III All-Russian GMP conference A practical approach to...
Transcript of III All-Russian GMP conference A practical approach to...
R. Bertini – PQE Group August, 2018
III All-Russian GMP conference
A practical approach to Data Integrity Assessment and CAPA Plan
REGULATORY BACKGROUND• Data integrity shall be embedded in the Pharmaceutical Quality
System to ensure:
Man
ufac
turin
gR
esea
rch
Vigi
lanc
e on
Fi
nal
Prod
uct
QUALITY OF MEDICINES
QUALITY OF GXP DECISIONS
EVOLUTION OF GMP PROCESSES• 1997 2018
Use of Computer Systems and Electronic Records in Lab and Prod processes has greatly increased in the last 20 yearsDI Compliance is nowadays a fundamental requirement for Lab and Prod Systems
DATA INTEGRITY REQUIREMENTS
• Attributable & Consistent, e.g. User Access Control
• Legible & Enduring. e.g. Backup in place
• Contemporaneous, e.g. Secured Timestamp
• Original, e.g. secured Audit Trail
• Accurate & Available, e.g. User groups, Trainings, Computerized Systems Validation
GxP
DATA INTEGRITY: The extent to which all data are complete, consistent and accurate throughout the data lifecycle, i.e. from initial data generation and recording through processing (including transformation or migration), use, retention, archiving, retrieval and destruction.In a nutshell: GxP records are required to be ALCOA+
TUNE THE ASSESSMENT LEVEL
Level of details and relevant expected outcomes should be tuned on the basis of the agreed resources in terms of time, acceptable regulatory exposure and budget
Exposure
Budget
Time
Assessment activities may be developed combining one or more keyfactors (see below):o Status of Technology used to implement data integrity featureso Adequacy and Completeness of Data/Systems Validation Life Cycleso Presence of specific Process/Operational requirements within
specifications and testing documentso Status of supporting Quality System documentso Status of IT Infrastructure Qualification supporting GxP critical applications
PROPOSED METHODOLOGYBased on best practices, developed and fine-tuned in +500assessment projects with regulated companies world-wideTakes into account:o Applicable regulatory requirementso most recent guidelines on DI issued by Regulatory Authorities world-wideo feedback from authorities inspections
It is intended to be used:o When it is necessary to deal with a high number of systems in a short timeo to quickly identify the most common DI gaps in a system and immediately start the
remediated phaseStreamlined assessment phaseRisk-based and priority–driven approach to the remediation phase
ASSESSMENT METHODOLOGY
SYSTEMS INVENTORY
SYSTEMS RISK ASSESSMENT
SYSTEMS GAP ANALYSIS • TECHNOLOGY • DOCUMENTATION
CAPA PLAN
CAPA PLAN EXECUTION
3
4
1
5
2
1 – Inventory
• Unique System ID• Business Unit/Department• Location• Control SW Name• SW Version• SW Supplier
• HW / Controlled Equipment ID • HW / Controlled Equipment description• Business Process Owner• Technical Owner (System Administrator)• Quality Unit• Interfaced systems
SYSTEM INFORMATION
• GxP Relevance• Regulated ER/ES• System Risk Priority Level • System GAMP Category• Notes
ANALYSIS RESULT
GxP Relevance Regulated Regulated ERES
Relevance System Risk
Level
System GAMP
Category(Yes/No) ER ES (Yes/No) (VH, H,M,L) (1,3,4,5)
PCS.001 Pharma 5 Pharma 5 EBRS 3.0/21 Werum Körber Solutions NA Chargendokumentation
Fermentation/ Aufarbeitung XXX YYY ZZZ Yes Yes
-Master Batch Record-Batch Record-Measurement values (PCS)-Messages (PCS)-weighing values
all manual process stepts
Yes VERY HIGH 5Configurations:- Material Master- Batch Master
PCS.002 Pharma 5 120 ABB WUPWP07-P002 5.1 ABB NA Aufarbeitung XXX YYY ZZZ Yes Yes
-Alarms History-Control Recipes (batch specific)-Sequences-Trends-Messstellen-Alarm Tresholds-Set Points
NA Yes High 5
PCS Aufarbeitung including:- Server (Windows Server 2008)- OS Operative Panels (Windows 7 embedded [Thin Clients])- Controllers
808xA (Handling SW)TCL Builder (Recipts) - MOD 300Contol Builder (Messstellen) MOD 300IMS interface to EBRS
Master Recipe is a SW application developed inside the System (GAMP SW 5). The system is provided with a tool for source code compare
PCS.005_a Pharma 5 120 ChemStation LC B04.03-SP1
[87]Agilent
Technologies HPLC86
- HPLC86 (Agilent Technologies 1200 Series) TCC + Gerstel Multipurpose Sampler MPS3+J17
XXX YYY ZZZ Yes Yes
- Instrument Methods- Methods. Sequences- Raw Data- Results/Report
No Yes Medium 4
Server HDEWUPS0237Interface between PLS ABB WUPWP07-P002 und Online HPLC-Systemen HDEWUPC8342, HDEWUPC8343 und HDEWUPC9055Notes of process on notebookInstrument Methods and Methods are connected (stored on the same file)Process Owner is Pharma 5 but the system is shared with Q and it's also located into Q laboratory. The system was assessed from the Pharma 5 process point of view.
