FDA and Global Guidance for Computer and Software ... · PDF file1 US FDA and Global Guidance for Computer and Software Validation Orlando López GAMP Data Integrity SIG SME April

1

US FDA and GlobalGuidance for Computer and

Software Validation

Orlando LópezGAMP Data Integrity SIG SME

April 27, 20151

Disclosure

The opinions expressed during thispresentation are those of the presenter.

2

2

Objectives

How do US FDA drug and device relatedcomputer system regulations compare?

Review US FDA and global computersystems compliance regulatoryrequirements and guidelines.

Present a “new” approach to computercompliance.

3

References

Fry, Edmund M, “FDA Regulation of ComputerSystems in Drug Manufacturing,” PharmaceuticalEngineering, Sep/Oct, 1988.

López, O., “FDA Regulation of Computer Systems inDrug Manufacturing – 13 Years Later,”Pharmaceutical Engineering, May/Jun 2001.

López, O., “Regulations and Guidelines of ComputerSystems in Drug Manufacturing – 25 Years Later,”Pharmaceutical Engineering, Jul/Aug 2013.

4

3

References

http://www.computer-systems-validation.net/annex11crosswalk.html

The Crosswalk relates Annex11 guidelines to other officialregulations, standards and guidancedocuments.

5

References

López, O., “EU Annex 11 and the Integrity ofErecs”, Journal of GxP Compliance, Volume18 Number 2, May 2014.

López, O., “A Computer Data IntegrityCompliance Model”, PharmaceuticalEngineering, March/April 2015.

López, O., “Trustworthy Computer Systems”,Pharmaceutical Engineering, xxx/xxx 2015.

6

4

References

O. López, “EU Annex11 Guide to ComputerValidation Compliancefor the WorldwideHealth Agency GMP”,CRC Press, April 2015.

http://www.crcpress.com/product/isbn/9781482243628

ISBN 9781482243628

7

REGULATIONS ANDGUIDELINES TIMELINE

8

5

Relevant Regulations andGuidelines

21 CFR Part 211.2(b), June 1963.

21 CFR Part 211.68 (1976) and820.70(i) (1997).

CDER Guide to Inspection ofComputerized Systems in DrugProcessing, January 1983.

FDA CPGs (1982-87).

9

Compliance Policy Guides

• CGMP Applicability To Hardwareand Software (CPG 7132a.11) ’84

• Input/Output Checking(CPG 7132a.07) ’82

• Identification of "Persons" on BatchProduction and Control Records(CPG 7132a.08) ‘82

• Vendor Responsibility(CPG 7132a.12) ‘85

• Source Code for Process ControlApplication Programs

(CPG 7132a.15) ‘87


21 CFR Part 211.2(b), June 1963.

21 CFR Part 211.68 (1976) and820.70(i) (1997).


FDA CPGs (1982-87).

Annex 11 (Rev 0), January 1992.

PDA’s Technical Report 18, Validationof Computer-Related Systems,January-February 1995.

GAMP 1, March 1995.

APV Guideline "ComputerizedSystems" based on Annex 11 of theEU-GMP Guideline, April 1996.

10

6


21 CFR Part 211.2(b), June 1963.

21 CFR Part 211.68 (1976) and820.70(i) (1997).


FDA CPGs (1987).


PDA’s Technical Report 18,Validation of Computer-RelatedSystems, January-February 1995.

GAMP 1, March 1995.

APV Guideline "ComputerizedSystems" based on Annex 11 of theEU-GMP Guideline, April 1996.

21 CFR Part 11, March 1997.

General Principles of SoftwareValidation; Final Guidance for Industryand FDA Staff, January 2002.

Guidance for Industry Part 11,Electronic Records; ElectronicSignatures — Scope and Application,August 2003.

PIC/S, PI 011-3, Good Practices forComputerised Systems in Regulated“GXP” Environments, September2007.

21 CFR Part 211.68 (2008).


MHRA, GMP Data Integrity Definitionsand Guidance for Industry, March2015.2008

GAMP 5

2002 FDARisk Based Approach

11

MAXIMS

7

Computer ComplianceMaxims

FDA doesn’tregulate computersystem performingGMP functions.

