FDA Compliance / Automation Validation of Automated Systems for FDA Compliance
FDA regulatory compliance is a mission-critical requirement. If the FDA finds a manufacturer to be non-compliant to or in violation of FDA rules, the consequences can be severe with warning letters, mandatory product recalls, temporary shutdowns, criminal penalties and fines depending on the severity of the violation. These penalties imposed by FDA could seriously dent the manufacturer’s brand image and at times could even cripple the manufacturer financially.
If a manufacturing process is highly automated, the basic process control system will play an important role in obtaining quality certification for the process. Every organisation, which utilises such systems, has a support structure of personnel and procedures to maintain and modify these systems, albeit in many cases this infrastructure may be lacking in documentation, producing a system that can be insecure and vulnerable for a process seeking quality certification. Whether trying to achieve certification or improve the integrity and security of this vital piece of operating equipment, one should take this opportunity to develop a methodology that not only documents the system’s logic, but also documents the personnel and procedures that support the system, as well. Accurate documentation is very vital.
This documentation provides guidance to persons, who in fulfillment in a statute or another part of FDA’s regulations to maintain records or submit designated information electronically and, as result, have become subject to part 11. Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in agency regulations. Part 11 also applies to electronic records submitted to the agency under the Federal Food, Drug and Cosmetic Act and Public Health Act (the PHS Act), even if such records are not specifically identified in agency regulations. The underlying requirements set forth in the Act, PHS Act and FDA regulations (other than part 11) are referred to in this guidance document as predicate rules.
FDA Compliance: 21 CFR Part 11 Demands
- A common enterprise wide IT system to provide visibility into the processes and performance metrics at various operational and management levels.
- Enterprise solution also should immutably be linked to all components of manufacturing (including equipment, raw materials and inventories) analytical laboratories as well for the distribution – purview of USFDA for capturing nonconformance out of spec production, tracking and managing the corrective action process
- IT systems have to have audit trail forensuring successful implementation of recommendations
- IT system should also improve efficiency and speed in operations as well as regulatory process
But what are the basics in terms of FDA compliance one has to keep in mind?
Compliance auf Automation Systems: Basics
- Any IT solution not linked to enterprise level is not going to serve the purpose
- Any IT solution not linked to production, equipment, operators is going to fail the compliance test
- Any IT solution at enterprise level, linking to facilities but not having audit trail would also fail (corollary: if an organisation does employ electronic records and signatures but fails to comply with the systems requirements, the USFDA would cite the firm for violating the underlying regulation – 21 CFR 211.198(b)).
As a outgrowth of its current Good Manufacturing Practice (cGMP) initiative for human and animal drugs and biologics, FDA is reexamining part 11 as it applies to all FDA regulated products. We anticipate initiating rulemaking to change part 11 as a result of this re-examination. FDA issued final part 11 regulations, which provide criteria for acceptance by FDA under certain circumstances, of electronic records, e-signatures and handwritten signatures executed to e-records as equivalent to paper records and handwritten signatures executed on paper. These rules that apply to all FDA program areas, were intended to permit the widest possible use of IT compatible with FDA’s responsibility.
Definition of part 11 records
FDA considers part 11 to be applicable to the following records or signatures in electronic format (part 11 records or signatures):
- Records that are required to be maintained under predicate rule requirements, and that are maintained in e-format in place of paper format. Also, records (and any associated signatures) that are not required to be retained under predicate rules, but that are nonetheless maintained in e-format, are not part 11 records.
- Records required to be maintained under predicate rules, that are maintained in eformat in addition to paper format, and that are relied on to perform regulated activities.
In some cases, actual business practices may dictate whether you use a computer to generate a paper printout of the e-records, but you however rely on the e-record to perform regulated activities, the agency may consider to be using the e-record instead of paper record. That is, the agency may take your business practices into account in determining whether part 11 applies.
Thus, we suggest that, for each record required to be maintained under predicate rules, you decide in advance if you plan to rely on the e-record or paper record to do regulated activities. We say that you document this decision (e.g. in a Standard Operating Procedure), or a specification document. So how does the audit procedure look like?
- Records submitted to FDA under predicate rules (even if such records are not specifically identified in agency regulations) in e-format (assuming the records have been identified in docket number 92S-0251 as the types of submissions the agency accepts in e-format ). But, a record, not itself submitted, but is used in generating submission, is not a part 11 record unless it’s otherwise needed to be maintained under a predicate rule and it’s kept in e-format.