NotesQuality Unit
Business Unit / Department Location Control SW Name SW Version SW Supplier
HW / Controlled
Equipment ID
HW / Controlled Equipment Description
Business Process Owner
Technical Owner
SYSTEM INFORMATION RISK ANALYSIS RESULTS
Interfaced System
(Yes/No)
System ID (Sort field)
From PIC/S Guidance “Good Practices for Computerized Systems in Regulated GxPEnvironments”
OPERATING ENVIRONMENTCOMPUTERIZED SYSTEM
PROCESS
INFRASTRUCTURE (NETWORK)
COMPUTER SYSTEM(Controlling System)
SOFTWARE
HARDWAREFIRMWARE
CONTROLLED FUNCTION
OPERATING PROCEDURES AND
PEOPLE
EQUIPMENT
2 – System Risk Assessment
CRITICALITY
COMPLEXITY
System Risk Level is determinedbased on the combined values ofCriticality and Complexity
CRITICALITY
HIGH MEDIUM LOW
COM
PLEX
ITY
HIG
H
HIGH
MED
IUM
MEDIUM
LOW LOW
Impact of Systems andrelated E-records onpatient safety and productquality
Degree to which data canbe configured, andtherefore potentiallymanipulated
SYSTEM RISK LEVEL
Predefined checklists are used to evaluate the Criticality and Complexity of each System
3 – GAP Analysis: Technology
The Technology Gap Analysis is oriented to verify whether adequate featuresresult to be in place, in order to meet all data integrity requirements
Access Control User Profiles Audit Trail Protection from Records Alteration
Time Reference Backup / Restore Auto Save E-signature
3 - GAP Analysis: DocumentationSystems life cycle should be developed to embed data integrity measures following quality-by-design approach. Systems Validation Life Cycles is assessed to verify the Adequacy andCompleteness of implemented strategy/approaches and life cycle documents
Validation Life Cycle Operation & Administration Procedures
SOP
3 - GAP Analysis: System Compliance Level
Results of GAP Analysis are recorded and evaluated in dedicated work-sheets
SEVERITY OF TECHNOLOGY GAPS
NULL LOW MEDIUM HIGH
SEVE
RITY
OF
DOCU
MEN
TATI
ON
GAP
S
NU
LL FULL
LOW PARTIAL
MED
IUM
LOW
HIG
H
NO
System Compliance Level is determined based on the combined values ofTechnology and Documentation Gaps Severity
TECHNOLOGY ASSESSMENT
DOCUMENTATION ASSESSMENT
4 – CAPA Plan: Regulatory ExposureSystem Regulatory Exposure is determined based on the combined values of ComplianceLevel and Risk Level
Priority and Timing of CAPA execution shall be based on the Regulatory Exposure
SYSTEM COMPLIACE LEVEL
NO LOW PARTIAL
SYST
EM R
ISK
LEVE
L HIG
H
HIGH
MED
IUM
MEDIUM
LOW LOW
SYSTEM COMPLIANCELEVEL
SYSTEM RISK LEVEL
REGULATORY EXPOSURE
Assessment Summary ReportGxP
Relevance Regulated Regulated ERES Relevance
System Risk Level
System GAMP
Category(Yes/No) ER ES (Yes/No) (VH, H,M,L) (1,3,4,5)
PCS.001 Pharma 5 Pharma 5 EBRS 3.0/21 Werum Körber Solutions NA Chargendokumentation
Fermentation/ Aufarbeitung XXX YYY ZZZ Yes Yes
-Master Batch Record-Batch Record-Measurement values (PCS)-Messages (PCS)-weighing values
all manual process stepts
