PHARMA QUALITY EUROPE / / [email protected] Quality Information Technology Pharmaceuticals PQE A Road Map to COTS CSV, HPLC 1 A Road Map to.

PHARMA QUALITY EUROPE / www.pqe.it / [email protected]

Quality

InformationTechnology

Pharmaceuticals

PQE

A Road Map to COTS CSV, HPLC 1

A Road Map toA Road Map to

SARQ, 3rd of October, 2002

Ulf SegerstéenPharma Quality Europe AB

COTSComputer System Validation

based on a HPLC, as example


Quality


Pharmaceuticals

PQE


Validation of systems to ensureaccuracy, reliability, consistent

intended performance, and the ability todiscern invalid or altered records (§11.10(a))

Validation of systems to ensureaccuracy, reliability, consistent

intended performance, and the ability todiscern invalid or altered records (§11.10(a))

21 CFR Part 11 effective Incipit requires ....21 CFR Part 11 effective Incipit requires ....

CSV COMPLIANCE

OLD STD

CO

MP

LIA

NC

E

CSV COMPLIANCE

NEW STD

PART 11 COMPLIANCE

STD

……. The Bar is being raised. The Bar is being raised……. The Bar is being raised. The Bar is being raised

ER NO ER

ER NEW

NEW


Quality


Pharmaceuticals

PQE


Guidance Content:Guidance Content:Guidance Content:Guidance Content: GUIDANCE KEY ELEMENTS

System Requirements Specifications (5.1)Documentation of Validation Activity (5.2)Equipment Installation (5.3)Dynamic Testing (5.4)Static Verification Techniques (5.5)Extent of Validation (5.6)Independence of Review (5.7)Change Control (5.8)

SPECIAL CONSIDERATIONS: COTS products and Internet

CF

R 2

1 P

11

GU

IDA

NC

E

CF

R 2

1 P

11

GU

IDA

NC

E

Computer system validation should be performed by persons other than those responsible for building the system.Two approaches to ensuring an objective review are: (1) Engaging a third party(2) dividing the work within an organization such that people who review the system (or a portion of the system) are not the same people who built it.

Computer system validation should be performed by persons other than those responsible for building the system.Two approaches to ensuring an objective review are: (1) Engaging a third party(2) dividing the work within an organization such that people who review the system (or a portion of the system) are not the same people who built it.

Example of Guidance: Independence of ReviewExample of Guidance: Independence of ReviewExample of Guidance: Independence of ReviewExample of Guidance: Independence of Review


Quality


Pharmaceuticals

PQE


COTS (Commercial Off-The Shelf) productsCOTS (Commercial Off-The Shelf) productsCOTS (Commercial Off-The Shelf) productsCOTS (Commercial Off-The Shelf) productsC

FR

21

P 1

1 G

UID

AN

CE

CF

R 2

1 P

11

GU

IDA

NC

ECommercial software used in electronic record keeping system subject to part 11 needs to be validated, just as programs written by end users need to validated(…)We do not consider commercial marketing alone to be sufficient proof of a program’s performance suitability(…)See 62 Federal Register 13430 at 1344-13445 March 20,1997

Commercial software used in electronic record keeping system subject to part 11 needs to be validated, just as programs written by end users need to validated(…)We do not consider commercial marketing alone to be sufficient proof of a program’s performance suitability(…)See 62 Federal Register 13430 at 1344-13445 March 20,1997

WRONG APPROACH

RIGHT APPROACH

SYSTEM IS A COMMERCIAL PACKAGE, WIDELY USED

IT’S OK.NOT NEED TO BE VALIDATED

SYSTEM IS A COMMERCIAL PACKAGE, WIDELY USED

END USER REQ SPECS

SW STRUCTURAL INTEGRITY

FUNCTIONAL SW TESTING


Quality


Pharmaceuticals

PQE


New Trend - Partnership by-Outsourcing Validation Activities What’s in it for the Customer ?•Staying focused on his business - be more cost-effective.•Staying on top of the requirements - stay compliant rather than spending time solving regulatory issues.•Sharing the latest knowledge - don’t be active in all fields and save time for the core business.•Being prepared for what’s to come - get resources when needed, don’t let them be an added cost to the Products.•Being part of the solution NOT part of the problem - give theorganization confidence to handle changes and challenges.•Always having access to a Partner to discuss and solve issues with.

