How to Survive an FDA Computer Validation Audit



Similar documents
ComplianceSP TM on SharePoint. Complete Document & Process Management for Life Sciences on SharePoint 2010 & 2013

This interpretation of the revised Annex

FDA Software Validation-Answers to the Top Five Software Validation Questions

Computer System Validation - It s More Than Just Testing

INTRODUCTION. This book offers a systematic, ten-step approach, from the decision to validate to

WHY ISN T EXCEL GOOD ENOUGH INTRODUCTION THE COMPARISON: EXCEL VS. PRIMAVERA S CONTRACT MANAGER EXECUTIVE SUMMARY MICROSOFT OFFICE EXCEL OPTION

MHRA GMP Data Integrity Definitions and Guidance for Industry January 2015

The FDA recently announced a significant

Schweppes Australia Head Office Level 5, 111 Cecil Street South Melbourne Victoria

MHRA GMP Data Integrity Definitions and Guidance for Industry March 2015

EUROPEAN COMMISSION HEALTH AND CONSUMERS DIRECTORATE-GENERAL. EudraLex The Rules Governing Medicinal Products in the European Union

Preparing for an FDA Pre-Approval Inspection (PAI)

OMCL Network of the Council of Europe QUALITY ASSURANCE DOCUMENT

Documenting Distribution Operations: FDA Validation Beyond the Laboratory and Manufacturing Facility

Considerations When Validating Your Analyst Software Per GAMP 5

Manual 074 Electronic Records and Electronic Signatures 1. Purpose

CONTENTS. List of Tables List of Figures

Task Manager. Task Management

Pharma IT journall. Regular Features

Adoption by GCP Inspectors Working Group for consultation 14 June End of consultation (deadline for comments) 15 February 2012

GOOD DOCUMENTATION AND QUALITY MANAGEMENT PRINCIPLES. Vimal Sachdeva Technical Officer (Inspector), WHO Prequalification of Medicines Programme

The SaaS LMS and Total Cost of Ownership in FDA-Regulated Companies

Validating Enterprise Systems: A Practical Guide

Computer System Configuration Management and Change Control

LANDesk Service Desk. Outstanding IT Service Management Made Easy

Computerized System Audits In A GCP Pharmaceutical Laboratory Environment

A Pragmatic Approach to the Testing of Excel Spreadsheets

Welcome Computer System Validation Training Delivered to FDA. ISPE Boston Area Chapter February 20, 2014

COTS Validation Post FDA & Other Regulations

Validation Consultant

Audits must be conducted with due concern for employee safety and environmental protection.

OECD DRAFT ADVISORY DOCUMENT 16 1 THE APPLICATION OF GLP PRINCIPLES TO COMPUTERISED SYSTEMS FOREWARD

Regulatory Asset Management: Harmonizing Calibration, Maintenance & Validation Systems

IFS Food Safety and Quality Management System

TRANSACTION MANAGEMENT IN ARIZONA

ORACLE PROCESS MANUFACTURING QUALITY MANAGEMENT

PHARMACEUTICAL TRAINING GUIDELINE

Managing Compliance Risks with EAM / CMMS

Testing Automated Manufacturing Processes

Computer System Configuration Management and Change Control

Overview of EAM Services. A Fully Integrated Global EAM Service Provider

European Forum for Good Clinical Practice Audit Working Party

Risk-Based Validation of Computer Systems Used In FDA-Regulated Activities

Back to index of articles. Qualification of Computer Networks and Infrastructure

Considerations for validating SDS Software v2.x Enterprise Edition for the 7900HT Fast Real-Time PCR System per the GAMP 5 guide

Validated SaaS LMS SuccessFactors Viability

QUESTIONS FOR YOUR SOFTWARE VENDOR: TO ASK BEFORE YOUR AUDIT

How to implement a Quality Management System

QUALITY CONTROL AND QUALITY ASSURANCE IN CLINICAL RESEARCH

GOOD PRACTICES FOR COMPUTERISED SYSTEMS IN REGULATED GXP ENVIRONMENTS

Effective Asset Management for Life Sciences

The Impact of 21 CFR Part 11 on Product Development

Scanning and Tossing. Requirements for Scanning and the Destruction of Paper Based Records

Review and Approve Results in Empower Data, Meta Data and Audit Trails

Clinical database/ecrf validation: effective processes and procedures

Introduction. Editions

Eclipsys Sunrise Clinical Manager Enterprise Electronic Medical Record (SCM) and Title 21 Code of Federal Regulations Part 11 (21CFR11)

Off-the-Shelf Software: A Broader Picture By Bryan Chojnowski, Reglera Director of Quality

Standardizing Best Industry Practices

Qualification Guideline

Validation and Part 11/Annex 11 Compliance of Computer Systems

Implementation of ANSI/AAMI/IEC Medical Device Software Lifecycle Processes.

