CSV Inspection Readiness through Effective Document Control. Eileen Cortes April 27, 2017

Transcription

1 CSV Inspection Readiness through Effective Document Control Eileen Cortes April 27, 2017

2 Agenda Background CSV Readiness CSV and Change Management Process Inspection Readiness Do s and Don ts Inspection Response and Reports Open Discussion

3 Background Agencies will inspect your Facility at certain point CSV will not be the primary reason of the inspection, but it will be as electronic systems govern many of the business processes

4 CSV Readiness - Pre-Audit Inventory List Organize by: 1. GxP Area and Criticality With corresponding system ID s and description 2. System Owner Responsible for presenting the system 3. Document Location E-DMS, File Storage, Outside Storage

5 CSV Readiness - Pre-Audit Standard Operating Procedure Governing SOPs Computer System Validation SOP Software Development Lifecycle SOP Change Control SOP Good Documentation Practices SOP Security Access SOP Vendor Audit SOP Others

6 CSV SOP Lifecycle Adherence CSV SOP KEY POINTS: Must outline and detail the Validation Lifecycle Must include requirements for key areas Intended Use, Validation Master Plan, User and Functional Requirements Specification, System Design Specification, Traceability Matrix, Installation Qualification, Operational Qualification, Performance Qualification, Validation Summary Report, System Release Memo Investigators will want to see that the requirements were detailed/defined for all deliverables in the Validation Lifecycle. Furthermore, they will look to ensure the deliverables have the right dependencies and are in the correct order

7 CSV SOP - SDLC Software Development Lifecycle (SDLC) SOP KEY POINTS Must outline the steps needed to perform the SDLC for custom applications Must handshake with the Computer System Validation SOP

8 CSV SOP Change Control Change Control SOP KEY POINTS Must describe the process for controlling both software and hardware in the production environment Should require a Change Control Board that is responsible for reviewing and approving all changes Must include a classification of change i.e. there should be three classifications: Minor, Major, and Emergency. Note: Assembling a Change Control Board and classifying changes gives inspectors a good sense that your process is in control, as it shows you are well organized when assessing changes.

9 CSV SOP - GDP Good Documentation Practices SOP Provides structure on how the evidence of validation activities are documented. Deploying good documentation practices helps ensure the integrity of your computer system validation and change control documentation. Note: Investigators are quick to point out documentation errors when reviewing documentation, therefore, it would be prudent to have a sound Good Documentation Practices SOP in place.

10 CSV SOP Security Access Security SOP Must address physical access to buildings and data centers, networks, and password policy. Note1: FDA investigators are inspecting the security of buildings; data centers, and networks more frequently. Note2: Investigators are digging deep into data centers. i.e. They are asking questions about servers and if they are shared between regulated and non-regulated systems. Investigators like to see dedicated servers to regulated systems; therefore, it would be wise to be careful when using the same server for multiple systems regardless of whether or not virtual environments are used.

11 CSV SOP Vendor Audit Vendor Audit SOP Must include a checklist of items that are used to evaluate a software supplier. i.e. 21 CFR Part 11 Requirements, Security, Software Development Lifecycle (SDLC), Training, and Organization Chart and Personnel Responsibilities. Must include Frequency of audits, Audit Team Responsibilities, Corrective Action Details and Timelines, and audit checklist. Note: FDA investigators are asking more and more questions about the integrity of software vendors and their respective quality systems. Investigators are asking to see objective evidence of audits so it is therefore important to document all of your audits as well as any follow-up corrective actions. They are reviewing: Training records of software suppliers Corrective actions, their details and timelines for closure. Corrective actions from audits must be monitored and regulatory risk associated. The integrity of the electronic records of the application the software supplier is providing may be compromised.

12 CSV SOP - Others Other SOPs that are considered to be an important part of any Computer System Validation Program: Disaster Recovery, Backup and Restore, Deviation, Documentation Management.

