Additional Information
Book Details
Abstract
Guiding chromatographers working in regulated industries and helping them to validate their chromatography data systems to meet data integrity, business and regulatory needs. This book is a detailed look at the life cycle and documented evidence required to ensure a system is fit for purpose throughout the lifecycle. Initially providing the regulatory, data integrity and system life cycle requirements for computerised system validation, the book then develops into a guide on planning, specifying, managing risk, configuring and testing a chromatography data system before release. This is followed by operational aspects such as training, integration and IT support and finally retirement. All areas are discussed in detail with case studies and practical examples provided as appropriate.
The book has been carefully written and is right up to date including recently released FDA data integrity guidance. It provides detailed guidance on good practice and expands on the first edition making it an invaluable addition to a chromatographer’s book shelf.
Table of Contents
Section Title | Page | Action | Price |
---|---|---|---|
Cover | Cover | ||
Validation of Chromatography Data Systems: Ensuring Data Integrity, Meeting Business and Regulatory Requirements 2nd Edition | i | ||
Preface to the First Edition | v | ||
Preface to the Second Edition | vii | ||
Biography | ix | ||
Acknowledgements | xi | ||
Contents | xiii | ||
Chapter 1 - How to Use this Book | 1 | ||
1.1 Purpose and Scope | 1 | ||
1.2 The Way It Was… | 2 | ||
1.3 The Way It Should Be… | 3 | ||
1.4 Book Structure: Life to Death of a CDS | 3 | ||
1.4.1 Chapter Structure | 4 | ||
1.4.2 Part 1: Understanding the Basics | 6 | ||
1.4.3 Part 2: Planning the Work | 7 | ||
1.4.4 Part 3: Selecting the System | 8 | ||
1.4.5 Part 4: Risk, Traceability, Configuration, Installation and Integration | 9 | ||
1.4.6 Part 5: User Acceptance Testing | 10 | ||
1.4.7 Part 6: Supporting Documentation and System Release | 10 | ||
1.4.8 Part 7: Maintaining the Validation Status | 11 | ||
1.4.9 Part 8: Records Retention and System Retirement | 12 | ||
1.4.10 Part 9: When All Else Fails: Retrospective Validation of a CDS | 12 | ||
1.4.11 Ensuring Data Integrity | 12 | ||
1.4.12 Importance of the Second Person Review in Ensuring Data Integrity | 13 | ||
1.5 Use Your Organisation’s Computer Validation Procedures | 13 | ||
1.5.1 Terminology Used in this Book | 14 | ||
1.6 Why Does it Take so Long to Validate a CDS | 14 | ||
1.6.1 CDS Validation: The Way It Is | 14 | ||
1.6.2 CDS Validation: The Way It Should Be | 14 | ||
1.6.3 The Core System | 15 | ||
1.7 Ten Critical Success Factors for Fast CDS Validation | 16 | ||
1.7.1 Management Involvement and Backing | 16 | ||
1.7.2 Dedicated Key Project Team Members | 17 | ||
1.7.3 Use an Appropriate Life Cycle Model | 17 | ||
1.7.4 Knowledge of the CDS Application | 18 | ||
1.7.5 Active and Flexible Quality Assurance Involvement | 18 | ||
1.7.6 Effective and Compliant IT Participation | 18 | ||
1.7.7 Use the Supplier Effectively | 19 | ||
1.7.8 Planning, Planning and Planning | 20 | ||
1.7.9 Focus on the Core System | 20 | ||
1.7.10 Get More from Less Testing | 21 | ||
1.8 Assumptions, Exclusions and Limitations | 21 | ||
Chapter 2 - What is a CDS The Past, Present and Future | 22 | ||
2.1 Introduction to Chromatography Data Systems | 22 | ||
2.2 What is a Chromatography Data System | 22 | ||
2.2.1 Types of Chromatography Data System | 23 | ||
2.2.2 Naming Conventions | 25 | ||
2.2.3 Data Acquisition Files | 25 | ||
2.2.4 Instrument Control Files | 26 | ||
2.2.5 Sequence File | 27 | ||
2.2.6 Acquisition of Chromatographic Data | 27 | ||
2.2.7 Management of Data: Database or Files | 28 | ||
2.2.8 Interpretation of Chromatographic Data | 28 | ||
2.2.9 System Suitability Test (SST) Calculations | 30 | ||
2.2.10 Calibration | 30 | ||
2.2.11 User Defined Analytical Run Parameters | 31 | ||
2.2.12 Collation of Results and Reports | 32 | ||
2.2.13 Architecture of a Networked CDS | 32 | ||
2.3 Evolution of Chromatography Data Systems | 33 | ||
2.3.1 CDS: Where Have We Come From | 33 | ||
2.3.2 The Evolutionary Ages of CDS | 34 | ||
2.4 Stone Age: Paper Based Peak Measurement Techniques | 35 | ||
2.4.1 Cut and Weigh | 36 | ||
2.4.2 Ruler and Pencil | 36 | ||
2.4.3 Disk Integrator | 37 | ||
2.4.4 Summary of Stone Age CDS | 37 | ||
2.5 Bronze Age: Electronic Peak Measurement | 38 | ||
2.5.1 Central Data Systems | 38 | ||
2.5.2 Computing Integrators | 38 | ||
2.5.3 Summary of Bronze Age CDS | 39 | ||
2.6 Iron Age: Expansion to Include Instrument Control | 40 | ||
2.6.1 Standalone PCs: Extension to Instrument Control | 40 | ||
2.6.2 PC Client–Server Networks | 40 | ||
2.6.3 Summary of Iron Age CDS | 41 | ||
2.7 Technology Age: Electronic Working and Regulatory Compliance | 41 | ||
2.7.1 Migrating from Paper to Electronic Records | 41 | ||
2.7.2 Part 11 Regulatory Compliance Features | 42 | ||
2.7.3 Compliant Electronic Working Practices | 42 | ||
2.7.4 Summary of Technology Age CDS | 42 | ||
2.8 Think When You Use a CDS | 43 | ||
2.9 Quo Vadis CDS | 43 | ||
2.9.1 Networked CDS Architecture | 44 | ||
2.9.2 Data Management via a Database | 45 | ||
2.9.3 Independent IT Support | 46 | ||
2.9.4 Interfaces to Instruments and Systems | 47 | ||
2.9.5 Open Data File Formats | 47 | ||
2.9.6 Method Development Function | 47 | ||
2.9.7 Analytical Procedure Validation | 48 | ||
2.9.8 Trending Analytical Data | 48 | ||
2.9.9 Additional Functions for Electronic Working | 50 | ||
2.9.10 Laboratory Investigation Module | 51 | ||
2.9.11 Documenting Configuration Settings | 51 | ||
2.9.12 Automated Instrument Qualification | 52 | ||
2.9.13 Securing Metadata for Ensuring Data Integrity | 53 | ||
2.9.14 Improved Audit Trail Review | 53 | ||
2.9.15 Compliance Control in Unattended Analysis | 54 | ||
References | 55 | ||
Chapter 3 - Laboratory Informatics and the Role of a CDS | 57 | ||
3.1 Laboratory Informatics Applications | 57 | ||
3.1.1 Instrument Data Systems | 58 | ||
3.1.2 Electronic Laboratory Notebooks (ELN) | 58 | ||
3.1.3 Scientific Data Management Systems (SDMS) | 59 | ||
3.1.4 Laboratory Information Management Systems (LIMS) | 59 | ||
3.1.5 Application Convergence | 60 | ||
3.1.6 Data Analysis Applications | 60 | ||
3.2 Islands of Automation in an Ocean of Paper | 61 | ||
3.2.1 The Current Situation | 61 | ||
3.2.2 Interfacing Laboratory Informatics Applications | 61 | ||
3.2.3 Why Interface Laboratory Informatics Applications | 62 | ||
3.2.4 Interfacing in Detail | 62 | ||
3.2.5 Overview of Interfacing a CDS to a LIMS | 63 | ||
3.3 The Role of a CDS in Laboratory Informatics | 65 | ||
3.3.1 The Laboratory Jig-Saw | 65 | ||
3.4 The Operating Principles of an Electronic Laboratory | 65 | ||
3.4.1 Standalone Data Systems Cannot be Integrated into an Electronic Laboratory | 66 | ||
3.5 Developing a Strategy for an Electronic Laboratory | 67 | ||
3.6 Strategic Planning for an Electronic Laboratory | 67 | ||
3.7 Systems and the Operating Principles of the Electronic Laboratory | 68 | ||
3.8 Phased Implementation of Systems | 70 | ||
3.9 Justification of Individual Systems | 72 | ||
References | 73 | ||
Chapter 4 - Applicable GXP Regulations and Guidance for CSV | 74 | ||
4.1 When All Else Fails Read and Understand the Regulations | 74 | ||
