Title: Current Computer Industry Trends in Regulated Environments Michael L' Rutherford Manager Global Qual
1Current Computer Industry Trends in Regulated
EnvironmentsMichael L. Rutherford Manager
Global Quality Laboratories Equipment/
Automation/ Lab Informatics
2Presentation Overview
- Brief Historical Perspective
- Current Thinking and Trends
- ER/ES
- Regulatory Inspections
3Regulatory History
- Computer System Validation - Not a New Regulatory
Requirement - 1979 FDA issued 483s for faulty control of
computerized systems - 1983 Drug Blue Book published
- 1987 Compliance Policy Guide (CPG) on Source
Code issued - 1994 Agency published proposed 21 CFR Part 11
rule - 1995 Good Automated Manufacturing Practices
(GAMP) published - 1997 Draft of General Principles of of Software
Validation released - 1997 21 CFR Part 11 Electronic Records
Electronic Signatures - 1998 Guide to Inspections of Computerized
Systems in the Food Industry released - 1999 Guidance on Computerized Systems Used in
Clinical Trials issued - 2001 Good Automated Manufacturing Practices 4
(GAMP 4) published - 2002 General Principles of of Software
Validation Final Guidance for Industry and FDA
Staff - 2003 Part 11 Guidance Electronic Records
Electronic Signatures Scope and Application - 2005 GAMP Good Practice Guide A Risk-Based
Approach to Compliant Electronic Records and
Signatures -
4In The Beginning
- February 1983 (the Blue Book)
- Guide to Inspection of Computerized Systems in
Drug Processing - to provide the field investigator with a
framework upon which to build an inspection of
drug establishments which utilize computer
systems
5Computer System Validation
- a means of avoiding defects
- FDAs analysis of 3140 medical device recalls
conducted between 1992 and 1998 reveals that 242
of them (7.7) are attributable to software
failures. - General Principles of Software Validation, Jan
11, 2002, CDRH - to ensure accuracy, reliability and consistent
intended performance and the ability to discern
invalid or altered records.
6The Early Years, 1983-1996
- Relatively little computer system oversight from
FDA - Small number of experienced inspectors
- Focused on GMP and GLP systems
7A Turning Point
- 1997 Part 11 Electronic Records Electronic
Signatures - 1999 The Guidance for Industry Computerized
Systems Used in Clinical Trials - Due to Y2K, FDA gives industry a grace period
until 2000
8Industrys Reaction
- Since the part 11 regulation was published,
concerns were raised by industry and vendors that
some interpretations of the part 11 requirements
would - unnecessarily restrict the use of electronic
technology - significantly increase the cost of compliance to
an extent not contemplated at the time the rule
was drafted - discourage innovation and technology advances
without providing a significant public health
benefit - The Clinical Guidance Document took Part 11 even
further - data tags
- reconstruction of study
9Increased Oversight, 2000-2002
- Major training program for FDA inspectors
- Computer system related 483 observations more
than tripled in 3 years - Main Part 11 citations
- Security
- Audit Trails
102002 a Change of Direction
- As part of an effort to improve and streamline
the regulatory process to maximize public health
protection and promotion, a two-year initiative,
the Pharmaceutical cGMPs for the 21st Century a
Risk-Based Approach was announced on 21 August,
2002. The goals of this initiative are - to ensure that regulatory review and inspection
policies are based on state-of-the-art
pharmaceutical science and to encourage adoption
of new technological advances by the
pharmaceutical industry - to implement risk-based approaches that focus
both industry and Agency attention on critical
matters - to make enhancements to the consistency and
coordination of Agency drug quality regulatory
programs
112003 Part 11 Turning Point
- Guidance for Industry Part 11, Electronic
Records Electronic Signatures Scope and
Application - explains FDAs current thinking regarding the
requirements and application of part 11 - Compliance Policy Guide (CPG 7153.17) was
withdrawn - All previously published draft guidance documents
were withdrawn - Draft guidance on Validation
- Draft guidance on Glossary of Terms
- Draft guidance on Time Stamps
- Draft guidance on Maintenance of Electronic
Records - (Draft guidance on Electronic Copies of
Electronic Records had been withdrawn in early
February) -
12Part 11 Turning Point (cont.)
- FDA is embarking on a re-examination of Part 11
as it applies to all FDA regulated products - FDA plans to revise provisions of Part 11 as a
result of this reexamination
13Part 11 Turning Point (cont.)