- E-signatures that are intended to be the equivalent of handwritten signatures, initials and other general signings required by predicate rules. Part 11 signatures include e-signatures that are used, for example to document the fact that certain events or actions occurred in accordance with the predicate rule (e.g. approved, reviewed and verified).
Approach to Compliance to Part 11
FDA holds that decision to validate computerised systems, and the extent of the validation, take into account the impact the systems have on your ability to meet predicate rule requirements. One should also consider the impact those systems might have on the accuracy, reliability, integrity, availability and authenticity of needed records and signatures. Even if there’s no predicate rule requirement to validate a system, in few cases it may be important to validate the system.
The agency intends to exercise enforcement discretion regarding specific part 11 requirements related to computer generated, time stamped audit trails. Persons must still comply with all applicable predicate rule requirements related top documentation of, for example, date, time or sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries.
Even if there are no predicate rule requirements to document, for example, date, time or sequence of events in a particular instance, it may nonetheless be important to have audit trails or other physical, logical or procedural security measures in place to ensure the trustworthiness and reliability of the records. We recommend that you base your decision on whether to apply audit trails, or other appropriate measures, on the need to comply with predicate rule requirements, a justified and documented risk assessment, and a determination of the potential effect on product quality and safety and record integrity. We suggest that you apply appropriate controls based on such an assessment. Audit trails can be particularly appropriate when users are expected to create, modify or delete regulated records during normal operation.
What is the FDA Audit Trail Supposed to Do?
- To check application commitments and to verify authenticity and accuracy of data contained in submissions
- To assure that the product development was done justifying process attributes
- To ensure development facilities comply with GMP standards
- To ensure manufacturing facilities comply with GMP standards
- To ensure related controlled facilities (like water, clean steam, HVAC, gases, raw materials delivery, vendors etc.) comply with GMP standards
In the end, being prepared makes the differece – this is especially true in terms of auditing as the next paragraph shows.
How to Get the FDA Compliance Audit by Keeping Records
Option A: Hard copies of data and documents as is the current practice Option B: Hybrid system of converting data into documents and then using DMS. DMS with the features like – Preparation, Approval, Control, Amendment, Withdrawal, Distribution and Archival.
Option C: Total IT based audit system, where software needed are – ERP/SAP/CAMMS with audit trail functionality, DMS and special software modules for process validation and analytical testing validation.
‘Option A’ needs one to keep log reports over a considerably long time period, and is cumbersome to adhere for validation. ‘Option B’ is an improvement, but, there is considerable time and effort required in preparation to archival of the records. ‘Option C’ is the latest and the most sophisticated solution.
The process validation of the system is documented based on the process parameters that are provided by the owner. However, templates provided by the software vendor aid in asset qualification and validation. The
21 CFR Part 11 Validation Plan includes compliance approach, organisation, system validation, risk evaluation, system gap analysis and remediation. The software package supports SOP’s (Standard Operating Procedure) which needs to be worked as per compliance approach by the client. The detailed module covers internal as well as external expertise levels validation. The system validation covers various system validation related to Process and Analytical know how and associated risks. In Gap Analysis, unadressed requirements and program/module/interface – integrity documentation is tested. Subsequently, the lvel of risk evaluated is mitigated based on the client’s requirements.
Forewarned is Forearmed – Preparing for FDA Audit
The Agency intends to exercise enforcement discretion with regard to specific part 11 requirements for generating copies of records and any corresponding requirement. You should provide an investigator with reasonable and useful access to records during an inspection. All records held by you are subject to inspection in accordance with predicate rules.
FDA recommends that you supply copies of electronic records by – producing copies of records held in common portable formats when records are maintained in these formats, and using established automated conversion or export methods, where available, to make copies in a more common format (examples of such formats include, but are not limited to, PDF, XML OR SGML).
In each case, we recommend that the copying process used produces copies that preserve the content and meaning of the record. If you have the ability to search, sort or trend part 11 records, copies given to the agency should provide the same capability if it is reasonable and technically feasible. You should allow inspection, review and copying of records in a human readable form, at your site using your hardware and following your hardware and following your established procedures and techniques for accessing records.
FDA also intends to exercise enforcement discretion with regard to the part 11 requirements for the protection of records to enable their accurate and ready retrieval throughout the records retention period, and any corresponding requirement. Persons must still comply with all applicable predicate rule requirements for record retention and availability. We suggest that your decision on how to maintain records must be based on predicate rule requirements, and that you base your decision on a justified and documented risk assessment and a determination of the value of records over time.
