Computerised Systems. Inspection Expectations. Paul Moody, Inspector. 18/10/2013 Slide 1. ISPE GAMP COP Ireland Meeting, Dublin, 17 th October 2013

Similar documents
Computerised System Validation

COMPUTERISED SYSTEMS

CUSTOMER AND SUPPLIER ROLES AND RESPONSIBILITIES FOR 21 CFR 11 COMPLIANCE ASSESSMENT. 21 CFR Part 11 FAQ. (Frequently Asked Questions)

EUROPEAN COMMISSION HEALTH AND CONSUMERS DIRECTORATE-GENERAL. EudraLex The Rules Governing Medicinal Products in the European Union

EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL. EudraLex The Rules Governing Medicinal Products in the European Union

Regulatory Overview Annex 11 and Part 11. Sion Wyn Conformity +[44] (0)

EU GMP - Annex 11 Computerised systems Versione corrente Nuova versione per commenti (emessa 8 aprile 2008)

References Concept. Principle. EU Annex 11 US FDA , (g), (i), 11 Orlando Lopez 2/15/11. Old Annex 11.

Computerised Systems. Alfred Hunt Inspector. Wholesale Distribution Information Day, 28 th September Date Insert on Master Slide.

EU Annex 11 US FDA 211, 820, 11; other guidelines Orlando López 11-MAY-2011

EU Annex 11 US FDA , (g), (i), 11 Orlando López 09-APR

Computer System Validation Perform a Gap Analysis of your CSV Processes

EU Annex 11 update. An ISPE interpretation

ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER TUUSULA FINLAND. Timo Kuosmanen STERIS Finn-Aqua

Implement Effective Computer System Validation. Noelia Ortiz, MME, CSSGB, CQA

Electronic Systems - Regulators Observations

GAMP5 Validation for Dynamics 365

GAMP Guideline & Validation Documentation

Validation of MES and Manufacturing Automation systems

Contents. Contents (13) 1 Qualification (21)

Data Integrity: Production Environment

Develop a Roadmap for the Implementation of a Global CSV Program. Eileen Cortes April 26, 2017

Summary of Significant Changes. Policy

Oracle Tech Cloud GxP Position Paper December, 2016

LEVERAGING YOUR VENDORS TO SUPPORT DATA INTEGRITY:

Data Integrity Why is it important? DADM Conference - 22 August 2017

New Data Integrity Regulations and Practical Advice for Life Science Laboratories. we prove it.

Could Poor Temperature Data Management be Putting Your GxP Facility at Risk for Data Integrity Violations? we prove it.

GUIDE TO GOOD MANUFACTURING PRACTICE FOR MEDICINAL PRODUCTS

COMPUTERIZED SYSTEM VALIDATION

General European OMCL Network (GEON) QUALITY MANAGEMENT DOCUMENT

[ WHITE PAPER ] A Basic Overview: Meeting the PIC/S Requirements for a Computerized System INTRODUCTION GOOD MANUFACTURING PRACTICES

Validation and Automated Validation

Risk-based Approach to Part 11 and GxP Compliance

OECD Working Group on Good Laboratory Practice. Template for submission of comments on draft GLP Guidance Documents. Instructions for Use

Manufacturing Optimisation Inside the Pharmaceutical Supply Chain. Business System Compliance

SIMATIC IT. SIMATIC IT R&D SUITE V7.1 Compliance Response ERES. Introduction 1. The Requirements in Short 2

Clarity CDS since version 7.2 supportive tools for compliance with Title 21 CFR Part 11, EudraLex Chapter 4, Annex 11 and other similar legislation

White paper: Code of GMP Chapter 4 Documentation - PIC/S versus EU

Current Trends in Data Quality and Integrity Issues in Inspections and Risk Based Approach to Investigations; EU perspective

PTC s Windchill Product Lifecycle Management (PLM) System Facilitates Part 11 / Annex 11 Compliance

VALIDATION OF MANUFACTURING EXECUTION SYSTEMS (MES)

Latino America Consultores Innovation & Technology to make your Business Compliant

Strategies for Risk Based Validation of Laboratory Systems

COMPUTERIZED SYSTEM VALIDATION (CSV) IMPLEMENTATION, DEMARCATION AND STRUCTURATION

DATA INTEGRITY ASSURANCE AS KEY FACTOR FOR SURVIVING CORPORATE AUDITS AND REGULATORY INSECTIONS

Outsourcing - managing risks and opportunities over which you now have less control

