Prepare Your Computer System for Inspection

BioPharm International, BioPharm International-02-01-2005, Volume 18, Issue 2

Organizations can mitigate the risk of failure during regulatory inspections by identifying and correcting deficiencies before an inspection occurs.

The need to comply with regulatory requirements is a continuous process for companies under FDA oversight. The need to discover, produce, and market safe and effective products forces the industry to comply with regulatory requirements. The use of computerized systems and related governance processes is regulated by the Food, Drug, and Cosmetic Act,1 the Public Health Service Act,2 and other FDA regulations for overall conduct of R&D, manufacturing, and commercialization. Additionally, 21 CFR Part 11 specifically addresses the use of computerized systems in regulated industries.

Table 1. FDA Warnings Related to Computerized Systems

This article analyzes FDA warning letters concerning computerized systems from inspections conducted in 2003 and 2004 and discusses preventative and remediation techniques organizations can implement in preparation for agency inspections.3

REGULATORY FRAMEWORK

Computerized systems are instrumental in assuring the quality, safety, and integrity of FDA-regulated products. Determination of exactly which processes and functions are under computer control enables FDA field investigators to identify those processes most critical to drug, biologic, or medical device quality.4

It is extremely important for the agency to verify that proper controls are employed to assure the correct performance of the computer system prior to its implementation and for the maintenance and monitoring of the system once it has been installed.5

Table 2. FDA Warning Letters 2003 — Compliance Issues Related to Computerized Systems

In its 2003 guidance on 21 CFR Part 11,6 FDA suggested that an organization's decision to validate computerized systems, and the extent of the validation, should take into account the impact that the systems have on the organization's ability to meet predicate rule requirements. An organization should also consider the impact those systems might have on the accuracy, reliability, integrity, availability, and authenticity of required records and signatures. Even if there is no predicate rule requirement to validate a system, in some instances it still may be important to validate the system.7 Organizations should base their approach on a justified and documented risk assessment - a determination of the potential of the system to affect product quality and safety, and record integrity.

Table 3. FDA Warning Letters 2004 — Compliance Issues Related to Computerized Systems

ANALYSIS

FDA's warnings pertain to violations in the validation of computerized systems and related governance processes such as standard operating procedures (SOPs) for system operation and maintenance, document control, change control, quality audits, problem investigation, records retention, system security, and training. It appears that the agency is consistently enforcing computer validation requirements. The areas of observation and the number of observations are shown in Table 1. The compliance issues related to computerized systems are tabulated in Tables 2 and 3 for 2003 and 2004, respectively. The tables indicate whether the issues pertain to medical devices, drugs, or biologics by noting the relevant part of the Code of Federal Regulations. For example, 21 CFR Part 820 concerns medical devices, 21 CFR Part 606-680 concerns biologics, and 21 CFR Part 211 concerns drugs.

Table 4. Checklist for Periodic System Review and Audit

FDA WARNINGS 2003

A selection of observations (in italics) followed by our commentary (using the regular typeface) will be instructive. FDA uses the word [redacted] to avoid mentioning proprietary information.

"There were no established procedures for the control and distribution of software fixes to assure that all revised programs required for a particular fix were included and installed on a customer's system..."11

FDA sees changes made to correct errors and faults in the software as corrective maintenance. Procedures for the control and distribution of software fixes must be in place to assure that portions of the software involved in the change are implemented properly and that the portions of the software not involved in the change are not adversely impacted.

Figure 1. Master Flowchart for Internal Reviews

"Failure to validate computer software for its intended use according to an established protocol, when computers or automated data processing systems are used as part of the quality system ... Your firm lacks documentation of software requirements and specifications and documentation for software verification and validation activities ..."12

The Quality System Regulation - 21 CFR Part 820.70(i)8 - requires manufacturers to validate software for its intended use according to an established protocol for computers or automated data processing systems used as part of a production or quality system. Organizations must document functional, performance, and safety requirements of the system. Software requirement specifications should clearly identify the potential hazards that can result from a software failure. The results of the verification and validation tasks must be documented to demonstrate that the software meets the stated requirements.

Figure 2. Governance Procedures and History Review

"Your facility failed to check input to and output from its computer and related systems for accuracy. For example, your facility did not evaluate the [redacted] computer system to assure its proper performance ..."13

FDA expects that computer and related systems must be validated according to pre-determined and documented requirements. Typical requirements must specify all software inputs, software outputs, all functions that the software will perform, and all performance requirements that the software must meet.

"....numerous validation records and forms pertaining to the validation of the computer system were incomplete and/or did not note the signatures of the personnel who had performed or reviewed the validation....you failed to document the approval of the performance qualification protocol for the performance qualification of the [redacted] system. The system is in use without the validation being complete."14

FDA expects that test procedures, test data, and test results should be documented in a manner permitting objective pass or fail decisions to be reached. Results should also be suitable for review and objective decision-making after running the test and should be suitable for use in regression analysis. Signatures form an important part of complete documentation and signify formal approval.

Figure 3. System Development Process and History Review

"Your firm has change control procedures with engineering control orders that are vague in description, incomplete in risk assessment, and allow changes to be made to your firm's software packages without any management approval until after the changes have been completed. For example, changes to the [redacted] software were made prior to any documented description, risk analysis assessment, or approval of the changes."15

FDA expects that the specific validation effort needed for each software change must be determined by the type of change, the development of the configuration items that make up the affected software, risk identification, and the impact of those products on the operation of the software. Change requests must be approved before they are implemented in the system.

Figure 4. System Support Process and History Review

"Failure to exercise appropriate controls over computers or related systems to assure that changes in records are instituted only by authorized personnel, in that passwords for the [redacted] computer system have not been changed since the initiation of the system in December 1997..."16

The Electronic Records; Electronic Signatures Rule - 21 CFR Part 11.300(b) - requires that identification codes (user IDs) and passwords be periodically checked, recalled, or revised (to cover such events as password aging).9 Such controls ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

Figure 5. Review of Other Elements Related to Computerized Systems

"Microsoft 2000 Excel spreadsheet software used for manufacturing has not been validated for the purpose of generating a worksheet for formulation of reagents. No documentation was found to establish or verify corrections made to the program."17

FDA considers commercial applications, such as spreadsheets, used to automate regulated processes subject to the requirements of software validation. Such applications must follow the basic principles of software validation.

FDA WARNINGS 2004

"Failure to maintain records that establish appropriate specifications standards and test procedures ... For example, test records to support the installation and validation performed on the [redacted] system, which was conducted by a [redacted] representative, were not maintained at your firm."18

FDA acknowledges that a manufacturer may conduct validation using its own personnel, or may depend on a third party such as a software vendor or a consultant. In any case, the manufacturer retains the ultimate responsibility for ensuring that the computerized system is validated according to a written procedure for the particular intended use, and that the corresponding documentation can be produced. This includes defined user requirements, validation protocol, acceptance criteria, test case results, and validation summary.

"....the software configuration management plan, including the software design document and the software unit integration test document had not been completed per the system verification and validation plan."19

FDA looks for these deliverables as part of the quality plan: configuration management plan, design document, and developer testing documentation.

"Your firm failed to establish adequate procedures for quality audits ...for example, audits performed of your firm's quality system failed to determine that the [redacted] electronic data management system lacked validation ... your firm has no documented validation activities and results for the [redacted] electronic data management system."20

Procedures to conduct internal quality audits must be in place. One periodic task is to review an organization's quality system (including computerized systems used to automate the processes). Such internal quality audits must properly assess the deficiencies or non-compliance within computerized systems that may affect the quality and safety of the regulated product.

"Failure to establish and maintain procedures for the control, approval, and distribution of all documents ..."21

Document management procedures must be in place for control, approval, and distribution of all documents that are developed and maintained to support validation activities. Failure to follow established document management practices reduces the organization's confidence in providing demonstrable evidence of validation throughout the life of any system. Moreover, such failure can significantly increase the level of effort and expense of revalidating the software after a change is made.

"...the validation of the [redacted] software is incomplete because the software development plan and software validation protocol are inadequate...."22

"You failed to perform or document the verification or validation of the [redacted] software changes ..."23

FDA expects that when any change (even a small change) is made to the software, the validation status of the software needs to be re-established. Validation analysis must go beyond validation of the individual change to determine the extent and impact of that change on the entire system. Appropriate updates in configuration and design controls, testing, and validation documentation provide confidence that the computerized system is maintained in a validated state after the change.

PREVENTATIVE AND REMEDIATION TECHNIQUES

Organizations can mitigate the risk of failure during regulatory inspections by identifying and correcting deficiencies before an inspection occurs - for example, by conducting focused system reviews and audits. We now describe preventative and remediation techniques that can be deployed to prepare for inspections.

Johnson and Walsh explain, "Validation of computer systems used in clinical trials has only become a serious topic within the last 10 years, in contrast to areas governed by Good Laboratory Practice (GLP) and Good Manufacturing Practice (GMP) where validation has been an issue for nearly 20 years. Because of this historical context, some quality assurance auditors and others involved in systems validation within clinical trials rely on terminology that has its roots in GMP guidelines for preparing human and animal drug products. Validation steps such as installation qualification (IQ) and performance qualification (PQ) that are based on the GMP process validation guidelines do not necessarily provide the best framework for validating a GCP system."10

A common - and simpler - approach to validation across functional areas in which computerized systems are deployed would allow regulators and industry to progressively build common understanding and practices.

Organizations should periodically perform focused reviews and audits to ensure that computerized systems remain compliant with applicable regulations and retain their validated state. Internal audits require formal and effective planning and reporting of audit results. The audit activity requires coordination and cooperation between independent, internal auditors and multi-disciplinary auditees of any business function. The five-block checklist in Table 4 can help you organize your efforts.

Elements that should be covered in any audit include, but are not limited to, configuration management, document management, change management, fault management, requirements, code, testing, installation and configuration, system operation and maintenance, training, and the scope and applicability of regulatory requirements. Figures 1-5, a series of flowcharts, break this large job into a series of smaller steps.

PREPARE TO WIN

Effective internal reviews and audits prepare employees from multi-disciplinary groups for regulatory inspections. In-house audit procedures must be established and followed as a control for audit preparedness.

FDA continuously enforces requirements to validate computerized systems and related governance processes that ultimately affect public health. It appears that a significant number of agency observations pertaining to computerized systems in the recent past have been due to failure to validate such systems. This highlights the importance of certain elements of software validation, especially defect prevention, time and effort, plans, procedures, validation after a change, validation coverage, independence of review, user training, flexibility, and responsibility in choosing how to apply validation principles.

REFERENCES

1. Federal Food, Drug, and Cosmetic Act. 42 USC 262.

2. Public Health Service Act. 42 USC 201.

3. FDA's Electronic Freedom of Information Reading Room - Warning Letters and Responses was used in presenting the broad summary of the Agency's observations. Available at www.fda.gov/foi/warning.htm

4. CDER. Guide to inspection of computerized systems in drug processing. 1983 February. Available at www.fda.gov/ora/inspect_ref/igs/csd.html

5. FDA. Technical reference on software development activities. 1987 July.

6. FDA. Guidance for Industry Part 11, Electronic Records; Electronic Signatures - Scope and Application. 2003 August. Available at www.fda.gov/ohrms/dockets/98fr/5667fnl.pdf

7. FDA. General Principles of Software Validation, Guidance for Industry and FDA Staff. 2002 January 11. Available at www.fda.gov/ohrms/dockets/98fr/97d0282gd01.pdf

8. Code of Federal Regulations. 21 CFR Part 820.70(i). Automated processes. Available at www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/cfrsearch.cfm

9. Code of Federal Regulations. 21 CFR Part 11.300(b). Controls for identification/passwords. Available at www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/cfrsearch.cfm

10. Johnson GA and Walsh B. Validation: never an endpoint: a systems development life cycle approach to good clinical practice. Drug Information Journal 2001; 35:809-817.

Note: See Tables 2 and 3 for instructions on locating references 11-23 on FDA's Web site.

Abhay S. Joshi, UCA Services, Inc., 3 Stewart Court, Denville, NJ 07834, 973.887.2785, ajoshi@ucasystems.com.