Computer Systems Validation

Definition of Raw Data

2012-01-09T20:30:00.000Z

Within EU Chapter 4 – Documentation there is a clear definition of Raw Data and the requirements to retain the raw data. Records: Provide evidence of various actions taken to demonstrate compliance with instructions, e.g. activities, events, investigations, and in the case of manufactured batches a history of each batch of product, including its distribution. Records include the raw data which

FDA Warning Letter - Alarm Management

2011-12-10T10:17:00.000Z

Date: 25 May 11 Link FDA 483 (PDF - New Window) Obsevationb. During routine operations, if there is an alarm event (e.g., time out, high and low temperature for washing and siliconizing, instrument line failure, jacket gauge failure and steam header failure) during the wash and depyrogenation process, the [redacted] Stopper Washer captures the alarm condition via a print out and the data is

EU Annex 11 - Computer System Inventory

2011-12-07T18:36:00.000Z

EudraLex - Volume 4 Good manufacturing practice (GMP) Guidelines Annex 11 for computerised systems includes the requirement for the regulated company to maintain an up to date listing of relevant systems (GMP Computerised Systems) and their GMP functionality (inventory). This is also a Japanese regulatory requirement and also an expectation of the FDA although not included within the

FDA Warning Letter - Change Control

2011-09-14T18:09:00.000+01:00

Date: 25 Aug 11 Link: FDA Warning Letter (New Window) ObservationThis observation relates to the revalidation following changes of a Cutting and Packing Machine, however it could be applied to any computerised system. 2. Your firm failed to ensure that the automatic, mechanical, or electronic equipment, or other types of equipment including computers or related systems, will perform a function

FDA Warning Letter - Secure Desktop

2011-05-18T18:35:00.030+01:00

ObservationDate: 25 April 11 Link FDA Warning Letter (New Window) 4. Your firm has failed to exercise appropriate controls over computer or related systems to assure that changes in master production and control records, or other records, are instituted only by authorized personnel [21 C.F.R 211.68(b)]. For example, your firm lacks control of the (b)(4) computer system which monitors equipment,

Risk Management – A Continuous Process

2011-04-18T20:47:00.001+01:00

Introduction As discussed in previous posts the regulatory expectation is that risk management will be applied to all lifecycle phases of a computerised system. The recent issue of EU Annex 11 includes risk management at all stages of the computer system lifecycle. GAMP 4 first introduced the concept of risk management and risk assessments and following the issue of the ASTM E52500 Specification

FDA Warning Letters - Risk Assessments

2011-04-13T19:13:00.023+01:00

IntroductionAlthough to date I have not found any references within the FDA warning letters directly relating to computerised systems and risk assessments within the pharmaceutical / biotechnology industry it is interesting to review inspection findings where risk assessments have been detailed. In this post there is a review of two FDA warning letters which reference the use of documented risk

Applying Computer System Security (GAMP)

2011-04-11T16:06:00.021+01:00

It is a regulatory requirement that access to computerised systems is limited to authorised users. This not only limited to systems that contain electronic records but all systems that are used to fulfil regulated activities. This post focuses on the FDA and MHRA / EU requirements regulatory requirements for security management of computerised systems within the pharmaceutical and biotech

EU Annex 11 - Electronic Signatures

2011-03-28T19:54:00.003+01:00

Electronic Signatures This is a continuation of a review of the update to EU Annex 11 and Chapter 4 (Documentation) that was issued in January 2011 to become effective on the 30 June 2011. As stated in the previous article the EU Annex 11 update does not directly reference Electronic Records this is included in the update to EU Chapter 4 (Documentation). The update to EU Annex 11 however does

CSV FDA Warning Letters : Electronic Records

2011-03-04T21:07:00.015Z

Date: 28 Jan 11 Link: FDA Warning Letter (New Window) ObservationIn addition, we remain concerned that your (b)(4) adverse drug experience reporting system has not been fully validated, and may have resulted in inaccurate assessment and untimely submission of 15-day alerts. The current application was released into production on November 9, 2009 using an Interim Validation report (IVR) that is

