Regulatory Compliance through Computer System Validationipapharma.org/events/presentation/Presentation by Mr. Arjun Guha.pdf · Regulatory Compliance through Computer System Validation

Regulatory Compliance through Computer System Validation

Arjun Guha Thakurta M. Pharm., CISA, SAP

Director of Operations

31 Jan 2014

Computerized systems are used extensively to capture, analyze, store data, report information and to control equipment and processes in life sciences industry at laboratories and manufacturing facilities. Internal and external audit of pharmaceutical and biopharmaceutical industry has consistently indicated a lack of validated computer control in the industry. Computer systems validation has become one of the key areas of strong emphasis for regulatory agencies.

Background

By: Arjun Guha Thakurta CONVALgroup Program 2

Center Name 483s Issued

Food 3057

Devices 1090

Drugs 787

Human Tissue for Transplanta>on

138

Biologics 237

Others 1097

Total 6406

The Business Case for CSV USFDA 483s Worldwide

(01-10-2011 to 30-09-2012 )


Center Name NAI VAI OAI

Drug Quality Assurance

107 222 11

Food 67 122 6

Devices 2 17 2

Others 28 22 2

Total 204 383 21

The Business Case for CSV USFDA Inspections in India (01-10-2008 to 31-03-2013)


•  NAI - (No Action Indicated) meaning that there were no significant deviations from the rule observed during the inspection.

•  VAI - (Voluntary Action Indicated) meaning that significant deficiencies were observed, but the establishments should be able to correct deficient practices without any official action by FDA.

•  OAI - (Official Action Indicated) meaning that the objectionable conditions observed are egregious and warrant an official action by FDA, such as a Warning Letter to these establishments.

Ref No. Short Desc Frqncy

21 CFR 211.22(d) Procedures not in wri>ng, fully followed 169

21 CFR 211.192 Inves>ga>ons of discrepancies, failures 119

21 CFR 211.100(a) Absence of WriSen Procedures 116

21 CFR 211.160(b) Scien>fically sound laboratory controls 115

21 CFR 211.110(a) Control procedures to monitor and validate performance

89

21 CFR 211.67(b) WriSen procedures not established/followed 73

21 CFR 211.68(a) Calibra>on/Inspec>on/Checking not done 69

21 CFR 211.25(a) Training-‐opera>ons, GMPs, wriSen procedures 65

21 CFR 211.67(a) Cleaning / Sani>zing / Maintenance 65

21 CFR 211.100(b) SOPs not followed / documented 64

21 CFR 211.165(a) Tes>ng and release for distribu>on 62

The Business Case for CSV USFDA Inspections Top 10 Citations


The Business Case for CSV USFDA Inspections India Citations in 2011-12



21 CFR 211.22(d) Procedures not in wri>ng, fully followed 0

21 CFR 211.192 Inves>ga>ons of discrepancies, failures 1

21 CFR 211.100(a) Absence of WriSen Procedures 4

21 CFR 211.160(b) Scien>fically sound laboratory controls 3

21 CFR 211.110(a) Control procedures to monitor and validate performance

1

21 CFR 211.67(b) WriSen procedures not established/followed 1


21 CFR 211.25(a) Training-‐opera>ons, GMPs, wriSen procedures 4

21 CFR 211.67(a) Cleaning / Sani>zing / Maintenance 3

21 CFR 211.100(b) SOPs not followed / documented 2

21 CFR 211.165(a) Tes>ng and release for distribu>on 1



21 CFR 211.68(b) Computer control of master formula records 19

21 CFR 211.68(a) WriSen calibra>on / inspec>on records not kept 9

21 CFR 211.68(b) input/output verifica>on 6

21 CFR 211.68(b) Backup data not assured as exact and complete 4

21 CFR 211.68(b) WriSen record not kept of program and valida>on data 2

The Business Case for CSV USFDA Inspections 21 CFR 211.68 Citations


The Business Case for CSV USFDA 483s India 2013


CDER LeAer Issued Data Integrity Issue

xyz Limited 25-‐11-‐2013 Yes










The Business Case for CSV EMA (EU-GMP) Non-Compliance Reports (2013)


EU-‐GMP LeAer Issued Data Integrity Issue

Xyz Ltd (MHRA) 18-‐09-‐2013

Data falsifica>on, PQR data fabrica>on, HPLC electronic data manipula>on, Stability -‐ products not covered

Xyz Ltd. (MHRA) 26-‐07-‐2013

Data Integrity, dele>on of electronic files, valida>on & qualifica>on, failure to to record cri>cal data, failure to raise devia>ons