What’s in it for the Partner ?•Client staying focused on his business makes easier for the Partner to support him.•Client staying updated on the requirements gives the Partner flexibility to act more proactively.•Sharing the latest knowledge makes the Client and the Partner understand each other, reducing misunderstandings and increasing efficiency.•Being prepared for what is to come helps the Partner to keep prices down and gives the Client more accurate budget control.•Being part of the solution, NOT part of the problem, helps both parties in solving and anticipating potential problems.


Quality


Pharmaceuticals

PQE


SPECIFY TEST START UP

CONTROLSUPPORT

& IMPROVE

PLAN TO BEPROACTIVE

The Lifecycle Activities for a COTS, usinga Project perspective:


Quality


Pharmaceuticals

PQE


URS (PROCESS)

EVALUATION

VALIDATION PLAN

MASTER INDEX(MI)

SPECIFY TEST START UP

PROCESS Q

FAT & SAT

TEST PLAN

DRAFT SOP’s

USER GUIDE

SYSTEM ORG. & DOC’s VALIDATIONREPORT

SOP’S (Approved)

The Lifecycle Activities for a COTS, cont.


Quality


Pharmaceuticals

PQE


SPECIFY

User Requirement Specification based on:• the lab Process including the HPLC-equipment, HW-platform, SW-application, printer, expected filestorage and user interactions.

• requirements for compliance to CFR 21 Part 11 (ER & ES) and other applicable GxP regulations

• testable requirements URS (PROCESS)

EVALUATION

VALIDATION PLAN

MASTER INDEX(MI)


It is important that your end user requirements specifications take into account •predicate rules•part 11•and other needs unique to your system that relate to ensuring•record authenticity•integrity•signer non-repudiation•and, when appropriate, confidentiality.

It is important that your end user requirements specifications take into account •predicate rules•part 11•and other needs unique to your system that relate to ensuring•record authenticity•integrity•signer non-repudiation•and, when appropriate, confidentiality.C

FR

21

P 1

1 G

UID

AN

CE

CF

R 2

1 P

11

GU

IDA

NC

E


Quality


Pharmaceuticals

PQE


CF

R 2

1 P

11

GU

IDA

NC

EC

FR

21

P 1

1 G

UID

AN

CE

End users should document their requirements specifications relative to part 11 requirements and other factors, as discussed above.End users should document their requirements specifications relative to part 11 requirements and other factors, as discussed above.

Pharma Industry

UserRequirementsSpecifications

Quality Assurance ______System Owner _________

March, 2002

Define what

predicate rule needs

Define what you

need(all factors) Define

what Part 11

needs

COTS COTS End User Requirements SpecificationsEnd User Requirements Specifications

COTS COTS End User Requirements SpecificationsEnd User Requirements Specifications


Quality


Pharmaceuticals

PQE


SPECIFYEvaluation based on:• the CS fulfilling the Process that it is to be used within.

• Risk Assessment Index, based on complexity of the CS and on the criticality for failure during the process.RISK MANAGEMENT=RISK APPROACH+RISK ACTIVITIES

• the Suppliers expected role, process and responsibilities during the Project for developing + testing (FAT), installing and testing at the customers site (SAT), supporting the CS over time and license agreements.

• fulfillment of compliance to CFR 21 Part 11 (ER & ES) and other valid GxP regulations

• referenced other Pharmaceutical customers using the system.

URS (PROCESS)

EVALUATION

VALIDATION PLAN

MASTER INDEX(MI)



Quality


Pharmaceuticals

PQE


CRITICALITY

COMPLEXITY

PROCESS

DATA

SYSTEM

VALIDATION EFFORT SHOULD BE MAXIMUN FOR

HIGH CRITICAL AND COMPLEX SYSTEMS.

EFFORT MIGHT BE REDUCED THROUGH AUDITS IN CASE

OF SW STANDARDSCATEGORY

GOLDEN RULE

Evaluation of WHAT approach to take:



Quality


Pharmaceuticals

PQE


• HighSoftware application whose features and functions have a direct impact on the quality, performance and efficacy of drug products

• MediumSoftware used for business process analysis, information and documentation systems that poses some business risk, or can have an indirect impact on drug products

• LowPackaged Software used for business purposes that poses no business risk

Criticality Assessment


Quality


Pharmaceuticals

PQE


The Risk Assessment Index (RAI) is a rationale to evaluate the criticality and complexity of computerized systems.