4.1.1 Why Read the Regulations | 74 | ||
4.1.2 Approach to Regulations in this Book | 75 | ||
4.2 Regulations and Guidance Impacting Computerised Systems | 76 | ||
4.2.1 Scope of Regulations and Guidance | 76 | ||
4.2.2 Computerised Systems are Often Equated to Equipment or Apparatus | 76 | ||
4.3 Good Manufacturing Practice (GMP) Regulations and Guidance | 78 | ||
4.3.1 FDA Good Manufacturing Practice (GMP) 21 CFR 211 | 78 | ||
4.3.2 Update of 21 CFR 211: 2007–2008 | 81 | ||
4.3.3 Inspection of Pharmaceutical Quality Control Laboratories | 82 | ||
4.3.4 Compliance Program Guidance 7346.832 for Pre-Approval Inspections (PAI) | 83 | ||
4.3.5 FDA Guidance for Industry: Circumstances that Constitute Delaying, Denying, Limiting, or Refusing a Drug Inspection | 84 | ||
4.3.6 European Union GMP Regulations | 84 | ||
4.3.7 EU GMP Part 2 & ICH Q7: GMP for Active Pharmaceutical Ingredients | 85 | ||
4.3.8 Japanese GMP Regulations | 86 | ||
4.3.9 Japanese GMP Guidance for Computerised Systems | 88 | ||
4.3.10 PIC/S Guidance on Computerised Systems in GXP Environments | 89 | ||
4.3.11 PIC/S Guidance for Validation Master Plans | 90 | ||
4.3.12 WHO GMP Recommendations | 90 | ||
4.3.13 FDA Level 2 GMP Guidance Records and Reports | 91 | ||
4.3.14 Good Automated Manufacturing Practice (GAMP) Guidelines | 92 | ||
4.3.15 GAMP Good Practice Guide for Validation of Laboratory Computerised Systems | 93 | ||
4.4 Medical Device Good Manufacturing Practice | 93 | ||
4.4.1 An Overview of Medical Device Regulations | 93 | ||
4.4.2 Quality System Regulation for Medical Devices: 21 CFR 820 | 94 | ||
4.4.3 FDA Guidance: General Principles of Software Validation | 95 | ||
4.4.4 ISO 13485 and EN 62304 | 96 | ||
4.5 Good Laboratory Practice Regulations and Guidance | 96 | ||
4.5.1 Overview of GLP | 96 | ||
4.5.2 Aims of GLP | 97 | ||
4.5.3 GLP Regulations and Guidance Reviewed | 98 | ||
4.5.4 US Good Laboratory Practice Regulations for Non-Clinical Studies (21 CFR 58) | 98 | ||
4.5.5 Japanese Good Laboratory Practice Regulations | 99 | ||
4.5.6 OECD Good Laboratory Practice Regulations | 99 | ||
4.5.7 OECD GLP Guidance Document Number 10 | 100 | ||
4.5.8 OECD GLP Guidance Document Number 17 | 102 | ||
4.5.9 WHO GLP Handbook Second Edition 2009 | 103 | ||
4.5.10 Drug Information Association (DIA) Red Apple Guidance 1988 and 2008 | 104 | ||
4.5.11 Swiss AGIT GLP Guidance Documents | 105 | ||
4.6 Good Clinical Practice Regulations | 107 | ||
4.6.1 ICH Good Clinical Practice | 107 | ||
4.6.2 Good Clinical Laboratory Practice | 108 | ||
4.6.3 FDA Guidance Computerised Systems in Clinical Investigations | 109 | ||
4.7 21 CFR 11 – Electronic Records and Electronic Signatures Regulation | 112 | ||
4.7.1 21 CFR 11 is an Integrated Regulation | 112 | ||
4.7.2 Interpret 21 CFR 11 by the Applicable Predicate Rule | 113 | ||
4.7.3 The Need for 21 CFR Part 11 Assessment of Software | 114 | ||
4.7.4 Current FDA Activities on 21 CFR 11 | 115 | ||
4.8 European Union GMP Annex 11 and Chapter 4 | 115 | ||
4.8.1 Introduction | 115 | ||
4.8.2 EU GMP Overview | 116 | ||
4.8.3 Increased Scope of Annex 11 | 116 | ||
4.8.4 Risk Management Throughout the Life Cycle | 117 | ||
4.8.5 New Roles and Responsibilities | 117 | ||
4.8.6 Suppliers and Service Providers | 118 | ||
4.8.7 Validation | 119 | ||
4.8.8 Annex 11 Controls for Ensuring Data Integrity | 120 | ||
4.8.9 Electronic Signatures | 121 | ||
4.8.10 IT Support of Validated Computer Systems | 121 | ||
4.8.11 Maintaining Validation | 122 | ||
4.8.12 What has been Omitted in the New Annex 11 | 122 | ||
4.8.13 EU GMP Chapter 4: Major Changes | 123 | ||
4.8.14 Principle: Define Raw Data | 123 | ||
4.8.15 Generation and Control of Documentation | 124 | ||
4.8.16 Dead as a Dodo: My Raw Data are Paper | 125 | ||
4.8.17 Retention of Documents | 125 | ||
4.9 United States Pharmacopoeia ၘ on Analytical Instrument Qualification | 126 | ||
4.9.1 Overview of USP General Chapters | 126 | ||
4.9.2 Origins of USP ၘ on Analytical Instrument Qualification | 127 | ||
4.9.3 AIQ Life Cycle | 128 | ||
4.9.4 The Data Quality Triangle | 129 | ||
4.9.5 Classification of Apparatus, Instruments and Systems | 133 | ||
4.9.6 Problems with the Current USP ၘ | 134 | ||
4.9.7 Progress Updating USP ၘ | 136 | ||
4.9.8 What has Changed in the In-Process Revisions of USP ၘ | 137 | ||
4.9.9 Is the Proposed USP ၘ Better | 137 | ||
4.9.10 Definition of Qualification | 137 | ||
4.10 GXP Regulations and Guidance Summary for Computerised Systems | 141 | ||
References | 141 | ||
Chapter 5 - Concepts of Computer Validation | 147 | ||
5.1 Why Bother to Validate Your Software | 147 | ||
5.1.1 Investment Protection | 147 | ||
5.1.2 Consistent Product Quality | 148 | ||
5.1.3 Compliance with Regulations | 148 | ||
5.1.4 Ensure Data Integrity | 148 | ||
5.1.5 Protection of Intellectual Property | 148 | ||
5.2 What is Computerised System Validation (CSV) | 148 | ||
5.2.1 Definitions of Computerised System Validation | 148 | ||
5.2.2 Key Concepts of Computer Validation | 149 | ||
5.3 What is a Computerised System | 150 | ||
5.4 What Computer Validation is and is not | 152 | ||
5.4.1 Principles of Computer Validation | 152 | ||
5.4.2 Computer Validation Assumptions and Misconceptions | 152 | ||
5.4.3 Problems with Computer Validation | 152 | ||
5.5 Corporate Computer Validation Policy | 157 | ||
5.6 Changing Approaches to CSV Due to Data Integrity Issues | 159 | ||
5.6.1 Traditional Computerised System Validation | 159 | ||
5.6.2 Process, Process, Process | 160 | ||
5.6.3 A Validated System with Vulnerable Records Means Data Integrity Problems | 162 | ||
5.6.4 Back to the Future | 162 | ||
5.6.5 Brave New CSV World | 163 | ||
5.6.6 Turning principles into practice | 164 | ||
References | 165 | ||
Chapter 6 - Understanding Software Categories and System Life Cycles | 167 | ||
6.1 What Do the Regulators Want | 167 | ||
6.1.1 EU GMP Annex 11 | 167 | ||
6.1.2 FDA Guidance on General Principles of Software Validation | 168 | ||
6.1.3 Regulatory Summary | 168 | ||
6.2 Business Rationale | 168 | ||
6.3 GAMP Software Categories | 169 | ||
6.3.1 Origins of the GAMP Guide | 169 | ||
6.3.2 GAMP 5 Software Classification Categories | 169 | ||
6.3.3 Why Classify Software | 171 | ||
6.4 Software Classification Changes and their Laboratory Impact | 171 | ||
6.4.1 Category 1: Greatly Expanded Scope – Infrastructure Software | 171 | ||
6.4.2 Category 2: Ignore the Discontinuation of Firmware Classification – but with Care | 173 | ||
6.4.3 Software Silos or Software Continuum | 176 | ||
6.4.4 Category 3 Software: What’s in a Name | 176 | ||
6.4.5 Category 4: Configured Products Refined | 177 | ||
6.4.6 Category 4 and 5 Software: Configure Versus Customise – Where is the Line | 177 | ||
6.4.7 Category 5: Custom Applications, Macros and Modules | 178 | ||
6.4.8 Users and the Software Screw-Up Factor | 179 | ||
6.4.9 A Modified Software Classification | 181 | ||
6.4.10 Do Not Use the Term COTS Software | 182 | ||
6.5 Why is a System Life Cycle Model Important | 182 | ||
6.5.1 Overview | 182 | ||
6.5.2 Using V Life Cycle Models | 183 | ||
6.5.3 Do Not Forget Validation Control | 184 | ||
6.5.4 Category 3 Life Cycle Model | 185 | ||
6.5.5 Category 4 Life Cycle Model – Complex Version | 185 | ||
6.5.6 Category 4 Life Cycle Model – Simple Version | 187 | ||
6.5.7 System Life Cycle Summary | 188 | ||
