Regulations and Guidance for Assessing a Computer System Supplier

Hello good people of the world! Today’s post is continuing the series on compliance in the cloud. Today’s post is a simple list of regulations and guidance that you can provide to someone who asks the question: why do we have to assess suppliers of computer systems/software? These are the reasons why!

FDA 21 CFR Part 820 Quality System Regulation (link)

Section 820.50 Purchasing controls

Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.

(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:

(1) Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.

(2) Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.

(3) Establish and maintain records of acceptable suppliers, contractors, and consultants.

EudraLex Volume 4 Annex 11: Computerised Systems (PDF)

Section 3 – Suppliers and Service Providers

3.2 The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment.

3.3 Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users to check that user requirements are fulfilled.

3.4 Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request.

Section 4 – Validation

4.5 The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately.

ICH Guideline Q9 on Quality Risk Management (PDF)

II.4 Quality Risk Management for Facilities, Equipment and Utilities

Computer systems and computer controlled equipment

To select the design of computer hardware and software (e.g., modular, structured, fault tolerance); 

To determine the extent of validation, e.g., 

• identification of critical performance parameters; 
• selection of the requirements and design; 
• code review; 
• the extent of testing and test methods; 
• reliability of electronic records and signatures.

II.5 Quality Risk Management as Part of Materials Management

Assessment and evaluation of suppliers and contract manufacturers

To provide a comprehensive evaluation of suppliers and contract manufacturers (e.g., auditing, supplier quality agreements).

ICH Guideline Q10 on Pharmaceutical Quality System (PDF)

Section 2.7 Management of Outsourced Activities and Purchased Materials

• Assessing prior to outsourcing operations or selecting material suppliers, the suitability and competence of the other party to carry out the activity or provide the material using a defined supply chain (e.g., audits, material evaluations, qualification); 

ICH Guidance E6 on Good Clinical Practice (PDF)

Section 5.5 Trial Management, data handling, and record keeping

5.5.3 When using electronic trial data handling and/or remote electronic trial data systems, the sponsor should: 

(a) Ensure and document that the electronic data processing system(s) conforms to the sponsor’s established requirements for completeness, accuracy, reliability, and consistent intended performance (i.e., validation).

That’s it! Are there any I missed? Comment below!

Like this MWV (Mike Williamson Validation) blog post? Be sure to like, share, and subscribe!

Advertisement

Oral Solid Dose – Architectural Considerations

Hello good people of the world! Today we’re talking about architectural considerations in the design of oral solid dose (OSD) manufacturing facilities.

In addition to normal architectural standards, the following must be considered for OSD manufacturing facilities:

• Manufacturing process flow
• Personnel flow
• Equipment flow (clean and dirty)
• Waste flow

Risks to consider when mapping flows include:

• Risk of contamination from outside contaminates
• Risk of cross-contamination
• Risk of mix-up

Risk mitigations should consider:

• Process containment
• Isolators
• Environmental controls
• Room size
• Transition spaces and airlocks
• Personnel controls such as gowning
• Administrative controls such as frequency of operation

Like this MWV (Mike Williamson Validation) blog post? Be sure to like, share, and subscribe!

Oral Solid Dose – Isolation and Containment

Hello good people of the world! Today we’re going to talk about isolation and containment considerations in oral solid dose manufacturing. The purpose of isolation and containment is to control the level of pharmaceutical ingredient exposure to personnel and the environment. It is typically not possible to eliminate all exposures, so we try to reduce it to a tolerable level, which must be defined.

The CFRs and other regulations require manufacturers to limit exposure to customers of any undesirable substance. Limits have been established by industry group and regulatory bodies, and quantify things such as Allowable Daily Exposure (ADE).

Things to look at when considering isolation and containment include:

• Material flow
• Personnel flow
• Operator interventions
• Sampling
• Waste flow
• Maintenance procedures
• Utility interactions

Isolation and containment risks must be evaluated and mitigated to get a solid handle on the implications. A multi-disciplinary approach must be used. Migations may include:

• Physical barriers
• Air control
• Cleaning procedures
• Disposables
• Training

What considerations come in to play in your isolation/containment strageties? Comment below!

