Current Computer Industry Trends in Regulated Environments Michael L' Rutherford Manager Global Qual

1
Current Computer Industry Trends in Regulated
EnvironmentsMichael L. Rutherford Manager
Global Quality Laboratories Equipment/
Automation/ Lab Informatics
2
Presentation Overview

• Brief Historical Perspective
• Current Thinking and Trends
• ER/ES
• Regulatory Inspections

3
Regulatory History

• Computer System Validation - Not a New Regulatory
  Requirement
• 1979 FDA issued 483s for faulty control of
  computerized systems
• 1983 Drug Blue Book published
• 1987 Compliance Policy Guide (CPG) on Source
  Code issued
• 1994 Agency published proposed 21 CFR Part 11
  rule
• 1995 Good Automated Manufacturing Practices
  (GAMP) published
• 1997 Draft of General Principles of of Software
  Validation released
• 1997 21 CFR Part 11 Electronic Records
  Electronic Signatures
• 1998 Guide to Inspections of Computerized
  Systems in the Food Industry released
• 1999 Guidance on Computerized Systems Used in
  Clinical Trials issued
• 2001 Good Automated Manufacturing Practices 4
  (GAMP 4) published
• 2002 General Principles of of Software
  Validation Final Guidance for Industry and FDA
  Staff
• 2003 Part 11 Guidance Electronic Records
  Electronic Signatures Scope and Application
• 2005 GAMP Good Practice Guide A Risk-Based
  Approach to Compliant Electronic Records and
  Signatures

4
In The Beginning

• February 1983 (the Blue Book)
• Guide to Inspection of Computerized Systems in
  Drug Processing
• to provide the field investigator with a
  framework upon which to build an inspection of
  drug establishments which utilize computer
  systems

5
Computer System Validation

• a means of avoiding defects
• FDAs analysis of 3140 medical device recalls
  conducted between 1992 and 1998 reveals that 242
  of them (7.7) are attributable to software
  failures.
• General Principles of Software Validation, Jan
  11, 2002, CDRH
• to ensure accuracy, reliability and consistent
  intended performance and the ability to discern
  invalid or altered records.

6
The Early Years, 1983-1996

• Relatively little computer system oversight from
  FDA
• Small number of experienced inspectors
• Focused on GMP and GLP systems

7
A Turning Point

• 1997 Part 11 Electronic Records Electronic
  Signatures
• 1999 The Guidance for Industry Computerized
  Systems Used in Clinical Trials
• Due to Y2K, FDA gives industry a grace period
  until 2000

8
Industrys Reaction

• Since the part 11 regulation was published,
  concerns were raised by industry and vendors that
  some interpretations of the part 11 requirements
  would
• unnecessarily restrict the use of electronic
  technology
• significantly increase the cost of compliance to
  an extent not contemplated at the time the rule
  was drafted
• discourage innovation and technology advances
  without providing a significant public health
  benefit
• The Clinical Guidance Document took Part 11 even
  further
• data tags
• reconstruction of study

9
Increased Oversight, 2000-2002

• Major training program for FDA inspectors
• Computer system related 483 observations more
  than tripled in 3 years
• Main Part 11 citations
• Security
• Audit Trails

10
2002 a Change of Direction

• As part of an effort to improve and streamline
  the regulatory process to maximize public health
  protection and promotion, a two-year initiative,
  the Pharmaceutical cGMPs for the 21st Century a
  Risk-Based Approach was announced on 21 August,
  2002. The goals of this initiative are
• to ensure that regulatory review and inspection
  policies are based on state-of-the-art
  pharmaceutical science and to encourage adoption
  of new technological advances by the
  pharmaceutical industry
• to implement risk-based approaches that focus
  both industry and Agency attention on critical
  matters
• to make enhancements to the consistency and
  coordination of Agency drug quality regulatory
  programs

11
2003 Part 11 Turning Point

• Guidance for Industry Part 11, Electronic
  Records Electronic Signatures Scope and
  Application
• explains FDAs current thinking regarding the
  requirements and application of part 11
• Compliance Policy Guide (CPG 7153.17) was
  withdrawn
• All previously published draft guidance documents
  were withdrawn
• Draft guidance on Validation
• Draft guidance on Glossary of Terms
• Draft guidance on Time Stamps
• Draft guidance on Maintenance of Electronic
  Records
• (Draft guidance on Electronic Copies of
  Electronic Records had been withdrawn in early
  February)

12
Part 11 Turning Point (cont.)

• FDA is embarking on a re-examination of Part 11
  as it applies to all FDA regulated products
• FDA plans to revise provisions of Part 11 as a
  result of this reexamination