Yes VERY HIGH 5Configurations:- Material Master- Batch Master
PCS.002 Pharma 5 120 ABB WUPWP07-P002 5.1 ABB NA Aufarbeitung XXX YYY ZZZ Yes Yes
-Alarms History-Control Recipes (batch specific)-Sequences-Trends-Messstellen-Alarm Tresholds-Set Points
NA Yes High 5
PCS Aufarbeitung including:- Server (Windows Server 2008)- OS Operative Panels (Windows 7 embedded [Thin Clients])- Controllers
808xA (Handling SW)TCL Builder (Recipts) - MOD 300Contol Builder (Messstellen) MOD 300IMS interface to EBRS
Master Recipe is a SW application developed inside the System (GAMP SW 5). The system is provided with a tool for source code compare
PCS.005_a Pharma 5 120 ChemStation LC B04.03-SP1
[87]Agilent
Technologies HPLC86
- HPLC86 (Agilent Technologies 1200 Series) TCC + Gerstel Multipurpose Sampler MPS3+J17
XXX YYY ZZZ Yes Yes
- Instrument Methods- Methods. Sequences- Raw Data- Results/Report
No Yes Medium 4
Server HDEWUPS0237Interface between PLS ABB WUPWP07-P002 und Online HPLC-Systemen HDEWUPC8342, HDEWUPC8343 und HDEWUPC9055Notes of process on notebookInstrument Methods and Methods are connected (stored on the same file)Process Owner is Pharma 5 but the system is shared with Q and it's also located into Q laboratory. The system was assessed from the Pharma 5 process point of view.
NotesQuality Unit
Business Unit / Department Location Control SW Name SW Version SW Supplier
HW / Controlled
Equipment ID
HW / Controlled Equipment Description
Business Process Owner
Technical Owner
SYSTEM INFORMATION RISK ANALYSIS RESULTS
Interfaced System
(Yes/No)
System ID (Sort field)
ICO
S LS
T80
Seav
isio
n Te
rmof
orm
atric
e K2
60/1
Fede
gari
AU 8
524
Them
a 4
Fede
gari
AU 8
525
Them
a 4
Auto
clav
e M
aste
r 6 D
e La
ma
AU00
9
Sper
latri
ce a
utom
atic
a tu
bofia
le B
reve
tti C
ea A
TM
32+/
DSW
Ope
raPa
lltro
nic
Flow
star
FFS
XC
mat
ricol
a 14
1535
26
Pallt
roni
c Fl
owst
ar F
FSXC
m
atric
ola
1714
6626
Pallt
roni
c Fl
owst
ar F
FSXC
m
atric
ola
0431
0026
+
AQUA
VIT
tipo
AW02
XC
mat
ricol
a 17
0359
28
Com
pute
r Sys
tem
Ope
ra
ATM
2x8
Bila
ncia
pes
apez
zi m
odel
lo
Tecn
oEur
opa
Line
a k2
60 -
2Ite
m B
I001
Etic
hetta
trice
EF/
20 C
ORI
MA
Item
IT00
2
Mac
chin
a as
sem
blat
rice
Item
Y00
2 (S
W M
asm
ec)
84, 87, 88 141 1234 125 430 420 123 123 123 146, 147, 148
146, 147, 148
146, 147, 148
146, 147, 148
PCS_007 PCS_037 PCS_009 PCS_010 PCS_011 PCS_012 PCS_013 PCS_014 PCS_015 PCS_016 PCS_017 PCS_018 PCS_019
H M L L L L L L L L L L L
LOW Short TermMEDIUM Medium Term
HIGH Long Term
FD-05 Access control available but not activated
Security11.10 (d,g),
11.300 (a)
12.112.212.3
x RA6: Implement unique and personal accounts for the SW application
FD-06
Secondary security features (expiry date, minimum lenght, automatic log off) are available but not correctly configured or not activated
Security11.10 (d,g),
11.300 (a)
12.112.212.3
xRA7: Issue a Security SOP regulating a manual or hybrid management of secondary security features.