Like this MWV (Mike Williamson Validation) blog post? Be sure to like, share, and subscribe!

Oral Solid Dose – Supporting Equipment and Systems

Hello good people of the world! Continuing the series on oral solid dosage forms, today we’re going to talk about supporting equipment and systems. The main equipment in unit operations get the spotlight when it comes to manufacturing Oral Solid Dosage forms, but they cannot work without supporting equipment and systems.

Supporting Equipment:
Typical supporting equipment in a OSD manufacturing process includes:

1. Air Systems: all modern manufacturing processes use air systems for process, instruments, and environment. HVAC helps control environmental conditions, including particulate (viable and nonviable) counts, temperature, and humidity. Compressed air systems may be used in the process to cool or cover product, such as with nitrogen, or operate unit operation steps, such as in fluid bed drying. Automated systems will use compressed air to pneumatically control valves and other components.
2. Dust Collection: compared to biotech and other pharmacuetical processes, OSD processes have the added complication of dust collection. OSD material movement and processes can create a lot of dust, which can be a risk from a product quality point-of-view, but also a safety point-of-view, since dust can lead to fires and even explosions. Dust collection equipment must be employed to minimize and control dust.
3. Vacuum Systems: vacuum systems may be used for cleaning, dust collection, and also in process steps such as vacuum drying.

Supporting Systems:
Typical supporting systems include:

1. Change Control: it is expected that engineering changes are controlled with quality oversight through a formal process.
2. Preventive Maintenance: it is expected that regular preventive maintenance be performed and documented formally.
3. Calibration: it is expected that “critical” instruments are calibrated at regular intervals traceable to an international standard. Calibration procedures and results must be formally documented. The method to determine and results of the determination of critical instruments must be documented.

What supporting equipment and/or systems do you use in your OSD manufacturing process? Comment below!

Like this MWV (Mike Williamson Validation) blog post? Be sure to like, share, and subscribe!

Oral Solid Dose – Material Handling

Hello good people of the world! Continuing the series on oral solid dosage forms, today we’re going to talk about material handling. Oral solid dose manufacturing is typically a batch process, which means materials need to be transferred from step-to-step. Sometimes there is direct conveyance between steps, but often transfer is performed via Intermediate Bulk Container (IBC).

In terms of design, IBCs should be able to handle the worst-case (lowest) density material in the process. IBCs should be cleanable, especially if a single container will support many product manufacturing processes. IBCs should be designed in such a way that they drain easily. Charging/discharging must be considered.

IBCs may be transported on wheels, or by a pallet truck.

Discharging may be facilitated by applying vibrations to the IBC, either internally or externally.

For direct conveyance, gravity, pneumatic conveyance, and mechanical conveyors are options.

What considerations around material handling do you have in your OSD lines? Comment below!

Like this MWV (Mike Williamson Validation) blog post? Be sure to like, share, and subscribe!

Oral Solid Dose – Equipment Cleaning

Hello good people of the world! Continuing the series on oral solid dosage forms, today we’re going to talk about equipment cleaning. OSD manufacturing equipment can be notoriously hard to clean, and manual cleaning procedures introduce high risk of contamination and carryover. It is recommended that any new or existing process equipment be cleaned with automated processes wherever possible.

The three automated cleaning processes typically used in industry are:

• Clean-in-Place (CIP)
• Wash-in-Place (WIP)
• Clean-out-of-Place (COP)

CIP is done without moving the equipment, as the name implies, and uses a CIP skid to deliver cleaning and rinse solutions. CIP should not require any manual operations.

WIP is done in-place as well, but may include some manual operations, such as removing filters.

COP requires equipment to be moved to a wash station. Tanks and vessels are typically COP’d.

