Upload
lexuyen
View
239
Download
14
Embed Size (px)
Citation preview
1
US FDA and GlobalGuidance for Computer and
Software Validation
Orlando LópezGAMP Data Integrity SIG SME
April 27, 20151
Disclosure
The opinions expressed during thispresentation are those of the presenter.
2
2
Objectives
How do US FDA drug and device relatedcomputer system regulations compare?
Review US FDA and global computersystems compliance regulatoryrequirements and guidelines.
Present a “new” approach to computercompliance.
3
References
Fry, Edmund M, “FDA Regulation of ComputerSystems in Drug Manufacturing,” PharmaceuticalEngineering, Sep/Oct, 1988.
López, O., “FDA Regulation of Computer Systems inDrug Manufacturing – 13 Years Later,”Pharmaceutical Engineering, May/Jun 2001.
López, O., “Regulations and Guidelines of ComputerSystems in Drug Manufacturing – 25 Years Later,”Pharmaceutical Engineering, Jul/Aug 2013.
4
3
References
http://www.computer-systems-validation.net/annex11crosswalk.html
The Crosswalk relates Annex11 guidelines to other officialregulations, standards and guidancedocuments.
5
References
López, O., “EU Annex 11 and the Integrity ofErecs”, Journal of GxP Compliance, Volume18 Number 2, May 2014.
López, O., “A Computer Data IntegrityCompliance Model”, PharmaceuticalEngineering, March/April 2015.
López, O., “Trustworthy Computer Systems”,Pharmaceutical Engineering, xxx/xxx 2015.
6
4
References
O. López, “EU Annex11 Guide to ComputerValidation Compliancefor the WorldwideHealth Agency GMP”,CRC Press, April 2015.
http://www.crcpress.com/product/isbn/9781482243628
ISBN 9781482243628
7
REGULATIONS ANDGUIDELINES TIMELINE
8
5
Relevant Regulations andGuidelines
21 CFR Part 211.2(b), June 1963.
21 CFR Part 211.68 (1976) and820.70(i) (1997).
CDER Guide to Inspection ofComputerized Systems in DrugProcessing, January 1983.
FDA CPGs (1982-87).
9
Compliance Policy Guides
• CGMP Applicability To Hardwareand Software (CPG 7132a.11) ’84
• Input/Output Checking(CPG 7132a.07) ’82
• Identification of "Persons" on BatchProduction and Control Records(CPG 7132a.08) ‘82
• Vendor Responsibility(CPG 7132a.12) ‘85
• Source Code for Process ControlApplication Programs
(CPG 7132a.15) ‘87
Relevant Regulations andGuidelines
21 CFR Part 211.2(b), June 1963.
21 CFR Part 211.68 (1976) and820.70(i) (1997).
CDER Guide to Inspection ofComputerized Systems in DrugProcessing, January 1983.
FDA CPGs (1982-87).
Annex 11 (Rev 0), January 1992.
PDA’s Technical Report 18, Validationof Computer-Related Systems,January-February 1995.
GAMP 1, March 1995.
APV Guideline "ComputerizedSystems" based on Annex 11 of theEU-GMP Guideline, April 1996.
10
6
Relevant Regulations andGuidelines
21 CFR Part 211.2(b), June 1963.
21 CFR Part 211.68 (1976) and820.70(i) (1997).
CDER Guide to Inspection ofComputerized Systems in DrugProcessing, January 1983.
FDA CPGs (1987).
Annex 11 (Rev 0), January 1992.
PDA’s Technical Report 18,Validation of Computer-RelatedSystems, January-February 1995.
GAMP 1, March 1995.
APV Guideline "ComputerizedSystems" based on Annex 11 of theEU-GMP Guideline, April 1996.
21 CFR Part 11, March 1997.
General Principles of SoftwareValidation; Final Guidance for Industryand FDA Staff, January 2002.
Guidance for Industry Part 11,Electronic Records; ElectronicSignatures — Scope and Application,August 2003.
PIC/S, PI 011-3, Good Practices forComputerised Systems in Regulated“GXP” Environments, September2007.
21 CFR Part 211.68 (2008).
Annex 11 (Rev 1), January 2011.
MHRA, GMP Data Integrity Definitionsand Guidance for Industry, March2015.2008
GAMP 5
2002 FDARisk Based Approach
11
MAXIMS
7
Computer ComplianceMaxims
FDA doesn’tregulate computersystem performingGMP functions.