RA8: Configure secondary security features according to relevant SOP and good practices.
FD-07User list and related privileges is either not available or not updated
Security11.10 (d,g),
11.300 (a)
12.112.212.3
RA9: Implement a user list or update the existing one
FD-08
Roles and privileges conflicts exist since Administrators have multiple accounts including analysts one
Security11.10 (d,g),
11.300 (a)
12.112.212.3
x xRA10: Review user accounts and make sure administrators of the SW application do not have analyst privileges and analyst accounts
FD-09 A backup process is not in place Integrity 11.10 (c)
7.217 x x x
RA11: Execute and document manual backups of system data with a regular frequency (daily/weekly) to be defined in a dedicated procedure
RA12: Implement a process of automatic, daily backup following a relevant procedure and best practiceRA13: Execute and document restore procedure of system data with a regular frequency to be defined in a dedicated procedure
Remediation Actions
Regulatory Exposure = Solved
(i.e.fully compliant solution after the implementation of the corrective action)
Within February 2017
Regulatory Exposure = Mitigated
(i.e.residual Regulatory risks may hold after the implementation of
the corrective action)
For each GAP at least one Remediation action either solving or mitigating is due to be implemented. Immediate implementation of a solving solution
makes un-necessary the presence of mitigation also. SW Upgrade actions will be implemented within 2018
Find
ing
ID
Finding Description Topic
21
CFR
Par
t 11
Ref
eren
ce
Ann
ex 1
1 R
efer
ence
ImpactSystem Risk Level
PriorityWithin July 2016
Within November
SHORT TERM
MEDIUM TERM
LONG TERM
5 – CAPA Plan ExecutionAccess ControlSoDBackup & ArchivingAudit TrailData ProtectionTime Reference Protection
Lack of CSVLack of Procedures
MOST COMMON GAPS
Solve the observed GAPs (Enhance SW features, CSV, SOPs) and.......if a lack of control measures has been observed during the assessment… Solution of observed gaps (e.g.activating audit trail functions and instituting password controls) could be insufficient to address possiblemanipulations of data occurred in the past
CAPA - How To Meet Regulatory ExpectationsCAPA Plan should address control measures for historical data and for observed gaps
CAPA FOR HISTORICAL DATA CAPA FOR OBSERVED GAPS
Assess Historical Data in case the current status is observed as deficient
Reliable Data
Data integrity technical measures
SOPs & CSV to ensure system reliability
CAPA - Historical Data Review
VERIFY TRACE TO SOURCE DATA FOR
EACH STEP
CERTIFICATE OF ANALYSIS
ANALYTICALMETHOD
VALIDATION
RAW DATA
DATA ELABORATION
RESULTS
PAPER LAB NOTEBOOK OUT OF
SPECS
LAB INVESTIGATION
REPORT
INSTRUMENTQUALIFICATION
COMPUTER SYSTEM
VALIDATION
REFERENCE STANDARDS
OPERATORS TRAINING
PRODUCT SPECIFICATIONS
INSTRUMENT
ANALYTICALMETHOD
RESULTS DEMONSTRATING PRODUCT QUALITY RELY UPON
THE ENTIRE CHAIN OF RECORDS
Sample Based Approach For Data ReviewRisk based sampling plans can be defined to identify a sample of selected batches to bereviewed
Zero Acceptance NumberSampling Plans - Fifth Edition
DATE Bacth Number (Bx) 2776 Bacth Number (Bx) Bacth Number (Bx) Bacth Number (Bx)
Process (Px) Sterilization Process (Px) Process (Px) Process (Px)
EQUIPMENT Recipe (Rx) Proram 12 Recipe (Rx) Recipe (Rx) Recipe (Rx)
PROCESS ID ACTION DESCRIPTION ACCEPTANCE CRITERIAPAPERS DOCUMENT TO BE CHECKED
VERIFICATION RESULT(ACCEPTANCE CRITERIA
MET)
NOTES/REFERENCES or
SPECIFICATIONS
VERIFICATION RESULT(ACCEPTANCE CRITERIA
MET)
NOTES/REFERENCES or
SPECIFICATIONS
VERIFICATION RESULT(ACCEPTANCE CRITERIA
MET)
NOTES/REFERENCES or
SPECIFICATIONS
VERIFICATION RESULT(ACCEPTANCE CRITERIA
MET)
NOTES/REFERENCES or
SPECIFICATIONS
CRITICAL PARAMETERS R01Are critical parameters recorded on the system and used for the process execution the same as reported in the relevant paper document?