CSV FDA Warning Letters : Laboratory Systems Security

2011-03-02T18:12:00.013Z

Date: 20 April 2010 Link: FDA Warning Letter (New Window) ObservationThis is a follow up letter from an inspection in 2009 where the security of laboratory systems had been raised within the FDA 483. 6. Your firm has failed to exercise appropriate controls over computer or related systems to assure that changes in master production and control records, or other records, are instituted only by

EU Annex 11 – Electronic Records

2011-02-28T18:10:00.005Z

This is a continuation of a review of the update to EU Annex 11 and Chapter 4 (Documentation) that issued in January 2011 to become effective on the 30 June 2011. Electronic Records have for so long only taken guidance from the FDA, however it has always been an expectation of the MHRA / EU that electronic records, including raw data must have the same integrity as paper records. EU Annex 11

EU Annex 11 – Supplier Audits

2011-02-24T16:02:00.003Z

This is a continuation of a review of the impact of the update to EU Annex 11, issued in January 2011 to become effective on the 30 June 2011. Supplier AuditsThe supplier audit process for software suppliers including IT systems, automation systems, etc has been around for quite some time within the guidance documents, but never directly referenced within cGMPs for pharmaceutical companies (e.g.

EU Annex 11 – Risk Management

2011-02-23T18:02:00.004Z

As stated in the earlier post EU Annex 11 has been updated and becomes effective on the 30 June 2011. This is part of a series of reviews detailing what has changed and the impact on Computer Systems Validation. Risk Management now underpins the whole process of Computer Systems Validation. This has been a driving force since the introduction of GAMP4 and even more so through GAMP5. In the

EU Annex 11

2011-02-11T17:00:00.010Z

In January 2011 the European Commission (EudraLex) released Annex 11 Computerised Systems (revision 1) which comes in to effect on 30 June 2011. This has been a long awaited release of the GMP Guideline for Computerised Systems which was first issued for comment in April 2008 for public consultation. The final release of Annex 11 has been reduced considerably to that put out for public

Deleting Electronic Data

2010-12-06T19:46:00.023Z

Image via WikipediaHybrid Systems (Deleting Electronic Data)In Hybrid systems the computerised system is used to generate a record which is printed and hand signatures applied. The decision for the regulated company is whether the electronic record (or raw data) should be kept or deleted from the system. In the FDA Guidance “Part 11, Electronic Records; Electronic Signatures — Scope and

CSV Periodic Review

2010-12-01T20:11:00.028Z

Regulatory requirement Both the FDA and EU GMP’s detail the requirement for demonstrating that a computer system remains in a validated state throughout its operating history. FDA 21 CFR 211.68(b) States: “Input to and output from the computer or related system of formulas or other records or data shall be checked for accuracy. The degree and frequency of input/output verification shall be based

Spreadsheet Validation

2010-08-19T20:08:00.000+01:00

Spreadsheets have become commonly used within a wide range of applications within the pharmaceutical and biotechnology industries. These range from the management of documentation lists through to complex algorithms used to support batch release. This post provides a description of a risk based approach to the validation of spreadsheets. As with all posts comments are welcome. The approach to

FDA Announce Part 21 CFR 11 Inspections

2010-07-21T19:23:00.004+01:00

Image via WikipediaAs detailed within the post 21 CFR Part 11 Warning Letters the FDA are planning to start conducting part 11 inspections soon. Published on the FDA website the agency states: The Agency (FDA) will be conducting a series of inspections in an effort to evaluate industry’s compliance and understanding of Part 11 in light of the enforcement discretion described in the August 2003

Software Validation

2010-07-10T19:11:00.000+01:00

The validation of computer software within the Pharmaceutical Industry is providing documented evidence that the software and computer system is fit for its intended purpose. Quality can not be tested in to the system it must be designed. This is why developing a lifecycle approach to software validation should be taken, to design in quality from concept, through the requirements, design and

Auditing Software Suppliers (Part 1)

2010-06-23T18:20:00.001+01:00

Introduction to Software Supplier AuditsThis blog is the first of a series of planned articles on the process for quality system auditing suppliers of software and computerised systems. This blog concentrates on the GMP and Regulatory requirements for performing supplier audits, future posts are planned for discussing the auditing process. A supplier quality audit can be a critical phase of any