13 CSV Readiness - Pre-Audit Documentation Management All Critical Systems Validation Documentation must be identified Qualification / Validation Documents Deviations Associated Change Control Associated CAPAs Associated Traceability Matrix Demonstrate that the intended use have been tested through test scripts that map to approved requirements Systems Release Memos Evidence of system release to product Note: Dates must be in accordance with VSR, make sure that dates are in alignment, if not proceed with deviation to document the why s on release not following SOP

14 CSV and Change Management

15 Configuration Management and Change Control Configuration management is a mechanism to identify and control a system over its lifetime Change control is a process for evaluating, performing, and documenting changes at a given point in time Note: If you have no change and configuration control, your system is un-validated as soon as the validation is complete

16 Regulations and Change Management ICH Q10 Change Management: A systematic approach to proposing, evaluating, approving, implementing, and reviewing changes. (ICH Q10) FDA Change control: is another well-known CGMP concept that focuses on managing change to prevent unintended consequences. The CGMP regulations provide for change control primarily through the assigned responsibilities of the quality control unit. Certain major manufacturing changes (e.g., changes that alter specifications, a critical product attribute or bioavailability) require regulatory filings and prior regulatory approval (21 CFR , 514.8, and ) Change control: with regard to pharmaceuticals is addressed in more detail in the CGMP regulations. A firm may want to revisit the adequacy of the design of the manufacturing facility ( ), the design of the manufacturing equipment ( ), the design of the production and control procedures ( ), or the design of laboratory controls ( )

17 Change Management Main Components Change Proposal Regulatory Assessment Impact Assessment Implementation Plan Change Evaluation Implementation Process Closure Effectiveness Check

18 Engineering Change Management Engineering Good Practices ASTM 2500

19 Computer System Validation Validation is "confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses, and that the particular requirements implemented through software can be consistently fulfilled. (FDA General Principles of Software Validation)

20 Computerized System Validation Program CSV program may be documented in a SOP, a Validation Master Plan or both Key Elements of a CSV Program - Lifecycle System Identification Validation Assessment User Requirements Function and Design Requirements Supplier Evaluation Validation Plan Risk Analysis Design Documentation Installation Qualification Operational Qualification Procedures Performance Qualification Requirements Traceability Matrix Production Release/Validation Summary Report Maintenance and change control Periodic Review Retirement

21 CSV Testing Expectation Applicable software testing include: The expected test outcome is predefined; A good test case has a high probability of exposing an error; A successful test is one that finds an error; There is independence from coding; Both application (user) and software (programming) expertise are employed; Testers use different tools from coders; Examining only the usual case is insufficient; Test documentation permits its reuse and an independent confirmation of the pass/fail status of a test outcome during subsequent review.

22 Quality as a support system Management support Empowerment of employees and departments Formalized, mature, and consistent methodologies through procedures and policies Effective training program Employees qualified to perform their job Effective communications Continuous improvement efforts

23 FDA s Key Regulations Validation Example GMPs Key Words: perform a function satisfactorily according to a written program 21 CFR (a) Validation Example Medical Devices Key Words (not limited to): shall be validated, perform a function satisfactorily 21 CFR (i) Record Keeping Examples Key Words (not limited to): must maintain, records shall be kept, records shall include 21 CFR (b), 21 CFR (c)

24 FDA s Key Regulations Audit Trail Examples Key Words (not limited to): shall include complete, must be complete 21 CFR (a), 21 CFR (a) & (b) Retention Period Examples Key Words (not limited to): retention period 21 CFR (b) & (c) Electronic Signatures Key Words (not limited to): shall be verified, shall approve or reject, shall be signed and dated 21 CFR , 21 CFR (a), 21 CFR (c), 21 CFR (b) SOP Examples Key Words (not limited to): must follow written procedures 21 CFR (a), 21 CFR (a)

25 Pre-Audit Summary Computer System Validation Program must be in place Change Management Program must be in place Engineering Good Practices and ECM are supporting systems Be Prepared CSV Inventory List Knowledge of your Process Knowledge of Regulations List of Change Controls, Deviations and CAPA s of your CSV Training

26 During Inspection: Behaviors & Responses

27 Inspection Do s Be prepared to show to which process or SOP the work you are performing is tied. ONLY answer questions related to your position and study role. Answer only questions you know the answer to. Otherwise, say I don t know, but will follow up. Restrict conversations in common areas. Answer questions politely and truthfully. Know your job responsibilities, based on your job description. Refer to pertinent documentation, if possible. Ensure you understand the questions before answering.

28 Inspection Don ts Do NOT: Volunteer additional information. Instead, you should answer questions to the point. Ever lie or deny the obvious. Promise things if you are not sure you can deliver. Provide direct access to any electronic systems, not even read-only access. Allow the FDA Inspectors to freely do any of the following: 1) look through documents, 2) walk through the facility unescorted, or 3) take photos or videos. Provide audit reports of sites and vendors, personnel records, or financial information. Comment on quality or admit non-compliance. Read or sign statements or affidavits. Argue with the FDA or your peers. Forge someone else s signature. Recopy documents just to make them neat or impress the FDA or management. Fabricate documents. Assume anything when dealing with the FDA inspector.

