IT Validation Training

IT Validation

Who cares? Why is it so important?

Bob Sturm

Director, IT Validation

IT Validation - Agenda

• What is validation? • Why validate software? • What does our company want? • What is the GAMP 5/Validation Life Cycle? • What does the FDA want?

• What are good documentation practices? • What is our document naming convention? • What about Change Control for GxP systems? • Any Questions?

• Check the IT Validation site on SharePoint for the latest

validation templates as well as training, reference and administrative documentation for validation

Questions For You

• How many here use validated computer systems?

• How many here have been actively involved in a computer system validation (CSV) project?

• How many here have used software, at work or at home, that doesn’t quite do what it’s supposed to?

What is validation?

• FDA definition Establishing documented evidence that provides a high degree of assurance that a specific process will consistently produce a product meeting its predetermined specifications (requirements) and quality

attributes

What Does That Mean?

• If it’s a critical GMP, GLP, or GCP process: • You have to know what it’s supposed to do

• It has to work when it’s rolled out

• It has to work over its expected lifetime

• You have to be able to PROVE IT!

So What Is Computer Validation?

• FDA definition:

“Confirmation by examination and provision of

objective evidence that software specifications

conform to user needs and intended uses, and that

the particular requirements implemented through

software can be consistently fulfilled."

Okay… What Does That Mean?

• We document what the user needs and what the system must do • This establishes intended use and predetermined specifications

• We document testing of the system’s function and performance • This establishes that the system fulfills the requirements

• We document proper engineering and quality assurance practices in the design, build, and installation of computer hardware and software • This establishes that the system should consistently work right

• FIT FOR IT’S INTENDED USE! Key

Why validate software?

How Do We Decide Whether To Validate?

• If the system automates a process or manages records regulated by the GMPs, GCPs, or GLPs, we validate

• Validation isn’t a fixed concept… • The amount of work, documentation, and $$

involved depends on: • The level of risk assigned to the system • The complexity of the system • Whether we write the software ourselves, or purchase it and

install it ourselves, or use a system that’s hosted by a partner

• Contact me or QA Systems

WAN Infrastructure (Qualified)

General IT Services

Core IT Infrastructure Software and Network

Operating Systems

Hardware

Data Centers

ITMS processes – ISO certifications

• Qualification layers: GLOBAL | LOCAL

LAN

Desktop Computers

GxP software applications

• Validation layer

Oracle (GxP) CSCR

GMGT008

The Difference between Validation and Qualification

Computer Validation Process

• SOP for Validation of GxP Computer Systems • QA Systems does a GxP Risk Assessment • Complete a CSCR • Form a validation team

• System owner • QA Systems • IT: Applications, Infrastructure, Validation

• Decide what activities and deliverables are appropriate • Start the system implementation • Do formal validation testing and documentation • Use and maintain the system under procedural controls

Potential Validation Documents (GAMP 5)

Validation Plan

User Requirements

Functional Specs

Risk Analysis

Design specs

Trace Matrix

IQ Protocol/ Scripts

OQ Protocol/ Scripts

PQ Protocol/ Scripts

Validation Summary

Data Migration (DM)

Even More Possible CSV Deliverables

• Migration Qualification: assure that data from the old system makes it to the new system okay

• Configuration Baseline Document • Training materials • SOPs/ WIs for system use, security, administration,

etc.

• All of these CSV documents have two purposes: • Prove to ourselves that it works and we did the validation right • Prove the same thing to an inspector, maybe years later,

maybe when everyone who was involved is gone

• One size does not fit all validations!

Policies vs. SOPs vs. Work Instructions

• “Policies generally set the overall tone and are high-level requirements for the organization.

• SOPs then add the "how to implement" back-bone to your policies.

• Some companies then use Work Instructions as step-by-step procedures for doing a particular operation.

• From an auditing perspective, whatever a person needs to do his or her job is a procedure.

• The FDA considers policies, SOPs, procedures, work instructions, and your other internal guidance ALL as "procedures" under its regulations.”

- Janis Olson, 22 years as an FDA field investigator and regional manager; May 2011

What does the FDA want?