Overview. Disasters are happening more frequently and Recovery is taking on a different perspective.

Life Sciences Product Development Artifacts Survey Results

Product Lifecycle Management in the Medical Device Industry. An Oracle White Paper Updated January 2008

codebeamer INTLAND SOFTWARE codebeamer Medical ALM Solution is built for IEC62304 compliance and provides a wealth of medical development knowledge

Reflection paper on the Use of Interactive Response Technologies (Interactive Voice/Web Response Systems) in Clinical Trials

security in the cloud White Paper Series

Software as a Service: Guiding Principles

(COMPANY LOGO) CGMP COMPUTERIZED SYSTEM VENDOR AUDIT QUESTIONNAIRE

Working Party on Control of Medicines and Inspections. Final Version of Annex 16 to the EU Guide to Good Manufacturing Practice

OPERATIONALIZING EXCELLENCE IN THE GLOBAL REGULATORY SUBMISSIONS PROCESS

Sage ERP The top five reasons to deploy your ERP Solution in the cloud

Title:: Effective GMP AUDITS for APIs and Formulation Pharma Companies By G.Sundar-Director/Consultant PharmQA Compliance solutions

Balancing cgmp vs. SOX. Compliance Guidances

1. Scope This SOP covers requirements for PHARMCO-AAPER s Quality Management System

Enterprise Information Management for the Food and Beverage Industry

How To Run A Cloud Based Data Centre

Using the ISPE s GAMP Methodology to Validate Environmental Monitoring System Software

NetSuite. Goes Natural. We have spoken to dozens of small business executives about their move to adopt technology.

Laboratory Information Management System

TOTAL QUALITY MANAGEMENT II QUALITY AUDIT

Water, Environmental and Pharma LIMS Solution Transforms Information Management Solution at Nova Biologicals

SaaS Adoption Lifecycle in Life-Sciences Companies

Accounts Payable Invoice Processing. White Paper

ACDM GUIDELINES TO FACILITATE PRODUCTION OF A DATA HANDLING PROTOCOL

Monitoring the autoclaving process in the pharmaceutical industry

ITIL A guide to service asset and configuration management

INTRODUCTION. 1.1 The Need for Guidance on ERP System Validation

ORACLE MANUFACTURING EXECUTION SYSTEM FOR DISCRETE MANUFACTURING

Transcription:

How to Survive an FDA Computer Validation Audit The Myth Within the pharmaceutical, biotech, and medical device industry there is much fear and concern over approaching FDA audits. The FDA strikes fear in the hearts and minds of employees all over the world. More than any other regulatory body in these industries, the FDA rules with an iron fist. But is that true? How much of this gut wrenching is really necessary to survive an FDA audit of your computer systems successfully? What can you do to mitigate the emotional impact of the event? You can PREPARE! There is life after an FDA audit that focuses in part on your computer systems. The Truth The FDA has approximately 1100 inspectors. They work for the United States federal government. They have been well trained in Good Manufacturing Practices (GMP) and are well educated. Most inspectors have a speciality and tend to feel more comfortable when dealing with those areas. However, most of the FDA inspectors are not computer information specialis ts. They may know the acronyms and ask about your LIMS (Laboratory Information Management System), ERP (Enterprise Resource Planning) system, DMS (Document Management System) or MES (Manufacturing Execution System). The trend over the last years has been that they are becoming more computer literate and now they have a mandate to inspect computer systems in every domestic and foreign audit at least two per audit. They are being trained in what to look for in an increasingly computerised world. They will focus on how you handle materials, how you label product, how your environmental and water systems work, and how your labs work. If you can give a brief overview of your IT (Information Technology) environment it will be helpful as a first start. You only need to provide the picture of the systems you consider GMP relevant. The FDA will not ask about how you calculate product cost, for instance. They will ask about how you receive materials and give them a status via the computer. Practical Proactive Approach Computer validation is nothing more than good business practice. There is nothing unreasonable in the GAMP guidelines, for example. To maintain your computer environment over the years and to reap the benefits from electronic data capture, good documentation is necessary. In order to prepare for an successful FDA audit there are steps to take hopefully not two weeks before they arrive. Who will explain the systems in use? Determine who will be able to articulate well the computer systems you already use. Everyone is not a good candidate to put in front of an inspector. It is important to analyse the personality of your staff. Quality assurance (QA) employees are well schooled in what to say and what not to say. But IT