CSV FDA Warning Letters : Security / Audit Trail

2010-06-17T20:37:00.000+01:00

Date: 12 August 2008 Link: FDA Warning Letter (New Window) Observation6. Failure to establish appropriate controls over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel as required by 21 CFR 211.68 (b). For example, the [redacted] data acquisition system for the [redacted] UV/Visible

CSV FDA Warning Letter : Periodic Review

2010-06-15T11:58:00.001+01:00

Date: 21 May 2010 Link: FDA Warning Letter (New Window) Observation6. Your firm failed to check the accuracy of the input to and output from the computer or related systems of formulas or other records or data and establish the degree and frequency of input/output verifications [21 CFR § 211.68(b)]. For example, the performance qualification of your (b)(4) system software (Validation No. 4000-

21 CFR Part 11 Warning Letters

2010-06-07T17:51:00.000+01:00

From the review of the FDA Warning Letters I could not find any observations for pharmaceutical or biotechnology companies directly citing non compliance against 21 CFR Part 11. 21 CFR Part 11 - The next stepFrom the review of the published FDA Warning letters the observations relating to the security and electronic records have not been cited against 21 CFR part 11 however the agency selected

CSV FDA Warning Letter : Security Controls

2010-06-05T11:51:00.000+01:00

Date: 14 Jan 2008 Link: FDA Warning Letter (New Window) Observation3. Failure to have a validated and secure computerized system. Additionally, there were no written protocols to assign levels of responsibilities for the system. It was noted that the [redacted] instrument model [redacted] used for the analysis of [redacted] failed to have password control for the analysts and the supervisor.

FMEA for Computer Systems

2010-06-04T12:10:00.004+01:00

I have published an article on the Computer Systems Validation web site (www.csv-qa.com) for performing Failure Mode Effect Analysis (FMEA) for automation and process control equipment. This article provides an introduction to performing a FMEA risk assessment for computer system validation as part of a quality risk management process. The process details application of the approach included

CSV FDA Warning Letters : Security

2010-06-02T19:34:00.002+01:00

Date: 16 April 2007 Link: FDA Warning Letter (New Window) Observation 6. Appropriate controls are not exercised over computers or related systems to assure that changes in analytical methods or other control records are instituted only by authorized personnel [21 CFR 211.68(b)]. Specifically, a) There was a failure to validate the [redacted] software to assure that all data generated by the

What is a risk based approach?

2010-05-31T15:47:00.001+01:00

As discussed in a previous article (Changes in Validation) a risk based approach to computer systems validation has change the way validation is performed. Spend LessMany in the pharmaceutical and biotech industries miss understood the message of a Risk Based Approach as an opportunity to take quality risk and spend less on the introduction of new equipment; that is to take a risk. However this

CSV FDA Warning Letters : Audit Trail

2010-05-26T20:31:00.002+01:00

Date: 14 January 2010 Link: FDA Warning Letter (New Window) Observation6. Your firm has not exercised appropriate controls over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel [21 CFR 211.68(b)]. For example, your firm lacks systems to ensure that all electronic data generated in your

CSV FDA Warning Letters : Operational Compliance

2010-05-24T19:11:00.000+01:00

Date: 21 December 2009 Link: FDA Warning Letter (New Window) Observation19. Automatic, mechanical, or electronic equipment is not routinely calibrated, inspected, or checked according to a written program designed to assure proper performance [21 CFR 211.68(a)]. For instance, the mixer, scales, filling/dispensing machine, water distiller, foil heat sealing machine, drying chamber, and tablet

CSV FDA Warning Letters : Qualification

2010-05-21T19:38:00.002+01:00

Date: 27 April 2009 Link: FDA Warning Letter (New Window) Observation8. Failure to maintain a written record and appropriate validation data of computer or other automated processes used to perform calculations in connection with laboratory analysis [21 CFR 211.68(b)]. Refer to FDA 483, Observation 12. For example, the accuracy of calculations performed by the [(b)(4)] Spectrophotometer has not