Some specific concerns related to cleaning OSD equipment include:

• Dry Granulator/Roller Compactor cannot typically be CIP’d. Particularly the auger must be removed and COP’d.
• Fluid Bed Dryers a large and complex, making cleaning difficult. Modern dryers will include CIP/WIP but typically still require manual cleaning of some parts.
• Milling equipment typically requires the screen to be manually removed before any CIP/WIP.
• Tablet presses can be difficult to clean, requiring many manual interventions prior to washing.
• Capsule filling machines should be wettable to allow cleaning.
• Tablet coaters should include WIP

Of course, cleaning processes, whether automated or not, need to be validated. Riboflavin tests may be performed to verify wash coverage, and swabbing can verify lack of residual API and cleaning solutions.

What challenges have you run into in cleaning your OSD manufacturing equipment? Comment below!

Like this MWV (Mike Williamson Validation) blog post? Be sure to like, share, and subscribe!

Oral Solid Dose – Equipment

Hello good people of the world! Today’s post is the third in the series covering the commissioning, qualification, and validation of facilities, systems, and equipment involved in the manufacture of oral solid dose (OSD) products. This post covers the equipment used to manufacture these products.

Considerations include: materials of construction, sampling, and cleanability.

1. Materials of Construction: it is critical that equipment materials do not react with or otherwise adulterate the product being manufactured. Materials of construction may be metals (e.g. 316L stainless steel), plastics, or elastomers. Other considerations include design documentation, surface finish including at welds, and any certification required.
2. Sampling: equipment must be designed so that sampling is facilitated where required. Sampling is typically a mitigation for product quality failure modes such as content uniformity in granulation, over/under drying in drying, failed particle size distribution in milling, leakage in encapsulation, and over spray in coating, among others.
3. Cleanability: automated clean-in-place (CIP) cleaning procedures are preferred where practical. Manual cleaning and sterilization may also be considerations.

What do you think about in terms of your OSD manufacturing equipment?

Like this MWV (Mike Williamson Validation) blog post? Be sure to like, share, and subscribe!

Oral Solid Dose – Quality Risk Management Considerations

Hello good people of the world! Today’s post is the second in the series covering the commissioning, qualification, and validation of facilities, systems, and equipment involved in the manufacture of oral solid dose (OSD) products. This post covers quality risk management.

Quality Risk Management is performed per the principles outlined in ICH Q9. The management process may then be divided up into six (6) steps:

1. Determine risk areas. These are typically safety, product quality, schedule, cost, etc.
2. Identify the risks for each area defined in step 1. For example, microbiological contamination may be a risk to product quality, APIs may be a risk to personnel safety.
3. Identify the failure modes which contribute to the risks identified in step 2. For example, pests contribute to microbiological contamination risk, and HVAC failure could be a vector by which personnel are exposed to an API.
4. Analyze failure modes and identify mitigations. In our examples procedures around pest control and qualification of HVAC systems could be mitigation to the failure modes identified.
5. Implement monitoring and CAPA (corrective and preventative action) processes.
6. Apply a continuous improvement plan to periodically review risks, risk assessments, and mitigation.

There are many tools which may be used to document the process, such as: FMEA, HAZOP, PHA, etc.

How do you execute your quality risk management process?

Like this MWV (Mike Williamson Validation) blog post? Be sure to like, share, and subscribe!

ISPE’s Commissioning and Qualification Guide Second Edition

Hello good people of the world! Today’s post covers ISPE’s release of the second edition of their commissioning and qualification guide. This is volume 5 of the baseline guides. The first edition was first released way back in March 2001, so we should expect this to be a significant revision. Please note this guide is not available for free.

One very nice thing about this second edition is that it not only updates the first edition of the volume 5 guide, but incorporates scope from two other now-outdated guides as well: “Science and Risk-Based Approach for the Delivery of Facilities, Systems, and Equipment” and “Applied Risk Management for Commissioning and Qualification.” So if you have these in your library, you can safely archive them.

It’s always important to note that industry guides such as this one do not constitute regulations and are not required to be followed. It is often the case however that best practices documented in guides become industry standard, and then set expectations for regulators. Per the guide, it is intended to comply with EU GMP Annex 15, FDA Guidance on Process Validation, and ICH Q9.

