Auditing Software Suppliers (Part 1)

Introduction to Software Supplier Audits

This blog is the first of a series of planned articles on the process for quality system auditing suppliers of software and computerised systems. This blog concentrates on the GMP and Regulatory requirements for performing supplier audits, future posts are planned for discussing the auditing process.

A supplier quality audit can be a critical phase of any project.

The audit should be performed at the earliest possible stage in the project and should support vendor selection. A supplier with a strong Quality Management System (QMS) is likely to require less governance than one without, therefore reducing costs to the regulated business.

The output of the supplier audit should

• Determine the level of governance by the regulated company
• Identify potential risks to the project due to gaps in the vendor QMS
• Build a common quality understanding / partnership between the supplier and the vendor.

The software development lifecycle is key to ensuring the success of any automation or computer related software project.
Determining which suppliers require a quality audit should be determined on a risk analysis of the system to be purchased and installed and should consider:

• use of the system and risk to patient safety
• importance of the system to the business (business risk)
• complexity
• need for modify (maintenance and development by those other than the original developers

Industry Guidance for Software Supplier Audits

The Good Automation Manufacturing Practice (GAMP) has long provided the guidance to industry on Computer Systems Validation (CSV) and including supplier audits for software systems.
In GAMP4 the guidance was clear that for Firmware (Category 2) and Commercial Off the Shelf Software (Category 3) supplier audits were not a requirement. GAMP5 moves away from relating the auditing process from categories of software but to be determined on risk.
ASTM2500-7 guidance states:
"6.8.1 Vendor documentation, including test documents may be used as part of the verification documentation providing the regulated company has assessed the vendor, and has evidence of (6.8.2.1) an acceptable vendor quality system,"

Regulatory Requirements

EU Annex 11
The software is a critical component of a computerised system. The user of such software should take all reasonable steps to ensure that it has been produced in accordance with a system of Quality Assurance.
FDA
Regulatory documents from the FDA for the pharmaceutical / biotechnology industry (21 CFR 211, 21 CFR part 11, etc) do not have a specific requirement for auditing suppliers of computerised systems. However in the guidance to industry for medical device there are references to supplier audits.
However ICH Q9 (Quality Risk Management), adopted by the FDA provides guidance for determining the level of qualification based on risk. Risk can be identified and mitigated through the supplier audit process.