I don't often write about Food and Drug Administration regulations, but IT Business Edge's Ann All brought Frank Scavo's The Enterprise Spectator to my attention recently. And earlier this month, Scavo had a word of warning for IT departments in companies regulated by the Food and Drug Administration. He said:
A recent U.S. Food and Drug Administration (FDA) letter [warned] a medical device firm for "failure to validate computer software for its intended use" under 21 CFR section 820.70(i). The systems in question are based on packaged enterprise software. The letter is a reminder that when such systems are implemented in regulated industries, it is incumbent on the user organization to ensure that such use is validated.
The packaged software at issue in this particular instance included Microsoft's SharePoint and a help desk support system by Front Range Solutions called HEAT. The FDA said the company had not adequately validated the software as it was being used in that environment.
It's not enough for the vendor selling the packaged software to say it is validated or to market it as FDA-compliant, Scavo said. In fact, if you see those terms in vender literature, they should be red flags. More than likely, the vendor is clueless as to what the FDA validation requirement really involves. He explained:
Technically, it is not the software itself that is validated, it is the software in its intended use that should be validated...Although a software vendor can support its customers' compliance -- by providing evidence of software quality, for example -- ultimately it is the responsibility of the user to ensure that the system itself, and how it is implemented, are appropriate.