• www.fda.gov

• Four key things: Validation Project Plan, Requirements, Test documents and a Validation Summary Report

• Focus: Patient safety, Product quality and Data integrity

• Complete, accurate, reliable and consistent • Audit trial, system security, access controls and data

backup • “IF IT ISN’T DOCUMENTED, IT DIDN’T HAPPEN” (FDA and IT Industry Mantra)

What about 21 CFR Part 11?

• As we started using computers more, inspectors found it hard to audit records required by the regulations

• We also started using electronic signatures

• 21 CFR Part 11 is intended to assure two things: • Electronic records required by regulations are as trustworthy and

inspectable as paper records • Electronic signatures required by regulations are as valid and

legally binding as wet ink signatures

• If Part 11 applies to the records in your system, the required Part 11 controls simply become part of your validation requirements

Industry Mistakes and Misconceptions - From FDA field investigators

• Focusing on a software package rather than the system as a whole

• Failure to plan for and address configuration • Treating Part 11 as a quality issue • Part 11 is focused on electronic signatures • Audit trials can be manual • If I print and sign, I can delete the electronic record

• Vendor certification is all that is needed for COTS software

FDA Warning Letters - 483

• Purpose • First warning of an issue from the FDA • Gets the attention of senior company management • Initiation of administrative enforcement

• Impact

• Corrective actions • Company’s reputation with the FDA

FDA 483 Warning Letters

• FDA concludes that the…systems lack adequate validation and therefore are unacceptable for use in the production of drug products

Trends • As many as half of all inspections are now

focusing on some aspect of computerized system quality and compliance

Always use a Blue or Black ballpoint pen

Initial & date cross outs. Only one line.

Documentation Good Practices

Validation Templates: Always use the latest version

from SharePoint.

Use the correct date format:

03-Nov-10

03Nov10

Complete all fields in forms, don’t leave any fields blank and write

legibly

SOP for Good Documentation Practices - Use MS Word’s Spell & Grammar Checker

Keep it current. Store and retain it properly.

Neatness Counts!

Once Our System Is Validated

• Validation shows that our system works… on the day that validation is complete

• During the (hopefully) years the system is in operation, we need ongoing procedural controls, especially: • System use • Change control • Problem management • Periodic evaluation • Training for new users • Ongoing system administration and security administration

Change Control - CSCR

• Uncontrolled changes to a validated system will make people question whether it’s really still validated

• SOP for Computerized System Change Control • All changes to a validated system must be documented, justified,

tested, and approved • Changes might be as simple as a software patch from the vendor,

or as complex as installing a new version of the application • Each change includes a mini validation effort… or maybe not so

mini, to assure and document that the system still works right

Problem Management - CSPR

• When things aren’t working right, people may question whether the system is really still validated

SOP for Computerized System Problem Reporting • Problems using or administering a validated GxP computer

system must be reported, tracked, resolved, and approved • System users should report each issue to IT and the system

owner • IT and system owners should consult with QA Systems to

determine whether the issue rises to the level of a “formal problem” per the SOP

• The fix for a problem may be quick, or it may turn into a change control

Periodic Evaluation

• SOP for Validation of GxP Computer Systems

• Requires a periodic evaluation at least every three years (and an annual security check)

• Evaluation includes original validation work, all change controls, all problem reports, discussions with system owner/users

• Does the original validation work meet current standards? • Have planned or unplanned system changes caused issues? • Have changes outside the system caused issues? • End result: either we declare the system to still be validated, or

we decide we need to perform some remedial activities

• Every once in a while, we need to step back and take a look at our validated computer systems

9 Most Common Validation Errors

Validation Documents • Missing Information – All • Inconsistency – All • Lack of Needed Detail – URS and FS • Traceability – TM • Vague Wording – All • Unverifiable Test Results – Test scripts • GDP – Test scripts • Incomplete Testing – Test scripts • Ambiguity – URS and FS

Questions??

• The only dumb question is the one you don’t ask.

* * * Complete your training record!