– Hardware itself issubject to the GMPrequirements thatapply to equipment.
– Software itself issubject to the sameGMP requirementsapplicable to SOPs.
FDA regulates drugmanufacturers anddrug products.
Any computer canbe used as long asthe intended use isdemonstrated.
Fry, Edmund M, “FDA Regulation ofComputer Systems in DrugManufacturing,” PharmaceuticalEngineering, Sep/Oct, 1988.
CGMP Applicability To Hardwareand Software (CPG 7132a.11)
Data Compliance Maxim
Regulatory requirements for data do notchange whether data are captured onpaper, electronically, or using a hybridapproach.
8
HOW DO US FDA DRUG AND DEVICEREGULATIONS COMPARE?
15
GMP
Medical Devices
– Quality SystemSoftware
– Device ProductionSoftware
– Medical DevicesSoftware
Pharma/Bio
– Quality SystemSoftware
– Pharma/BioProduction Software
16
9
US MEDICAL DEVICESREGULATIONS
17
GMP Medical Devices
Quality System Software and DeviceProduction Software
– 21 CFR 820.70(i), Automated Processes
– 21 CFR 11
Medical Devices Software
Medical Device Data Systems
820.30(c) 820.30(g)
820.30(i) 820.40
18
10
Requirements
21 CFR 820.70(i)– Validate computer software for its intended use
according to an established protocol.
– All software changes shall be validated beforeapproval and issuance.
– These validation activities and results shall bedocumented.
– US FDA, “General Principles of SoftwareValidation; Final Guidance for Industry and FDAStaff”, CDRH and CBER, Jan 2002.
21 CFR 11 (See Pharma/Bio)19
Requirements
21 CFR 820.30(c)
– Design Inputs
– Requires a mechanism for addressingincomplete, ambiguous, or conflictingrequirements.
20
11
Requirements
21 CFR 820.30(g)
– Design Validation
– The device software (embedded software)in a medical device is validated to assure itperforms as intended.
21
Requirements
21 CFR 820.30(h)
– Design Transfer
– Manufacturers are prepared to provideevidence that the software used forduplicating the device software, and thesoftware used in automated manufacturingor QA, meet the software designspecifications.
22
12
Requirements
21 CFR 820.30(i)
– Design Changes
– Any changes to a computer systemincluding system configurations shouldonly be made in a controlled manner inaccordance with a defined procedure.
23
Requirements
21 CFR 820.40
– Document Control
– Any changes to a computer systemincluding system configurations shouldonly be made in a controlled manner inaccordance with a defined procedure.
24
13
Requirements
21 CFR 880
– Feb 2011
– Medical Device Data Systems
» are intended to transfer, store, convert fromone format to another according to presetspecifications, or display medical device data.
» perform all intended functions withoutcontrolling or altering the function orparameters of any connected medical devices.
» is not intended to be used in connection withactive patient monitoring.
25
MEDICAL DEVICESGUIDELINES
26
14
US FDA Medical DevicesGuidelines
Off-The-Shelf Software Use in Medical Devices, Sep1999.
General Principles of Software Validation; Final Guidancefor Industry and FDA Staff, CDRH and CBER, Jan 2002.
Radio Frequency Wireless Technology in MedicalDevices, Aug 2013.
Mobile Medical Applications, Feb 2015.
Medical Device Data Systems, Medical Image StorageDevices, and Medical Image Communications Devices,Feb 2015.
27
US FDA Medical DevicesGuidelines
Cybersecurity
– Cybersecurity for Networked Medical DevicesContaining Off-the-Shelf (OTS) Software, Jan 2005.
– US FDA, Content of Premarket Submissions forManagement of Cybersecurity in Medical Devices, Oct2014.
28
15
US FDA Medical DevicesGuidelines
Blood Establishments
– Blood Establishment Computer Crossmatch, Dec2011.
– Blood Establishment Computer System Validation inthe User's Facility, Apr 2013.
29
International Medical DevicesGuidelines/Standards
http://ec.europa.eu/enterprise/policies/european-standards/harmonised-standards/medical-devices/index_en.htm
http://www.emergogroup.com/resources/regulations
IEC 62304 Medical Device Software DevelopmentLifecycle.
ISO 14971-2012 Medical Devices - Application of RiskManagement to Medical Devices.
.
