This document covers most of the topics in the CSV like Importance of CVS, Why to perform CSV, Validation Deliverables, Part 11 and Annex 11 Diferences
2. Flow of Presentation
Importance of CSV
Introduction to CSV
GAMP5
Data Integrity
Part 11 and Annex 11
Prepared by: G. Jaya krishna 2
3. Why to focus more on CSV?
Everything was going well before FDA and other regulatory agency
started focusing in Data Integrity
Everything in Human life and Pharma industry is about Integrity.
In 2016, data integrity issues triggered more than one third of all
regulatory actions
US FDA took maximum actions against china, India led the pack when
it came to non-compliance reports issues by EU Regulators.
European Operations of Major Drug companies like GSK, Otuska, Teva
were found to have serious Non-compliance concerns.
Prepared by: G. Jaya krishna 3
4. Cont..
Everything was going well before FDA and other regulatory agency
started focusing in Data Integrity
Everything in Human life and Pharma industry is about Integrity.
In 2016, data integrity issues triggered more than one third of all
regulatory actions
US FDA took maximum actions against china, India led the pack when
it came to non-compliance reports issues by EU Regulators.
European Operations of Major Drug companies like GSK, Otuska, Teva
were found to have serious Non-compliance concerns.
Prepared by: G. Jaya krishna 4
5. Cont..
In Teva’s Hungary Plant, US FDA Auditors found Quality Related
documents in a waste bin and also found that lack of controls to prevent
analysts from deleting data for the stand alone systems.
In the UK, GSKs API plant recalled more than 425,000 Bacroban
antibiotic products after receiving a stern warning letter from FDA
Regulators in july 2016 for Cross Contamination.
Failure to take corrective action in a timely manner can result in shutting
down manufacturing facilities , consent decrees, and stiff financial
penalties.
The ultimate result could be loss of jobs and companies suffering
economic instabilities resulting in downsizing and possibly eventual
bankruptcy.
Prepared by: G. Jaya krishna 5
6. Cost of Non-Compliance
Cost of Non-compliance is 1000 times higher then the cost of compliance
Poor Record Integrity/ GxP Non-compliance will result in
FDA – 483 Observation (WL)
Import Alert
Consent Decrease
Criminal Prosecution
In the case of Serious Deficiencies/Critical Findings actions may need to be
taken by inspectorate and EU authorities:
Prohibition of Supply
Batches withdrawn from the EU Market
Refusal of the granting of a marketing Authorization
Prepared by: G. Jaya krishna 6
7. What is Validation ??
Establishing Documented Evidence that a provides a high degree of
assurance that a specific process will consistently produce a product
meeting its predetermined specifications and quality attributes
Qualification is an act or process to assure something complies with
some condition, standard or specific requirements
“We qualify a system and/or equipment and we validate a
process”
Ex: “You will qualify an autoclave, where as you validate the sterilization
process”
The term qualification is normally used for equipment, utilities and
systems, and validation for process
Prepared by: G. Jaya krishna 7
8. Why to perform Validation ??
Validation is predicate rule, hence it is mandatory to perform
Computerized system validation
According to 21 CFR Part 820.70 (i) – When computers or automated
data processing systems are used as part of production or the quality
systems, the manufacturer shall validate computer software for its
intended use according to an established protocol. All software changes
shall be validated before approval and issuance. These validation
activities and results shall be documented
Prepared by: G. Jaya krishna 8
9. Purpose of Validation
To prove that we did validation right and system works as intended, identify any
bugs by challenging the system. It increases the confidence level
The personnel involved in the validation are may no longer with the company to
explain to the auditors. Proof of good validation should be maintained till
retention (Documentation is most critical and has to be self explanatory)
Which Systems needs Validation:
All Automated Systems, Computer System which is used to Store, Monitor or
Control GXP Operation and Data needs validation. If system is controlled by the
computer – PLC and it is storing electronic data and electronic signature more
detailed validation needed.
