Software validation processes have always been important; yet, they acquired a special sense of urgency and added importance following the announcement in August 2010 by the FDA in this regard, in which it stated that it “…will be conducting a series of inspections in an effort to evaluate industry’s compliance and understanding of Part 11 in light of the enforcement discretion described in the August 2003 ‘Part 11, Electronic Records; Electronic Signatures – Scope and Application’ guidance (Guidance).” Why this added emphasis on action?
The FDA accentuated its action on software validation processes for two important reasons:
1) in the industry, there were diffuse and subjective interpretations about the understanding and application of Part 11
2) perceptions that this statute could have the effect of restricting the use of electronic signatures and discouraging innovation.
Following this action from the FDA; a series of problems that the software validation processes had, are coming to light of late.
So, which are the most common problems of software validation processes?
The following common problems are being observed in the industry:
• Information gone missing:
• Incomplete details in the requirements documents: This has been true especially in relation to data, key processes that go into the internal software, as well as the interactions of the software with the user
• Necessary detail not found
• Traceability: This was the most important problem found in Part 11. The traceability matrix either did not account for a traceable specification or an observation step in a test script, or was incomplete, or the trace was broken.
• Incomprehensible wording in the documentation
• Several GDP-related bungling
• Difficulty in identifying the impugned documents and records
The FDA has enacted several pharmaceutical cGMP regulations. These are key concepts that are critical to quality systems. Some of the concepts by which the FDA and other regulatory bodies ensure cGMP regulations are Quality, Quality by Design (QbD) and product development, Quality Risk Management, Corrective and Preventive Action (CAPA), Change Control, and the Six Systems Approach.
Of these, the six-system inspection approach is a systems-based approach to cGMP and is aimed at ensuring a robust quality system model for pharmaceutical products.
It consists of the following:
Packaging & Labeling System
Quality system is the fulcrum
It needs to be borne in mind that the whole system centers round the organization’s quality system. The quality system is the pivot around which the systems approach revolves. It is the core and the very foundation for the manufacturing systems that are linked and function within it.
The FDA does not consider the quality system as different or separate from the five elements. In this sense, it the quality system model may be considered the root from which the five elements branch out.
In other words, the five manufacturing systems integrate themselves them into the respective and appropriate sections of the model. The order of interplay and interdependence may vary slightly from one organization to another, but to those in the knowhow of the six-system inspection approach; the rationale by which the inter-relationship plays out is quite readily apparent.
State of control –the crux of the matter
The criticality of auditing to the field of medical devices can never be understated, because medical devices play a direct role in human safety. Supplier and internal auditing are separate, but related aspects of the supply chain and quality aspects of medical devices. It is a common practice in the industry to have medical devices from other companies, or what are called suppliers, by agreeing to the required specification and other terms. It is also common to use already manufactured devices from other companies. Sometimes, pharmaceutical and life sciences industries use their own devices. In all these scenarios, auditing is the key, because whichever of these pathways an organization may choose; it is bound by the same rules of compliance as set out by the regulatory authorities.
Need to keep up to prescribed standards
In order to meet regulatory requirements; medical device and related businesses need to keep a few important parameters in mind in order to ensure that supplier and internal auditing are up to prescribed standards.
The following are the important factors for carrying out internal auditing:
• To assess the current and potential risks in any process being undertaken by the organization;
• To bring about improvement in the business processes and practices;
• To help meet regulatory demands;
• To help them understand the changes in the marketplace and other external factors that affect the business.
Benefits of a supplier auditing program
Somewhat allied to this is the supplier auditing program. This is a means for ensuring that devices from external vendors or suppliers meet set standards and specifications.
These may be considered the important benefits of a good supplier audit program:
• It helps to implement an overall quality system in the organization
• It helps establish documentation and business record control
• Helps in the control of the company or its business operations
• Paves the way for business management review
• Helps identify non-conforming product control
• Calibration control and contract review can be achieved.
Hazard Analysis Critical Control Point (HACCP) is a mechanism meant for ensuring food safety. It is a comprehensive set of guidelines that straddles across the food supply chain, right from harvest till the time it is consumed.Being such a systematic and total approach; HACCP attaches utmost importance to prevention of problems arising at any point in the food chain. The established method by which HACCP seeks to accomplish this is what is called verification and validation.
Let us get to a verbatim understanding of what these mean in HACCP lingo. Based on the definition of the word “verify” as meaning a way of establishing the truth or accuracy of something; HACCP defines “verification” in this context as “…those activities other than monitoring, that determine the monitoring, that determine the validity of and compliance with the HACCP Plan”.