CSV FDA Warning Letters : Security

2010-05-20T18:26:00.021+01:00

Date: 07 May 2009 Link: FDA Warning Letter (New Window) Observation5. Your firm has not exercised appropriate controls over computer or related systems to assure that changes in control records or other records are instituted only by authorized personnel [21 CFR 211.68(b)J. For example, one user account is established for two analysts to access the laboratory instrument's software on the

CSV FDA Warning Letters : ERP and Calibration

2010-05-19T18:23:00.000+01:00

Date: 07 May 2009 Link: FDA Warning Letter (New Window) Observation4. Failure to routinely calibrate, inspect, or check according to a written program designed to assure proper performance of automatic, mechanical, or electronic equipment, including computers, used in the manufacture, processing, packing and holding of a drug product. [21 CFR 211.68] Part A A. The Enterprise Resource Planning

CSV FDA Warning Letters : Qualification

2010-05-18T19:10:00.003+01:00

Date: 08 April 2010 Link: FDA Warning Letter (New Window) Observation7. Your firm failed to routinely calibrate, inspect, or check automatic, mechanical, or electronic equipment according to a written program designed to assure proper performance [21 C.F.R. § 211.68(a)]. For example, your firm has not conducted performance qualification for the (b)(4) unit-dose packaging machine (b)(4)™ to

Computer System Impact / Risk Assessment

2010-05-17T21:21:00.009+01:00

Purpose of Risk AssessmentThe purpose of the risk assessment process is to ensure that the validation (quality) effort is directed at the systems that have the potential to impact product quality, efficacy and data integrity (throughout this article referred to as Product Quality). Initial Risk AssessmentsIn the ISPE Commissioning and Qualification Guide the approach to an initial impact

FDA to Increase Inspections in 2010

2010-05-12T20:53:00.002+01:00

The US Food and Drugs Administration (FDA) have been given a significant budget increase for 2010 as reported on Congresswoman Rosa DeLauro web site. Introduced by Rep. Rosa DeLauro (D-CT), the bill (H.R. 2997) provides the amount that President Obama requested for the agency, which is roughly $373 million more than the FDA’s budget for fiscal 2009 (15% increase). The funds will help the FDA

MHRA Inspection Trends

2010-05-12T07:00:00.002+01:00

Unlike the US Food and Drugs Administration (FDA) the Medicines and Healthcare products Regulatory Agency (MHRA) do not publish individual findings however they have published inspection trends. The result of the trends shows that Computer Systems Validation has a number of Major Observations. Comments or observations from the trended data are welcome. Link to MHRA Inspection Trends

Efficient Software Testing

2010-05-11T18:00:00.006+01:00

Testing, as with all validation activities, is not only performed to demonstrate regulatory compliance but to ensure that the system operates correctly. The level of testing performed should be dependant on the complexity, maturity and criticality of the system. A standard laboratory instrument should not need the same level of testing as a bespoke automated control system. This is where the

ISPE GAMP5

2010-05-11T16:34:00.003+01:00

GAMP 5 was released in 2008 detailing “Risk Based Approach to Compliant GxP Computerised Systems” with the tag line “Enabling Innovation” and was hailed as a major advancement in the industry. This article provides a short review of the GAMP guide and the benefits to the industry. ASTM StandardThe publishing of the ASTM Standard E2500-07 in June 2007 set the scene for

GAMP5 Software Categories

2010-05-11T16:17:00.004+01:00

As discussed in ISPE GAMP 5 the GAMP Categories for hardware and software have been retained in GAMP 5, all be it in a modified format from GAMP4. The software categories identified in GAMP 5 do not fit with determining the risk to product quality, efficacy or data integrity and no longer plays an integral part to determining that a computer system is fit for purpose. The complexity and the

Changes in validation

2010-05-11T14:24:00.001+01:00

There have been many changes to the approach to validation of equipment, including computerised systems over the last few years. This has culminated in the release of GAMP 5 in 2008. The changes in approach started with the publication of the ICH Q9 (Quality Risk Management) in 2005 and adopted by the major agencies. This presented a risk based approach to quality management including validation