3 CSV Questions for COTS Products
Over the past 10 years, the life sciences industry has seen a dramatic increase in commercial off-the-shelf (COTS) products available for use. Validation requirements for maintaining GxP compliance, however, have not changed much. COTS products have been used for everything from managing laboratory information to generating and signing electronic records to creating and submitting eTMFs and eCTDs. While COTS products can greatly reduce the burden of creating customized software or outsourcing its creation, questions keep arising about how to approach and manage validation requirements when your organization does not have control over every aspect of the product. While industry awaits the FDA’s highly anticipated guidance on computer systems assurance (CSA) to improve GxP compliance, Digiform Solutions can provide you with a starting point for how computer system validation (CSV) can move forward with your COTS products. Here are three questions to ask your organization when compiling CSV paperwork to help maximize GxP compliance:
1. What are my business requirements, and how will I translate those into functional requirements for my documentation?
Enumerating requirements for a requirements traceability matrix (RTM) becomes unexpectedly complicated when dealing with a COTS product. Many requirements you would normally include become irrelevant and untestable in this context. Including too many requirements in the RTM generates extensive testing requirements and can negate the upside of procuring a COTS product in the first place, so it’s important to scrutinize your list repeatedly and focus your testing efforts on the business and functional requirements that arise from testable configuration decisions.
2. How will I handle my IQ and OQ testing requirements?
This is an important question to ask your organization and your product vendor early in the project planning process. It’s likely that the vendor will be conducting IQ and OQ testing, but do you require additional documentation? What are your policies, or what is written within the master validation plan? Do you require your own script, perhaps referencing the vendor’s script? What about documentation for environment promotion? If the vendor conducts copying and installation, what type of documentation is produced and provided during the process? These are details that will make other documentation decisions easier down the CSV road.
3. How am I controlling configuration documentation passed between my organization and the vendor?
It’s likely that configuration documentation is created by the vendor, edited by your organization, shared with others, and updated in repeated cycles. What is the plan for capturing the most recent versions of the documents? Should this process be written down somewhere for clarity, perhaps in a validation plan or project charter? If a key employee were to quit tomorrow, another person should be able to step in and determine where the most up-to-date documentation is, where it’s coming from, and where it’s going. There should also come a time when the documentation is locked down, approved, and no longer updated except via change control.
With COTS products becoming more prevalent and helpful, CSV is becoming more complex. These are but three of a multitude of questions that arise when validating and managing COTS products. Check out our free 7 Questions for Validated SaaS Vendors for additional resources, or contact us today for a free consultation!