30
16
Other Computer relatedMedical Devices
Regulations/Guidelines EC, Green Paper on mobile Health ("mHealth“), Mar 2014.
TGA Regulation of medical software and mobile medical'apps‘, Sep 2013.
MHRA
– MHRA - Blood Bank Electronic Issues
– Guidance on medical device stand-alone software
– Guidance on the regulations for electronic instructions foruse of medical devices
31
US GMP PHARMAREGULATIONS
32
17
GMP Pharma
Quality System Software andProduction Software
– 21 CFR 211.68, Automatic, mechanical,and electronic equipment, Sep 2008.
– ICH Harmonized Tripartite Guideline,“Good Manufacturing Practice Guidancefor Active Pharmaceutical Ingredients, Q7”,Nov 2000.
– 21 CFR 11, Mar 1997.
33
211.68(a) Requirements
– Automatic, mechanical, or electronic equipment orother types of equipment, including computers, orrelated systems that will perform a functionsatisfactorily, may be used in the manufacture,processing, packing, and holding of a drug product.
– If such equipment is so used, it shall be routinelycalibrated, inspected, or checked according to a writtenprogram designed to assure proper performance.Written records of those calibration checks andinspections shall be maintained.
34
18
211.68(b) Requirements
– Appropriate controls shall be exercised over computeror related systems to assure that changes in masterproduction and control records or other records areinstituted only by authorized personnel.
– Input to and output from the computer or relatedsystem of formulas or other records or data shall bechecked for accuracy.
– The degree and frequency of input/output verificationshall be based on the complexity and reliability of thecomputer or related system.
Data IntegrityClause
35
211.68(b) Requirements
– Appropriate controls shall be exercised over computeror related systems to assure that changes in masterproduction and control records or other records areinstituted only by authorized personnel.
– Input to and output from the computer or relatedsystem of formulas or other records or data shall bechecked for accuracy.
– The degree and frequency of input/output verificationshall be based on the complexity and reliability of thecomputer or related system.
Original clause1978 GMPs
CPG 7132a.071982
36
19
211.68(b) Requirements
– Appropriate controls shall be exercised over computeror related systems to assure that changes in masterproduction and control records or other records areinstituted only by authorized personnel.
– Input to and output from the computer or relatedsystem of formulas or other records or data shall bechecked for accuracy.
– The degree and frequency of input/output verificationshall be based on the complexity and reliability of thecomputer or related system.
1995 GMPs
37
211.68(b) Requirements
– A backup file of data entered into the computer orrelated system shall be maintained except wherecertain data, such as calculations performed inconnection with laboratory analysis, are eliminated bycomputerization or other automated processes.
– In such instances a written record of the program shallbe maintained along with appropriate validation data.Hard copy or alternative systems, such as duplicates,tapes, or microfilm, designed to assure that backupdata are exact and complete and that it is secure fromalteration, inadvertent erasures, or loss shall bemaintained.
38
20
211.68(c) Requirements
– Such automated equipment used for performance ofoperations addressed by 211.101(c) or (d), 211.103,211.182, or 211.188(b)(11) can satisfy therequirements included in those sections relating to theperformance of an operation by one person andchecking by another person if such equipment is usedin conformity with this section, and one person checksthat the equipment properly performed the operation.
2008 GMPs
39
ICH RequirementsAPI Q7
Section 5.4
– Nov 2000
– 10 Requirements
– Risk Assessment, Security, Operation andMaintenance
– CEFIC, “Computer Validation Guide”, APICommittee of CEFIC, Dec 2002.
40
21
ICH RequirementsAPI Q7
Section 6.60
– Complete data derived from all testsconducted to ensure compliance withestablished specifications and standards,including examinations.
Data IntegrityClause
41
21 CFR Part 11
21 CFR 11
– Mar 1997.
– Guideline – Aug2003.
42
22
21 CFR Part 11
Narrowed Scope
– The 2003 FDA guidance on Part 11 redefinesthe scope of records subject to Part 11 asfollows:
» [Electronic] records that are required to bemaintained under predicate rules, provided theyare relied on to perform regulated activities.
» Electronic records submitted to FDA underpredicate rule requirements
21 CFR 11(Scope)
Records that are required to be maintainedby predicate rules and that are maintained inelectronic format in place of paper format.
Records that are required to be maintainedby predicate rules, are maintained inelectronic format in addition to paper format,and are relied on to perform regulatedactivities.