6.6 Defining the Documentation for a CDS Validation | 188 | ||
6.6.1 A CDS is GAMP Category 4 Software | 188 | ||
6.6.2 Compliance Health Warning | 190 | ||
6.6.3 Interpreting the System Life Cycle Deliverables for a CDS | 190 | ||
6.6.4 Document Controls | 190 | ||
References | 193 | ||
Chapter 7 - Ensuring Data Integrity for Chromatography Data Systems | 194 | ||
7.1 What the Regulators Want | 194 | ||
7.1.1 EU Good Manufacturing Practice | 194 | ||
7.1.2 EU GMP Chapter 4 on Documentation | 195 | ||
7.1.3 Overview of Regulatory Guidance for Data Integrity | 195 | ||
7.1.4 FDA Compliance Program Guide 7346.832 on Pre Approval Inspections | 197 | ||
7.1.5 PIC/S Guidance Documents | 198 | ||
7.1.6 FDA Level 2 Guidance | 198 | ||
7.1.7 Delaying, Denying, Limiting or Refusing an FDA Inspection | 199 | ||
7.1.8 MHRA GMP Data Integrity Guidance | 199 | ||
7.1.9 WHO Guidance on Good Data and Records Management Practices | 200 | ||
7.1.10 FDA Guidance on Data Integrity and Compliance with cGMP | 201 | ||
7.1.11 Regulations and Regulatory Guidance Summary | 202 | ||
7.2 What is Data Integrity | 202 | ||
7.2.1 A Plethora of Definitions | 202 | ||
7.2.2 What do the Definitions Mean | 202 | ||
7.2.3 Criteria for Integrity of Laboratory Data | 203 | ||
7.3 Chromatography Data Systems in Falsification and Fraud | 204 | ||
7.3.1 A Brief History of Data Falsification and Testing into Compliance | 204 | ||
7.3.2 Able Laboratories Fraud Case 2005 | 204 | ||
7.3.3 Overview of Regulatory Citations for CDS in FDA Warning Letters | 206 | ||
7.3.4 Quality Management System Failures | 207 | ||
7.3.5 Equipment Citations | 208 | ||
7.3.6 Citations for Lack of Laboratory Controls | 209 | ||
7.3.7 Failure to Have Complete Laboratory Records | 210 | ||
7.4 A Data Integrity Model | 211 | ||
7.4.1 The Concept of Data Governance | 211 | ||
7.4.2 Layers of Data Integrity | 212 | ||
7.4.3 Focus on the Laboratory Levels of the Data Integrity Model | 213 | ||
7.4.4 Foundation Layer: Right Corporate Culture for Data Integrity | 213 | ||
7.4.5 Layer 1: Right Instrument and System for the Job | 216 | ||
7.4.6 Layer 2: Right Analytical Procedure for the Job | 216 | ||
7.4.7 Layer 3: Right Analysis for the Right Reportable Result | 217 | ||
7.4.8 Linking the Data Integrity Model to the Analytical Process | 217 | ||
7.4.9 Quality No Longer Owns Quality | 219 | ||
7.5 Environmental Analysis and an Approach to Data Integrity | 219 | ||
7.5.1 Background to EPA and Data Integrity | 219 | ||
7.5.2 NELAC and Laboratory Accreditation | 220 | ||
7.5.3 NELAC Quality System | 220 | ||
7.5.4 NELAC Data Integrity Training | 222 | ||
7.6 Data Integrity Foundation: Data Governance | 223 | ||
7.6.1 Management Leadership and Oversight | 226 | ||
7.6.2 Data Integrity Policy | 226 | ||
7.6.3 Regulatory Requirements for GMP Training | 227 | ||
7.6.4 Data Integrity Policy Training | 229 | ||
7.6.5 Open Culture | 231 | ||
7.6.6 Good Documentation Practice Training | 231 | ||
7.6.7 Data Integrity Training for a Chromatography Data System: Operational SOPs | 232 | ||
7.6.8 Data Integrity Audits and Investigations | 232 | ||
7.7 Establishing Data Criticality and Inherent Integrity Risk | 234 | ||
7.7.1 Regulatory Background | 234 | ||
7.7.2 Spectrum of Laboratory Processes and Systems | 235 | ||
7.7.3 The Data Life Cycle | 237 | ||
7.7.4 Managing the CDS Data: Data Owners and Data Stewards | 239 | ||
7.7.5 System Assessment and Remediation | 240 | ||
7.8 CDS Compliance Commandments | 242 | ||
7.8.1 Management are Responsible | 243 | ||
7.8.2 Understand the Applicable Regulations for Laboratory Records | 243 | ||
7.8.3 Use a CDS that is Networked and Uses a Database | 246 | ||
7.8.4 Document the CDS Application Configuration Settings | 246 | ||
7.8.5 Work Electronically | 246 | ||
7.8.6 Identify Each User Uniquely and have Adequate Password Controls | 246 | ||
7.8.7 Separate Roles with Different Access Privileges | 247 | ||
7.8.8 Define Methods that Can and Cannot be Modified | 248 | ||
7.8.9 An SOP for Chromatographic Integration | 248 | ||
7.8.10 Control Changes to the System | 248 | ||
7.8.11 Only Trained Staff Must Operate the System | 249 | ||
7.8.12 Define and Document Electronic Records for the System | 249 | ||
7.8.13 Review the Audit Trail Entries for Each Batch | 251 | ||
7.8.14 Backup the System Regularly | 251 | ||
7.8.15 Conduct Data Integrity Audits | 252 | ||
7.8.16 Control Blank Forms | 252 | ||
7.9 Audit Trails and an Introduction to Second Person Review | 254 | ||
7.9.1 EU GMP Annex 11 | 254 | ||
7.9.2 FDA Guidance on Data Integrity and cGMP Compliance | 254 | ||
7.9.3 Which Audit Trail Should Be Reviewed | 255 | ||
7.9.4 How Regular is a Regular Review of Audit Trail Entries | 256 | ||
7.10 Is The Chromatographic System Ready to Run | 259 | ||
7.10.1 “Test” or “Prep” Injections Using Samples | 259 | ||
7.10.2 FDA Guidance for Using Actual Samples for SST Injections | 259 | ||
7.10.3 Role of System Evaluation Injections | 260 | ||
References | 261 | ||
Chapter 8 - CDS Validation: Managing System Risk | 266 | ||
8.1 What Do the Regulators Want | 266 | ||
8.1.1 EU GMP Annex 11 | 266 | ||
8.1.2 FDA Guidance on Part 11 Scope and Application | 267 | ||
8.1.3 FDA General Principles of Software Validation | 267 | ||
8.1.4 PIC/S Guidance on Computerised Systems in GXP Environments | 267 | ||
8.1.5 OECD Guidance 17 on Application of GLP Principles to Computerised Systems | 267 | ||
8.1.6 Regulatory Summary | 268 | ||
8.2 Risk Management: Balancing Compliance and Non-Compliance | 269 | ||
8.3 Overview of a System Risk Assessment | 270 | ||
8.3.1 Overview of the Laboratory Risk Assessment | 270 | ||
8.3.2 USP ၘ Based Integrated AIQ and CSV Risk Assessment | 271 | ||
8.3.3 Risk Assessment Flow Chart | 273 | ||
8.3.4 Define the Item and the Intended Use | 274 | ||
8.3.5 Does the Item Carry Out Any GXP Work | 274 | ||
8.3.6 Identification of Software, Apparatus, Instrument or System | 276 | ||
8.3.7 Separating Instruments from Systems | 277 | ||
8.3.8 Group C Systems – Documenting the GAMP Software Category | 277 | ||
8.3.9 Group C Systems: Determining the Record Impact | 280 | ||
8.3.10 Group C System Sub-Classification | 280 | ||
References | 282 | ||
Chapter 9 - Working Electronically and Using Electronic Signatures | 284 | ||
9.1 What Do the Regulators Want | 285 | ||
9.1.1 EU GMP Annex 11 | 285 | ||
9.1.2 21 CFR 11 Main Electronic Signature Requirements | 285 | ||
9.1.3 Signature Requirements in GXP Regulations | 286 | ||
9.1.4 21 CFR 11 is an Integrated Regulation | 286 | ||
9.1.5 FDA GMP Regulations: Number of Signatures and Order of Signing | 286 | ||
9.1.6 Regulations Summary | 287 | ||
9.2 Process Redesign is Essential for Working Electronically | 287 | ||
9.2.1 Rationale for Using Electronic Signatures | 287 | ||
9.2.2 Understand the Current Process | 288 | ||
9.3 Process Mapping and Analysis | 288 | ||
9.3.1 Importance of Understanding the Process | 288 | ||
9.3.2 Map the Current Process | 289 | ||
9.3.3 Other Benefits from Redesigning the Process | 289 | ||
9.3.4 Leverage Benefits from Other Laboratory Applications | 293 | ||
9.4 Case Study Descriptions | 293 | ||
9.4.1 Case Study 1 | 293 | ||
9.4.2 Case Study 2 | 296 | ||
9.5 Optimising the Workflow for Electronic Signatures – Case Study 1 | 296 | ||
9.5.1 The Current Process | 296 | ||
9.5.2 Basic Process Improvement Ideas | 297 | ||