The table of contents shows the following sections:

1. Introduction
2. User Requirements Specification
3. System Classification
4. System Risk Assessment
5. Design Review and Design Qualification
6. C&Q Planning
7. C&Q Testing and Documentation
8. Acceptance and Release
9. Periodic Review
10. Vendor Assessment for C&Q Documentation Purposes
11. Engineering Quality Process
12. Change Management
13. Good Documentation Practice for C&Q
14. Strategies for Implementation of Science and Risk-Based C&Q Process

And the following appendices:

1. Regulatory Basis
2. User Requirements Specification Example
3. System Classification Form Example
4. Direct Impact System Examples
5. System Risk Assessment Example
6. Design Review/Design Qualification Examples
7. Supporting Plans
8. System Start-Up Examples
9. Discrepancy Form Example
10. Qualification Summary Report Examples
11. Periodic Review Example
12. Periodic Review for Controlled Temperature Chambers
13. Vendor Assessment Tool Example
14. Organizational Maturity Assessment Example
15. Approach to Qualifying Legacy Systems or Systems with Inadequate Qualification
16. References
17. Glossary

You’ll have to purchase the guide to get all the details, but below are some highlights that stuck out to me:

• This second edition introduces the term Critical Design Elements (CDEs). CDEs are defined as “design functions or features of an engineered system that are necessary to consistently manufacture products with the desired quality attributes.”
• Concepts that were removed from this edition of the guide include Component Criticality Assessment, Enhanced Commissioning, Enhanced Design Review, Enhanced Document, Indirect Impact (systems are either direct impact or not direct impact now), and the V-Model.
• A Direct Impact system is defined as a system that directly impacts product CQAs, or directly impacts the quality of the product delivered by a critical utility system. All other systems are considered to be not direct impact. An example included in section 3 demonstrates the previously categorized “indirect impact” systems would become not direct impact systems and would be commissioned only, although the commissioning for these system may be more robust than a purely “no impact” system. The guide provides an eight (8) question process for determining if a system is direct impact.
• System boundaries should be marked on design drawings.
• Inputs to the URS should include: CQAs, CPPs, regulatory, organization quality, business, data integrity and storage, alarm, automation, and health, safety, and environmental requirements, and engineering specifications and industry standards. The example URS template does include a classification of each requirement (e.g. business, safety, quality).
• A system risk assessment is performed to identify CDEs and controls required to mitigate risks. Standard off-the-shelf systems typically do not require a risk assessment. Risk levels are defined as low, medium, and high and the risk assessment approach is not a typical FMECA process. Instead each CQA at each step gets one entry on how the CQA can be impacted, what are the design controls around that CQA and any alarm or procedural controls to mitigate risk. The residual risk post-controls is includes as low, medium, or high.
• Design Qualification looks somewhat informal 0=- no DQ protocol, but a DQ report that summarizes other documents (URS, SIA) and design review meetings.
• A C&Q plan should include clear scope, the execution strategy, documentation expected for each system (URS, FAT, SAT, IOQ, SOPs, etc.), and roles and responsibilities (e.g. approval matrix).
• The discrepancy form has closure signatures only (no pre-implementation signatures)
• For legacy systems without adequate C&Q documentation, focus should be on identifying product and process user requirements including Critical Quality Attributes (CQAs) and Critical Process Parameters (CPPs), and then the Critical Design Elements (CDEs) that affect them. It is necessary to confirm that accurate drawings exist, that maintenance files are up-to-date, and there is test evidence to support changes since commissioning. A risk-based approach can be used to qualify the system in the absence of typical C&Q documentation.

Do you use the ISPE guides for your C&Q approach? Comment below.

Like this MWV (Mike Williamson Validation) blog post? Be sure to like, share, and subscribe!

 

Can SharePoint Online be Compliant?

SharePoint is an off-the-shelf configurable software solution that has been offered by Microsoft since 2001. It is popular in many industries (including Biotech, Pharmaceutical, and Medical Device) for document management, local Intranet, and many other applications. However, if SharePoint is being used for any GxP purpose, you better believe it is subject to 21CFR11 and/or Annex 11. Continue reading Can SharePoint Online be Compliant? →