– Hardware itself issubject to the GMPrequirements thatapply to equipment.

– Software itself issubject to the sameGMP requirementsapplicable to SOPs.

FDA regulates drugmanufacturers anddrug products.

Any computer canbe used as long asthe intended use isdemonstrated.

Fry, Edmund M, “FDA Regulation ofComputer Systems in DrugManufacturing,” PharmaceuticalEngineering, Sep/Oct, 1988.

CGMP Applicability To Hardwareand Software (CPG 7132a.11)

Data Compliance Maxim

Regulatory requirements for data do notchange whether data are captured onpaper, electronically, or using a hybridapproach.

8

HOW DO US FDA DRUG AND DEVICEREGULATIONS COMPARE?

15

GMP

Medical Devices

– Quality SystemSoftware

– Device ProductionSoftware

– Medical DevicesSoftware

Pharma/Bio

– Quality SystemSoftware

– Pharma/BioProduction Software

16

9

US MEDICAL DEVICESREGULATIONS

17

GMP Medical Devices

Quality System Software and DeviceProduction Software

– 21 CFR 820.70(i), Automated Processes

– 21 CFR 11

Medical Devices Software

Medical Device Data Systems

820.30(c) 820.30(g)

820.30(i) 820.40

18

10

Requirements

21 CFR 820.70(i)– Validate computer software for its intended use

according to an established protocol.

– All software changes shall be validated beforeapproval and issuance.

– These validation activities and results shall bedocumented.

– US FDA, “General Principles of SoftwareValidation; Final Guidance for Industry and FDAStaff”, CDRH and CBER, Jan 2002.

21 CFR 11 (See Pharma/Bio)19

Requirements

21 CFR 820.30(c)

– Design Inputs

– Requires a mechanism for addressingincomplete, ambiguous, or conflictingrequirements.

20

11

Requirements

21 CFR 820.30(g)

– Design Validation

– The device software (embedded software)in a medical device is validated to assure itperforms as intended.

21

Requirements

21 CFR 820.30(h)

– Design Transfer

– Manufacturers are prepared to provideevidence that the software used forduplicating the device software, and thesoftware used in automated manufacturingor QA, meet the software designspecifications.

22

12

Requirements

21 CFR 820.30(i)

– Design Changes

– Any changes to a computer systemincluding system configurations shouldonly be made in a controlled manner inaccordance with a defined procedure.

23

Requirements

21 CFR 820.40

– Document Control

– Any changes to a computer systemincluding system configurations shouldonly be made in a controlled manner inaccordance with a defined procedure.

24

13

Requirements

21 CFR 880

– Feb 2011

– Medical Device Data Systems

» are intended to transfer, store, convert fromone format to another according to presetspecifications, or display medical device data.

» perform all intended functions withoutcontrolling or altering the function orparameters of any connected medical devices.

» is not intended to be used in connection withactive patient monitoring.

25

MEDICAL DEVICESGUIDELINES

26

14

US FDA Medical DevicesGuidelines

Off-The-Shelf Software Use in Medical Devices, Sep1999.

General Principles of Software Validation; Final Guidancefor Industry and FDA Staff, CDRH and CBER, Jan 2002.

Radio Frequency Wireless Technology in MedicalDevices, Aug 2013.

Mobile Medical Applications, Feb 2015.

Medical Device Data Systems, Medical Image StorageDevices, and Medical Image Communications Devices,Feb 2015.

27


Cybersecurity

– Cybersecurity for Networked Medical DevicesContaining Off-the-Shelf (OTS) Software, Jan 2005.

– US FDA, Content of Premarket Submissions forManagement of Cybersecurity in Medical Devices, Oct2014.

28

15


Blood Establishments

– Blood Establishment Computer Crossmatch, Dec2011.

– Blood Establishment Computer System Validation inthe User's Facility, Apr 2013.

29

International Medical DevicesGuidelines/Standards

http://ec.europa.eu/enterprise/policies/european-standards/harmonised-standards/medical-devices/index_en.htm

http://www.emergogroup.com/resources/regulations

IEC 62304 Medical Device Software DevelopmentLifecycle.