Enterprise and Industry Directorate-General European Commission B-1049 Brussels Belgium BY TO and

Documenta tion and Records

SESSION 14. Documentation Requirements and Management for Validation. 30 March Frits Vogt

Annex IV to guidance for the conduct of good clinical practice inspections sponsor and CRO

Validation Documentation. Presented by John Montalto 27 March, 2013

Ensure Data Integrity Compliance Enterprise-Wide

COMPUTER SYSTEMS VALIDATION

PLA Product Overview. PLA 2.1 Overview

Validation Best Practices Jeb Bullis Senior Account Executive

Managing Validation. Paperless Recorders

The Role of the LMS in 21 CFR Part 11 Compliance

Cross-walk between EU Annex 11 and US FDA 211, 820, 11; other guidelines and regulations Orlando López Rev19Dec14

System Requirements (URS)

á1058ñ ANALYTICAL INSTRUMENT QUALIFICATION

ISPE-FDA 3 rd Annual CGMP Conference 2 4 June 2014 Baltimore, MD. Detecting GMP Data Integrity Issues

Process ERP, an ideal software solution for Life Science industries

GLP Computerized Systems Updates from OECD Guidance. Dr. Michael Regehr, BASF Corporation 28 JAN 2016, NAICC, Orlando

Overview of Amgen s CQP Commissioning and Qualification Program Steve Wisniewski Principal Compliance Consultant, CAI Past Chairman ISPE C&Q COP

Primary Distribution Activities

Good Laboratory Practice GUIDELINES FOR THE VALIDATION OF COMPUTERISED SYSTEMS. Release Date:

Deficiencies found in Inspections and QP Responsibilities

Regulatory Expectations, Standards & Guidelines

Quality Assessment & GMP Similarities & Differences

WARNING LETTER AUG 3, 2016

GUIDANCE NOTE 37 MEDICAL GASES DATA INTEGRITY

Page 1 of 35 ATTACHMENT B

Risk-Based Approach to Software Quality and Validation

Data Integrity Compliance Project

Good Automated Manufacturing Practices (GAMP)

Introduction to 21 CFR 11 - Good Electronic Records Management

GOOD PRACTICES FOR COMPUTERISED SYSTEMS IN REGULATED GXP ENVIRONMENTS

Installation Qualification Equipment (Reference SOP: )

Compliance Response Electronic Records / Electronic Signatures (ERES) for SIMATIC PCS 7 V8.1

GAMP 4/5 Prospective / retrospective Qualification of water treatment plants) P. Dony

Addressing the Paradigm Shift in Regulatory Inspections

Team L5 Automation Practices in Large Molecule Bioanalysis

Implementing Compliant Medical Device Best Practice Business Processes Using Oracle E-Business Suite

CSV Inspection Readiness through Effective Document Control. Eileen Cortes April 27, 2017

Preparing for a Software Quality Audit

Materials Management Traceability, CEPs and managing non-conforming sites

PLA 2.0. Software for Analyzing Parallel-Line and Parallel-Logistics Assays

Inspection of API Manufacturers & Update on Registration Process

Jean Guichard. Introduction to Good Process Record Management (GxP) #: Internet-WP Version: e1.00 /EN

Regulations and guidance for the pharmaceutical industry

Computer. Systems Validation (CSV) Full Time Part Time Online.

Compliance Response Electronic Records / Electronic Signatures for COMOS V10.0

EUROPEAN COMMISSION HEALTH AND CONSUMERS DIRECTORATE-GENERAL

Testing 2. Testing: Agenda. for Systems Validation. Testing for Systems Validation CONCEPT HEIDELBERG

GCP Basics - refresher

Laboratory Data Integrity Issues Found in Audits and Inspections

GxP Compliance for Computerized Systems

Compounding Pharmacies and the Contract Testing Lab

UNIFI 1.5 : Simplifying Qualification and Validation June 2012

Transcription:

Computerised Systems Inspection Expectations ISPE GAMP COP Ireland Meeting, Dublin, 17 th October 2013 Paul Moody, Inspector Slide 1

Presentation Contents Brief Introduction to the IMB Regulatory References Changes to Annex 11 Considerations for Validation Annex 11: Assessments to new Annex Common Deficiencies 2

Brief Introduction to the IMB 3

Mission Statement To protect and enhance public and animal health through the regulation of medicines, medical devices and health care products 4