Logically following on this, since to validate is to corroborate or substantiate or confirm something, HACCP seeks to establish the validity of the HACCP plan by requiring participants to provide actual, factual proof of compliance to HACCP guidelines.
Armed with a strong set of actions, HACCP seeks to strengthen the food supply chain with its set of safeguards.
Purposes of verification and validation
The HACCP has clear-cut expectations in mind about the purposes of these twin mechanisms. The purpose of verification is defined in the following:
Components of the food chain need to determine if HACCP Plan is working. They need to check periodically if hazards are being reduced by the HACCP Plan. They also need to ensure that operations are in compliance with the HACCP Plan, and make sure HACCP is being implemented properly.
On the validation aspect, HACCP seeks to ensure that all the scientific and technical information is collected and evaluated to make sure that the HACCP Plan is working effectively, and when done so, is effective in controlling the hazards.
What needs to be evaluated?
HACCP attaches importance to what needs to be evaluated for Verification and Validation. Primarily, lethality and stabilization factors, referred to as “cook and chill”, and processing room temperatures that may be above 50° F need to be evaluated.
Asking why Computer System Validation (CSV) is important in FDA-regulated industries is like asking why an engine is important to a vehicle.
Before going on to get an understanding of this issue, let us understand that there is a difference between the ways in which the term “validation” is used in the general area of computers and that used in FDA-related circles. In the field of computer science, the term means the ability of software to meet its stated requirements. For the FDA, validation of a computer system incorporates all activities that go into a computer system and these should be documented and made available to the FDA. We could use the word “verification” to associate the same meaning and understanding of what “validation” means to the FDA.
The critical importance of computer system validation in FDA regulated industries can be learned from at least two perspectives:
1. When a company is carrying out systematic CSV; it nips potential serious problems in the bud by preventing software problems from reaching production stages and environments. When a problem in a Life Science software application reaches the production environment, this can lead to serious adverse consequences. On the one side, there is the human element of getting the CSV validation wrong, which can result in serious product consequences, which can be disastrous to the patient’s health; on the other, businesses that get their CSV wrong can also face anything from lawsuits and heavy penalties to having to shut shop permanently. Long drawn out court cases can result in serious problems including bankruptcy.
2. FDA’s regulations requiring companies to carry out systematic CSV have the effect of law, which means that companies that come under the ambit of the FDA are legally bound to follow the guidelines set out by FDA’s regulations. When companies fail during an FDA audit; it can invite inspectional observations (“483s”) and warning letters.
The most important element of CSV that companies need to bear in mind is that they need to get their validation right alright; they also need to get it right stage by stage. Some companies have tried the short cut method of overlooking or circumventing a step or two. While this may give them short term savings; their long term costs are far higher than these savings.
The ISO 13485:2003 Standard relates to quality management systems in the field of Medical Devices. Its requirements ISO 13485:2003 specifically relate to organizations that are in the business of medical devices, no matter what its size or type. At its core, ISO 13485:2003 is all about quality management systems in medical devices.
This standard specifies requirements for a quality management system. Accordingly, it requires an organization to demonstrate the ability to produce medical devices and related services that have to consistently meet both –a) customer requirements and b) regulatory requirements –that are applicable to the file of medical devices and related services.
Harmonization at the core
It thus becomes clear that quality management systems, which are the means to ensuring these requirements, constitute the heart of ISO 13485:2003. This Standard’s essential objective is to foster and bring about harmonization among medical device regulatory requirements for meeting quality management systems. This Standard superseded the earlier version, the ISO 9001. It did away with some of the requirements of that Standard.
When a medical device company deals with medical devices it may not manufacture; it is its responsibility to ensure that processes applicable to the medical device(s) required by ISO 13485:2003, are accounted for in the organization’s quality management system.
In a nutshell, these are some of the requirements set out from Part 4 of ISO 13485:2003 onwards, the Part at which quality requirements begin:
4.1: Establish a quality system for medical devices;
4.2: Document your medical device quality system;
5.1: Support Quality;
5.2: Focus on customers;
5.3: Establish a Quality Policy;
5.4: Perform Quality Planning;
5.5: Control your Quality Management System;
5.6: Carry out management reviews;
6.1: Provide quality resources;
6.2: Provide Quality personnel;
6.3: Provide quality infrastructure;
6.4: Provide quality environment
8.2: Monitor and measure quality;
8.3: Control your nonconforming products;
8.5: Take required remedial actions
Thanks & Best Regards,
161 Mission Falls Lane, Suite 216, Fremont, CA 94539, USA.
Ever since the sensational arrival of cloud computing on the IT industry horizon, it has made life different in more ways than could be imagined, to make an understatement. With organizations realizing the enormous advantage cloud computing offers; almost every conceivable type of document is being pushed to the cloud.
