Inc. Soft Computer Consultants

Soft Computer Consultants, Inc.
Product: Class I/II software systems
Date: 4/30/2015

1. Failure to adequately establish procedures for CAPA as required by 21 CFR 820.100(a). Specifically,
A. Product Change Controls (PCCs) which are corrective and preventive actions for handling software coding defects do not always include investigating the cause of all nonconformities relating to product, processes and the quality system, and identifying action(s) needed to correct and prevent recurrence of nonconforming product and other quality problems. For example;
i. PCC-54168 dated 4/25/14 was a CAPA for investigating a software defect in (b)(4) for clients using the Results Reporting interfaces to send results to an (b)(4) or (b)(4)
system. The defect was that the interface fails to send the abnormal flags for Reference Lab test results. This affects the flag that indicates the result is abnormal. Caregivers, who rely on the abnormal flag rather than the results may come to an incorrect conclusion. The PCC- 54168 identified a software coding error as the assignable cause of this problem. Your firm also identified that the software interface between your software and other software was not fully tested. A mandatory software Hot Fix was created due to the severity of the failure mode. The mandatory Hot Fix led to a correction and removal (1058332-10/13/2014-002- C). This PCC did not include the following:
a. An analysis to determine if other software products manufactured have had similar failure modes due to lack of testing of software interfaces.
b. Software testing that was created for verifying this corrective action was not included in the repository of tests known as (b)(4) tests as required by your (b)(4) Testing Procedure, SOP TST_P005, to allow these tests to be run for future software changes.
http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2015/ucm448655.htm 2/8
6/3/2015 2015 > Soft Computer Consultants, Inc. 4/30/15
ii. PCC-52730 dated 12/31/13 was a CAPA for investigating a software defect in (b)(4) version (b)(4) when used with (b)(4) version (b)(4). The problem was that when an isolate is resulted without a SNOWMED code, the isolate information in the downstream system may be incomplete or missing. As a result, there is a potential for the delay or omission of patient treatment updates. Your firm identified a software error as the assignable cause of this problem. Your firm also identified that the software interface between the (b)(4) system and (b)(4) was not fully tested which would have identified the software defect. A mandatory software Hot Fix was created due to the severity of the failure mode. The mandatory Hot Fix led to a correction and removal (1058332-10/13/2014-001-C). This PCC did not include the following:
a. An analysis to determine if other software products manufactured have had similar failure modes due to lack of testing of software interfaces.

2. Failure to adequately establish procedures to ensure that all purchased or otherwise received product and services conform to specified requirements as required by 21 CFR
820.50. Specifically,
A. Quality contracts for the design contractors ((b)(4) & the (b)(4)) who perform design of software do not include a provision that the design contractors agree to notify your firm of changes in the product code or service so that your firm may determine whether the changes may affect the quality of the product provided.
B. According to the VP of Administration and the VP of Genetics and Anatomic Pathology (AP) who are both responsible for conducting supplier audits of the contractors in (b)(4) and in the (b) (4), the supplier audits of the facilities are reportedly to be conducted (b)(4). The supplier audits are divided into two categories Administrative and Technical. Administrative audits covered reviewing the Quality contract, verifying employee training and experiences are suitable at the respective contract facilities. Technical audits include auditing design projects, adherence to design control requirements, and adherence to standard operating procedures. Review of the documents provided identified the following:
i. There is no documented evidence that Technical supplier audits for the (b)(4) contract facility were conducted for 2012 and 2013. The Technical supplier audit conducted for September 2014 for the (b)(4) facility has not been reviewed or approved as required by your Conducting External Quality Audits Procedure, SOP AUD_P003.
ii. There are no corresponding Quality Audit Plans as required by SOP for any Technical supplier audits for the (b)(4) contracting facility for 2012, 2013, or 2014.

3. Failure to establish and maintain procedures for design change, as required by 21 CFR 820.30(i). Specifically,
A. The software changes made by your firm and the (b)(4) and (b)(4) contractors are not assessed by your firm to confirm that the design changes meet their intended use and conform to all of your requirements including all verification and validation activities. The following are examples:
i. The Hot Fixes used to correct design defects for (b)(6) that were part of the correction and removal submitted to FDA on or about 12/10/14. The software changes were made by the (b)(4) contractor.
ii. The Hot Fixes used to correct design defects for (b)(6) that were part of the correction and removal submitted to FDA on or about 11/4/14. A portion of the software changes were made by the (b)(4) contractor.
iii. The Hot Fixes used to correct design defects for (b)(6) that were part of the correction and removal submitted to FDA on or about 2/17/14. The software changes were made by your firm.
B. User requirements (design inputs) are not required by either your firm or any of your contracting organizations for any software custom scripts created that can be used as part of a software Hot Fix (software correction made to a customer). Hot fixes are used as an emergency or high priority change that needs to be made when the client or your firm cannot wait for the normal patch process for any product manufactured by your firm.
For example, the Hot Fix utility used to identify the design defects for (b)(6) did not include documentation of user requirements (design inputs) for the Hot Fix utility 1.18021.1. This Hot Fix utility for the (b)(4) software was used to identify defective records in the customer’s database and was a part of the correction and removal submitted to FDA on or about 12/11/14. Your Hot Fix Process, SOP G01D072, does not include any requirements for documenting design inputs for
http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2015/ucm448655.htm 5/8
6/3/2015 2015 > Soft Computer Consultants, Inc. 4/30/15
custom scripts.
4. Failure to establish and maintain procedures for design review as required by 21 CFR 820.30(e). Specifically,
There was no evidence to demonstrate that the Release notes for Hot Fix utility 1.18021.1 used to identify defective records in the customer’s database for software package (b)(4) were reviewed and approved. Under section 5.2d of your Release Note Processing Workflow Procedure, G04S1082, the product specialist or designee is required to review the release notes and place them in the published status prior to going live (release). This Hot Fix utility was part of a correction and removal submitted to FDA on or about 12/11/14. The Release notes are provided to the customer or your personnel for all software changes.

FDA District Office: Florida District

About the author

Amy enjoys researching and writing about developments in medical technology and how that intersects with US law. She received her J.D. from the University of Florida Levin College of Law in 2020 and now works as a Regulatory Associate for SoftwareCPR®, a general-purpose regulatory consulting firm that is recognized globally for their expertise with standards and national regulations pertaining to medical device, mobile medical app, and HealthIT software.

SoftwareCPR Training Courses:

Being Agile & Yet Compliant (Public)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for registration!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

3 days virtual (Zoom) with group exercises, quizzes, examples, Q&A.

Lead Instructor: Mike Russell

Next public offering: Dec 3, 4, & 5, 2024 – 12:00 pm to 5:00 pm CET

Register Now


 

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Call or email now to schedule a private, in-house class. The fall schedule is filling up!

Email training@softwarecpr.com to request a special pre-registration discount.  Limited number of pre-registration coupons.

Registration Link:

TBD

 


 

Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
USA
+1-781-721-2921
Partners located in the US (CA, FL, MA, MN, TX) and Canada.