employees generally have not been so trained. It is advisable for the person who speaks about the computers in use to be confident and self-assured and someone who knows the business very well. Ideally that person has a background that includes an element of quality assurance and thus knows what sorts of things an inspector may look for. The FDA inspector probably will not ask why a program was written with C++ versus Java, for example, but will be concerned about the quality of the code. The questions may focus on specifics like Is there an audit trail when labels in the warehouse are reprinted because they got damaged before they were applied to the containers? Many IT professionals did not grow up in the pharmaceutical, biotech or medical device world. It is not an easy task to find someone who comes from the industry. Thus it is important to train these IT people in the art of dealing with an inspection. Just because the bits and bytes of the system fascinate them does not mean the inspector will care. However, the inspector will care that the system is well documented. Unfortunately documentation is typically not the favourite task of software developers or system maintainers. The ideal IT person to explain the systems in use should be familiar with GAMP or PDA guidelines for computer systems and software lifecycle development practices, should be able to walk an inspector through the company s policies for computer validation and general system maintenance, and should be able to field questions from a business and QA perspective. It is important that the person not over-explain the systems in place. What about software vendor audits? There is a precedent in the pharmaceutical, biotech and medical device industry to conduct vendor audits. From a software perspective this is becoming increasingly complex. There are so many products in use that it is not feasible to audit every vendor. So it is important to take a practical approach. From a business perspective vendor audits are time-consuming and expensive for both the software vendor and the pharmaceutical manufacturer perspective. There is a lack of expertise on both sides for these audits unless the software is industry specific (e.g. LIMS) or there is a large customer base (e.g. SAP). For out-of-the-box software like Microsoft Word it should be considered a de facto standard. It would be pointless to think you need to audit Microsoft. It is what you do with the tool that counts. Some applications (like SAP and Documentum) are now in such wide use by this industry that an audit is almost not necessary. However, it is important to have a quality verification. This verification could be simply that the parent company or an affiliate is using the product in a GMP environment or that a reference visit to a similar company was conducted. This quality verification should be documented via a memo to file or report. For less well-known or smaller software vendors conducting an audit is advisable. If you do not have the ability to conduct the audit yourself, hire an independent contractor who specialises in audits to do it. There are many sets of standard questions available. It is not recommended to merely send the questionnaire to the vendor for written

answers. For bespoke (homegrown) sys tems it is more important to consider the tools used for development and their robustness rather than the company who produced the tool. Microsoft Access and Excel, for example, were not developed for regulated industries but were made available for general use. In the case of web-based tools like SilverStream it is important to consider the built-in features that do make the product suitable for use in a highly regulated industries (banking, insurance, pharmaceutical, etc.). Thus, for bespoke systems, it is important to document your selection of the tools and their use. Bespoke systems require more scrutiny than others do because they are developed in house. Obviously you cannot audit yourself. Because you are not a software development company it is extremely important that if you develop applications yourself that you have a software lifecycle methodology in place and follow it. This includes having sufficient and documented source code guidelines and reviews, configuration management, testing procedures and change control in place. What documentation will you show an auditor? It is important to be able to navigate between a huge variety in terms used for the various documents. The FDA merely wants to verify that the system has been well documented. A glossary helps immensely. No two software vendors or consultancies use the same terms for very similar documents. The glossary should include all the terms of reference for the various documents in use. Because so many software projects include outside contractors it is imperative for the person explaining the documentation to have a frame of reference. At the very top of the documentation list is a Validation Plan. This document may be the first one the auditor looks at and it should provide a direction of the documentation to follow. It should clearly indicate what documents to expect for any given system. For complex ERP systems it is important to have a clear indication of what functions are GMP critical and how was it decided. For example, posting the receipt of a material into quarantine until testing is complete is GMP critical versus posting an account receivable, which is not. Typical computer validation documentation includes a User Requirements Specification. Hopefully this is a true reflection of what the business requires and is not a wish list that was used for software selection. The wish list approach could include such things as sub-second response time that is patently stupid and no system will achieve. An FDA inspector will typically ask to see how the requirement has been fulfilled and where is it documented. So, if the requirement is that you receive a raw material and it must be sampled where is the documentation for the sample plan? It could be on paper or in LIMS (Laboratory Information Management System) or in ERP. The documentation includes a Functional Design Specification that explains how the computer system satisfies the user requirements. For configurable software like SAP and Documentum (well known applications for Enterprise

