Warning Letter – Missing software validation and procedures at endoscopic instrument manufacturer

During an inspection of your firm located in Tuttlingen, Germany, on January 25, 2012, through January 27, 2012, an investigator from the United States Food and Drug Administration (FDA) determined that your firm manufactures non-powered endoscopic grasping/cutting instruments. Under section 201(h) of the Federal Food, Drug, and Cosmetic Act (the Act), 21 U.S.C. § 321(h), these products are devices because they are intended for use in the diagnosis of disease or other conditions or in the cure, mitigation, treatment, or prevention of disease, or to affect the structure or function of the body.

This inspection revealed that these devices are adulterated within the meaning of section 501(h) of the Act, 21 U.S.C. § 351(h), in that the methods used in, or the facilities or controls used for, their manufacture, packing, storage, or installation are not in conformity with the current good manufacturing practice requirements of the Quality System regulation found at Title 21, Code of Federal Regulations (CFR), Part 820.
We received responses from you dated February 7, 2012 and February 24, 2012, concerning our investigator’s observations noted on the Form FDA 483 (FDA 483), List of Inspectional Observations, which was issued to your firm. We address these responses below, in relation to each of the noted violations. These violations include, but are not limited to, the following:
7. Failure to validate computer software for its intended use according to an established protocol, when computers or automated data processing systems are used as part of production or a quality system, according to established procedure, as required by 21 CFR 820.70(i). For example, there are no procedures that describe the qualification and maintenance of the Majesty Enterprise Resource Planning (ERP) software for production planning and maintenance of quality records. There are no software verification and validation requirements defined in your firm’s procedures, and there are no records documenting that the Majesty system is validated or meets user needs and intended uses. The Majesty ERP software was updated to version 28.6 on approximately December 21, 2011, by the vendor; however, the review and approval of the software verification report was not approved until January 26, 2012. There are no procedures or documents that describe changes and version updates to the Majesty ERP system. There are no records that document the installation and first use date of version 28.2 in May 2011. There are no documents that define the system’s features and functions, operating environment, or hardware requirements.
Your firm’s responses dated February 07, 2012, and February 24, 2012, are not adequate. Your firm does not state if there are other software programs in use or if your firm plans to verify and validate other software programs. Your firm has promised to develop a new software verification and validation procedure and validate Majesty ERP software for its intended uses by April 13, 2012.
8. Failure to adequately ensure that, when the results of a process cannot be fully verified by subsequent inspection and test, the process is validated with a high degree of assurance and approved according to established procedure, as required by 21 CFR 820.75(a). For example, a review of your firm’s Quality Manual and other procedures disclosed that there were no references or procedures addressing equipment qualification and validation requirements. When the investigator asked your firm for an explanation, your firm confirmed that it does not have these requirements in its Quality Manual procedure or perform equipment qualification or validation of its in-house equipment or processes. This observation was not cited on the FDA Form 483. During the inspection, the investigator discussed this observation with your firm and your firm promised to correct it. (b)(4). Your firm’s responses dated February 07, 2012, and February 24, 2012, did not address the creation of a new procedure or the status of the two process qualifications.
9. Failure to establish and maintain adequate procedures to ensure that all purchased or otherwise received product and services conform to specified requirements, as required by 21 CFR 820.50. For example:
a) The procedure, “ (b)(4) (rev 1;20.01.12),” which addresses vendor selection qualification and requalification of suppliers, has not been implemented. There is no documentation that (b)(4), the supplier of Majesty software, was qualified or re‑qualified as a supplier. Your firm has been purchasing software from this vendor since 1996.
b) The requirements to requalify vendors in the purchasing procedure, “ (b)(4) (rev 1;20.01.12),” are based on the percentage of products received by your firm from the vendor. The (b)(4) threshold required by your firm to re-qualify vendors is not based on the vendor’s ability to meet specified requirements, including quality requirements. In addition, the criticality of the purchased product or service is not evaluated for determining the needs to requalify suppliers.
Your firm’s responses dated February 07, 2012, and February 24, 2012, are not adequate. Your firm’s responses do not specifically address the deficiency cited and do not provide copies of revised procedures. Your firm has promised to revise its procedure and to develop a new procedure for supplier re-validation by April 13, 2012. Your firm also plans to re-evaluate suppliers upon completion of its new procedure. In the interim, your firm plans to review records to ensure that all suppliers of products and services have been captured in the system.