Irish Medicines Board -Summary Competent Authority in Ireland for medicinal products for human use medicinal products for veterinary use medical devices blood and tissues & cells Cosmetics Organs Licensing and Inspection of Controlled Drugs in conjunction with Department of Health & Children 5

IMB Some Facts and Figures Formerly National Drugs Advisory Board (NDAB) Established under IMB Act 1995 (No. 29 of 1995) Region of 260 staff members Assess & monitor over 6,700 Human Medicines 1,200 Veterinary Medicines 500,000 Medical Devices on the Irish market 6

Regulatory References 7

Regulatory References EU GMP Annex 11 (2011) Free http://ec.europa.eu/health/files/eudralex/vol-4/annex11_01-2011_en.pdf EMA Questions and Answers on Annex 11 Free http://www.ema.europa.eu/ema/index.jsp?curl=pages/regulation/ general/gmp_q_a.jsp&mid=wc0b01ac058006e06c#section8 PIC/S PI 011/3 (2007) Free http://www.picscheme.org/pdf/27_pi-011-3-recommendation-oncomputerised-systems.pdf 8

Changes to Annex 11 9

Annex 11: Changes Principle: Computerised System: Software and Hardware components which together fulfill certain functionalities No resultant decrease in product quality, process control or quality assurance This is what is to be achieved 10

Annex 11: Changes Scope has increased Now includes everything from Electronic Batch Record Systems Manufacturing Control Systems Building Management Systems Lab Management Systems Document Management Systems Training Management Systems 11

Annex 11: Scope To Small devices e.g. Temperature loggers IT Incident Tracking Systems (for GMP systems) Electronic Request Systems (e.g. user account requests) In other words. All systems engaged in GMP activities! Applications: Validated Infrastructure: Qualified 12

Annex 11: Changes Annex 11 is written in three sections General Project Phase Operational Phase 13

Annex 11: General Risk Management Required throughout the lifecycle Roles and Responsibilities Process Owner: Responsible for the Business Process System Owner: (Typically) Responsible for Availability of system Maintenance of system Security of the data on the system 14

Annex 11: General Personnel appropriate level of access and defined responsibilities to carry out assigned duties Have they access to enough? too much? How is this maintained with corporate/multisite systems? 15

Annex 11: General Something to consider... Do sister site personnel have access to your elements of a multisite system which is beyond their responsibility and duty? If so, are they trained (within your QMS) and authorised to access your elements? 16

Annex 11: General Suppliers and Service Providers Who is supplying the system? Who is maintaining it? Agreements as per Chapter 7 Even with internal IT departments Assessment of supplier/service providers Appropriate Standards used? e.g. ISO 12207, ISO 25010 as appropriate Audit required? justify decision 17

Annex 11: Project Phase Validation of Systems Annex 11 Assessments Considerations for Validation 18

Project Phase: Validation Up to date listing of all relevant systems and GMP functionality Critical Systems System description data flows, interfaces with other systems, processes. Software/Hardware pre-requisites Security measures User Requirements: Based on risk assessment and GMP impact Traceable throughout the lifecycle 19

Project Phase: Validation Generally follow the lifecycle of equipment validation: IQ, OQ, PQ with quality gates at the appropriate points. Level of validation depends on the criticality of the system This should be justified 20

Project Phase: Validation What do you test? Process (parameter) limits Values Logic User Accounts Configuration Multiple connections Simultaneous requests 21

Project Phase: Validation Data limits Include negative testing (from risk assessment) Error handling System recovery mid transaction? Database corruption Hardware buffers etc Data Transfer Checks that data are not altered in value and/or meaning Level of checking should be statistically sound 22

Annex 11: Assessment Current Annex 11 effective 30 th June 2011 It is now 2013 Expectation that company s have assessed their systems against the updated Annex. What should this assessment cover? 23

Annex 11: Assessment Gap analysis of the quality management system elements relating to computerised systems: Policies and SOPs Agreements Listing of Systems Categorisation of Systems (critical/non-critical) Assessment of Legacy Systems 24

Annex 11: Legacy Systems For each Legacy System: Define the user requirements Perform a gap analysis to determine the validation effort for retrospective validation. Verify user requirements 25

Considerations for validation 26

Small Device Validation Usually widely used off-the-shelf pieces of equipment Temperature logger Development life-cycle is mainly controlled by the vendor. A vendor assessment is required 27