ISO 14971-2012 Medical Devices - Application of RiskManagement to Medical Devices.

.

30

16

Other Computer relatedMedical Devices

Regulations/Guidelines EC, Green Paper on mobile Health ("mHealth“), Mar 2014.

TGA Regulation of medical software and mobile medical'apps‘, Sep 2013.

MHRA

– MHRA - Blood Bank Electronic Issues

– Guidance on medical device stand-alone software

– Guidance on the regulations for electronic instructions foruse of medical devices

31

US GMP PHARMAREGULATIONS

32

17

GMP Pharma

Quality System Software andProduction Software

– 21 CFR 211.68, Automatic, mechanical,and electronic equipment, Sep 2008.

– ICH Harmonized Tripartite Guideline,“Good Manufacturing Practice Guidancefor Active Pharmaceutical Ingredients, Q7”,Nov 2000.

– 21 CFR 11, Mar 1997.

33

211.68(a) Requirements

– Automatic, mechanical, or electronic equipment orother types of equipment, including computers, orrelated systems that will perform a functionsatisfactorily, may be used in the manufacture,processing, packing, and holding of a drug product.

– If such equipment is so used, it shall be routinelycalibrated, inspected, or checked according to a writtenprogram designed to assure proper performance.Written records of those calibration checks andinspections shall be maintained.

34

18

211.68(b) Requirements

– Appropriate controls shall be exercised over computeror related systems to assure that changes in masterproduction and control records or other records areinstituted only by authorized personnel.

– Input to and output from the computer or relatedsystem of formulas or other records or data shall bechecked for accuracy.

– The degree and frequency of input/output verificationshall be based on the complexity and reliability of thecomputer or related system.

Data IntegrityClause

35





Original clause1978 GMPs

CPG 7132a.071982

36

19





1995 GMPs

37


– A backup file of data entered into the computer orrelated system shall be maintained except wherecertain data, such as calculations performed inconnection with laboratory analysis, are eliminated bycomputerization or other automated processes.

– In such instances a written record of the program shallbe maintained along with appropriate validation data.Hard copy or alternative systems, such as duplicates,tapes, or microfilm, designed to assure that backupdata are exact and complete and that it is secure fromalteration, inadvertent erasures, or loss shall bemaintained.

38

20

211.68(c) Requirements

– Such automated equipment used for performance ofoperations addressed by 211.101(c) or (d), 211.103,211.182, or 211.188(b)(11) can satisfy therequirements included in those sections relating to theperformance of an operation by one person andchecking by another person if such equipment is usedin conformity with this section, and one person checksthat the equipment properly performed the operation.

2008 GMPs

39

ICH RequirementsAPI Q7

Section 5.4

– Nov 2000

– 10 Requirements

– Risk Assessment, Security, Operation andMaintenance

– CEFIC, “Computer Validation Guide”, APICommittee of CEFIC, Dec 2002.

40

21

ICH RequirementsAPI Q7

Section 6.60

– Complete data derived from all testsconducted to ensure compliance withestablished specifications and standards,including examinations.

Data IntegrityClause

41

21 CFR Part 11

21 CFR 11

– Mar 1997.

– Guideline – Aug2003.

42

22

21 CFR Part 11

Narrowed Scope

– The 2003 FDA guidance on Part 11 redefinesthe scope of records subject to Part 11 asfollows:

» [Electronic] records that are required to bemaintained under predicate rules, provided theyare relied on to perform regulated activities.

» Electronic records submitted to FDA underpredicate rule requirements

21 CFR 11(Scope)

Records that are required to be maintainedby predicate rules and that are maintained inelectronic format in place of paper format.

Records that are required to be maintainedby predicate rules, are maintained inelectronic format in addition to paper format,and are relied on to perform regulatedactivities.

44

23

21 CFR 11(Scope)

Records submitted to FDA in electronicformat, under the predicate rules (even ifsuch records are not specifically identified inAgency regulations)…

…assuming the records have been identifiedin the docket as the types of submissions theAgency accepts in electronic format

Electronic signatures that are intended to bethe equivalent of handwritten signatures,initials, and other general signings requiredby predicate rules.