Reduces risk and legal liability, Having the evidence that computer systems are
correct for their purpose and operating properly represents a good business
practice.
Prepared by: G. Jaya krishna 9
10. Computerized System Validation
A Computerized system consists of the Software, Hardware and the networking
components, Personnel together with the controlled functions and the
associated documentation
According to the Regulatory guidelines Computerized system validation is
stated as “ESTABLISHING DOCUMENT EVIDENCE.”
Ex: Automated manufacturing equipment, Quality control systems , equipment,
laboratory, clinical (or) manufacturing data base systems.
Prepared by: G. Jaya krishna 10
11. In general , a combination of hardware,
software , people , documents, inputs,
processing and outputs working together
software Hardware
Controlling process
Equipment
Operating Procedures and
Documentation
People and Training
COMPUTER SYSTEM
Prepared by: G. Jaya krishna 11
12. Computerized System Vs Computer System
Computerized System: Any programmable device having hardware,
peripherals, software, procedures, users, interconnections and inputs for
electronic processing & output of information Used for reporting or control
Computer System: A computer system is a set of integrated devices that input,
output, process, and store data and information. Computer systems are
currently built around at least one digital processing device. There are five main
hardware components in a computer system: Input, Processing, Storage,
Output and Communication devices.
Prepared by: G. Jaya krishna 12
13. Types of Validation:
If data are transferred to another data format or system , validation should
include checks that data are not altered in value and / or meaning during this
migration process. E.g. Paper based reports, Screen shots, Video etc….
Prospective Validation – The validation of a new system as it is developed or
The Validation conducted prior to the distribution of either a new product or
product made under a revised manufacturing process
Retrospective Validation – The process of evaluating a computer system
currently in operation against standard validation practices and procedures. The
evaluation determines the reliability, accuracy, and completeness of a system
(existing system)
Concurrent Validation – Validation Simultaneously with Production
Prepared by: G. Jaya krishna 13
14. 4Q Validation Overview (Traditional Method)
Design Qualification (DQ) – Documented evidence that the design of the
system meets requirements
Installation Qualification (IQ) – System has been installed correctly
Operational Qualification (OQ) – System Operates according to the design
Performance Qualification (PQ) – System meets design criteria and operates
according to requirement
Prepared by: G. Jaya krishna 14
15. GAMP5
Good Automated Manufacturing Practice, Founded in 1991.
International Society for Pharmaceutical Engineering (ISPE) sets the
guidelines for manufacturers and the current Version is GAMP 5.
GAMP describes a set of principles and procedures that help ensure
that pharmaceutical Software have required quality.
Computer system validation (CSV) following GAMP guidelines require
users and suppliers to work together so that responsibilities regarding
the validation process are understood.
Prepared by: G. Jaya krishna 15
16. Why GAMP 5?
•Facilitates the interpretation of regulatory requirements.
•Establishes a common language and terminology.
•Promotes a system life cycle approach based on good practice.
•Clarifies roles and responsibilities.
•Focus attention on those computerized systems with most impact on patient
safety, product quality, and data integrity
•Avoid duplication of activities.
Prepared by: G. Jaya krishna 16
17. GAMP5 Key Concepts:
Product and Process understanding
Life cycle approach with in a QMS
Scalable Life Cycle Activities
Science-based Quality Risk Management
Leveraging Supplier Involvement
Prepared by: G. Jaya krishna 17
18. Who plays validation role?
QA and Validation:
Author some major documents
Provide advice , training , auditing
Senior management for each group decides :
Which systems to buy or build
How much resources to make available
What risks are acceptable
Support groups (IT Infrastructures):
Maintain proper network environment
Troubleshooting and maintenance
Desktop and infrastructure control
Prepared by: G. Jaya krishna 18
19. Validation overview / Computerized system life
cycle:
Concept - During the concept phase the regulated company considers opportunities to
automate one or more business processes based upon business and benefits. At this
phase, initial requirements will be developed and potential solutions considered. From an
initial understanding of scope, costs and benefits a decision is made on whether to
proceed to the project phase.