44
23
21 CFR 11(Scope)
Records submitted to FDA in electronicformat, under the predicate rules (even ifsuch records are not specifically identified inAgency regulations)…
…assuming the records have been identifiedin the docket as the types of submissions theAgency accepts in electronic format
Electronic signatures that are intended to bethe equivalent of handwritten signatures,initials, and other general signings requiredby predicate rules.
45
21 CFR 11
Out of Scope
– Records (and any associated signatures) that arenot required to be retained by predicate rules, butthat are nonetheless maintained in electronicformat.
46
24
International PharmaGuidelines/Standards
ISO 90003-2004 Software Engineering -Guidelines for the Application of ISO9001 2000 to Computer Software.
ISO 12207 Systems and softwareEngineering - Software Life Cycle.
ISO 12119-1994 Information technology- Software packages - Qualityrequirements and testing.
47
International PharmaGuidelines/Standards
ISO 17025 General Requirements forthe Competence of Testing andCalibration Laboratories.
ASTM E2500-07R12 Standard Guidefor Specification, Design, andVerification of Pharmaceutical andBiopharmaceutical ManufacturingSystems and Equipment.
48
25
International PharmaGuidelines/Standards
ICH Harmonized Tripartite Guideline, “GoodManufacturing Practice Guidance for ActivePharmaceutical Ingredients, Q7”, Section 5.4,Nov 2000.
CEFIC, “Computer Validation Guide”, APICommittee of CEFIC, Dec 2002.
WHO, Technical Report Series No. 937,Annex 4. Appendix 5, “Validation ofcomputerized systems”, 2006.
49
Other Computer-RelatedGuidelines
Official Medicines Control Laboratories(OMCL) Network of the Council of Europe,Validation of Computerized Systems, CoreDocument.
– ISO 17025
– In-house and commercial software for calculation.
– Database computer systems.
– Laboratory Information Management Systems(LIMS), Electronic Laboratory Notebooks (ELN).
– Computers as part of test equipment.
50
26
Other Computer-RelatedGuidelines
MHRA
– MHRA expectation regarding self inspection anddata integrity
– GLP Guidance – Archiving
– MHRA Good manufacturing practice data integritydefinitions
– Pre-Inspection Compliance Report Document
51
Other Computer-RelatedGuidelines
EudraLex Volume 4, “EU Guidelines to GoodManufacturing Practice, Medicinal Productsfor Human and Veterinary Use, Annex 11 -Computerised Systems,” Jun 2011.
EMEA's answers to FAQ on ComputerizedSystems.
PI 011-3. “Good Practices for ComputerisedSystems in Regulated “GXP” Environments”,Pharmaceutical Inspection Co-operationScheme (PIC/S), Sep 2007.
52
27
US FDA MEDICAL DEVICES VSPHARMA
53
Raw Data vs Results
Q: Must all data maintained, even if the data ismanipulated automatically to provide informationin “pass or fail” format?
A: Not for devices. See part 820 preamble pp.52631 and 52646. Part 820 requires that“results” of acceptance activities be recorded butnot necessarily all raw data. “Results” must haveaudit trails. Be sensitive to need for raw dataduring failure investigations under CAPA.
54
28
NEW APPROACH COMPUTERCOMPLIANCE
55
New Approach ComputerCompliance
Trustworthy System
– It is one that produces consistent reliableand authentic records. The focus of allcontrols and IT security mechanism shouldbe the assurance that this trustworthycondition is maintained.
56
29
New Approach ComputerCompliance
Trustworthy System– Are reasonably suited to performing their intended
function (21 CFR 11.10(a)).
– Provide a reasonably reliable level of availability,reliability and correct operation (21 CFR 11.10(a)).
– Are reasonably secure from intrusion and misuse.
– Adhere to generally accepted security principles.
Da
ta
In
te
gr
it
y
11.10(d) 11.10(g) 11.10(j)(1) 11.10(e)
211.68(b) Section 5.4ICH
57
New Approach ComputerCompliance
Trustworthy System (Main Proponents)
58
Authority Regulation / Guideline
US FDA Sub Part B in 21 CFR Part 11
ICH Q7 Section 5.4
Australia TGA Medical Products: Chapter 4 section 4.9 in the Codeof GMP
China SFDA draft GMP Annex 2 (2014)
WHO Technical Report Series, No. 937, 2006. Annex 4Appendix 5.