• System Complexity is higher when system: Performs detailed algorithm or calculations Interfaces with other computerized systems performs extensive data input checking processes numerous types of transactions requires extensive support to be maintained involves a large number of users

• GxP Criticality is an index of the impact of the system on pharmaceutical product or on raw data safety and traceability

System Complexity

GxP Criticality

RAI definition

(see next page)

Risk Assessment EvaluationRisk Assessment EvaluationRisk Assessment EvaluationRisk Assessment Evaluation


Quality


Pharmaceuticals

PQE


RISK ASSESSMENT INDEXGLP/GMP Criticality Complexity RAI

Null Low/Medium/High complexity 0

Low criticality Low complexity 1

Low criticality Medium complexity 2

Low criticality High complexity 3

Medium criticality Low complexity 4

Medium criticality Medium complexity 5

Medium criticality High complexity 6

High criticality Low complexity 7

High criticality Medium complexity 8

High criticality High complexity 9

…that brings to RAI definition:

Risk Assessment EvaluationRisk Assessment EvaluationRisk Assessment EvaluationRisk Assessment Evaluation


Quality


Pharmaceuticals

PQE


COSTS

RISKSEVALUATION

THROUGH REFERENCES

EVALUATION THROUGH

EXPERIENCES

REQUEST FOR INFORMATION

3RD PARTY AUDIT

SPECIFIC FIRM AUDIT

RAI used for evaluating HOW to perform RAI used for evaluating HOW to perform the Supplier Evaluationthe Supplier Evaluation

RAI used for evaluating HOW to perform RAI used for evaluating HOW to perform the Supplier Evaluationthe Supplier Evaluation

RAI=9

RAI=0-2

RAI=3-4

RAI=5-6

RAI=7-8


Quality


Pharmaceuticals

PQE


COTS Functional Testing of SW dependent on COTS Functional Testing of SW dependent on Supplier Documentation availableSupplier Documentation available

COTS Functional Testing of SW dependent on COTS Functional Testing of SW dependent on Supplier Documentation availableSupplier Documentation available

CF

R 2

1 P

11

GU

IDA

NC

EC

FR

21

P 1

1 G

UID

AN

CE

When the end user cannot directly review the program source code or development documentation more extensive functional testing might be warranted than when such documentation is available to the user.

When the end user cannot directly review the program source code or development documentation more extensive functional testing might be warranted than when such documentation is available to the user.

DEVELOPMENT DOCSREDUCE

VALIDATION EFFORT


Quality


Pharmaceuticals

PQE


SPECIFYValidation Plan based on:• Validation Strategy which is based on the Evaluation.

• available Validation Methods, Tools and knowledge

• a Validation Process that are documented as a matrix of all Validation Activities (VA), based on RAI that are expected to be executed for a HPLC (COTS). Rational given for VA’s that are not to be performed. Correspondent User roles in the Project and Supplier roles to these activities in the project are used in the same matrix.

• statement for compliance to CFR 21 Part 11 (ER & ES) and other valid GxP regulations

• required Supplier-, System Documentation and User Organization and SOPs for supporting and maintaining the CS.

URS (PROCESS)

EVALUATION

VALIDATION PLAN

MASTER INDEX(MI)



Quality


Pharmaceuticals

PQE


Master Index (MI)

ProjectDocumentation• User Requirements

Validation Documentation• Validation Plan• Validation Protocols and Records• Validation Report

MaintenanceDocumentation• Registration• Support Agreements for HW and SW• SOP´s

REALIZE

OPERATE

UserDocumentation

Change ControlDocuments

ValidationDocumentation

Escrow

BackupLog

IQLog

PeriodicReview


Quality


Pharmaceuticals

PQE


SPECIFY TEST

Prerequisites to move to Test phase:Reviewed and Approved URS

Approved EVALUATION REPORT

Reviewed and Approved VALIDATION PLAN

Standard Index produced for all documents

URS (PROCESS)

EVALUATION

VALIDATION PLAN

MASTER INDEX(MI)



Quality


Pharmaceuticals

PQE


TESTING

USRFSP

VALPLAN

SOPs

VALREPORT

TESTING IS THE KEYSTONE OF THE VALIDATION

PROCESS...

INDEPENDENCE FROM DEVELOPMENT

CF

R 2

1 P

11

GU

IDA

NC

EC

FR

21

P 1

1 G

UID

AN

CE

Tests should include not only “normal or “expected” values, but also stress conditions.Test conditions should extend to •boundary values, •unexpected data entries, •error conditions, •reasonable challenges, •branches, •and combinations of inputs.

Tests should include not only “normal or “expected” values, but also stress conditions.Test conditions should extend to •boundary values, •unexpected data entries, •error conditions, •reasonable challenges, •branches, •and combinations of inputs.


Quality


Pharmaceuticals

PQE


STRUCTURAL TESTINGThis testing takes into account the internal mechanism of a system or component (white box testing). Structural testing should show that the software creator followed contemporary quality standards.This testing usually includes inspections of the program code and development documents.