Small Device Validation Generate Requirements Definition for the intended use including process limitations. Is data are stored or transferred to another system. Parameter data influencing the device's behaviour should not be altered without suitable permission Risk assessment consideration for the intended use and patient risk 28

Small Device Validation Documentation from the vendor methodology used and the calculation algorithm (if applicable). Vendor certificate or equivalent detailing the testing performed by the vendor Calibration certificate (if applicable) Develop Validation plan according to the riskassessment results Verification testing (PQ-phase). 29

Third Party Validation Qualification/Validation performed by a Vendor Subject to Chapter 7: Outsourced Activities Site must ensure their user requirements not the Vendors are achieved. Validation is the responsibility of the regulated user... What about Multisite/Corporate Systems? 30

Corporate/Multisite Systems Some examples: ERP System Deviation Management System Validation plan/overview for the approach taken Typically some Corporate core validation Plan, URS, FDS, IQ, OQ etc Site should assess the corporate validation include Site Infrastructure Must meet the requirements of Annex 11 31

Corporate/Multisite Systems Typically Site performs activities to mitigate the risks identified Some Infrastructure Qualification Some software and configuration elements: Mini URS, Mini FDS/Config Spec, Mini IQ, Mini OQ, PQ etc. All documentation may be subject to inspection Includes Corporate core validation and associated assessments, agreements etc 32

Corporate/Multisite Systems Remember: Corporate HQ typically not involved in manufacturing and are therefore not usually regulated Validation is the responsibility of the regulated user... 33

What about Spreadsheets? Assess the situation Do you need to consider the package (Excel) or the spreadsheet? Assess requirement of each spreadsheet generated. Validation is required for spreadsheets that contain custom code. E.g. Visual Basic 34

What about Spreadsheets? Formulas (any algorithms) should be verified Template and Record subject to requirements of Chapter 4 Data integrity should be ensured. Can formulas be accidentally overwritten? Will input of an inappropriate data type be accepted? No input or error message? 'boundary checks 35

Some other things to consider Where certain activities are outsourced by a manufacturer and computerised systems are used: The validation of such hardware and software should be maintained. e.g. Kaye Validators etc Validation is the responsibility of the regulated user... 36

Annex 11: Operational Phase Data Accuracy Checks Data Storage Printouts Audit Trails Change and Configuration Management Periodic Evaluation Security Incident Management Electronic Signature Batch Release Business Continuity Archiving 37

Operational Phase: Data How does the system interface with other systems? Native to the software? Middleware? Custom code? E.g. EBR with Balances, CDS data migration to LIMS 38

Operational Phase: Data Data security includes: Data Integrity Reliability Availability of data. During validation of a database or inclusive system consider: procedures and mechanisms to ensure data security, the meaning and logical arrangement of data load-testing, incorporating future database growth precautions for end of life-cycle data migration 39

Operational Phase: Accuracy Checks How accurate is the data? Electronic Verification e.g. against a database or other system Manual verification of entries e.g. manually on to a calculation spreadsheet The consequence of bad data should be known and assessed. 40

Operational Phase: Data Storage How is it stored? Where is it stored? Who has access? Who should have access? Is Data integrity maintained? 41

Operational Phase: Printouts Ensure that clear printouts of data can be obtained. E.g. calibration schedules. Records supporting batch release should indicate if any data has been corrected. 42

Operational Phase: Audit Trails Audit Trails must be convertible to a generally intelligible form regularly reviewed If system has no functionality showing changes to data since original entry printout of the related audit trail report must be generated and linked manually to the record supporting batch release 43

Change and Config. Management Remember, the system is validated! Changes to a part of the system may pose a risk due to interdependencies. Change management system must be used. Record, assess, approve and document change Separate electronic system used for IT issues/changes? a GMP system in its own right? 44

Operational Phase: Periodic Evaluation Periodic Evaluation frequency must be justified. Criticality of system Complexity of system Consider it like other periodic evaluations e.g. Water System, Env Monitoring etc Some things to consider in the evaluation: Current functionality (any changes? Does it still meet user requirements?) Deviations or Incidents Problems 45

Operational Phase: Periodic Evaluation Some more things to consider in the evaluation Upgrade history Performance Reliability Security Validation Status Reports 46

Operational Phase: Security User Access Levels Definition of levels Management of access control Record of access within software Extent depends on criticality of system 47