45

21 CFR 11

Out of Scope

– Records (and any associated signatures) that arenot required to be retained by predicate rules, butthat are nonetheless maintained in electronicformat.

46

24

International PharmaGuidelines/Standards

ISO 90003-2004 Software Engineering -Guidelines for the Application of ISO9001 2000 to Computer Software.

ISO 12207 Systems and softwareEngineering - Software Life Cycle.

ISO 12119-1994 Information technology- Software packages - Qualityrequirements and testing.

47


ISO 17025 General Requirements forthe Competence of Testing andCalibration Laboratories.

ASTM E2500-07R12 Standard Guidefor Specification, Design, andVerification of Pharmaceutical andBiopharmaceutical ManufacturingSystems and Equipment.

48

25


ICH Harmonized Tripartite Guideline, “GoodManufacturing Practice Guidance for ActivePharmaceutical Ingredients, Q7”, Section 5.4,Nov 2000.

CEFIC, “Computer Validation Guide”, APICommittee of CEFIC, Dec 2002.

WHO, Technical Report Series No. 937,Annex 4. Appendix 5, “Validation ofcomputerized systems”, 2006.

49

Other Computer-RelatedGuidelines

Official Medicines Control Laboratories(OMCL) Network of the Council of Europe,Validation of Computerized Systems, CoreDocument.

– ISO 17025

– In-house and commercial software for calculation.

– Database computer systems.

– Laboratory Information Management Systems(LIMS), Electronic Laboratory Notebooks (ELN).

– Computers as part of test equipment.

50

26


MHRA

– MHRA expectation regarding self inspection anddata integrity

– GLP Guidance – Archiving

– MHRA Good manufacturing practice data integritydefinitions

– Pre-Inspection Compliance Report Document

51


EudraLex Volume 4, “EU Guidelines to GoodManufacturing Practice, Medicinal Productsfor Human and Veterinary Use, Annex 11 -Computerised Systems,” Jun 2011.

EMEA's answers to FAQ on ComputerizedSystems.

PI 011-3. “Good Practices for ComputerisedSystems in Regulated “GXP” Environments”,Pharmaceutical Inspection Co-operationScheme (PIC/S), Sep 2007.

52

27

US FDA MEDICAL DEVICES VSPHARMA

53

Raw Data vs Results

Q: Must all data maintained, even if the data ismanipulated automatically to provide informationin “pass or fail” format?

A: Not for devices. See part 820 preamble pp.52631 and 52646. Part 820 requires that“results” of acceptance activities be recorded butnot necessarily all raw data. “Results” must haveaudit trails. Be sensitive to need for raw dataduring failure investigations under CAPA.

54

28

NEW APPROACH COMPUTERCOMPLIANCE

55

New Approach ComputerCompliance

Trustworthy System

– It is one that produces consistent reliableand authentic records. The focus of allcontrols and IT security mechanism shouldbe the assurance that this trustworthycondition is maintained.

56

29


Trustworthy System– Are reasonably suited to performing their intended

function (21 CFR 11.10(a)).

– Provide a reasonably reliable level of availability,reliability and correct operation (21 CFR 11.10(a)).

– Are reasonably secure from intrusion and misuse.

– Adhere to generally accepted security principles.

Da

ta

In

te

gr

it

y

11.10(d) 11.10(g) 11.10(j)(1) 11.10(e)

211.68(b) Section 5.4ICH

57


Trustworthy System (Main Proponents)

58

Authority Regulation / Guideline

US FDA Sub Part B in 21 CFR Part 11

ICH Q7 Section 5.4

Australia TGA Medical Products: Chapter 4 section 4.9 in the Codeof GMP

China SFDA draft GMP Annex 2 (2014)

WHO Technical Report Series, No. 937, 2006. Annex 4Appendix 5.

Japanese MHLW Guideline on Management of Computerized Systems for MarketingAuthorization Holders and Manufacturers of Drugs and Quasi-Drugs

Brazil ANVISA Title VII Resolution of the Executive Board No. 17, ComputerizedInformation System

EMA Annex 11

30

EMA ANNEX 11

59

EMA Annex 11

European Medicines Agency GMPguideline applicable to computersystems.