Japanese MHLW Guideline on Management of Computerized Systems for MarketingAuthorization Holders and Manufacturers of Drugs and Quasi-Drugs
Brazil ANVISA Title VII Resolution of the Executive Board No. 17, ComputerizedInformation System
EMA Annex 11
30
EMA ANNEX 11
59
EMA Annex 11
European Medicines Agency GMPguideline applicable to computersystems.
Two (2) revisions: 1992 and 2011.
Annex 11 (like the rest of EudralexVolume) is a guidance.
60
31
EMA Annex 11
Used as a model to other regulatedapplications and other countries.– PIC/S Guidance on Good Practices for Computerised
Systems in Regulated GxP Environments (PI 011-3)
– EU GCP inspectors and ASEAN use PI 011-3
– Health Canada ( Health Products and Food BranchInspectorate) (Medicinal Products and API)
– China (SFDA) (GMP Annex 2 Computerized System(Draft))
– Australia Therapeutic Goods Administration (TGA)(GMPs and Blood Establishments)
61
EMA Annex 11
Principles– This annex applies to all forms of computerized
systems used as part of a GMP regulated activities. Acomputerized system is a set of software and hardwarecomponents which together fulfill certain functionalities.
– The application should be validated; IT infrastructureshould be qualified.
– Where a computerized system replaces a manualoperation, there should be no resultant decrease inproduct quality, process control or quality assurance.There should be no increase in the overall risk of theprocess.
62
32
General
Risk Management
Personnel
Suppliers and ServiceProviders
Project Phase
Validation
EMA Annex 11
63
EMA Annex 11
Operational Phase
Data
Accuracy Checks
Data Storage
Printouts
Audit Trails
Change andConfigurationManagement
Periodic Evaluation
Security
Incident Management
Electronic Signature
Batch Release
Business Continuity
Archiving
64
33
SUMARY
65
Summary
One of the significant differences betweencomputer systems compliance in 1992 andtoday, is that today’s regulatorymethodologies and guidelines requires a riskbased approach throughout the lifecycle ofthe computer system taking into accountpatient safety, data integrity and productquality.
66
34
Summary
Risk
Complexity and Novelty
Supplier
67
Summary
Computer systems can be used to performoperations covered by the drugs GMP regulation.
These computer systems require a writtenvalidation process.
Computers systems documentation andvalidation documentation shall be maintained.
There must be procedural controls for managingchanges to infrastructure and applicationsoftware, including documentation.
68
35
Summary
Computer systems can be used to performoperations covered by the drugs GMP regulation.(Principle 1)
These computer systems require a written validationprocess. (Principle 2, Annex 11-4)
Computers systems documentation and validationdocumentation shall be maintained. (Annex 11-4.1)
There must be procedural controls for managingchanges to infrastructure and application software,including documentation. (Annex 11-10 and Annex11-4.2)
69
Summary
Computer systems electronic records must becontrolled including records retention, backup, andsecurity.
Based on the complexity and reliability of computersystems there must be procedural controls andtechnologies to ensure the accuracy and security ofcomputer systems I/Os, electronic records and data.
70
36
Summary
Computer systems electronic records must becontrolled (Annex 11-1, 11-4.8, 11-5, 11-6, 11-7, 11-8, 11-9, 11-13, 11-14, 11-17) including recordsretention, backup (Annex 11-7.2), and security(Annex 11-12).
Based on the complexity and reliability of computersystems (Annex 11-1) there must be proceduralcontrols and technologies to ensure the accuracy andsecurity (Annex 11-12) of computer systems I/Os(Annex 11-5), electronic records and data.
71
Summary
Computer systems must have adequate controls toprevent unauthorized access or changes to data,inadvertent erasures, or loss.
There must be written procedural controls describingthe maintenance of the computer system, includingan on-going performance evaluation and periodicreviews.
Verification by a second individual may not benecessary when automated equipment is used.
72
37
Summary
Computer systems must have adequate controls toprevent unauthorized access or changes to data(Annex 11-12), inadvertent erasures, or loss .
There must be written procedural controls describingthe maintenance of the computer system (Annex 11Operational Phase), including an on-goingperformance evaluation and periodic reviews (Annex11-11).
Verification by a second individual may not benecessary when automated equipment is used(Annex 11-6).
73
74
Orlando LópezGAMP Data Integrity SIG SME
38
75
FINFIN