Resource Planning and Document Management) it is critical that the configuration as it applies to your business be well documented. Because these systems are fairly complex, a validation matrix approach helps. This relates the user requirements to the configuration and any bespoke work that has been done (e.g. interface from ERP to LIMS, forms like labels, numbering sequences done via a user exit, etc.). Any bespoke work requires a detailed design document. Of course, there are the Installation Qualification, Operational Qualification and the Performance Qualification Protocols and their associated executed test scripts and reports. There should be test incident sheets that are clearly traceable and uniquely identified, test instructions for the testers including their signatures and CV s on file, and the resolution of all incidents. Probably most important of all is your software change control procedures. Is it separate from your general change control procedure? Does it include a GMP and validation relevancy assessment? Can you track all changes? What about the control of your system documentation? Are the electronic files open to everyone? Is paper or the electronic version the master? Do you have a check-in and check-out procedure for your documents? Are they kept in a secure cabinet? Who has access to those documents? What about tricky questions? Avoid the use of bespoke systems that some guy decided would be handy in terms of doing his job. They are fraught with danger. People are becoming more and more computer literate and understand the power of the computer in terms of doing their day-to-day work. Like Topsy these systems quickly proliferate and grow. IT and QA should be in control of educating employees in these industries that while it may make you work simpler, there may be difficulties explaining it. Any little desktop system that is allowed to make GMP decisions should be scrutinised and replaced. Excel, for example, can be very powerful but it is a liability application. There are significant issues with it in terms of security, authorisations, etc. If there are these tools in place make sure that you have a paper explanation for the procedure and that the SOPs do not reflect the liability application. Make sure that all new software requirements get channelled through IT so that you preclude the issue of each department deciding which application it wants and suddenly you have 500 software applications to explain rather than less than 10. This is more problematic in large corporations. It truly does help to have a vision and a larger perspective on the software environment. IT professionals at the top of the company should have sufficient background to deal with these sorts of policy issues. Standardising the desktop and the infrastructure is good business practice. This must be documented. What about Part 11? Part 11 came into law in 1997. Therefore it must be obeyed. In order to prove your compliance it is imperative to have a plan for remediation. This

plan must include dates and a true action list for legacy systems. Virtually all current systems should be considered legacy. New systems must be inherently compliant. Included in the compliance is an assessment form that should accompany each system in use from a GMP perspective. Be prepared to talk about both the use of electronic signatures and electronic records. Electronic signatures is relatively straightforward in terms of Part 11 but electronic records is fraught with danger. You should have a clear definition of controlled documents that does not include emails, for example. You should be prepared to discuss what material you archive electronically and how you can access it. In the case of replaced legacy systems you should be able to explain that the system has not been thrown away but is available as read only, etc. How will you train both IT and QA for an audit? Talking and practising for the audit helps. Seminars that educate IT about QA and vice versa are very valuable. More and more IT and QA are linked since software can be used so effectively to manage the business. Topics should include practical information about how is the network and hardware configured, how is it documented, what is the difference between an open and a closed system, what is Part 11 and how does it affect your business, etc. It helps to have a list of potential questions and think about the answers. The questions will most likely come from both the business side of things and the technical side. Questions could include such things as: ERP says there are 17 litres of acetone in Bin 8A. Can I see them? What is the timing of the computer posting? Before or after the physical placement of the goods? The requirement is that LIMS sends a usage decision to ERP for a finished good. How is that documented? What are the triggers? Can I see an audit trail? You change a GMP field in your ERP system for master material data. Who has the authority to do that? How is that documented? Have you tested your disaster recovery procedure and is it documented? Can I see the test incident sheets for your LIMS system? How do I know that they are closed? You just migrated from one ERP system to another. How do you handle recall in a hybrid environment? How did you manage your data conversion when going from an old system to a new system? For areas where there are likely to be lots of questions (warehouse, distribution, material sampling, etc.) having a flow chart to explain the interaction of the computer, people and paper is effective. It is highly advisable to have a physical walkthrough with the business people to verify that it works exactly like you think. You absolutely must all be saying the

same thing about how it works. It helps if the SOPs (Standard Operating Procedures) reflect the exact same thing. Benefit of Experience It seems obvious but practice makes perfect. There is a benefit of getting an outsider to perform a mock audit. Primarily this is because the outsider does not know your operation in detail and will notice things that you never thought about. The outsider can also test the people involved directly in the audit in terms of assessing their skills, their confidence, and their ability to field questions and assist in coaching them. Keep in mind that some people can be coached about how to explain what a computer does and other cannot. It does not mean they are bad employees but you may not want them to be in front of an inspection auditor. It is also important to retain employees who are good in audit situations. There is an art to successful software audits: Have the most relevant documentation readily available (e.g. validation matrix for SAP) Make sure there is enough time to prepare Quality documentation and standardisation are key to good business practice Auditing should only confirm practices already in place After every audit there should be a de-brief that identifies the good, the bad, and the ugly and puts a plan in place to fix what is broken. Audits are always a learning experience. The more that can be done up-front to eliminate the tenseness the better. A well prepared, confident IT professional is highly desired! Success!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information