BONUS SECTION • Additional information

FDA 483 Inspectional Observations

• “Validation…is inadequate in that there is no documentation of: validation plan, test plan, training plan or validation report

• “Original specifications are not complete • “Validation…is inadequate in that there was no clear

correlation and comparison between expected and actual test results

• “Documentation of the validation…is inadequate in that observed test results are recorded only as a check mark. Actual observed results are not recorded.

• “All functions of the software were not tested • “Testing was performed before test plans were approved

FDA Warning Letters – Computer Systems

• Computer software • Lacks security to prevent unauthorized access • Has no audit trial capability • Lacks data security • Lacks documentation of changes

• No documented software training • Changes obscure original data • Changes not restricted to authorized persons • Original records can be deleted from the

computerized system without documentation • Inadequate system validation

Possible Computer Validation Deliverables

• Validation Plan: what we want to accomplish • User Requirements: intended use and security • Functional Specification: what the system must do • Design Specification: how the system will do it • Installation Qualification: tests to show we put it together right • Operational Qualification: tests to show it functions correctly • Performance Qualification: tests to show it meets users’ needs • Trace Matrix: shows that all requirements were tested • Validation Report: summarizes what we did and how it went

21 CFR Part 11

• What is a Part 11 record? • Data is submitted to FDA in electronic format • Electronic signatures intended to be the equivalent of a

handwritten signature

• Things to consider: from the 21 CFR Part 11 document • Validation of systems • Audit trails – secure, computer-generated and time stamped • Ensure that only authorized individuals can access system • Persons associated with system have training, education and

experience to perform their tasks • Written policies: SOPs and Work Instructions

21 CFR Part 11 – More items

• More things: from the 21CFRPart11 document • Use of device checks to determine, as appropriate, the

validity of the source data input • Use of operational system checks to enforce appropriate

permitted sequencing of steps and events • Appropriate controls over system documentation

• Electronic Signature (e-sig) • An e-sig is unique to one person, shall not be reused nor

reassigned to anyone else • Person using an e-sig must certify to the FDA that their e-sig

is equivalent to their handwritten signature • An e-sig is either biometric based or it consists of an

identification code and a password

User Requirement Specifications

Functional Specifications

IT Computer System Validation and Document Flow: Key Validation Documents

IDENTIFY REQUIREMENTS WRITE PROTOCOL & TEST SCRIPTS

EXECUTE TESTS SUMMARIZE TEST RESULTS WRITE FINAL REPORTS

Optional: C-Risk Analysis, D-Training Plan, E-Detailed Design Specs., F-Configuration Spec.,

G-Training & Manuals, H-Migration Qualification Protocol,

I-Draft WIs/ SOPs, J-Migration Qualification Report

Administrative: A-GxP Assessment, B-IT Project Charter & CSCR, K-MS Project Plan

Post Implementation

Performance Qualification Test

Execution

Performance Qualification

Summary Report

IQ Execution(Prod. Env.)

IQ Summary Report

(Prod Env.)

Performance Qualification Protocol

& Test Scripts

IQ Protocol & Test Scripts

(Production Env.)

Regression Test Execution

CHANGE CONTROL

Regression Test Protocol

& Test Scripts

** EVALUATE ** ** PLAN **

Supplier Audit

Design Specifications

Validation/ Qualification

Summary Report

Installation Qualification Test

Execution(Val Env.)

Installation Qualification

Summary Report(Val Env.)

Regression Test Summary Report

Validation/ Qualification Project

Plan

** REQUIREMENT ANALYSIS ** ** BUILD / TESTING ** ** DEPLOYMENT **

** MAINTENANCE **

** BUILD / TESTING **

- Major release- Added functionality

Training Records

Support Model

Final WIs/ SOPs

** RETIREMENT **

Operational Qualification Protocol

& Test Scripts

Operational Qualification Test

Execution

Operational Qualification

Summary Report

B K

CD

E F G

H I

F

J Pre

J

J Post J

IQ

IQ

F F

GAMP 5:

I-Draft WIs/ SOPs, J-Migration Qualification Report

G-Training & Manuals,

F-Configuration Spec., E-Detailed Design Specs.,

H-Migration Qualification Protocol,

D-Training Plan,

G

Requirements Trace Matrix

A

Installation Qualification Protocol & Test Scripts

(Val Env)