There are many benefits to off-the-shelf software, but companies should be aware that they are also relinquishing control in some critical areas.

In the past decade, there has been a sea change in the business software domain. Many companies are no longer expending significant internal resources to develop software from scratch. Instead, they are opting for software that meets most or all of the business requirements as delivered “off the shelf” by a third party.

Commercial off-the-shelf (COTS) software is an extremely broad category that encompasses software that can be purchased and used with minimal or no configuration. There are virtually unlimited types of COTS software.

Some examples include resource planning applications, customer relationship management tools, and quality system databases for CAPA, complaint handling, auditing, and document control. It also comprises laboratory information systems, accounting software, and software embedded in medical devices.

There are many benefits to using COTS software. Foremost, it is the vendor that expends the resources to design, develop, test, and support the software. Often, the software vendor also has extensive expertise in the target market for the software and thus is able to incorporate functionality into the software to support best-practice methodologies. For certain types of COTS software, the vendor will also provide hosted software, which eliminates the need for the buyer to purchase and maintain servers and supporting hardware. Altogether, this can allow a company to implement tailored software more quickly and cost-effectively. But there are potential downsides to using COTS software as well.

One of the fundamental limitations of implementing COTS software is that a company typically does not have direct control over the software’s feature set, including what functionality is added, changed, or removed with each release. As a result, the company may not be able to dictate the schedule for the incorporation of business- or compliance-critical functionality in the system. In addition, the release schedule of the software is usually determined by the software vendor. The timing could lead to a forced upgrade of the software, either because the prior version is no longer supported or because the latest version will be pushed to all clients simultaneously, such as in a multi-tenant, hosted environment.

Lastly, the company is reliant on the vendor for the software system’s technical details, which can be critical to successful application integration and interfacing. Such details are also important for the troubleshooting and resolution of software issues that arise.

Although COTS software can virtually eliminate internal software development activities for a business, it presents a unique set of challenges and does not obviate the need to ensure compliance through software validation and procedural controls. One of the more common compliance challenges for businesses in the medical device industry is in the validation of COTS software. This article focuses on the validation of business and quality system COTS software. It also discusses other aspects of implementing such COTS systems that can have a significant effect on a company’s business.