Project - The project phase involves planning, supplier assessment and selection,
various levels of specification, configuration and verification leading to acceptance and
release for operation. Risk management is applied to identify risks and to remove or
reduce them to an acceptable level.
Operation - This phase is the longest phase and is managed by the use of defined, up
to date, operational procedures applied by personnel who have appropriate training,
education, and experience. Maintaining control (Including Security), fitness for intended
use and compliance are key aspects. The management of changes of different impact,
scope and complexity is an important activity during this phase.
Retirement - The final phase is the ultimate retirement of the system. It involves
decisions about data retention, migration or destruction and the management of these
processes.
Prepared by: G. Jaya krishna
19
22. GAMP Categories
The GAMP categories were originally introduced to provide an initial
assessment as to the validation requirements / deliverables, In GAMP 4 there
were five software categories. These have been revised in GAMP5 to four
categories as detailed below:
Category 1 – Infrastructure software including operating systems, Database
Managers, etc.
Category 3 – Non configurable software including, commercial off the shelf
software (COTS), Laboratory Instruments / Software.
Category 4 – Configured software including, LIMS, SCADA, DCS, CDS, etc.
Category 5 – Bespoke/Tailor-made software
Prepared by: G. Jaya krishna 22
26. Specification and Qualification Relationships
V- Life Cycle Model
URS
FRS
DS
VP
System Build
VSR
PQ
OQ
IQ
Verifies
Verifies
Verifies
IRA /GxP
Prepared by: G. Jaya krishna 26
27. THE VALIDATION PROCESS
Consists of five specific processes
Validation Master Plan
Project Plan
Installation Qualification
Operational Qualification
Performance Qualification
Prepared by: G. Jaya krishna 27
28. Data Integrity:
Def: The Extent to which the data is complete, correct and accurate is
Called Data Integrity . (First used by Stan Woollen)
Acronym: ALCOA ++
A – Attributable
L – Legible
C – Contemporaneous
O – Original
A – Accurate
Complete
Correct
Enduring
Available
Prepared by: G. Jaya krishna
28
29. Data Integrity:
Attributable The Identity of the person completing a record (Who, When, Why)
Legible
The data is readable, Understandable, Traceable, Permanent
allowing for a clear picture of the activities that occurred
Contemporaneous
The data is recorded at the time it is generated or observed (No
Back dating)
Original
Original Records must preserve data accuracy, completeness,
content and meaning. Data as the file or format in which it was
initially generated
Accurate
The data record must be accurate whether paper or electronic, it
must be exact, true and free from error (this might require a
second verification if necessary)
Prepared by: G. Jaya krishna
29
30. Cont..
Consistent
Consistent application of date and time stamps in the expected
sequence.
Complete
All Information needs to be maintained. Batch pass-fail, Re-
analyses carried out. (OOS, OOT)
Enduring
Medium used to record data should be permanent and not
temporary memory RAM.
Available
Available/Accessible for review / audit for the life time of the
record.
Prepared by: G. Jaya krishna 30
31. Common ALCOA ++ Issues
Common Passwords / Passwords sharing
Authority Control
User Privileges – Lack of role based access control
Laboratories have failed to implement to controls over data and
unauthorized access
Data Backup and Restoration
Audit Trail – No audit trail function or Disabled audit trail function
Manipulation of Date/Time stamps & Backdating
Prepared by: G. Jaya krishna 31
32. Data Integrity: Violation of 21 CRR Part
211 is also termed as Data Integrity
Part 211.68 (C) states that the automated equipment used for
performance must satisfy the requirements of an operation by one
person & checking by another person. (Two level check should be
there)
Part 211.100 and 211.160 require that certain activities be documented
at the time of performance & that laboratory controls be scientifically
sound (Contemporaneous)
Part 211.188, 211.194 require complete information-data-records
derived from all tests performed. (Complete)
Part 211.180 requires true copies or other accurate reproductions of the
original records. (Accurate)
Prepared by: G. Jaya krishna 32
33. EU Annex-11
Annex 11 is part of the European GMP Guidelines and defines the terms of
reference for computerized systems used by organizations in the
pharmaceutical industry.