Xyz Ltd. (MHRA) 22-‐03-‐2013 Data falsifica>on, Devia>on Management,

hygiene, No Sr. QA on-‐site

Xyz Ltd. (MHRA) 15-‐05-‐2013 Cross-‐contamina>on, Data falsifica>on,

traceability

Xyz Ltd. (MHRA) 26-‐04-‐2013 Data Integrity, misleading data, Sterility

assurance

Xyz Ltd. (Spain) 06-‐02-‐2013 Fraudulent Data, Traceability of RM, R&D

out of QA

The Business Case for CSV EMA (EU-GMP) Non-Compliance Reports (2013)


EU-‐GMP LeAer Issued Data Integrity Issue

Xyz Ltd. (France) 01-‐02-‐2013 QA documenta>on, traceability, sanita>on,

analysis

Xyz Ltd. (France) 11-‐10-‐2013 OOS/CAPA/Change Control/Training/VMP

Xyz Ltd. (Finland) 13-‐04-‐2013 Fraudulent Data, traceability of RM, Criminal

ac>vity

Xyz Ltd. (MHRA)

14-‐11-‐2012/ 15-‐11-‐2012

Data Integrity and Quality Management, QRM, Fraudulent data Refusal to inspec>on to shared site

Constant Compliant State Reactive Approach Compliance-Driven

Approach Risk-Based Approach Business-Oriented

Approach

•  CSV is seen as necessary evil.

•  Silo-based monitoring.

•  Reactive and tactical.

•  Check-box mentality. •  Tactical defence

supported with SOPs and uncontrolled CSV documentation.

•  Pro-active, interconnected and continuous monitoring and assessment.

•  Closed-loop, risk-based validation based on defined methodology.

•  Connected to overall Enterprise Validation Management Processes.

•  Cross-department participation across finance, operations and QA.

èObjective is to defend during FDA audits and somehow ‘Manage’ the show for the time-being.

èObjective is to achieve point-in-time Compliance Certification from FDA.

è Preventive Mentality. Better prepared long before the FDA audits and managing ‘Steady-State Compliance’

è’Constant-Compliant State’ resulting in increased business efficiency and effective business decision.

Strategic TacJcal


Project - References


Why computer systems require validation? •  Defects are unintentionally built into software •  Manufacturer testing is limited •  Software is released with known defects. •  Many defects reported after release are not corrected. •  The software might not work properly in a given

enterprise IT architecture.

Why CSV?


(1)  Systems to make decisions on market release of drugs and quasi-drugs, and to create and retain market distribution records

(2)  Systems to create and retain manufacturing orders and manufacturing records, etc.

(3)  Systems to control/manage manufacturing processes and to retain relevant data

(4)  Systems to manage storage and inventory, etc. of raw materials and products (including intermediates; the same shall apply hereinafter)

Where CSV is applicable?


(5) Systems to control/manage laboratory instruments used for QC tests and systems to retain QC test results and relevant data

(6) Systems to control/manage equipment and facilities, including HVAC and water supply systems, etc., which may have a significant impact on quality of products, and systems to retain relevant data

(7) Systems to create, approve and retain documents (SOPs, Quality Standard Code, Product Standard Code, etc.)

Where CSV is applicable? Contd.


CSV Misconceptions?


•  Misconceptions of Computer Validation –  We bought a “validated” system!

–  Partial Validation of the System

–  Long-term Use equals Validation

–  Validation is one-off activity

–  Validation does not need documentation

–  GMP (Giant Mass of Paper)

–  Validation equals software testing

–  Validation is a job for IT (QA unsure)

–  This is for Pharma Majors and not for SMEs

A complex maze of inter-dependent regulations across major markets. •  US FDA Compliance Policy Guidelines (CPGs) •  Drugs

–  21 CFR Part 211 (211.68) – Automatic, Mechanical or Electronic Equipment (cGMP for Finished Pharmaceuticals)

–  Guide to Inspection of Computerized Systems in Drug Processing, Feb 1983

–  Guide to Inspection of Pharmaceutical Labs (July 1993) –  21 CFR 314 (314.70) – Supplements and other changes to an

approved application (Applications for FDA Approval to Market a new Drug)

–  Computerized System in Drug Establishments (Feb, 1983) By: Arjun Guha Thakurta CONVALgroup Program 17

CSV Regulations & Guidelines

•  Food –  Guide to Inspections of Computerized Systems in the Food

Processing Industry (April, 2008)

•  Blood Establishments –  Reviewer Guidance for a Pre-Market Notification Submission

for Blood Establishment Computer Software –  Blood Establishment Computer System Validation in the User’s

Facility –  Blood Establishment Computer Cross-match –  PIC/S PE-005-3 – Guidance on Parametric Release

CSV Regulations & Guidelines contd.