13
Part 11 Turning Point (cont.)

• While the reexamination is underway,
• FDA will more narrowly interpret the scope of
  Part 11
• Fewer records will be considered subject to
  Part 11
• For those records, the FDA will exercise
  enforcement discretion with respect to
• Validation
• Audit trails
• Record retention
• Record copying
• Legacy systems operational before August 20,
  1997
• For those records, FDA does not intend to take
  regulatory action to enforce compliance

14
Part 11 Turning Point (cont.)

• However,
• FDA will enforce all other provisions of Part 11
• FDA will continue to enforce predicate rule
  requirements, i.e, requirements of
• The Federal Food, Drug and Cosmetic Act
• The Public Health Service (PHS) Act
• All FDA regulations for
• Drugs
• Devices
• Biologics

15
Key Messages

• FDA expects approaches to Part 11 to be based on
• Predicate rule
• Determination of potential impact on product
  quality and safety and record integrity
• Justified and documented risk assessment
• This reinforces the fact that Part 11 is a
  records regulation requiring full engagement of
  business owners in close partnership with IT

16
What does this Shift mean for Industry?

• Industry must have a deeper understanding of the
  predicate rule
• It is important to know which records are relied
  on to make regulated decisions
• Business process and system owners are in the
  drivers seat
• Risk management must become second-nature
• explicit data-driven decision making
• Impact on product quality, safety and record
  integrity
• Know where the risks are and manage those risks
  based on impact

17
Recent Part 11 Activity

• PhRMA Computerized Systems Risk Management Task
  Force
• GAMP Good Practice Guide A Risk-Based Approach
  to Compliant Electronic Records and Signatures
• 21 CFR Part 11 Revision

18
PhRMA Computerized Systems Risk Management Task
Force

• PhRMA CSRM has developed a set of risk management
  principles and a white paper
• Activities are aligned with the International
  Conference on Harmonization (ICH) Quality Risk
  Management Q9 Consensus Guideline

19
GAMP Good Practice Guide

• GAMP Good Practice Guide A Risk-Based Approach
  to Compliant Electronic Records and Signatures
• Guide provides comprehensive new guidance on
  meeting current regulatory expectations for
  compliant electronic records and signatures
• Supersedes previous guidance published jointly by
  ISPE and PDA
• Released April 2005
• Concepts will be incorporated into GAMP5 revision

20
Whats changes might be expected?

• Revision of 21 CFR Part 11 (??)
• Continued increased focus on risk management and
  risk-based approaches
• Increased emphasis on computer systems again by
  regulatory agencies (??)

21
Recent Inspection Activity

• Significant loss of experienced inspectors
• Limited direct focus on computer systems
• Quality System based inspections
• Look at computer systems as part of a given
  quality system
• Focus on use relative to predicate rules
• Key areas of emphasis
• Data Integrity
• Security
• Audit Trails
• Change Control
• General CSV/ Control

22
Recent Inspection Activity

• Examples
• Warning Letter Shelhigh, Inc. December 14,
  2005
• Failure to adequately verify or validate the
  corrective and preventative action to ensure that
  such action is effective and does not adversely
  affect the finished device For example
• Your firm reported mislabeling of products where
  corrective actions taken included changes to your
  computer system, data entry forms, and batch
  records. Changes to your computer system would
  require validation activities, which your firm
  failed to document for this incident.

23
Recent Inspection Activity

• Examples
• Warning Letter - Care Products, Inc. July 10,
  2006
• Because your firm lost its entire electronic
  complaint records and lacked adequate design
  change records, your firm may not have the
  necessary documented and reliable quality data
  for its analysis .

24
Recent Inspection Activity

• Examples
• Warning Letter Concord Laboratories July 11,
  2006
• Failure to maintain complete records of any
  modificationsSpecifically, the records of
  laboratory methods stored in the computer system
  do not include the identity of the person
  initiating method changes.
• Appropriate controls are not exercised over
  computer systems or related systems to assure
  changes in analytical methods or other control
  records are instituted only by authorized
  personnel. Specifically
• Laboratory managers (QC and RD) gained access to
  the computer system through a common password.
  Analysts were not required to use individual
  passwords they operated the system following the
  login by the laboratory management.
• Due to the common password and lack of varying
  security levels, any analyst or manager has
  access to, and can modify any HPLC analytical
  method or record. Furthermore, review of audit
  trails is not required.

25
Recent Inspection Activity

• Examples
• Warning Letter Quality Aspirators, Inc. May
  23, 2006
• Failure to establish and maintain procedures for
  monitoring and controlling of parameters for
  validated processes to ensure specific
  requirements are met, , failure to validate a
  process, approve the validation according to
  established procedures, and document the
  validation activities and results.For example,
  your firm has not
• Evaluated and documented the equipment
  installation of the computerized numerical
  control machines (CNC) . To ensure that their
  operational and performance specifications are
  met.
• Validate the milling process, including the
  software programming of the CNC machines..
  Changes in the tooling and programming parameters
  are not conducted in accordance with any written
  procedures or instructions.

