Understanding, experience and technology for success
21CFR part 11 requires that all systems that govern any cGXP process - including Good Manufacturing Practices (GMPs), Good Laboratory Practices (GLPs), and Good Clinical Practices (GCPs), should be validated. FDA issued a very comprehensive guidance on systems validation. This white paper uses that FDA guidance as an input to define an “easy-to-implement” framework for systems validation. Finally, the paper identifies a best practice, which calls for IT organizations and software vendors to proactively audit their software development and implementation processes on an ongoing basis to identify and correct any systemic issues to lower the cost of compliance.
Why System Validation?
Current Good Manufacturing Practices (cGMP) are mandated by the FDA to ensure that the products manufactured by the industries such as pharmaceutical, biotech and medical devices, meet specific requirements for identity, strength, quality, and purity. In order to comply with cGMP, companies are required to record, track, manage, store and easily access various production documents and their detailed change history including Standard Operating Procedures (SOPs), Master Production Batch Record (MPBR), Production Batch Record (PBR), Equipment log books etc. Historically, all such documents have been maintained on paper by companies in order to comply with FDA's cGMP. Even as companies automated their production and quality processes, they were still being forced to maintain and track paper records for FDA acceptance. The code of Federal Regulations (CFR) Part 11 was implemented in 1997 to let the FDA accept electronic records and signatures in place of paper records and handwritten signatures for compliance. The regulation outlines controls for ensuring that electronic records and signatures are trustworthy, reliable, and compatible with FDA procedures and as verifiable and traceable as their paper counterparts.
Hence, 21 CFR Part 11 also specifies a number of requirements for software systems to enable trustworthy and reliable electronic records and signatures - see Figure 1. These software requirements must be met for the resulting electronic records to comply with FDA's cGMP. If an organization does employ electronic records and signatures, but fails to comply with these system requirements, the FDA will cite the firm for violating the underlying regulation. For example, if a drug company maintains its written complaint records, required by 21 CFR 211.198(b), in electronic form, but the agency finds that these records are unacceptable substitutes for paper records, the FDA would charge the firm with violating 211.198(b). The potential impact might include FDA requested recall, FDA mandated recall, Warning Letter, seizure, injunction, prosecution, civil penalties, and detention
Figure 1: Scope of 21CFR Part 11 Requirements Source: CGE&Y
(Please click on image for enhanced version)
System Validation is a key 21CFR Part 11 requirement - its primary benefit is to assure quality and performance of the systems deployed to manage any cGxP process. It is the establishment of documented evidence that provides a high degree of assurance that a specific process, managed by the system, will consistently yield a product meeting its predetermined specifications and quality attributes. The ultimate goal of any system validation project is to realize and sustain compliance, while ensuring the peak performance and functionality of those systems.
What is System Validation?
Validation is the process of compiling written verification of all system functions and the performance of those functions to system specifications, as well as data integrity and system maintenance. That written documentation must be in alignment with the industry standards and regulatory laws that guide the FDA in their evaluation and enforcement of regulatory compliance. To successfully manage compliance, each regulated system must be proven to operate in accordance with its intended use and design, and all documentation supporting that evidence must culminate in FDA-acceptable documentation.
The FDA’s General Principles of Software Validation - “Final Guidance for Industry and FDA Staff”, published jointly by CDRH and CBER was originally written with the medical device industry as its intended audience. (See www.fda.gov/cdrh/comp/guidance/938.html). This guidance describes how certain provisions of the medical device Quality System regulation apply to software and FDA’s current approach to evaluating a software validation system. Any software used to automate any part of the device production process or any part of the quality system must be validated for its intended use, as required by 21 CFR 820.70(i). Hence, this requirement applies to any software used to automate device design, testing, component acceptance, manufacturing, labeling, packaging, distribution, complaint handling, or to automate any other aspect of the quality system. In addition, computer systems used to create, modify, and maintain electronic records and to manage electronic signatures are also subject to the validation requirements. Systems that maintain certain employee training records may even be subject to validation. Such computer systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
This guidance is now being held up to the rest of the FDA-regulated world as an example of best practices in computer system validation. This guidance is now used to validate systems that are governed by any of the GxP regulations, including Good Manufacturing Practices (GMPs), Good Laboratory Practices (GLPs), and Good Clinical Practices (GCPs.)
Framework for System Validation
While various consulting companies have created their own methodologies for systems validation, our experience shows the following framework to be the comprehensive and applies to both -off-the-shelf software or home grown. This framework ensures that the software being deployed is most likely to be compliant with FDA requirements and will continue to sustain the compliance over time. Key elements of that framework include:
Organizations that implement this framework find it easier to keep their system FDA validated on an ongoing basis.
Using a QMS system for Proactive System Validation
In a world where technology and business practices are dynamic rather than static, reactive compliance audit methodologies provide questionable value. Best practices call for IT organizations and software vendors to use the above framework to proactively audit their software development and implementation processes on an ongoing basis to identify and correct any systemic issues. Industry leaders are deploying Quality Management Systems (QMS) within their IT/development organizations to streamline and automate the entire internal audit and corrective action process.
The QMS system serves as a system-of-record for the systems validation project. All documents including SOPs, specifications and test plans are stored in its repository. The QMS audit capabilities are used to create and track an audit checklist and its results. Once issues have been identified through the internal audit process, the first step is to initiate an investigation and to properly identify the root cause of the problem. After the root cause has been identified, Corrective Action (CAPA) items are created. When corrective actions are approved, appropriate changes are implemented in the environment through a change-control process and then the CAPA is closed out. These changes may include amendments to a documented procedure/SOP or creating a new documented procedure/SOP when one is lacking, or placing controls to ensure that the documented process is followed, or upgrading the skill set of an employee through a training and certification process. Its dashboard provides IT and regulatory management ongoing view into the process metrics. By using a QMS, companies ensure that the ongoing and proactive audit and corrective action process is systematized and provides the basis for lowering the cost of compliance.In summary, system validation is not a onetime project - it is an ongoing process. Through a combination of a good implementation of system development lifecycle and proactive internal auditing of the software development and implementation process, companies can easily comply with the system validation requirements of 21CFR part 11 at a lower cost of compliance.
MetricStream is a market leader in Enterprise-wide Compliance and Quality Management software for global corporations. Leading companies in the Pharmaceutical industry are using MetricStream's products to comply with 21CFR Part 11 and cGMP regulations.