- While the reexamination is underway,
- FDA will more narrowly interpret the scope of
Part 11 - Fewer records will be considered subject to
Part 11 - For those records, the FDA will exercise
enforcement discretion with respect to - Validation
- Audit trails
- Record retention
- Record copying
- Legacy systems operational before August 20,
1997 - For those records, FDA does not intend to take
regulatory action to enforce compliance
14Part 11 Turning Point (cont.)
- However,
- FDA will enforce all other provisions of Part 11
- FDA will continue to enforce predicate rule
requirements, i.e, requirements of - The Federal Food, Drug and Cosmetic Act
- The Public Health Service (PHS) Act
- All FDA regulations for
- Drugs
- Devices
- Biologics
15Key Messages
- FDA expects approaches to Part 11 to be based on
- Predicate rule
- Determination of potential impact on product
quality and safety and record integrity - Justified and documented risk assessment
- This reinforces the fact that Part 11 is a
records regulation requiring full engagement of
business owners in close partnership with IT
16What does this Shift mean for Industry?
- Industry must have a deeper understanding of the
predicate rule - It is important to know which records are relied
on to make regulated decisions - Business process and system owners are in the
drivers seat - Risk management must become second-nature
- explicit data-driven decision making
- Impact on product quality, safety and record
integrity - Know where the risks are and manage those risks
based on impact -
17Recent Part 11 Activity
- PhRMA Computerized Systems Risk Management Task
Force - GAMP Good Practice Guide A Risk-Based Approach
to Compliant Electronic Records and Signatures - 21 CFR Part 11 Revision
18PhRMA Computerized Systems Risk Management Task
Force
- PhRMA CSRM has developed a set of risk management
principles and a white paper - Activities are aligned with the International
Conference on Harmonization (ICH) Quality Risk
Management Q9 Consensus Guideline
19GAMP Good Practice Guide
- GAMP Good Practice Guide A Risk-Based Approach
to Compliant Electronic Records and Signatures - Guide provides comprehensive new guidance on
meeting current regulatory expectations for
compliant electronic records and signatures - Supersedes previous guidance published jointly by
ISPE and PDA - Released April 2005
- Concepts will be incorporated into GAMP5 revision
20Whats changes might be expected?
- Revision of 21 CFR Part 11 (??)
- Continued increased focus on risk management and
risk-based approaches - Increased emphasis on computer systems again by
regulatory agencies (??)
21Recent Inspection Activity
- Significant loss of experienced inspectors
- Limited direct focus on computer systems
- Quality System based inspections
- Look at computer systems as part of a given
quality system - Focus on use relative to predicate rules
- Key areas of emphasis
- Data Integrity
- Security
- Audit Trails
- Change Control
- General CSV/ Control
22Recent Inspection Activity
- Examples
- Warning Letter Shelhigh, Inc. December 14,
2005 - Failure to adequately verify or validate the
corrective and preventative action to ensure that
such action is effective and does not adversely
affect the finished device For example - Your firm reported mislabeling of products where
corrective actions taken included changes to your
computer system, data entry forms, and batch
records. Changes to your computer system would
require validation activities, which your firm
failed to document for this incident.
23Recent Inspection Activity
- Examples
- Warning Letter - Care Products, Inc. July 10,
2006 - Because your firm lost its entire electronic
complaint records and lacked adequate design
change records, your firm may not have the
necessary documented and reliable quality data
for its analysis .
24Recent Inspection Activity
- Examples
- Warning Letter Concord Laboratories July 11,
2006 - Failure to maintain complete records of any
modificationsSpecifically, the records of
laboratory methods stored in the computer system
do not include the identity of the person
initiating method changes. - Appropriate controls are not exercised over
computer systems or related systems to assure
changes in analytical methods or other control
records are instituted only by authorized
personnel. Specifically - Laboratory managers (QC and RD) gained access to
the computer system through a common password.
Analysts were not required to use individual
passwords they operated the system following the
login by the laboratory management. - Due to the common password and lack of varying
security levels, any analyst or manager has
access to, and can modify any HPLC analytical
method or record. Furthermore, review of audit
trails is not required.
25Recent Inspection Activity
- Examples
- Warning Letter Quality Aspirators, Inc. May
23, 2006 - Failure to establish and maintain procedures for
monitoring and controlling of parameters for
validated processes to ensure specific
requirements are met, , failure to validate a
process, approve the validation according to
established procedures, and document the
validation activities and results.For example,
your firm has not - Evaluated and documented the equipment
installation of the computerized numerical
control machines (CNC) . To ensure that their
operational and performance specifications are
met. - Validate the milling process, including the
software programming of the CNC machines..