26
Recent Inspection Activity

• Examples
• Warning Letter Agile Radiological Technologies,
  Inc. - March 17, 2006
• Failure to identify software errors (bugs) as
  a data source for identifying existing and
  potential quality problems failure to document
  the investigation, the verification and/or
  validation of the corrective action,
  implementation of the corrective action, and to
  asure that the corrective action taken is
  effective. For example, the upgrade to version
  2.0.7 stated that it fixed the (bug)
  problembut it crashes the system.
• Failure to have complete procedures to control
  the design of the device in order to ensure that
  specific design requirements are met. The design
  control procedures in your Quality Manual do not
• Ensure all design input requirements (labeling,
  software requirements, etc.) relating to the
  device are identified and will address the
  intended use of the device.
• Failure to document, validate or where
  appropriate verify, review and approve design
  changes. Specifically, there have been 4
  version updates and 5 service pack updates since
  release of the software Your firm did not
  document the development, verification/
  validation, and review/ approval of these
  changes.

27
Recent Inspection Activity

• Examples
• Warning Letter Agile Radiological Technologies,
  Inc. - March 17, 2006 (cont.)
• The design controls for the software are
  inadequate because deficiencies including, but
  not limited to, the following
• A design plan identifying and describing
  interfaces with different groups or activities
  was not developed
• The design outputs that are essential for the
  proper functioning of the software are not
  identified
• The verification testing . Has not been
  performed to show that the design output meets
  the design input requirements
• A risk analysis for this software was not
  performed
• A formal document review of the design results
  has not been conducted and the results have not
  be documented
• Your firm did not establish design validation
  procedures for this software to ensure design
  specifications conform with user needs and
  intended use(s), and
• You did not document that the software was tested
  on a computer configured with the minimal
  specifications needed for the software function.
• Failure to validate software used as part of the
  quality system Specifically, the software your
  firm uses to document and track complaints on the
  software has not been validated for its
  intended use according to established procedures.

28
Recent Inspection Activity

• Examples
• Warning Letter Neil Laboratories, Inc. - May
  31, 2006
• Failure to employ appropriate controls over
  computer or relates systems to assure that
  changes in master production and control records
  or other records are instituted only by
  authorized personnel. For example, your firm has
  inadequate security measures in place to assure
  the integrity and reliability of data generated
  by your laboratory. During the inspection.our
  investigator observed your laboratory analysts
  operating computer systems under different
  analysts names. Your analysts told our
  investigators that using other laboratory
  personnel's names and passwords was a common
  occurrence in your firms laboratory while using
  your TurboChrom laboratory software.

29
Recent Inspection Activity

• Examples
• Warning Letter National Genetics Institute
  January 17, 2006
• You failed to validate computer software used as
  part of production or the quality system for its
  intended use according to an established protocol
  and/or failure to document the validation
  activities and results and failed to make
  adequate provisions for monitoring the
  reliability, accuracy, precision, and performance
  of laboratory test procedures and instrument.
• There is no data to demonstrate that databases
  created in xxx computer software program, have
  been properly validated (IQ, OQ, and PQ) as
  acceptable for their intended use.
• Twenty-one (21) of the thirty-three (33)
  databases created are identified as pending and
  have not been validated.
• In addition, validation of one (1) of the
  thirty-three (33) databases is identified as
  being in progress and validation of two (2) of
  the thirty-three (33) databases have been
  executed but not completed.
• There are not data to demonstrate that the
  quality control/ quality assurance spreadsheets
  used for tracking and trending various quality
  metrics have been properly validated and are
  performing as intended.

30
Recent Inspection Activity

• Examples
• Warning Letter National Genetics Institute
  January 17, 2006 (cont.)
• There are no written procedures describing
  computer software functional requirements or
  descriptions of functions and there is no
  computer (user) manual.
• We also note that you have failed to establish
  an adequate system for authorizing, granting, and
  rescinding computer access and adequate
  computer security provisions to assure data
  integrity. Current users do not use appropriate
  access such as passwords and user-ID and
  personnel who have changed jobs still have access
  to the system.

31
Conclusion

• Revision of 21 CFR Part 11 is being considered
  and is in process
• Regulatory agencies are looking at computer
  systems during inspections
• It is not as high an area of emphasis as it was
  several years ago
• Computer systems are evaluated as part of quality
  system
• Emphasis is on the use of computer systems in
  support of predicate rule requirements
• There application of risk management and
  risk-based approaches is critical

32
(No Transcript)