Category Archives: Guidance from Regulators

Regulations and Guidance for Assessing a Computer System Supplier

Hello good people of the world! Today’s post continues the series on compliance in the cloud. It is a simple list of regulations and guidance that you can provide to anyone who asks the question: why do we have to assess suppliers of computer systems/software? These are the reasons why!

FDA 21 CFR Part 820 Quality System Regulation (link)

Section 820.50 Purchasing controls

Each manufacturer shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.

(a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:

(1) Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.

(2) Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.

(3) Establish and maintain records of acceptable suppliers, contractors, and consultants.

EudraLex Volume 4 Annex 11: Computerised Systems (PDF)

Section 3 – Suppliers and Service Providers

3.2 The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment.

3.3 Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users to check that user requirements are fulfilled.

3.4 Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request.

Section 4 – Validation

4.5 The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately.

ICH Guideline Q9 on Quality Risk Management (PDF)

II.4 Quality Risk Management for Facilities, Equipment and Utilities

Computer systems and computer controlled equipment

To select the design of computer hardware and software (e.g., modular, structured, fault tolerance); 

To determine the extent of validation, e.g., 

  • identification of critical performance parameters; 
  • selection of the requirements and design; 
  • code review; 
  • the extent of testing and test methods; 
  • reliability of electronic records and signatures.

II.5 Quality Risk Management as Part of Materials Management

Assessment and evaluation of suppliers and contract manufacturers

To provide a comprehensive evaluation of suppliers and contract manufacturers (e.g., auditing, supplier quality agreements).

ICH Guideline Q10 on Pharmaceutical Quality System (PDF)

Section 2.7 Management of Outsourced Activities and Purchased Materials

  • Assessing prior to outsourcing operations or selecting material suppliers, the suitability and competence of the other party to carry out the activity or provide the material using a defined supply chain (e.g., audits, material evaluations, qualification); 

ICH Guidance E6 on Good Clinical Practice (PDF)

Section 5.5 Trial Management, data handling, and record keeping

5.5.3 When using electronic trial data handling and/or remote electronic trial data systems, the sponsor should: 

(a) Ensure and document that the electronic data processing system(s) conforms to the sponsor’s established requirements for completeness, accuracy, reliability, and consistent intended performance (i.e., validation).

That’s it! Are there any I missed? Comment below!

Like this MWV (Mike Williamson Validation) blog post? Be sure to like, share, and subscribe!


Oral Solid Dose – Quality Risk Management Considerations

Hello good people of the world! Today’s post is the second in the series covering the commissioning, qualification, and validation of facilities, systems, and equipment involved in the manufacture of oral solid dose (OSD) products. This post covers quality risk management.

Quality Risk Management is performed per the principles outlined in ICH Q9. The management process may then be divided up into six (6) steps:

  1. Determine risk areas. These are typically safety, product quality, schedule, cost, etc.
  2. Identify the risks for each area defined in step 1. For example, microbiological contamination may be a risk to product quality, APIs may be a risk to personnel safety.
  3. Identify the failure modes which contribute to the risks identified in step 2. For example, pests contribute to microbiological contamination risk, and HVAC failure could be a vector by which personnel are exposed to an API.
  4. Analyze failure modes and identify mitigations. In our examples procedures around pest control and qualification of HVAC systems could be mitigation to the failure modes identified.
  5. Implement monitoring and CAPA (corrective and preventative action) processes.
  6. Apply a continuous improvement plan to periodically review risks, risk assessments, and mitigation.

There are many tools which may be used to document the process, such as: FMEA, HAZOP, PHA, etc.

How do you execute your quality risk management process?


Corrective Action / Preventive Action (CAPA)

Hello good people of the world! Today’s post is about Corrective Action / Preventive Action, typically referred to as CAPA. CAPA is an integral part of any Quality System, and certainly one of the first things an agency will look at in any audit.

There is a ton of good information out there already on CAPA, including FDA’s own guidance from 2014.

I’ve personally used a few software packages for CAPA management, including MasterControl and Oracle’s Agile, among others, but have not seen any standouts.

The key points of the CAPA program are:

  1. Issue identification, i.e. ensuring the issue is truly understood and well documented
  2. Root cause analysis, i.e. identifying the root cause of the issue
  3. Effectiveness check, i.e. verifying actions have actually resolved the issue

What tips have you learned from your CAPA program? Comment below.


Data Integrity – What It Means for You

Hello good people of the world! Data integrity is an important topic in the information age and has come into focus for regulatory agencies as more and more parts of manufacturing processes become automated. Agencies know that data integrity can directly affect drug quality.

This post covers the MHRA (UK) guidance on data integrity version 2, released March, 2015, which can be found here.

The guidance document defines data integrity as “the extent to which all data are complete, consistent, and accurate throughout the data lifecycle.”

Of course, the concept of data integrity also applies to paper records, but it is the novelty and complexity of computerized systems that makes data integrity applied to electronic records a subject worthy of discussion and exploration. While we’ve had generations to get used to maintaining paper records, electronic records are relatively new, and the best practices for assuring data integrity may still be maturing.

Raw electronic data typically comes from one of four sources:

  1. Direct data capture via instrument/device output (e.g. temperature transmitter, valve actuator feedback, etc.)
  2. Capture of data stream from another computerized system (e.g. electronic chart recorder, electronic scale, etc.)
  3. Automated import of data from another computerized system (e.g. event or alarm log, recipe, etc.)
  4. Manual entry via HMI (Human-Machine Interface)/OIT (Operator Interface Terminal)

Each of these methods is subject to qualification/validation. Method #4 is a unique case in that it may require secondary verification by a separate operator or, in some cases, a supervisor, for critical data or any case where data is being transcribed from another location (electronic or paper-based).

The rules that apply to paper-based data also apply to electronic data. Data must be (ALCOA):

  • Attributable – it must be clear who made the entry
  • Legible – it must be clear what the entry is
  • Contemporaneous – the data must be recorded at the time of action/event
  • Original – the data must be raw
  • Accurate – the data must be correct, complete, and accurate

In order to maintain electronic data integrity, the following concepts are applied:

  1. Access Control
    • Each user shall be uniquely identified
    • Password controls shall be adequate
    • Users shall have only the permissions necessary to perform their job functions
    • A list of current and historic users shall be maintained
  2. Change Control
    • Changes to the system shall be controlled and only available to authorized users
  3. Training
    • All users shall have the training necessary to perform their job functions
  4. Record and Retain Data
    • Required data shall be recorded ALCOA and retained through the lifecycle
  5. Audit Trail
    • Modifications to raw data shall be recorded in an audit trail, with who made the change, the original data, the modified data, when the change was made, and why
    • The audit trail may also record system events, transactions, logins, etc.
  6. Review Data
    • Data shall be available for review
  7. Backup Data
    • Data shall be backed up to ensure redundancy and eliminate any single point of failure

Originally, audit trails only captured changes to raw data, the way a line-out would capture a correction on a paper record. Now, much more may be expected of the audit trail, and audit trail functionality may consist of multiple system reports, for example records of logins (attempted and successful), application transactions, and any change to application data or metadata. In addition, the audit trail report is expected to:

  • Record the original and modified values of any data change with user and date/time stamp
  • Not be editable
  • Be viewable and understandable by end-users (that means no foreign key values or other coded/hex values please!)
  • Be reviewed as part of batch release
  • Be regularly backed up

Some more considerations around your audit trail:

  1. Do administrators have the ability to modify or disable the audit trail? If yes, how is the added risk controlled?
  2. Does the audit trail contain enough data to allow robust data review?
  3. Do the items in the audit trail include enough relevant items that will permit the reconstruction of the process or activity?
  4. What is the process for audit trail review?
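An added example (not from the original post or the MHRA guidance): a minimal Python audit trail that records who made a change, the original and modified values, when and why, as listed above. The SHA-256 hash chain used to make later edits detectable is an assumption of this example, as are all function and field names.

```python
import hashlib
import json
from datetime import datetime, timezone

# Fields the post says every data-change entry must carry (names are hypothetical).
REQUIRED = ("user", "record_id", "original", "modified", "timestamp", "reason")
GENESIS = "0" * 64  # prev_hash of the first entry


def _digest(entry: dict, prev_hash: str) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    body = json.dumps({k: entry[k] for k in REQUIRED}, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_change(trail, user, record_id, original, modified, reason, when=None):
    """Append one data-change entry; refuses entries with no user or reason."""
    if not user or not reason:
        raise ValueError("audit entry needs an identified user and a reason")
    entry = {
        "user": user,
        "record_id": record_id,
        "original": original,
        "modified": modified,
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "reason": reason,
    }
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    entry["prev_hash"] = prev_hash
    entry["hash"] = _digest(entry, prev_hash)
    trail.append(entry)
    return entry


def verify_trail(trail):
    """Return a list of (index, problem) findings; an empty list means intact."""
    findings = []
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        missing = [k for k in REQUIRED if entry.get(k) in (None, "")]
        if missing:
            findings.append((i, "missing fields: " + ", ".join(missing)))
        elif entry.get("prev_hash") != prev_hash:
            findings.append((i, "chain broken: entry removed or reordered"))
        elif entry.get("hash") != _digest(entry, prev_hash):
            findings.append((i, "entry content altered after recording"))
        prev_hash = entry.get("hash", "")
    return findings
```

A hash chain only reveals tampering to a reviewer who holds a trusted copy of the latest hash, so that value should be kept where the system's administrators cannot write to it.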

Some more considerations around your user access procedures:

  1. Is there a procedure that describes how access is granted to a user, defines each user group, and their access levels?
  2. Is user access granted only after a documented training has been completed?
  3. Do users have only access rights appropriate for their job role (tied to SOP ideally)?
  4. Is it clear what rights a specific individual has (e.g. via user rights report)?
  5. Is historical information regarding user access levels available?
  6. Are shared logins or generic user access accounts used? Should avoid these!
  7. Is administrator access restricted to the minimum number of people required? Don’t want excessive numbers of admins!
  8. Is the generic administrator account available for use? Don’t allow this!

How do you assure data integrity in your organization?


WHO’s Draft Guidelines on Validation May 2016

Hello good people of the world! On May 15, 2016, the World Health Organization released its draft Guidelines on Validation. It is available on the WHO website for download here.

This post covers my review of the guidance.

Controlled Room Temperature


Hello good people of the world! Today’s post is about controlled room temperature, which is of importance for any space holding drug products, including manufacture, storage, and transportation. Storage temperature requirements are closely related to drug stability, so are an important focus of regulatory agencies.

The US Pharmacopeia has at least two applicable monographs:

Good Storage and Shipping Practices


Pharmaceutical Stability

ISPE summarizes the general industry approach nicely in the Good Practice Guide on Cold Chain Management (not free but available here):

“‘Controlled room temperature’ indicates a temperature maintained thermostatically that encompasses the usual and customary working environment of 20° to 25°C (68° to 77°F); that results in a mean kinetic temperature calculated to be not more than 25°C; and that allows excursions between 15° and 30°C (59° and 86°F) that are experienced in pharmacies, hospitals, and warehouses.”

How do you control your room temperature space? Leave a comment below and please share this post with whomever you think would benefit.


Revision to EudraLex Volume 4 August 2014


Hello good people of the world! Another short post today, this one on the revision to EudraLex Volume 4 (GMPs) dated 13 August 2014. The revision is here. A short revision, the changes include updates to Chapter 3 (Premises and Equipment) and Chapter 5 (Production) around prevention of cross-contamination and qualification of suppliers.

Of note is the increased guidance around the use of quality risk management principles.

The revision will come into effect in March 2015.

What do you think of these changes? How will you adjust your quality program, if at all?


Environmental Control and Monitoring for Aseptic Processing


Hello good people of the world! Today’s post is an overview of environmental control and monitoring for aseptic processing.

Applicable references for the US are:

  • FDA Guideline for “Sterile Drug Products Produced by Aseptic Processing” September, 2004
  • FDA Guideline for the submission of “Documentation for Sterilization Process Validation in Applications for Human and Veterinary Drug Products”
  • 21 CFR Part 211 — Current Good Manufacturing Practices for Finished Pharmaceuticals


Environmental control is designed to prevent microbiological contamination of sterile products.

Environmental monitoring is designed to detect microbiological contamination in aseptic processing areas.

Scope: Environmental control and monitoring is a required part of aseptic processing, i.e. where “terminal” sterilization is not possible. Terminal sterilization means the finished drug product is sterilized at the last step of the process via heat, radiation or other. Many pharmaceuticals and most biologics do not tolerate terminal sterilization, thus the importance of aseptic processing.

Control Considerations:

  1. Air particle count: maintaining air particle counts is critical to aseptic processing, because particles themselves can be harmful, and likely carry microorganisms.
  2. Cleanroom design: for the aseptic core (where critical aseptic process steps occur, e.g. where product is open to the environment) the FDA recommends class 100. The core should be surrounded by class 1,000 or class 10,000 areas.
  3. Air pressure differentials: the FDA recommends a 10-15 Pascal pressure differential between rooms of differing classification, with the higher pressure in higher-class rooms, so that air naturally flows outward to the lower class rooms.
  4. HEPA filtration: High Efficiency Particulate Air (HEPA) filters should be used in class 100 rooms to aid in particle removal
  5. Equipment: should be cleanable and non-shedding. Stainless steel is the preferred material of construction for equipment surfaces.
  6. Process design: processes should be designed with minimizing contamination risks in mind (e.g. don’t force operators to reach over open product)
  7. Process Validation: media runs should be performed to demonstrate the process can run aseptically

Monitoring Considerations:

  1. Air quality measurements should look at viable and nonviable particulate levels
  2. Particle counting: ongoing monitoring should look at particle counts in critical areas
  3. Active sampling: devices such as impaction and membrane samplers should be used to evaluate aseptic processing areas
  4. Passive sampling: settling plates should be used to collect microbial information
  5. WFI and other excipients: should be routinely tested for microbial/particulate load
  6. Personnel: the greatest single contributor of particulates and microbes in a cleanroom. Steps (training, gowning, testing) must be taken to minimize risk


EU Guidance Revision: EudraLex Volume 4, Annex 15, Qualification and Validation



Hello good people of the world! On February 6, 2014 the European Commission released a draft revision of EudraLex Volume 4, Annex 15 “Qualification and Validation” for comments.

The previous version (latest approved at the time of this blog post) is available here.

The new draft version is here.


General: the guidance has increased from 11 pages to 17, with added sections on “Verification of Transportation,” “Validation of Packaging,” “Qualification of Utilities,” “Validation of Test Methods,” and “Cleaning Validation.”

Detailed differences in each section are highlighted below.