Applies to all forms of computerized systems used as part of a GMP regulated
activities.
A computerized system is a set of software and hardware components which
together fulfil certain functionalities.
The application should be validated.
IT infrastructure should be qualified.
Where a computerized system replaces a manual operations, there should be
to resultant decrease in product quality assurance.
There should be no increases in the overall risk of the process.
Prepared by: G. Jaya krishna 33
34. EU Annex-11
1 Risk Management
2 Personnel
3 Suppliers and Service Providers
4 Validation
5 Data
6 Accuracy Checks
7 Data Storage
8 Printouts
9 Audit Trails
10 Change and Configuration Management
11 Periodic Evaluation
12 Security
13 Incident Management
14 Electronic Signatures
15 Batch Release
16 Business Continuity
17 Archiving Prepared by: G. Jaya krishna
34
35. EU Annex-11- Overview
All the personnel should have appropriate qualifications, level of
access and defined responsibilities to carry out their assigned duties
and there should be close cooperation among the individuals
Risk management should be applied through out the life lifecycle of the
computerized by considering patient safety, data integrity and product
quality
For critical data entered manually, there should be an additional check
on the accuracy of the data.
Consideration should be given based on risk assessment, to building
into the creation of a record of all GMP relevant changes and deletions
and reason for change shall be captured
Integrity and accuracy of backup data and the ability to restore the data
should be checked during the validation and monitored periodically
Prepared by: G. Jaya krishna
35
36. EU Annex-11- Overview
The extent of security controls depends on the criticality of the
computerized system
Physical or logical controls should restrict access to computerized
system to authorized persons
When a computerized system is used for recording certification and
batch release, the system should allow only authorized persons to
certify the release of batches
All incidents, not only system failures and data errors should be
reported and assessed
The root cause of a critical incident should be identified and should form
the basis of corrective and preventive actions
Prepared by: G. Jaya krishna 36
37. EU Annex-11- Overview
Any changes to a computerized system, including system
configurations should only be made in a controlled manner in
accordance with a defined procedure
For the availability of computerized systems supporting critical
processes, provisions should be made to ensure continuity of support
for those processes in the event of a system breakdown
Computerized systems should be periodically evaluated to confirm that
they remain in a valid state and are compliant with GMP and such
evolutions include Deviation, Upgrade, Security and Validation status
reports
When third parties are used, formal agreements must exist between the
parties and these agreements should include clear statements of the
responsibilities of the third party
Prepared by: G. Jaya krishna 37
38. EU Annex-11- Overview
The Validation documentation and reports should cover the relevant steps
of the life cycle.
Should be able to justify standards, protocols, acceptance criteria,
procedures and records based on the risk assessment.
User Requirements Specifications should describe the required functions
of the computerized system and be based on documented risk assessment
and GMP impact.
User requirements should be traceable throughout the life-cycle.
For critical systems an up-to-date system description detailing the physical
and logical arrangements, data flow and interfaces with other systems or
processes, any hardware and software pre-requisites and security
measures should be available.
The regulated user should take all reasonable steps to ensure that the
system has been developed in accordance with an appropriate Quality
Management System.
Prepared by: G. Jaya krishna
38
39. EU Annex-11- Overview
Documentation supplied with Commercial-off-the-shelf products should be
reviewed by regulated users to check that user requirements are fulfilled.
Evidence of appropriate test methods and test scenarios should be
demonstrated. Particularly, system parameter limits, data limits and error
handling should be considered.
Validation documentation should include Change Control records and reports
on any deviations observed during the validation process.
If data are transferred to another data format or system, validation should
include checks that data are not altered in value and/or meaning during this
migration process.