29 During Inspection Discuss findings with the investigator, so it is clear what the investigator understands. Ask questions. At the end of each day: request an oral list of all observations. Internal meeting with key team players to go over audit process, execution and any observations End of Inspection Investigator will present findings at the closing meeting on a FDA 483, List of Observations If the findings are minor, the investigator may choose to do nothing and advise the QA or Regulatory representative of concerns

30 Post-Audit: Lesson Learns and Improvements If Findings are observed, your company will: Respond in writing to the Form 483 with a corrective action plan NOTE: Corrective Action Plan must be discussed within key players and functional teams Response must be quick but effective Corrective actions must address specific observations, systemic corrections and time frame for implementation

31 Q&A Open Discussion

32 Thank You!

33 Backup Slides

34 Change Proposal Develop Change Proposal Description of Change Includes a detailed description of the proposed change including the current state (pre- change) and the future state (post-change) with a summary of planned outcome (as left operating state of control). Define change boundaries, which is what is in scope of change. A gap assessment of current vs. proposed may be used to highlight change points when current state of change is being revised/optimized and aid with construction of risk identification. Justification of Change: Provides the circumstances that prompted the change proposal, giving rationale and expected benefit of the proposed change and assessment of past released lots to ensure equivalency of lots released.

35 Regulatory Assessment Regulatory Affairs will determine impact on: Regulatory Risks Regulatory Licensing Policies Regulatory Submissions Product Labeling

36 Risk / Impact Assessment Risk Assessment must be performed to assess potential impact of change. The facility in which will accommodate the change should be considered under a facility assessment that assesses the change relative to the capability of the classified facility to uphold product safety, identity, strength and/or quality that is at least comparable to the state prior to change or intended state. Changes to specifications, sample plans test methods, product controls, reference standards, standard curve standards, etc. should be assessed for comparability to state prior to change and equivalency risks should be identified. Changes initiated at contract manufacturing organizations, contract laboratory or suppliers should be assessed for comparability to state prior to change and equivalency risks should be identified. Assessors are to assess impact to Documentation, Trainings, Validation, Equipment/Systems, Product, Product License/Dossier, Product Hold Times, Stability, GMP Processes or Computerized Systems (Functionality, Security, Integration and Interfaces)

37 Implementation Plan & Target Dates The Implementation Plan Key Areas are: Target Implementation Date Date that Change will be employed. Be realistic! Implementation Plan The implementation plan should list all steps required to implement change Contingency Plan Rollback plan, as applicable

38 Change Evaluation and Approval for Implementation The Change Owner employs implementation tasks according to approved plan. The Change Owner ensures completion of the implementation actions outlined in the parent record by the implementation due date and begins routing for approval. If target implementation date cannot be met, owner is to request an extension and provide justification. The Quality task approver ensures completion of the assigned tasks by the date due. The Change Owner confirms required data, evidence of performance of the implementation plan (QC data summary, validation summary report, work orders, etc.) are attached to the change record, as necessary.

39 Implementation Process Implementation Process minimum checks: The Owner and/or Task Owners employ implementation tasks according to approved plan. The Owner ensures completion of the implementation actions outlined in the record by the implementation due date and begins routing for approval. If target implementation date cannot be met, owner is to request an extension and provide justification. The Quality approver ensures completion of the assigned tasks by the date due. The Owner confirms required data, evidence of performance of the implementation plan (QC data summary, validation summary report, work orders, etc.) are attached to the record, as necessary.

40 Closure Summary Summary, results and deliverables of the changes that are implemented as part of the implementation plan Identify whether the change is executed to plan. If No, provide justification Route The owner routes the change record for closure to department Approvers who are manager level and above and Quality with all supporting documentation by target implementation due date Approvals The record approvers and Quality ensures that the Change Completion is approved within XXX calendar days of the completion of the implementation plan (XXX: recommended - 30 days)

41 Effectiveness Check What is an Effectiveness Check? Predetermined criteria to assess the effectiveness of the change Ensures there are no other unforeseen consequences on other classified areas or state of control (which might not have been apparent with change proposal approval) Owner Opens the Effectiveness check record, identifies acceptance criteria and targets completion date Quality Quality approver reviews the Effectiveness Check Summary to confirm satisfactory completion of the Effectiveness Check by ensuring all acceptance criteria are met and the adequate objective evidence is referenced and attached