9.5.3 The Redesigned Process | 297 | ||
9.6 Optimising the Workflow for Electronic Signatures – Case Study 2 | 298 | ||
9.6.1 The Current Process | 298 | ||
9.6.2 The Redesigned Process | 299 | ||
9.7 Using the CDS for Automated Compliance | 300 | ||
9.8 Implementing Electronic Signatures Successfully | 300 | ||
9.8.1 Understand the Process | 300 | ||
9.8.2 Electronic Signatures Components | 301 | ||
References | 302 | ||
Chapter 10 - Writing the User and System Requirements | 303 | ||
10.1 What Do the Regulators Want | 303 | ||
10.1.1 FDA GMP and GLP Predicate Rules | 303 | ||
10.1.2 EU GMP Annex 11 | 303 | ||
10.1.3 PIC/S Guide Computerised Systems in GXP Environments | 304 | ||
10.1.4 General Principles of Software Validation | 304 | ||
10.1.5 Regulatory Summary | 304 | ||
10.2 Business Rationale for Writing a URS | 304 | ||
10.3 Contents of a Chromatography Data System URS | 305 | ||
10.3.1 Writing a URS to Select a CDS and Supplier | 305 | ||
10.3.2 Link the URS to a Specific Software Version | 306 | ||
10.3.3 Sections of the URS | 306 | ||
10.4 Guidance for Writing the Requirements | 309 | ||
10.4.1 Sub-Divide the Major URS Sections | 309 | ||
10.4.2 General Guidance for Requirements | 309 | ||
10.4.3 URS Issues to Consider | 310 | ||
10.4.4 Making the Requirements Traceable | 311 | ||
10.4.5 Reviewing the URS | 312 | ||
10.5 Writing Testable or Verifiable Requirements | 312 | ||
10.5.1 How Not To Do It | 312 | ||
10.5.2 Writing Well-Formed Requirements | 313 | ||
10.5.3 Orphan Requirements | 315 | ||
10.5.4 Key Criteria for User Requirements | 315 | ||
10.6 Updating the URS | 316 | ||
10.6.1 A URS is a Living Document | 316 | ||
10.6.2 Maintaining Traceability with URS Updates | 316 | ||
10.6.3 Helping the Reviewers of the Updated URS | 316 | ||
10.7 Configuration Specification | 317 | ||
10.7.1 Areas for Application Configuration in a CDS | 317 | ||
References | 318 | ||
Chapter 11 - Controlling the Validation | 319 | ||
11.1 What Do The Regulators Want | 319 | ||
11.1.1 EU GMP Annex 11 | 319 | ||
11.1.2 EU GMP Annex 15 – Qualification and Validation | 320 | ||
11.1.3 General Principles of Software Validation | 320 | ||
11.1.4 PIC/S Guidance Document | 320 | ||
11.1.5 Regulatory Requirements Summary | 320 | ||
11.2 Validation Plan or Validation Master Plan | 321 | ||
11.2.1 What’s in a Name | 321 | ||
11.2.2 Relationship Between a Validation Master Plan and Validation Plan | 321 | ||
11.3 Content of the Validation Plan | 322 | ||
11.3.1 Title of the Validation Plan: Include the Name and Version of the Application | 323 | ||
11.3.2 Purpose of the Plan and Scope of the System | 324 | ||
11.3.3 When to Write the Validation Plan | 324 | ||
11.3.4 Do not Include a System Description | 325 | ||
11.3.5 Project Plan and Overall Timescales | 325 | ||
11.3.6 One Validation Plan for the System Life or one for Each Software Version | 326 | ||
11.3.7 Roles and Responsibilities | 326 | ||
11.3.8 Validation Team Considerations | 328 | ||
11.3.9 Defining Life Cycle Tasks | 329 | ||
11.4 Defining a Validation Strategy for Some CDS Systems | 330 | ||
11.4.1 Validation Strategy for Four Instances of a CDS | 331 | ||
References | 332 | ||
Chapter 12 - System Selection | 333 | ||
12.1 What Do the Regulators Want | 333 | ||
12.1.1 EU GMP Annex 11 | 333 | ||
12.1.2 PIC/S Guidance PI-011 | 334 | ||
12.1.3 Regulations Summary | 334 | ||
12.2 Investment Protection Versus Seduction by Technology | 334 | ||
12.3 The System Selection Process | 335 | ||
12.3.1 Write an Initial URS for Selecting the System | 335 | ||
12.3.2 Generate a List of Potential Suppliers | 335 | ||
12.3.3 Determine Selection Criteria and Evaluation Tests Now | 335 | ||
12.3.4 Prepare the Invitation to Tender/Request for Proposal | 337 | ||
12.3.5 Evaluate the Supplier ITT Responses | 338 | ||
12.3.6 Testing Systems Against Your Requirements | 338 | ||
12.3.7 Consider User Training Now! | 339 | ||
12.3.8 Visit or Talk with Existing Users | 339 | ||
12.3.9 System Selection and Report | 339 | ||
References | 340 | ||
Chapter 13 - Assessing the CDS Supplier | 341 | ||
13.1 What Do the Regulators Want | 341 | ||
13.1.1 EU GMP Annex 11 | 341 | ||
13.1.2 Preamble to 21 CFR 11 Final Rule | 342 | ||
13.1.3 PIC/S Guide on Computerised Systems in GXP Environments | 342 | ||
13.1.4 Regulatory Requirements Summary | 342 | ||
13.2 Software Quality and Business Risk | 343 | ||
13.3 Rationale for a Supplier Assessment | 343 | ||
13.3.1 ISO 9000: Saint or Sinner | 343 | ||
13.3.2 ISO 9001 and ISO 90003 | 344 | ||
13.3.3 Supplier Certificates of Validation | 345 | ||
13.3.4 Marketing Literature and Contracts | 346 | ||
13.4 When Do I Assess the CDS Supplier | 346 | ||
13.4.1 First, Second or Third Party Assessment or Audit | 347 | ||
13.4.2 On-Site Audit or Remote Assessment | 347 | ||
13.4.3 Remote Supplier Audit | 347 | ||
13.4.4 Remote Assessment with Follow-Up Conference Call | 348 | ||
13.5 On-Site Supplier Audits | 349 | ||
13.5.1 Preparation for an Audit | 349 | ||
13.5.2 The Scope of an On-Site Audit | 351 | ||
13.5.3 The Role of an Audit Checklist | 353 | ||
13.5.4 Software Development – The Move to Agile | 354 | ||
13.5.5 Writing the Audit Report | 355 | ||
13.6 Using the Supplier Audit to Reduce PQ Testing | 356 | ||
References | 357 | ||
Chapter 14 - Negotiating the Contract and Purchasing the System | 358 | ||
14.1 What Do the Regulators Want | 358 | ||
14.1.1 EU GMP Annex 11 | 358 | ||
14.1.2 Regulatory Requirements Summary | 359 | ||
14.2 The Contract and Protection of Rights | 359 | ||
14.2.1 Rationale for Negotiating the Contract | 359 | ||
14.2.2 Overview of the Contract | 359 | ||
14.2.3 Some Key Clauses of a Contract | 360 | ||
14.3 Purchase Order: Defining the Initial Configuration | 363 | ||
References | 363 | ||
Chapter 15 - Planning the Installation of the System | 364 | ||
15.1 What Do the Regulators Want | 364 | ||
15.1.1 US GMP 21 CFR 211: Subpart D – Equipment | 364 | ||
15.1.2 EU GMP Chapter 3: Premises and Equipment | 364 | ||
15.1.3 Regulatory Summary | 365 | ||
15.2 Business Rationale for an Installation Plan | 365 | ||
15.3 Preparing for System Installation | 365 | ||
15.3.1 The CDS System Installation Plan | 365 | ||
15.3.2 Laboratory Plan | 366 | ||
References | 367 | ||
Chapter 16 - CSV Risk Management Requirements Level Assessment | 368 | ||
16.1 What Do the Regulators Want | 368 | ||
16.1.1 EU GMP Annex 11 | 368 | ||
16.1.2 FDA Guidance for Industry: Part 11 Scope and Application | 369 | ||
16.1.3 PIC/S Guidance on Computerised Systems in GXP Environments | 369 | ||
16.1.4 FDA General Principles of Software Validation | 369 | ||
16.1.5 Regulatory Requirements Summary | 369 | ||
16.2 You Need a Current URS Before Starting the Risk Assessment | 370 | ||
16.2.1 Train Key Users | 370 | ||
16.2.2 Understanding the New CDS System or Version | 370 | ||
16.2.3 Stop Here Until You Have a Current URS | 371 | ||
16.2.4 Revised URS Update the Risk Assessment! | 371 | ||
16.3 Risk Management Approach | 371 | ||
16.3.1 Vocabulary Issues | 372 | ||
16.3.2 ISO Guide 73 and ISO 14971: Risk Management Definitions | 372 | ||
16.3.3 Risk Assessment is a Continuous Process | 373 | ||
16.3.4 Application of Risk Assessment to a CDS | 373 | ||
16.4 Risk Assessment at the Requirements Level | 373 | ||
16.4.1 Outcome of Risk Management | 373 | ||
16.4.2 Possible Risk Assessment Methodologies | 373 | ||