Changes in the tooling and programming parameters
are not conducted in accordance with any written
procedures or instructions.
26Recent Inspection Activity
- Examples
- Warning Letter Agile Radiological Technologies,
Inc. - March 17, 2006 - Failure to identify software errors (bugs) as
a data source for identifying existing and
potential quality problems failure to document
the investigation, the verification and/or
validation of the corrective action,
implementation of the corrective action, and to
asure that the corrective action taken is
effective. For example, the upgrade to version
2.0.7 stated that it fixed the (bug)
problembut it crashes the system. - Failure to have complete procedures to control
the design of the device in order to ensure that
specific design requirements are met. The design
control procedures in your Quality Manual do not - Ensure all design input requirements (labeling,
software requirements, etc.) relating to the
device are identified and will address the
intended use of the device. - Failure to document, validate or where
appropriate verify, review and approve design
changes. Specifically, there have been 4
version updates and 5 service pack updates since
release of the software Your firm did not
document the development, verification/
validation, and review/ approval of these
changes.
27Recent Inspection Activity
- Examples
- Warning Letter Agile Radiological Technologies,
Inc. - March 17, 2006 (cont.) - The design controls for the software are
inadequate because deficiencies including, but
not limited to, the following - A design plan identifying and describing
interfaces with different groups or activities
was not developed - The design outputs that are essential for the
proper functioning of the software are not
identified - The verification testing . Has not been
performed to show that the design output meets
the design input requirements - A risk analysis for this software was not
performed - A formal document review of the design results
has not been conducted and the results have not
be documented - Your firm did not establish design validation
procedures for this software to ensure design
specifications conform with user needs and
intended use(s), and - You did not document that the software was tested
on a computer configured with the minimal
specifications needed for the software function. - Failure to validate software used as part of the
quality system Specifically, the software your
firm uses to document and track complaints on the
software has not been validated for its
intended use according to established procedures.
28Recent Inspection Activity
- Examples
- Warning Letter Neil Laboratories, Inc. - May
31, 2006 - Failure to employ appropriate controls over
computer or relates systems to assure that
changes in master production and control records
or other records are instituted only by
authorized personnel. For example, your firm has
inadequate security measures in place to assure
the integrity and reliability of data generated
by your laboratory. During the inspection.our
investigator observed your laboratory analysts
operating computer systems under different
analysts names. Your analysts told our
investigators that using other laboratory
personnel's names and passwords was a common
occurrence in your firms laboratory while using
your TurboChrom laboratory software.
29Recent Inspection Activity
- Examples
- Warning Letter National Genetics Institute
January 17, 2006 - You failed to validate computer software used as
part of production or the quality system for its
intended use according to an established protocol
and/or failure to document the validation
activities and results and failed to make
adequate provisions for monitoring the
reliability, accuracy, precision, and performance
of laboratory test procedures and instrument. - There is no data to demonstrate that databases
created in xxx computer software program, have
been properly validated (IQ, OQ, and PQ) as
acceptable for their intended use. - Twenty-one (21) of the thirty-three (33)
databases created are identified as pending and
have not been validated. - In addition, validation of one (1) of the
thirty-three (33) databases is identified as
being in progress and validation of two (2) of
the thirty-three (33) databases have been
executed but not completed. - There are not data to demonstrate that the
quality control/ quality assurance spreadsheets
used for tracking and trending various quality
metrics have been properly validated and are
performing as intended.
30Recent Inspection Activity
- Examples
- Warning Letter National Genetics Institute
January 17, 2006 (cont.) - There are no written procedures describing
computer software functional requirements or
descriptions of functions and there is no
computer (user) manual. - We also note that you have failed to establish
an adequate system for authorizing, granting, and
rescinding computer access and adequate
computer security provisions to assure data
integrity. Current users do not use appropriate
access such as passwords and user-ID and
personnel who have changed jobs still have access
to the system.
31Conclusion
- Revision of 21 CFR Part 11 is being considered
and is in process - Regulatory agencies are looking at computer
systems during inspections - It is not as high an area of emphasis as it was
several years ago - Computer systems are evaluated as part of quality
system - Emphasis is on the use of computer systems in
support of predicate rule requirements - There application of risk management and
risk-based approaches is critical
32(No Transcript)