The advantages are obvious, but let us repeat them at the cost of sounding banal: on-demand availability of data, flexibility, scalability, pay-for-use, and the choice of usages.
For the life sciences
So, why should life sciences, medical devices and pharmaceutical companies leave out documents pertaining to regulatory mechanisms, such as 21 CFR Part 11 and related regulations like Annex 11, and the cGMP’s?
It certainly makes immense sense to have these documents on the cloud. Or does it? Let us look at it this way: having 21 CFR Part 11 and related regulations on the cloud is not going to cost the company anything more; on the other hand, there is no headache involved in having to maintain them on the company premises.
It’s compliance, sir!
So, when companies decide to indeed go on the cloud for 21 CFR Part 11 and related regulations, what should they bear in mind? First of foremost, compliance! This is the mantra that they need to drill into their very being. Nothing moves forward without compliance. Compliance comes first, and everything else follows. Naturally, companies ought to ensure that compliance is built into every step of the planning, delivery and maintenance of their hosted solution.
There has always been the apprehension on the part of Part 11-regulated companies that using third party providers for hosting applications and data is not the wisest of steps to take because these parties may not be able to meet security concerns, audit transparency requirements and privacy laws. Many Part 11-regulated companies also feel that external, third party providers do not have the mechanisms to document policies and procedures in the prescribed manner to satisfy compliance for 21 CFR part 11 hosting.
Companies need to take the following into consideration if they have to satisfy compliance for 21 CFR part 11 hosting:
o Do the providers implement a service level agreement?
o What do they do about handling change control?
o What is their level of knowledge of and expertise in handling installation qualification?
o What is their way of handling encryption?
o What is their approach to handling an inspection or audit?
o What do they do in the event of a disaster?
o Do they have a standard set of SOP’s that the company can see?
The FDA, being what it is; has enormous power over the working of a medical device’s supply chain. It can virtually intercept a medical device at almost any stage through its various mechanisms such as recalls, injunctions, seizures and others. In its enthusiasm to ensure higher quality for medical devices, it has sometimes gone overboard to the extent that it is now a highly mistaken and feared regulatory body.
Making Supplier Audit Program comprehensible
Taking note of this perception, the FDA has been working hard to appear softer. One of the regulatory changes it has made to enforce this thinking has been to clearly state the conditions for meeting its expectations on Supplier Audit Program. The logic for choosing to make changes into the Supplier Audit Program is simple –as we just saw; it does not want to be seen as being arbitrary in selecting and punishing companies during their supply trail. It has set out a number of regulations and directions aimed at making the Supplier Audit Program simple and understandable.
Ask these questions to meet expectations
As a result, if companies have to meet the FDA’s expectations on Supplier Audit Program, they will need to ask themselves and answer questions such as: how do we address the FDA’s stated desire to require “on-site” audit of all Pharma suppliers? What expectations does the FDA have for meaningful, results-driven actions that address and resolve any underlying compliance issues or product problems? How do we reevaluate our vendors and the methods used in selecting, evaluating, auditing, retaining or cutting adrift such regulatory “partners” if we have to meet the new regulatory climate and be competitive?
In line with the aim of accelerating medical device development, the FDA has issued its as-yet latest guideline, entitled “Draft Guidance for Industry, Tool Developers, and Food and Drug Administrative Staff” (called just the “Draft Guidance”) on November 13, 2013.
This guideline is a voluntary process for the qualification of Medical Device Development Tools (MDDT) used in device development and evaluation programs in the Center for Devices and Radiological Health (CDRH). The aim of this qualification process is to foster “the development and timely evaluation of innovative medical devices”. The FDA seeks to do this by putting in place a relatively more competent and predictable way of garnering the necessary information needed to make regulatory assessments.
The Draft Guidance applies to therapeutic and diagnostic devices. It is specifically aimed at biomarker tools, which are considered critical to some personalized medicine diagnostics.
Applications and uses
The Draft Guidance lists the parameters that the CDRH looks for among qualified Biomarker Tests (BT’s) that it considers as being worthy of relying upon for device-related regulatory decision-making for the designated use. To quote some examples, these guidelines may be used to select patients for a device clinical trial. They could also serve as instructions to monitor treatment response. They could also relate to prediction or identification of safety problems related to treatment with a medical device. Or, they could be used to identify patients who are or are not candidates for certain forms of tests or therapies.
The FDA says it has four clear cut goals in setting out these guidelines:
o To enable quicker and more efficient development of devices
o To promote the development of new MDDT’s
o To help optimize the developments in the field of regulatory science into new MDDTs
o To engender faster and more effective communication to stakeholders the MDDT’s that are appropriate for use in development programs.