Two (2) revisions: 1992 and 2011.

Annex 11 (like the rest of EudralexVolume) is a guidance.

60

31

EMA Annex 11

Used as a model to other regulatedapplications and other countries.– PIC/S Guidance on Good Practices for Computerised

Systems in Regulated GxP Environments (PI 011-3)

– EU GCP inspectors and ASEAN use PI 011-3

– Health Canada ( Health Products and Food BranchInspectorate) (Medicinal Products and API)

– China (SFDA) (GMP Annex 2 Computerized System(Draft))

– Australia Therapeutic Goods Administration (TGA)(GMPs and Blood Establishments)

61

EMA Annex 11

Principles– This annex applies to all forms of computerized

systems used as part of a GMP regulated activities. Acomputerized system is a set of software and hardwarecomponents which together fulfill certain functionalities.

– The application should be validated; IT infrastructureshould be qualified.

– Where a computerized system replaces a manualoperation, there should be no resultant decrease inproduct quality, process control or quality assurance.There should be no increase in the overall risk of theprocess.

62

32

General

Risk Management

Personnel

Suppliers and ServiceProviders

Project Phase

Validation

EMA Annex 11

63

EMA Annex 11

Operational Phase

Data

Accuracy Checks

Data Storage

Printouts

Audit Trails

Change andConfigurationManagement

Periodic Evaluation

Security

Incident Management

Electronic Signature

Batch Release

Business Continuity

Archiving

64

33

SUMARY

65

Summary

One of the significant differences betweencomputer systems compliance in 1992 andtoday, is that today’s regulatorymethodologies and guidelines requires a riskbased approach throughout the lifecycle ofthe computer system taking into accountpatient safety, data integrity and productquality.

66

34

Summary

Risk

Complexity and Novelty

Supplier

67

Summary

Computer systems can be used to performoperations covered by the drugs GMP regulation.

These computer systems require a writtenvalidation process.

Computers systems documentation andvalidation documentation shall be maintained.

There must be procedural controls for managingchanges to infrastructure and applicationsoftware, including documentation.

68

35

Summary

Computer systems can be used to performoperations covered by the drugs GMP regulation.(Principle 1)

These computer systems require a written validationprocess. (Principle 2, Annex 11-4)

Computers systems documentation and validationdocumentation shall be maintained. (Annex 11-4.1)

There must be procedural controls for managingchanges to infrastructure and application software,including documentation. (Annex 11-10 and Annex11-4.2)

69

Summary

Computer systems electronic records must becontrolled including records retention, backup, andsecurity.

Based on the complexity and reliability of computersystems there must be procedural controls andtechnologies to ensure the accuracy and security ofcomputer systems I/Os, electronic records and data.

70

36

Summary

Computer systems electronic records must becontrolled (Annex 11-1, 11-4.8, 11-5, 11-6, 11-7, 11-8, 11-9, 11-13, 11-14, 11-17) including recordsretention, backup (Annex 11-7.2), and security(Annex 11-12).

Based on the complexity and reliability of computersystems (Annex 11-1) there must be proceduralcontrols and technologies to ensure the accuracy andsecurity (Annex 11-12) of computer systems I/Os(Annex 11-5), electronic records and data.

71

Summary

Computer systems must have adequate controls toprevent unauthorized access or changes to data,inadvertent erasures, or loss.

There must be written procedural controls describingthe maintenance of the computer system, includingan on-going performance evaluation and periodicreviews.

Verification by a second individual may not benecessary when automated equipment is used.

72

37

Summary

Computer systems must have adequate controls toprevent unauthorized access or changes to data(Annex 11-12), inadvertent erasures, or loss .

There must be written procedural controls describingthe maintenance of the computer system (Annex 11Operational Phase), including an on-goingperformance evaluation and periodic reviews (Annex11-11).

Verification by a second individual may not benecessary when automated equipment is used(Annex 11-6).

73

74

Orlando LópezGAMP Data Integrity SIG SME

[email protected]

38

75

FINFIN

Documents

FDA and Global Guidance for Computer and Software ... · PDF file1 US FDA and Global Guidance for Computer and Software Validation Orlando López GAMP Data Integrity SIG SME April