FDA does not intend to object if you decide to archive required records in electronic format to nonelectronic media such as microfilm, microfiche, and paper or standard electronic file format (examples of such formats include, but are not limited to, PDF, XML or SGML). Persons must still comply with all predicate rule requirements and the records themselves, and any copies of the required records should preserve the meaning and content.
As long as predicate rule requirements are fully satisfied and the content and meaning of the records are preserved and archived, you can delete the electronic version of the records. In addition, paper and electronic record and signature components can co-exist (i.e. hybrid situation) as long as predicate rule requirements are met and the content and meaning of those records are preserved.
Application and Benefits of FDA Appliance
The compliance to 21 CFR part 11 offers several benefits, such as – cost benefits-by aiding the production of systems that are fit for purpose, meet user and business requirements, and have acceptable operation and maintenance costs; better visibility of projects to ensure delivery on time, on budget, and to agreed quality standards; increased understanding of the subject and introduction of a common language and terminology; reductions in the cost and time taken to achieve compliant systems; improved compliance with regulatory expectation by defining a common and comprehensive life cycle model and clarification of the division of responsibility between user and supplier.
As an example, consider the application of BPCS (Batch Process Control System) in one of the plants of Glaxo SmithKline. The size of the automation system is approximated at 4500 I/O, 40 batch operations of varying sizes, over 800 programs and approximately 580 process and safety interlocked measurements. With the exception of three small annuciator panels, the BPCS provides entire operator interface for the various
automation systems. The majority of the initial programming was performed by the engineering firm contracted to provide the detail design and construction of the three units. As a result of this contract, various electronic files of software documentation were provided to plant personnel upon startup.
The plant automation support group decided to maintain these documents as they were an invaluable tool for troubleshooting and optimising such a vast amount of software. Because of the closely scheduled start-ups, this period proved to be very active for the software of all three units. Therefore, it was desirous to have a method to document what modifications had been requested, and which requests had been completed for any given unit since the last shift cycle.
Two simple spreadsheets were quickly developed to request modifications as needed and to post, daily, the last 30 modifications completed, sorted by unit. Unknown to the DCS support group at the time, all of these documents would become the infrastructure of the DCS Quality System. Development of the ‘e-records’ from DCS itself continues to evolve and improve, and has provided countless opportunities to support the work of the DCS group, which maintains it. The DCS Quality Control Log Sheet documents every modification made by date, item modified (i.e. tag, program, graphic), short description and initials of the person making the modification. This historical value of this database is priceless as it is referred to on a regular basis: The log sheet is an invaluable tool for troubleshooting the performance history of a specific loop or program.Queries are made regularly to determine the number of modifications performed concerning a specific tag or program, when they’re made, and what modifications’re made. The log sheet entry identifies the original process automation request in the quality record filing system by date if more detail is needed concerning the modifications made.
What to Do With Equipment Shutdowns
Start-ups and shutdowns of BPCS and SIS equipment are rare enough that even experienced DCS support personnel need reminders of the most efficient method to minimise the downtime of the process units.
The BPCS/SIS Start-up Checklist has been used on many occasions, such as unexpected power failures, post-software upgrades check-outs, and planned maintenance outages. The checklist continuously improves as more items are added which further ensure the systems are operating properly after any interruption. The ‘shutdown procedure’ has also proven beneficial because it documents a complete system shutdown, as well as the most effective partial shutdown of the automation equipment. In the event of an unplanned power outage, the BPCS and SIS are operating from limited UPS battery sources. A partial shutdown procedure documents the most effective way to conserve energy without losing the process controlling components and providing minimal operator interfaces.
Strategy Makes the Difference – Efforts Are Investments!
On several occasions, this strategy has made the difference between no shutdown at all and a two-hour start-up of the BPCS equipment at a time when this equipment is urgently needed. Previous annual releases of
some documents are kept on file as quality records for some specified number of years. An example of such a document is the units’ interlock matrices. The interlock systems, both process and safety, are documented using a cause/effect matrix methodology. The previous five (+) annual releases of these matrices are available on file, and have been used on several occasions to discuss the history and evolution of the interlock system.
Thus, the efforts to validate the automation system enable one to maintain and improve the system have been – and are genuine investments in time and patience. However, the documented knowledge-base which has grown as a result of this commitment over the last few years has been well worth these investments for those of us who currently support and operate the equipment and for those who will follow us in the future.