Computerized systems exchange data electronically with other systems should
include appropriate built-in checks for the correct and secure entry and
processing of data, in order to minimize the risks.
Prepared by: G. Jaya krishna 39
40. 21 CFR Part 11-Background
21 CFR Part 11 is a law that ensures companies implement good business
practices.
21 CFR (Code of Federal Regulations) Part 11 has defined by the US FDA
regulations that set forth the criteria applies to electronic records and electronic
signatures that persons create, modify, maintain, archive, retrieve, or transmit
under any records or signature requirement set forth in the Federal Food, Drug,
and Cosmetic Act, the Public Health Service Act, or any FDA regulation
Part 11 allows a company to implement computer systems that will greatly
increase the efficiency of individuals, reduce errors by identifying risks, and
increase overall productivity of the company.
In March 1997, FDA issued final Part 11 regulations that provide criteria for
acceptance by FDA, under certain circumstances, of electronic records,
electronic signatures, and handwritten signatures executed to electronic
records as equivalent to paper records and handwritten signatures executed on
paper.
Prepared by: G. Jaya krishna 40
41. 21 CFR Part 11-Background
Electronic signatures that are intended to be the equivalent of
handwritten signatures, initials, and other general signings required by
predicate rules.
These regulations, which apply to all FDA program areas, were
intended to permit the widest possible use of electronic technology,
compatible with FDA's responsibility to protect the public health.
Part 11 signatures include electronic signatures that are used, for
example, to document the fact that certain events or actions occurred in
accordance with the predicate rule (e.g. approved,
reviewed, and verified).
Prepared by: G. Jaya krishna 41
42. 21 CFR Part 11-ERES Contents
Subpart A: General Provisions
• 11.1 Scope
• 11.2 Implementation
• 11.3 Definitions
Subpart B. Electronic Records
• 11.10 Controls for Closed Systems
• 11.30 Controls for Open Systems
• 11.50 Signature Manifestations
• 11.70 Signature/Record Linking
Subpart C: Electronic Signatures
• 11.100 General Requirements
• 11.200 (a) Controls and Components for Non-Biometrics
• 11.200 (b) Controls and Components for Biometrics
• 11.300 Identification of Codes and Passwords
Prepared by: G. Jaya krishna
42
43. 21 CFR Part 11-Overview
Validation of systems to ensure accuracy, reliability, consistent, intended
performance and the ability to discern invalid or altered records
The ability to generate accurate and complete copies of records in both human
readable and electronic form suitable for review, inspection
Protection of records to enable their accurate and ready retrieval throughout the
records retention period
Limiting system access to authorized individuals. Unique combination of user
name and password
Use of secure, computer-generated, time-stamped audit trails to independently
record the date & time of operator entries and actions that create, modify or
delete electronic records
Use of operational system checks to enforce permitted sequencing of steps &
events as appropriate
Prepared by: G. Jaya krishna 43
44. 21 CFR Part 11-Overview
Authorized individuals can only use the system and can electronically sign a
record
The persons who develop. Maintain, use ER/ES systems shall have the
Education, Training and Experience to perform their assigned tasks
The individuals are accountable and responsible for the actions initiated under
their electronic signatures
Signature Manifestation it must have Date and time, complete name of signer
and Meaning of signature
Each Electronic signature shall be unique to one individual and shall not be
reused, reassigned to anyone other than the original user
Should verify the identity of an individual before assigning Electronic signature
Prepared by: G. Jaya krishna 44
45. 21 CFR Part 11-Overview
The electronic signatures are intended to be the legally binding equivalent of
traditional handwritten signatures
Electronic signature not based on biometrics shall have two distinguished
components such as Identification code (user name) and password and their
combination should be unique (No two individuals can have the same
combination)
Procedures shall be in place for Password periodic checking, De-authorization
of passwords, invalid attempts.
System shall lockout on consecutive unsuccessful attempts (Invalid attempts)
System shall have auto logout provision
Prepared by: G. Jaya krishna 45