•  Medical Devices –  21 CFR Part 820 – Quality System Regulation (Medical

Devices)

•  Guidance Documents –  General Principles of Software Validation (Jan, 2002) –  Review of 510(k) for Computer Controlled Medical Device –  Compliance on Off-The Shelf Software Use in Medical Devices

(Sept, 1999) –  Cybersecurity for Networked Medical Devices Containing Off-

the-Shelf (OTS) Software (Jan, 2005) –  Medical Device Data Systems



•  Guidance Documents (contd.) –  General Principles of Software Validation (Jan, 2002) –  Review of 510(k) for Computer Controlled Medical Device –  Compliance on Off-The Shelf Software Use in Medical Devices

(Sept, 1999) –  Cybersecurity for Networked Medical Devices Containing Off-

the-Shelf (OTS) Software (Jan, 2005) –  Medical Device Data Systems –  ISO 14971 – Application of Risk Management to Medical

Devices –  ISO IEC 62034 – Medical device software – Software lifecycle

processes



•  Guidance Documents (contd.) –  7341.002A – Compliance Program Guidance Manual Inspection

of Tissue Establishments (ER/ES requirements) –  21 CFR 1271 (1271.160(d)) – Establishment and maintenance of

a quality program (Current Good Tissue Practice)

•  Other Reference Regulations –  21 CFR Part 58 GLP for Non-Clinical Laboratories –  21 CFR Part 312 – Investigational New Drug Application



•  EU Regulations –  EC Annex 11 – Computerized Systems (2011) –  PIC/S PI 011-3 – Good Practices for Computerised Systems in

Regulated ‘GXP’ Environments –  European Medicines Agency answers to FAQs on Annex 11 as

agreed by the GMP/GDP Inspectors Working Group –  The APV Guideline “Computerized Systems” based on Annex

11 of the EU-GMP Guideline.

•  API –  Q7A GMP Guidance for APIs (Aug 2001) –  CEFIC – Computer Validation Guide (Jan 2003)



•  Clinical Trials –  USFDA Guidance: Computerized System used in Clinical

Investigations (May 2007) –  USFDA Compliance Program 7348.810 – Sponsors, CROs and

Monitors (March, 2011) –  USFDA Guidance: Electronic Source Data in Clinical

Investigations (Nov, 2012) –  USFDA Information Sheet Guidance for IRBs, Clinical

Investigators, and Sponsors FDA Inspections of Clinical Investigators

–  EMEA Procedure for conducting GCP Inspections requested by the EMEA (Sept 2007)



•  GAMP (Good Automated Manufacturing Practices, ISPE) –  GAMP5 – A Risk Based Approach to Compliant GxP

Computerized System –  GAMP GPG – Calibration Management –  GAMP GPG – Testing of GxP Systems –  GAMP GPG – GxP Compliant Lab Computerized Systems –  GAMP GPG – GxP Process Control Systems –  GAMP GPG – Electronic Data Archiving –  GAMP GPG – Global Information Systems Control and

Compliance –  GAMP GPG – IT Infrastructure Control and Compliance –  GAMP GPG - MES



Definition of CS


Quality Plan


The Quality Plan should address the following topics: •  Introduction, Scope, and System Overview •  Organizational Structure •  Quality Risk Management •  Supplier Assessment •  Validation Strategy •  Deliverables, and Acceptance Criteria •  Deviation Management (project and operational) •  Change Control (project and operational) •  Configuration Management (project and operational) •  Standard Operating Procedures •  Supporting Processes (Training, Document Management)

System development – Validation approach

V-Model is used as validation approach for establishing validated state for IT Applications


Validation Principles •  Lifecycle approach to Validation

–  Validation of the CS is not a one time activity. It should begin with the User Requirements Phase and should end as the last record generated from that system retires.


Validation Principles •  Lifecycle approach to Validation

–  Create and sign-off the VMP at the Project Initiation and managed it throughout the lifecycle of the system with revisions.

–  Verify that User Requirements, Functional Requirements & Specifications and Detailed Design Specifications are created and enforced.

–  Develop and execute IQ, OQ, PQ protocols

–  Ensure that the validated system is under Change Control.

–  Ensure that the preventive maintenance system includes the validated CS


•  Americas Office 11 CaNord Road Suite: 324 Toronto, Ontario Canada, M3J 1P9 e: [email protected]

•  Europe Office Ekinciler Cad. Ertürk Sok. Mehmet Özçelik İs Merkezi No: 5 K: 1 PK: 34810 Kavacık – Beykoz – İstanbul/Turkey e: [email protected]

•  Asia Office Life Science ConsulJng Pvt Limited D-‐67, Rahul Complex, Paud Road, Kothrud, Pune 411038, Maharashtra, India e: [email protected] Contact: Mr. Madan Joshi [email protected] M: 9920912162

Contact us


Page 31

Q&A


Page 32

Thank you