16.4.3 Team Approach to Risk Assessment | 374 | ||
16.5 Functional Risk Assessment (FRA) | 375 | ||
16.5.1 Risk Analysis of Individual Functions | 375 | ||
16.5.2 Managing the Mandatory and Critical Requirements | 378 | ||
16.5.3 Allocating Requirements to Test Scripts | 379 | ||
16.5.4 Application of FRA | 379 | ||
16.6 Failure Mode Effects Analysis (FMEA) | 379 | ||
16.6.1 Overview of FMEA | 379 | ||
16.6.2 Conducting an FMEA Risk Assessment | 380 | ||
16.6.3 An Example FMEA Assessment | 382 | ||
16.6.4 Limitations of FMEA | 384 | ||
16.7 Risk Acceptance and Risk Communication | 384 | ||
References | 384 | ||
Chapter 17 - Importance of the Traceability Matrix | 386 | ||
17.1 What Do the Regulators Want | 386 | ||
17.1.1 EU GMP Annex 11 | 386 | ||
17.1.2 General Principles of Software Validation | 386 | ||
17.1.3 PIC/S Guide PI-011: Computerised Systems in GXP Environments | 387 | ||
17.1.4 Regulations Summary | 387 | ||
17.2 Business Rationale for a Traceability Matrix | 387 | ||
17.2.1 GAMP 5 | 388 | ||
17.3 A Life Cycle Model Refresher | 388 | ||
17.3.1 Terms and Definitions | 389 | ||
17.3.2 Why Bother to Trace Requirements | 390 | ||
17.4 Linking Requirements with Their Testing or Verification | 392 | ||
17.5 Examples of Requirements Traceability | 394 | ||
17.5.1 Traceability Between the URS and the Configuration Specification | 394 | ||
17.5.2 Traceability Matrix Combined with Functional Risk Assessment | 395 | ||
17.5.3 How Detailed Should User Acceptance Testing Traceability Be | 396 | ||
17.6 Using a Spreadsheet to Manage Traceability | 398 | ||
17.6.1 Evolution and Further Refinement of User Requirements | 400 | ||
17.7 The Traceability Treadmill | 401 | ||
References | 401 | ||
Chapter 18 - Writing Configuration Specifications | 403 | ||
18.1 What Do the Regulators Want | 403 | ||
18.1.1 FDA GMP Regulations | 403 | ||
18.1.2 General Principles of Software Validation | 404 | ||
18.1.3 Regulatory Requirements Summary | 404 | ||
18.2 Business Rationale | 404 | ||
18.3 Scope of CDS Configuration and Approach to Documentation | 404 | ||
18.3.1 Application Configuration Areas of a CDS | 404 | ||
18.3.2 Never Use Unconfigured CDS Software | 405 | ||
18.3.3 Ways of Documenting Application Configuration | 405 | ||
18.4 Application Configuration Specification | 406 | ||
18.4.1 Training to Understand CDS System Settings | 406 | ||
18.4.2 Prototype the Configured System | 406 | ||
18.4.3 Document the Configuration | 407 | ||
18.4.4 Defining User Types and Access Privileges | 407 | ||
18.4.5 Ensure Linkage Between the URS and Configuration Specification | 408 | ||
18.4.6 Confirming the Application Configuration | 409 | ||
18.5 Controlling CDS Configuration by Procedure | 409 | ||
References | 411 | ||
Chapter 19 - Writing the Technical Specification | 412 | ||
19.1 What Do the Regulators Want | 412 | ||
19.1.1 EU GMP Annex 11 | 412 | ||
19.1.2 FDA GMP 21 CFR 211 | 412 | ||
19.1.3 Regulatory Summary | 413 | ||
19.2 Data Gathering for a Technical Specification | 413 | ||
19.2.1 Input from the CDS Supplier | 413 | ||
19.2.2 Corporate IT/IS Standards | 414 | ||
19.2.3 URS Requirements | 414 | ||
19.3 Initial Platform Design | 415 | ||
19.4 Writing the Technical Specification | 415 | ||
19.4.1 Hardware Architecture | 415 | ||
19.4.2 Connections and Communications | 417 | ||
19.4.3 Input into the Installation Qualification Phase | 417 | ||
References | 417 | ||
Chapter 20 - Installing and Integrating System Components | 418 | ||
20.1 What Do the Regulators Want | 419 | ||
20.1.1 US GMP 21 CFR 211 | 419 | ||
20.1.2 EU GMP Chapter 3: Premises and Equipment | 419 | ||
20.1.3 EU GMP Annex 11: Computerised Systems | 419 | ||
20.1.4 PIC/S Guidance PI-011 | 419 | ||
20.1.5 USP ၘ Analytical Instrument Qualification | 420 | ||
20.1.6 General Principles of Software Validation | 420 | ||
20.1.7 Regulatory Summary | 420 | ||
20.2 Overview of the Whole Qualification Process | 420 | ||
20.3 Installing and Integrating the System Components | 421 | ||
20.3.1 Co-Ordinating Suppliers | 421 | ||
20.3.2 Computer Platform | 422 | ||
20.3.3 CDS Application Components and Associated Documentation | 422 | ||
20.3.4 Qualification of the Laboratory Data Servers | 424 | ||
20.3.5 Connection and Qualification of Chromatographs | 424 | ||
20.3.6 Establish the Initial CDS Configuration Baseline Now | 425 | ||
20.4 How Much Value is there in a Software OQ | 425 | ||
20.4.1 Positioning of a Software Operational Qualification | 425 | ||
20.4.2 Is an OQ Essential for a CDS Validation Project | 426 | ||
20.4.3 An OQ Case Study | 428 | ||
20.4.4 Do You Believe in Risk Management | 428 | ||
20.4.5 OQ for Configurable Software | 429 | ||
References | 430 | ||
Chapter 21 - Designing the User Acceptance Test Suite | 431 | ||
21.1 What Do the Regulators Want | 432 | ||
21.1.1 EU GMP Annex 11 | 432 | ||
21.1.2 FDA General Principles of Software Validation | 432 | ||
21.1.3 Regulatory Requirements Summary | 432 | ||
21.2 Overview of the User Acceptance Testing Phase of Validation | 433 | ||
21.2.1 Who Are You Writing the Test Documents For | 434 | ||
21.2.2 UAT/PQ Test Plan | 434 | ||
21.2.3 Writing the Test Scripts | 434 | ||
21.2.4 Executing the Test Scripts | 435 | ||
21.3 The UAT/PQ Test Plan | 435 | ||
21.3.1 Format of a Test Plan | 435 | ||
21.3.2 Test Environment | 436 | ||
21.3.3 Confirming the CDS Application Configuration | 436 | ||
21.3.4 Overview of the Test Suite | 436 | ||
21.3.5 Further Testing Considerations | 439 | ||
21.3.6 Implementation Strategy 1: Same System Multiple Sites | 440 | ||
21.3.7 Implementation Strategy 2: Single Instance with Phased Roll-Out | 441 | ||
21.3.8 Tracing User Requirements to PQ Testing | 441 | ||
21.3.9 Assumptions, Exclusions and Limitations of the Test Approach | 442 | ||
21.3.10 Features Not Tested | 443 | ||
21.3.11 Test Approach | 444 | ||
21.4 Authorising the Test Plan and Test Scripts | 445 | ||
21.4.1 PQ Test Plan | 445 | ||
21.4.2 UAT Test Scripts | 445 | ||
References | 446 | ||
Chapter 22 - Writing Test Scripts and Test Cases | 447 | ||
22.1 What Do the Regulators Want | 447 | ||
22.1.1 EU GMP Annex 11 | 447 | ||
22.1.2 FDA General Principles of Software Validation | 448 | ||
22.1.3 Regulatory Requirements Summary | 448 | ||
22.2 Principles of Software Testing | 448 | ||
22.2.1 Essentials of Software Testing | 448 | ||
22.2.2 White Box and Black Box Testing | 448 | ||
22.2.3 Understanding How the CDS Application Works | 450 | ||
22.2.4 Test Coverage | 451 | ||
22.2.5 Manual or Automated Testing | 451 | ||
22.2.6 Necessity for Pre-Defined Expected Results and Acceptance Criteria | 452 | ||
22.2.7 Updating the URS During the UAT Phase | 452 | ||
22.3 Functional and Non-Functional Testing of a CDS | 453 | ||
22.3.1 Risk Assessment: Extent of Testing | 453 | ||
22.3.2 Functional Testing | 454 | ||
22.3.3 Non-Functional Testing | 455 | ||
22.4 UAT Test Script Structure and Contents | 455 | ||
22.4.1 Purpose of the Test | 455 | ||
22.4.2 Requirements to be Tested and Limitations to the Testing | 455 | ||
22.4.3 Test Preparation | 458 | ||
22.4.4 Identification of Personnel | 459 | ||
22.4.5 Test Procedures | 460 | ||
22.4.6 Collecting and Collating Documented Evidence | 461 | ||
22.4.7 Acceptance Criteria | 462 | ||
22.4.8 Test Execution Log | 463 | ||
22.4.9 Test Summary Log and Test Script Sign-Off | 463 | ||
22.4.10 Second Person Review of the Test Script | 464 | ||
22.4.11 Approval of the Test Script | 464 | ||
22.5 Designing Tests for Security and Access Control | 464 | ||
22.5.1 Are the User Requirements Adequately Specified | 464 | ||
22.5.2 Logical Security | 465 | ||
22.5.3 Access Control | 465 | ||
22.5.4 Designing the Tests | 466 | ||
22.5.5 Refining the Test Design | 467 | ||
22.5.6 Writing Test Execution Instructions and Expected Results | 468 | ||
22.6 Some Considerations for Testing Electronic Signature Use | 470 | ||
22.7 Execution of Approved Test Scripts | 470 | ||
References | 470 | ||
Chapter 23 - Executing Test Scripts and Reporting the Results | 472 | ||
23.1 What Do the Regulators Want | 472 | ||
23.1.1 EU GMP Annex 11 | 472 | ||
23.1.2 FDA General Principles of Software Validation | 473 | ||
23.1.3 Regulatory Requirements Summary | 473 | ||
23.2 Organising the Test Suite Execution | 473 | ||
23.2.1 Planning the Test Suite Execution | 473 | ||
23.2.2 Have a Known Location for Collating and Reviewing Test Results | 474 | ||
23.2.3 Test Script Execution Status Board | 474 | ||
23.3 Executing a Test Script | 475 | ||
23.3.1 All is Well or Are There Problems | 475 | ||
23.3.2 Read the Test Script | 476 | ||
23.3.3 Preparation for Testing | 477 | ||
23.3.4 Sign into the Test Script | 477 | ||
23.3.5 Execute the Individual Test Procedures and Document the Testing | 478 | ||
23.3.6 Documented Evidence to Support Testing | 478 | ||
23.3.7 Collating Documented Evidence | 480 | ||
23.3.8 Has the Test Passed or Failed | 480 | ||
23.3.9 Documenting and Handling Unexpected Results | 480 | ||
23.3.10 Check the Test Execution Log | 481 | ||
23.3.11 Tester Completes the Test Summary Log and Signs the Test Script | 481 | ||
23.3.12 Update the Test Script Execution Status | 481 | ||
23.4 Reviewing the Completed Test Script | 481 | ||
23.4.1 Role of the Reviewer | 481 | ||
23.4.2 Correcting Any Mistakes | 482 | ||
23.4.3 Resolving Any Disagreements | 482 | ||
23.4.4 Approving the Test Script Execution and Update the Test Script Execution Status | 482 | ||
23.4.5 Enter the Test Script Result into the PQ Section of the Validation Summary Report | 482 | ||
References | 483 | ||
Chapter 24 - User Training and System Documentation | 484 | ||
24.1 What Do the Regulators Require Part 1 | 484 | ||
24.1.1 EU GMP Annex 11 | 484 | ||
24.1.2 FDA 21 CFR 11 | 484 | ||
24.1.3 FDA 21 CFR 211 GMP | 485 | ||
24.1.4 FDA 21 CFR 58 GLP | 485 | ||
24.1.5 Regulatory Requirements Summary | 485 | ||
24.2 Personnel and Training Records | 485 | ||
24.2.1 Personnel Involved in a CDS Validation Project | 485 | ||
24.2.2 User Training Records | 486 | ||
24.3 URS Requirements Define CDS Procedures | 487 | ||
24.3.1 Proactive Use of Requirements for Procedures | 487 | ||
24.3.2 Challenge Existing SOPs with CDS Procedural Requirements | 487 | ||
24.3.3 Confirm Accuracy of CDS Procedures in the UAT Phase | 488 | ||
24.4 System Documentation from the Supplier | 488 | ||
24.5 Standard Operating Procedures (SOPs) for a CDS | 489 | ||
24.5.1 SOPs for a CDS in Relation to a Company Data Governance Framework | 489 | ||
24.5.2 Good Chromatographic Practices | 491 | ||
24.5.3 Good Chromatographic Integration Practices | 492 | ||
24.5.4 Good Analytical Data Review Practices | 493 | ||
24.5.5 Laboratory Deviations and Laboratory Investigations SOPs | 493 | ||
24.5.6 Training for Data Integrity SOPs | 494 | ||
24.5.7 SOP for Laboratory Administration of the CDS | 494 | ||
24.6 Managing Custom Calculations, Fields and Reports | 495 | ||
24.6.1 Development Environment | 495 | ||
24.6.2 Control of Custom Calculations and Fields | 495 | ||
24.6.3 Control of Custom Reports | 496 | ||
24.6.4 Control Changes of Verified Custom Calculations and Reports | 496 | ||
24.7 Second Person Review of CDS Data and Records | 496 | ||
24.7.1 Importance of the Second Person Review | 497 | ||
24.7.2 What Do the Regulators Require Part 2 | 497 | ||
24.7.3 Scope of the Second Person Review | 499 | ||
24.7.4 A CDS Interfaced with a LIMS | 499 | ||
24.7.5 Second Person Review in Practice | 501 | ||
24.7.6 Using the CDS Features to Aid Second Person Review | 504 | ||
24.7.7 How Should the Second Person Review be documented | 504 | ||
24.8 Administrative and Procedural Controls Required for 21 CFR 11 Compliance | 507 | ||
24.8.1 Verifying the Identity of Individuals | 508 | ||
24.8.2 Use of Electronic Signatures with Non Repudiation | 509 | ||
24.8.3 Uniqueness of Electronic Signatures | 509 | ||
24.8.4 Password Management | 509 | ||
24.8.5 Change Control and Configuration Management | 510 | ||
24.8.6 Date and Time Stamps | 510 | ||
24.8.7 Backup and Recovery SOP | 510 | ||
24.8.8 Defining E-Records for the CDS | 511 | ||
24.8.9 Security and Access Control | 511 | ||
24.8.10 Remote Access | 511 | ||
Acknowledgements | 512 | ||
References | 512 | ||
Chapter 25 - IT Support for a CDS | 513 | ||
25.1 What Do the Regulators Want | 513 | ||
25.1.1 FDA GMP 21 CFR 211 | 513 | ||
25.1.2 21 CFR 11 | 514 | ||
25.1.3 EU GMP Annex 11 | 514 | ||
25.1.4 PIC/S Guidance | 515 | ||
25.1.5 FDA Perspective on Time Stamps | 516 | ||
25.1.6 Regulatory Requirements Summary | 516 | ||
25.2 IT Department Quality Management System | 517 | ||
25.2.1 Overview of the IT QMS | 517 | ||
25.2.2 Associated QMS Procedures and Work Instructions | 517 | ||
25.3 Service Level Agreement | 520 | ||
25.4 Backup and Recovery | 521 | ||
25.4.1 Business Rationale: How Important are Your Data | 521 | ||
25.4.2 What is Backup and Recovery | 522 | ||
25.4.3 Roles and Responsibilities | 522 | ||
25.4.4 Hardware to Help Data Security and Integrity | 523 | ||
25.4.5 Options to Consider for Backup | 524 | ||
25.4.6 Main Backup Activities | 525 | ||
25.4.7 Hot or Cold Backups | 526 | ||
25.4.8 Cold Backups | 526 | ||
25.4.9 Hot Backups | 527 | ||
25.4.10 Management of Magnetic Media | 527 | ||
25.4.11 Restoring Data from Tape | 528 | ||
25.4.12 Validation of Backup | 529 | ||
25.5 Time and Date Stamps | 529 | ||
25.5.1 Time Stamps for Standalone CDS Systems | 529 | ||
25.5.2 Time Stamps for Networked CDS Systems | 530 | ||
References | 530 | ||
Chapter 26 - System Description | 532 | ||
26.1 What Do The Regulators Want | 532 | ||
26.1.1 EU GMP Annex 11 | 532 | ||
26.1.2 OECD Application of GLP Principles to Computerised Systems | 532 | ||
26.1.3 OECD 17: Guidance on the Application of GLP Principles to Computerised Systems | 533 | ||
26.1.4 PIC/S Guidance | 533 | ||
26.1.5 Regulatory Requirements Summary | 534 | ||
26.2 Turning Regulations into Practice | 534 | ||
26.2.1 Single Document or Multiple Documents | 534 | ||
26.2.2 Outline for a System Description | 534 | ||
26.2.3 Keeping Current: Updating the System Description | 535 | ||
26.3 Key Sections of the System Description | 536 | ||
26.3.1 Introduction | 536 | ||
26.3.2 System Scope | 536 | ||
26.3.3 Definition of Electronic Records | 538 | ||
26.4 Do Not be Stupid | 538 | ||
References | 538 | ||
Chapter 27 - Defining Electronic Records and Raw Data for a CDS | 540 | ||
27.1 What Do the Regulators Want | 540 | ||
27.1.1 US GLP 21 CFR 58 – Raw Data | 540 | ||
27.1.2 21 CFR 11 – Electronic Records | 541 | ||
27.1.3 US GMP 21 CFR 211 – Complete Data | 541 | ||
27.1.4 EU GMP Chapter 4 on Documentation – Raw Data | 541 | ||
27.1.5 Regulatory Requirements Summary | 542 | ||
27.2 Contributions to the E-Records Debate | 542 | ||
27.2.1 Furman, Tetzlaff and Layloff | 542 | ||
27.2.2 BARQA Paper on Raw Data | 542 | ||
27.2.3 How Raw are Your Data – 1 | 543 | ||
27.2.4 How Raw are Your Data – 2 | 543 | ||
27.2.5 FDA Part 11 Scope and Application Guidance for Industry | 544 | ||
27.2.6 FDA Level 2 Guidance on Records and Reports | 546 | ||
27.2.7 EU GMP Chapter 4 – A Requirement to Define GMP Raw Data | 548 | ||
27.2.8 GLP Raw Data Definition and Interpretation | 549 | ||
27.2.9 Swiss AGIT GLP Electronic Raw Data Guidance | 550 | ||
27.2.10 Compliance Policy Guide 7346.832 | 552 | ||
27.2.11 GAMP Good Practice Guide for Validation of Laboratory Computerised Systems | 552 | ||
27.2.12 FDA Draft Guidance on Data Integrity and cGMP Compliance | 553 | ||
27.2.13 Summarising the Regulations and Guidance | 554 | ||
27.2.14 Dead as a Dodo: Raw Data are Paper | 555 | ||
27.3 Defining the Electronic Records for Your System | 555 | ||
27.3.1 Static and Dynamic Data | 555 | ||
27.3.2 Data Acquisition Phase | 555 | ||
27.3.3 Integration, Calculation and Reporting Phase | 557 | ||
27.3.4 Traceability for Data Integrity | 558 | ||
27.3.5 Common Elements of Raw Data and Complete Data | 558 | ||
27.3.6 Controlled Chromatograph with Separate Data System | 560 | ||
References | 560 | ||
Chapter 28 - Writing the Validation Summary Report | 562 | ||
28.1 What Do the Regulators Want | 562 | ||
28.1.1 PIC/S Guidance | 562 | ||
28.1.2 General Principles of Software Validation | 563 | ||
28.1.3 Regulatory Requirements Summary | 563 | ||
28.2 Map the Validation Plan to the Validation Summary Report | 563 | ||
28.3 Content of the Validation Summary Report | 564 | ||
28.4 Writing the Validation Summary Report | 564 | ||
28.4.1 How to Summarise the Work | 564 | ||
28.4.2 How to Summarise PQ Testing | 566 | ||
28.4.3 PQ Test Execution Notes | 566 | ||
28.4.4 Deviations and Departures from the Validation Plan | 567 | ||
28.4.5 Validation Package | 567 | ||
28.4.6 Releasing the System | 568 | ||
28.4.7 Going Live! Sit Back and Relax | 568 | ||
References | 568 | ||
Chapter 29 - Integration in a Regulated Environment | 569 | ||
29.1 What Do the Regulators Want | 569 | ||
29.1.1 US GMP 21 CFR 211 – Laboratory Controls | 569 | ||
29.1.2 United States and European Pharmacopoeias | 570 | ||
29.1.3 FDA Guidance for Industry Bioanalytical Methods Validation | 570 | ||
29.1.4 EMA Guidance on Bioanalytical Methods Validation | 570 | ||
29.1.5 Regulatory Summary | 571 | ||
29.2 Why Control Chromatographic Integration | 571 | ||
29.2.1 Extracts from FDA Warning Letters | 571 | ||
29.2.2 Approaches to Controlling Chromatographic Integration | 572 | ||
29.3 Back to Integration Basics | 573 | ||
29.4 How Can Manual Integration Result in Falsification | 576 | ||
29.4.1 Uncovering Manipulation | 577 | ||
29.4.2 What is Missing | 577 | ||
29.4.3 Why is there No Definition of Manual Integration | 578 | ||
29.5 Scope of an SOP on Chromatographic Integration | 578 | ||
29.5.1 Integration Process Flow and Decision Tree | 579 | ||
29.5.2 Manual Intervention versus Manual Integration | 581 | ||
29.6 The Four Eyes Principle Applied to Chromatographic Integration | 582 | ||
29.6.1 The Primary Objective is Automatic Integration | 582 | ||
29.6.2 The Secondary Objective is Manual Intervention | 582 | ||
29.6.3 When All Else Fails – Manual Integration | 582 | ||
29.6.4 Methods that Quantify Both Active Ingredient and Impurities | 583 | ||
29.6.5 Procedure and Training for Integration Consistency and Data Integrity | 583 | ||
29.6.6 Second Person Review of Integration | 584 | ||
References | 584 | ||
Chapter 30 - User Account Management | 586 | ||
30.1 What Do the Regulators Require | 586 | ||
30.1.1 FDA GMP 21 CFR 211 | 586 | ||
30.1.2 FDA 21 CFR 11 | 586 | ||
30.1.3 FDA Guidance: Computerised Systems in Clinical Investigations | 587 | ||
30.1.4 EU GMP Annex 11 | 587 | ||
30.1.5 MHRA Data Integrity Guidance | 587 | ||
30.1.6 FDA Guidance on Data Integrity and cGMP Compliance | 588 | ||
30.1.7 WHO Guidance on Good Data and Record Management Practices | 589 | ||
30.1.8 Regulatory Summary | 589 | ||
30.2 Principles of User Account Management | 590 | ||
30.2.1 Prerequisites for User Account Management | 590 | ||
30.2.2 Administration by IT | 591 | ||
30.2.3 Authorised User | 591 | ||
30.2.4 Individual User Accounts | 591 | ||
30.2.5 Cumulative List of Users | 592 | ||
30.2.6 Staff Security Awareness | 592 | ||
30.2.7 Regular Review of Accounts | 593 | ||
30.3 User Account Management in Practice | 593 | ||
30.3.1 Process Workflow | 593 | ||
30.3.2 Creation of a New User Account | 594 | ||
30.3.3 Modification of an Existing User Account | 594 | ||
30.3.4 Disabling a User Account | 595 | ||
30.3.5 Maintaining a Cumulative List of Users | 595 | ||
30.3.6 Periodic Review or Audit of User Accounts | 595 | ||
30.4 Password Management | 596 | ||
30.4.1 Technical Implementation and Enforcement | 596 | ||
30.4.2 Password Paradox | 596 | ||
30.4.3 Forgotten Password | 597 | ||
References | 597 | ||
Chapter 31 - Incident and Problem Management | 598 | ||
31.1 What Do the Regulators Want | 598 | ||
31.1.1 EU GMP Annex 11 | 598 | ||
31.1.2 OECD Guidance 17 for Computerised Systems | 598 | ||
31.1.3 Regulatory Requirements Summary | 599 | ||
31.2 Incidents and Problems | 600 | ||
31.2.1 What is an Incident | 600 | ||
31.2.2 What is a Problem | 600 | ||
31.2.3 Incident Versus Problem | 600 | ||
31.3 Coordination of Incident and Problem Management | 601 | ||
31.3.1 Automation of the Process | 601 | ||
31.3.2 Help Desk Staff | 602 | ||
31.4 Incident Management | 602 | ||
31.4.1 Incident Management Workflow | 602 | ||
31.4.2 Procedure for Incident Management | 603 | ||
31.4.3 Periodic Review of Incidents | 604 | ||
31.5 Problem Management | 604 | ||
31.5.1 Problem Management Workflow | 604 | ||
31.5.2 Procedure for Problem Management | 605 | ||
31.5.3 Problem Management and Regulatory Compliance | 607 | ||
31.6 Linking Incident and Problem Management with Change Management | 607 | ||
References | 607 | ||
Chapter 32 - Change Control and Configuration Management | 608 | ||
32.1 What Do the Regulators Want | 608 | ||
32.1.1 EU GMP Annex 11 | 608 | ||
32.1.2 FDA GMP 21 CFR 211 | 608 | ||
32.1.3 OECD Guidance No. 17 on Computerised Systems | 609 | ||
32.1.4 FDA Guidance: General Principles of Software Validation | 609 | ||
32.1.5 PIC/S Guidance for GXP Systems | 610 | ||
32.1.6 Regulatory Requirements Summary | 611 | ||
32.2 Scope of Changes to a CDS | 612 | ||
32.2.1 Definition of Terms | 612 | ||
32.2.2 Separate Infrastructure from Application Changes | 615 | ||
32.2.3 Triggers for Change | 616 | ||
32.2.4 Is it a Change or Normal Operation | 616 | ||
32.3 Change Control | 617 | ||
32.3.1 The Basic Process | 617 | ||
32.3.2 Types of Change | 620 | ||
32.3.3 Roles and Responsibilities | 621 | ||
32.4 Some Typical CDS Changes | 621 | ||
32.4.1 Scope of Changes to the CDS | 621 | ||
32.4.2 Regression Testing After a Change | 623 | ||
32.5 Configuration Management for a CDS | 623 | ||
32.5.1 Defining the Detail of Configuration Items | 624 | ||
32.5.2 Defining the System Baseline Configuration | 624 | ||
32.5.3 Linking Configuration Management with Change Control | 625 | ||
32.5.4 Re-Baselining the System Configuration | 625 | ||
32.6 Automating the Change Control Process | 625 | ||
32.6.1 Does the Service Desk Software Need to be Validated | 626 | ||
32.6.2 IT Personnel Must Have GXP Awareness Training | 626 | ||
32.6.3 Service Management Software as a SaaS Solution | 626 | ||
References | 626 | ||
Chapter 33 - Periodic Review of the CDS | 628 | ||
33.1 What Do the Regulators Want | 628 | ||
33.1.1 EU GMP Annex 11 | 628 | ||
33.1.2 PIC/S Guidance on Computerised Systems in GXP Environments | 629 | ||
33.1.3 ICH Q7 GMP for Active Pharmaceutical Ingredients | 630 | ||
33.1.4 WHO Guidance on Good Data and Record Management Practices | 630 | ||
33.1.5 Compliance Policy Guide Section 130.300 | 630 | ||
33.1.6 Regulatory Requirements Summary | 631 | ||
33.2 Rationale for a Periodic Review | 632 | ||
33.2.1 What’s in a Name | 632 | ||
33.2.2 Who Performs the Review | 632 | ||
33.2.3 How Often Should the Review Occur | 633 | ||
33.2.4 Skills and Training of the Auditor | 634 | ||
33.3 Overview of the Periodic Review Process | 635 | ||
33.3.1 Objectives of a Periodic Review | 635 | ||
33.3.2 Planning a Periodic Review | 635 | ||
33.3.3 Who is Involved and What Do They Do | 636 | ||
33.3.4 Schedule for a Review | 637 | ||
33.3.5 Scope of the Review | 637 | ||
33.3.6 Reporting the Periodic Review and Follow-Up | 639 | ||
33.4 Conducting a Periodic Review | 640 | ||
33.4.1 Preparation for a Periodic Review | 640 | ||
33.4.2 Defining the System Scope | 641 | ||
33.4.3 Types of Periodic Review | 643 | ||
33.4.4 Are Computerised Systems Designed to Help Periodic Reviews | 645 | ||
33.4.5 Conducting the Periodic Review | 646 | ||
33.4.6 A Picture is Worth a Thousand Words | 647 | ||
33.4.7 Death by Checklist | 647 | ||
33.4.8 Options for Checklists: Working Smarter Not Harder | 648 | ||
33.5 Data Integrity Audit of a CDS | 649 | ||
33.5.1 Data Integrity at the System Level | 649 | ||
33.5.2 Data Integrity Audit at the Data Level | 652 | ||
33.5.3 Data Integrity and an Interfaced CDS | 652 | ||
33.5.4 Reporting the Audit | 655 | ||
References | 655 | ||
Chapter 34 - CDS Records Retention | 657 | ||
34.1 What Do the Regulators Want | 657 | ||
34.1.1 EU GMP Annex 11 | 657 | ||
34.1.2 GLP Regulations: 21 CFR 58 | 657 | ||
34.1.3 US GMP Regulations: 21 CFR 211 | 658 | ||
34.1.4 US Medical Device GMP Regulations: 21 CFR 820 | 659 | ||
34.1.5 21 CFR 11 Requirements | 659 | ||
34.1.6 FDA Guidance on Data Integrity | 659 | ||
34.1.7 EU GMP Chapter 4 Documentation | 659 | ||
34.1.8 FDA Guidance for Industry Part 11 – Scope and Application Guidance | 660 | ||
34.1.9 FDA Inspection of Pharmaceutical Quality Control Laboratories | 661 | ||
34.1.10 OECD GLP Regulations | 661 | ||
34.1.11 OECD GLP Guidance on Establishment and Control of GLP Archives | 662 | ||
34.1.12 OECD GLP Guidance on Application of GLP to Computerised Systems | 662 | ||
34.1.13 Regulatory Requirements Summary | 662 | ||
34.2 CDS Data File Formats and Standards | 663 | ||
34.2.1 Current CDS Data Standards | 663 | ||
34.2.2 Progress towards a Universal CDS Data File Format | 664 | ||
34.3 Options for Electronic Records Retention and Archive | 665 | ||
34.3.1 Backup is Not Archive (Unless You Are the FDA) | 665 | ||
34.3.2 Organising CDS Electronic Records to Archive | 666 | ||
34.3.3 Options for Electronic Archive | 666 | ||
34.3.4 Can I Read the Records | 667 | ||
34.3.5 Impact of a Changed CDS File Format | 668 | ||
34.3.6 Selection of Off-Line Archive Media | 669 | ||
34.3.7 Changing CDS – What Are The Archive Options | 669 | ||
34.3.8 Overview of Some Options | 669 | ||
34.3.9 Assessment of Option Feasibility | 670 | ||
34.4 OECD Guidance for Developing an Electronic Archive | 670 | ||
34.4.1 Definitions | 670 | ||
34.4.2 Roles and Responsibilities | 671 | ||
34.4.3 Archive Facilities | 672 | ||
34.4.4 Archiving Electronic Records | 672 | ||
References | 674 | ||
Chapter 35 - CDS System Retirement | 676 | ||
35.1 What Do the Regulators Want | 676 | ||
35.1.1 OECD GLP Guidance 17 | 676 | ||
35.1.2 GMP Regulations | 676 | ||
35.1.3 Business Rationale for System Retirement | 676 | ||
35.2 Generic Process for System Retirement | 677 | ||
35.2.1 Notification of System Retirement | 677 | ||
35.2.2 Involvement of Quality Assurance and IT | 678 | ||
35.2.3 Cessation of Work | 678 | ||
35.2.4 Shutdown of the System | 679 | ||
35.2.5 Documenting Retirement and Disposal | 679 | ||
35.3 Case Study of System Retirement | 680 | ||
Reference | 681 | ||
Chapter 36 - CDS Data Migration | 682 | ||
36.1 What Do the Regulators Want | 682 | ||
36.1.1 EU GMP Annex 11 | 682 | ||
36.1.2 EU GMP Chapter 4 on Documentation | 683 | ||
36.1.3 FDA 21 CFR 11 and the Part 11 Scope and Application Guidance for Industry | 683 | ||
36.1.4 OECD Guidance 17 Application of GLP Principles to Computerised Systems | 683 | ||
36.1.5 Regulatory Requirements Summary | 684 | ||
36.2 Business Rationale for Data Migration | 684 | ||
36.3 Drivers for Data Migration and System Retirement | 685 | ||
36.3.1 Internal Drivers | 685 | ||
36.3.2 External Drivers | 685 | ||
36.3.3 Data Migration Options | 686 | ||
36.3.4 Data Migration Between Different Applications | 686 | ||
36.3.5 Data Migration Within an Application | 687 | ||
36.3.6 Validation of Within Application Data Migration | 687 | ||
36.4 Generic Data Migration and System Retirement Process | 687 | ||
36.4.1 Roles of the Process Owner and Senior Management | 689 | ||
36.4.2 Step 1: Inventory of the System | 689 | ||
36.4.3 Step 2: Carry Out a Risk Assessment | 689 | ||
36.4.4 Step 3: Write the Retirement Plan | 689 | ||
36.4.5 Step 4: Detailed Information Gathering | 690 | ||
36.4.6 Step 5: System Decommissioning and Data Migration Plan | 690 | ||
36.4.7 Step 6: Execute Work and Document Activities | 690 | ||
36.4.8 Step 7: Write Retirement and Migration Report | 690 | ||
36.5 Case Study of Data Migration | 691 | ||
36.5.1 Design of the Overall Validation Project | 691 | ||
36.5.2 Overview of the Mass Spectrometry Systems | 692 | ||
36.5.3 Data Acquisition and Processing Software Applications | 692 | ||
36.5.4 Computing Environments | 692 | ||
36.5.5 Differences Between the Two CDS Systems | 693 | ||
36.5.6 Data Migration Strategy | 694 | ||
36.5.7 Supplier Supplied Data Conversion Utilities | 694 | ||
36.5.8 Limitation of the Data Conversion Utilities | 694 | ||
36.5.9 Data Migration Options | 695 | ||
36.5.10 Evolution of the Data Migration Design | 695 | ||
36.5.11 Design of the Overall Data Migration and System Retirement | 696 | ||
36.6 Data Migration: Key Results | 696 | ||
36.6.1 Retention Time | 696 | ||
36.6.2 Instrument Control Parameters | 697 | ||
36.6.3 Integration Algorithms and Calculated Results | 698 | ||
36.6.4 History Logs | 699 | ||
36.6.5 Data Migration Summary | 700 | ||
References | 700 | ||
Chapter 37 - Retrospective Validation | 701 | ||
37.1 What Do the Regulators Want | 701 | ||
37.1.1 EU GMP Annex 11 | 701 | ||
37.1.2 EMA Annex 11 Questions and Answers | 701 | ||
37.1.3 PIC/S Guidance | 702 | ||
37.1.4 Regulatory Requirements Summary | 703 | ||
37.2 Literature References to Retrospective CDS Validation | 703 | ||
37.3 Gap and Plan for Retrospective Validation | 703 | ||
37.3.1 Stage 1: Collect Existing Documentation and Review for Coverage | 703 | ||
37.3.2 Phase 2: Review Existing Documents for Adequacy | 705 | ||
37.3.3 Phase 3: Write the Gap and Plan Report | 706 | ||
References | 707 | ||
Glossary and Abbreviations | 708 | ||
Glossary | 708 | ||
Abbreviations | 714 | ||
Subject Index | 717 |