Op. Phase: Incident Management All incidents should be reported and assessed. What is an incident? System Failures Data Errors Any unplanned issue affecting product quality or data integrity. Root cause of a critical incident should be identified and CAPAs implemented. 48

Op. Phase: Electronic Signatures E-Signature must have the same impact as a hand written signature Within the boundaries of the company If an e-record is from a third party how do you know that it meets the above? If used, then they are a GMP system and should be validated as such how have you verified this? - Supplier Qualification? Permanently linked to the record Does your system rebuild the signed document or is the signature embedded within the document? Has it been verified? Time and date stamped 49

Op. Phase: Batch Release Only the QP certifies the batch Captured by e-signature EBR Exception Reports considerations Personnel review only exceptions Risk Assessment Assumption that all EBR modules correct Critical times managed within EBR? Indirect information correct? 50

Op. Phase: Business Continuity What happens if the system breaks down? Manual or Alternative system? Risk Assessment for bringing them up Manual/Alternative systems should be tested in their own right 51

Op. Phase: Archiving Is data verified? What is media used and what is its expiration criteria? Is data still retrievable when changes are made to the system? Storage requirements of electronic data and documents the same as paper documents. Ensure electronic signatures applied are valid for the entire storage period for the documents. 52

Sample Deficiencies 53

Sample Deficiencies: General 1/2 A listing of GMP computerised systems was not maintained. The software utilised to control [equipment] had not been categorised. Not all critical GxP systems were present. For example the [Equipment] Program and Review software. The Virtual Private Network software had not been subject to GxP assessment or qualification as appropriate. 54

Sample Deficiencies: General 2/2 The [business continuity process] was not available for use as documented in [a deviation]. The associated investigation did not assess why the contingency procedure and process had failed. The third party audit performed of the software supplier was considered deficient in that the memo describing the qualification or impartiality of the auditors was not physically signed. There was no system description defined despite the system being live. 55

Sample Deficiencies: User Accounts 1/2 It was permitted for [CDS] administrators who had audit trail access to analyse samples. It was possible for administrators to verify their own test result recording in ERP. There were no procedural restrictions around this and was hence considered to increase the overall risk of the associated testing processes. The system owner access level was not described. 56

Sample Deficiencies: User Accounts 2/2 The removal of test accounts had not been considered by the company prior to the system going live. [ERP] access configurations for the job roles within the site was not adequately defined in that there was no documented correlation of local access levels to the user access elements as defined by the Global [ERP] group. System authorisation concepts were not always considered in that Users could be administrators with full system access and also have batch manufacturing responsibilities. 57

Sample Deficiencies: Audit Trail Audit trail comments on [the CDS] were not always sufficiently detailed. For example, a number of changes were observed to have been made to the integration method utilised on [a test] on [a date] and these had a comment of save documented. 58

Sample Deficiencies: Qualification 1/2 The qualification of the ERP system was considered deficient in that: The independent code review was not available for review during the inspection. The actual observed results were not always documented within the qualification records The procedure for electronic signatures data transfer to the ERP system was not described in a procedure and was not qualified. There was no assessment of ERP database integrity. 59

Sample Deficiencies: Qualification 2/2 The decision not to test requirement [Electronic Signatures] documented in [Rationale] was not considered to be justified in that the referenced documents disclaimer stated that the information should not be relied upon. 60

Sample Deficiencies: Assessments The periodic assessment of computerised systems had not been completed for all equipment. For example, [computerised system] was installed [a long time ago] and at the time of the inspection had not been reassessed. The assessment of GxP systems against the requirements of the revised Annex 11 which came into effect 30 th June 2011 had not been completed. 61

Sample Deficiencies: Archiving In relation to the back up and restoration of data There was no process for logging of media used to back up the server systems. The maximum number of uses for the magnetic tapes was not defined or the number of uses controlled. All backup activities on the site were not procedurised. For example back up of the [Program] data from [Equipment] and back up of certain [Equipment] PLC code was performed on an ad-hoc basis using HDDs which were not stored in an appropriate location. 62

In Summary Understand the system and its interactions Risk Assess the system Software should be validated and maintained Infrastructure should be qualified and maintained Data Integrity should be assured E-Signatures should be permanently linked Issues should be appropriately investigated and resolved There should be no resultant decrease in product quality, process control or quality assurance 63

Questions Slide 64

ISPE GAMP COP Ireland Thank You for Listening Paul.Moody@imb.ie Compliance@imb.ie +353 (0)1 676 4971 Slide 65

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback