Introduction
Although to date I have not found any references within the FDA warning letters directly relating to computerised systems and risk assessments within the pharmaceutical / biotechnology industry, it is interesting to review inspection findings where risk assessments have been detailed. This post reviews two FDA warning letters which reference the use of documented risk assessments.
Observation 1
Date: 28 May 10. Link: FDA Warning Letter
3. Your firm has not established separate or defined areas or such other control systems as necessary to prevent contamination or mix-ups during aseptic processing. [21 CFR. 211.42(c)]. For example,
Observation 2
Date: 28 Dec 10. Link: FDA Warning Letter
1. Your firm has not established appropriate written procedures designed to prevent microbiological contamination of drug products purporting to be sterile, including procedures for validation of all aseptic and sterilization processes [21 C.F.R. § 211.113(b)]. For example:
In your response, your firm states that you have amended your Standard Operating Procedure (SOP) (b)(4) to “bracket” the container sizes by utilizing both the (b)(4) and (b)(4) volumes. Your response, however, is inadequate because you have not provided a risk assessment that examines the effects of differences between product fill sizes (i.e., fill speed, operating methods, container opening size, mass) to determine if bracketing is appropriate.
Comment
As stated in the introduction, these observations do not relate directly to a computer system. However, the approach is worth noting. The FDA encourages sound risk assessment approaches to address hazard identification and exposure consequences, and to implement controls designed to prevent and detect cross-contamination.
The second post could also apply to the functional aspects of a computerised control system. The identification of critical attributes and validated range would support the risk assessment process.
The point of interest is that the level of controls should be based on a (documented and justified) risk assessment, which can be applied to many areas of computer systems validation.
During the design and implementation phase of the project, risk assessments should be used to identify the critical attributes and determine the controls required to assure product quality, patient safety and record / data integrity. In the initial design phases this should identify technical controls and improvements in the design to reduce risk; later it should support the level of validation that should be performed and the operational (procedural) controls that must be established.
The risk assessments in the operational phases should be performed to ensure the continual compliance of the system. This includes:
- security controls
- controls required to assure the integrity of electronic records
- levels of back up processes and the testing of restoration procedures
- proposed changes to the system
Risk assessments should form part of the lifecycle documentation of the computerised system. They should not just be filed away at the end of the implementation part of the project but referenced and updated throughout the operation of the computerised system.
All GMP decisions made throughout the lifecycle of the computerised system should be based on documented and justified risk assessments. This ensures that product quality, patient safety and data integrity are assessed at all times throughout the lifecycle. Risk assessments provide a sound rationale for the decisions made throughout the operation of the computerised system and ensure that the appropriate controls are established to operate the system in compliance.