Yes.Process parameters stored in the system match the values reported in the paper document
- Batch Record [X]-Master Batch record [X]- Equipment Logbook [ ]- Process Validation [ ]- Users Training [ ]
RECIPES R02Are Recipes used for the process execution the same as reported in the relevant paper document?
Yes.Recipes stored in the system match with recipes reported in the paper document
- Batch Record [X]-Master Batch record [X]- Equipment Logbook [ ]- Process Validation [ ]- Users Training [ ]
PROCESS EXECUTION R03Are Batch Data saved on the system the same as reported in the relevant process phase of paper document?
Batch Data related to the process execution (process results) are the same as reported in the paper document
- Batch Record [X ]- Equipment Logbook [ ]- Process Validation [ ]- Users Training [ ]
PROCESS OPERATOR R04Are Users configured on system consistent with the Users reported in the relevant paper document?
Users configured on system are consistent with those reported in the relevant paper document
- Batch Record [ ]- Equipment Logbook []- Process Validation [ ]- Users Training [X]- Users List [X]
PROCESS OPERATOR R05
Check the consistency between operations/Users recorded on the Bacth Record and operations/Users traced in the Audit Trail (if available)
Operations executed on system match with the Audit Trail record
- Batch Record [X]- Equipment Logbook [ ]- Process Validation [ ]- Users Training [ ]
PROCESS OPERATOR R06
Check the consistency between operations/Users recorded on the Bacth Record and operations/Users traced in the relevant paper document (if Audit Trail is not available)
Operations executed by Users on system match with the relevant paper document
- Batch Record [X]- Equipment Logbook [X]- Process Validation [ ]- Users Training [ ]
PROCESS VALIDATION R07Are critical parameters used for the process execution within the tolerance values verified during the Process Validation (PQ)?
Critical parameters used for the process execution are within the tolerance values verified during the Process Validation (PQ)
- Batch Record [ ]- Equipment Logbook [ ]- Process Validation [X]- Users Training [ ]
REPORT TIMESTAMP R08Are Date and Time of process Results saved on system consistent with those reported in the relevant paper document?
Date and Time saved on system are consistent with those reported in the relevant paper document
- Batch Record [X]- Equipment Logbook [ ]- Process Validation [ ]- Users Training [ ]
DOCUMENT ID
SYSTEM
SAMPLE DATA #3 SAMPLE DATA #4
COMPANY
ACCESS CONTROL & GENERIC USERS ASSESSMENT RESULTS: MITIGATION ACTIONS AND RETROSPECTIVE REVIEW SUMMARY PLAN
SAMPLE DATA #1 SAMPLE DATA #2
Cross Check of information available on Paper and Electronic Records
CAPA – Solution of Observed (Technology) GapsSystem specific solutions depend on IT scenario boundary conditions
IT Architecture: Stand-alone vs Client-ServerConnection to Domain Network (for stand alone)SW Infrastructure (e.g. Operating Systems)SW Applications
Configure restrictions/policies of SW Application and/or Operating System
Install and configure externalSW Tools (mirroring, security, back-up)
Paper-based work-aroundfor Interim Mitigation
System Replacement / Upgrade of SW application release
CAPA – Solution of Observed (Documentation) GAPsValidation Life-Cyle for Systems managing Regulated Electronic Records
DOCUMENTED EVIDENCE OF COMPLIANCE
Conclusions
“It takes something more than intelligence to act intelligently”
Фёдор ДостоевскийПреступление и наказание