STRUCTURAL TESTINGThis testing takes into account the internal mechanism of a system or component (white box testing). Structural testing should show that the software creator followed contemporary quality standards.This testing usually includes inspections of the program code and development documents.

FUNCTIONAL TESTINGThis testing involves running the program under known conditions with defined inputs and documented outcome that can be compared to pre-defined expectations (“black box” testing)

FUNCTIONAL TESTINGThis testing involves running the program under known conditions with defined inputs and documented outcome that can be compared to pre-defined expectations (“black box” testing)

PROGRAM BUILD TESTINGThis testing is performed on units of modules, integrated units of code and the program as a whole.

PROGRAM BUILD TESTINGThis testing is performed on units of modules, integrated units of code and the program as a whole.

SYSTEM TEST

FAT/SAT

OQ/PQ

The perfect path …..The perfect path …..The perfect path …..The perfect path …..


Quality


Pharmaceuticals

PQE


URS User Requirement Specification Performance/Process Qualification

Risk Analysis

Functional Specification Operation Qualification

Risk Analysis

Design Specification Installation Qualification

Source Code / Source Code Testing

Life & Test Cycle Model:

SUPPLIER


Quality


Pharmaceuticals

PQE


TESTTest Plan based on:• Validation Plan and RAI of the CS.

• FAT, which would include review of Supplier Evaluation, Test, System & User documentation from the Supplier

• SAT, which would include witness during IQ and OQ on site together with Supplier. These tests should normally include test for compliance to CFR 21 Part 11.

• PROCESS QUALIFICATION, which would include performing the complete lab process as required by URS and User Guide, should also include CS Administration tests. • DRAFT SOPs could be in one document for this type of systems and should be available at PQ.

PROCESS Q

FAT & SAT

TEST PLAN

DRAFT SOP’s



Quality


Pharmaceuticals

PQE


Prerequisites to move to Start Up phase:

Reviewed and Approved PROCESS Q based on DRAFT versions of the User Guide and SOP’sApproved FAT & SAT REPORT

Reviewed and Approved TEST PLAN

Filed in the Master Index (MI)

TEST START UP

PROCESS Q

FAT & SAT

TEST PLAN

DRAFT SOP’s



Quality


Pharmaceuticals

PQE


START UPSTART UP: THROUGH CS DECISION based on:

USER GUIDE approved and Users trained

SYSTEM ORGANISATION trained on CS and System Documentation available.VALIDATION REPORT, no remaining corrections, all documents in MI approved.

(included in MI)

USER GUIDE

SYSTEM ORG. & DOC’s VALIDATIONREPORT

SOP’S (Approved)

The Lifecycle Activities for a COTS, END


Quality


Pharmaceuticals

PQE


Example of a Validation Tool to a COTS

APPENDIX

TOOL

1-CS Req. & SOP:•URS/FS/DS and user guide•Training•CS Security and authorization (incl. Backup and Contingency)•Maintenance •Change Control•Periodic Review

VALIDATION TOOL1-CS Req. & SOP2-Validation Plan & Report3-Test Plan & Report4-Validation Plan & Report

2-VALIDATION P&RMatrix with:•Activities incl. CFR 21 Part 11-declaration•Responsibility•Expected Output4-Validation Report•Reported Output•Deviations•Summary•Approval/Rejection

2-Test Plan & ReportVer. 1Matrix with:•Test case•Expected Result

4-Test Plan & ReportVer. 2•Reported Result•Deviations/Re-test•Summary & Recommend.

REUSABLE


Quality


Pharmaceuticals

PQE


Saving Effort by “Reusing” the Tool

Critic

al

Applicat

ions

Infrastructure

Effort Save

Effort Save

Effort SaveE

ffo

rt


Quality


Pharmaceuticals

PQE


Finally:To be in Compliance means:Coordination (Policy & Standards) Cooperation (sharing knowledge & support) Capacity (make realistic Plans for big changes) Competence (get trained to gain competence)

Consistency (use same measurements & tools)


Quality


Pharmaceuticals

PQE


We envision to conveniently engineer

innovative technology in order to

synergistically facilitate value-added

leadership skills to stay competitive in

tomorrow's world Dilbert

PHARMA QUALITY EUROPE / / [email protected] Quality Information Technology Pharmaceuticals PQE A Road Map to COTS CSV, HPLC 1 A Road Map to.

Documents

cots csv

validated system

cots commercial

system subject

road map

cots products

validation of systems

extent of validation