility used to identify the design defects for (b)(6) did not include documentation of user requirements (design inputs) for the Hot Fix utility 1.18021.1. This Hot Fix utility for the (b)(4) software was used to identify defective records in the customer’s database and was a part of the correction and removal submitted to FDA on or about 12/11/14. Your Hot Fix Process, SOP G01D072, does not include any requirements for documenting design inputs for
http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2015/ucm448655.htm 5/8
6/3/2015 2015 > Soft Computer Consultants, Inc. 4/30/15
custom scripts.
4. Failure to establish and maintain procedures for design review as required by 21 CFR 820.30(e). Specifically,
There was no evidence to demonstrate that the Release notes for Hot Fix utility 1.18021.1 used to identify defective records in the customer’s database for software package (b)(4) were reviewed and approved. Under section 5.2d of your Release Note Processing Workflow Procedure, G04S1082, the product specialist or designee is required to review the release notes and place them in the published status prior to going live (release). This Hot Fix utility was part of a correction and removal submitted to FDA on or about 12/11/14. The Release notes are provided to the customer or your personnel for all software changes.
FDA District Office: Florida District
