J u n e 2 0 1 7 Reduce Risk in a data integRity WoRld: appRoaches to ensuRe compliance Presented in partnership with Sponsored by ® 485F US Highway One South, Suite 210, © 2017 UBM. All rights reserved. No part of this Iselin, NJ 08830 publication may be reproduced or transmitted in any (732) 596-0276 form or by any means, electronic or mechanical including by photocopy, recording, or information storage PuBLISHInG & SALeS and retrieval without permission in writing from the publisher. Authorization to photocopy items for internal/ Michael J. Tessalone educational or personal use, or the internal/educational Vice President/Group Publisher or personal use of specific clients is granted by UBM for [email protected] libraries and other users registered with the Copyright Clearance Center, 222 Rosewood Dr. Danvers, MA edward Fantuzzi 01923, 978-750-8400 fax 978-646-8700 or visit http:// Publisher www.copyright.com online. For uses beyond those listed above, please direct your written request to Permission Stephanie Shaffer Dept. fax 440-756-5255 or email: Maureen.Cannon@ Sales Manager ubm.com. Brianne Molnar UBM Americas provides certain customer contact Sales Manager data (such as customer’s name, addresses, phone Oliver Waters numbers, and e-mail addresses) to third parties who Sales Manager wish to promote relevant products, services, and other opportunities that may be of interest to you. If Liz McClean you do not want UBM Americas to make your contact Sales Executive information available to third parties for marketing purposes, simply call toll-free 866-529-2922 between Michael Kushner the hours of 7:30 a.m. and 5 p.m. CST and a customer Senior Director, Digital Media service representative will assist you in removing your name from UBM Americas lists. Outside the U.S., please SPeCIAL PROJeCTS phone 218-740-6477. Kaylynn Chiarello-ebner LCGC does not verify any claims or other information Managing Editor, Special Projects appearing in any of the advertisements contained in the Sabina Advani publication, and cannot take responsibility for any losses or other damages incurred by readers in reliance of such Digital Production Manager content. Vania Oliveira Project Manager LCGC North America (ISSN 1527-5949 print) (ISSN 1939-1889 digital) is published monthly by UBM Life Kristen Moore Sciences, 131 West First Street, Duluth, MN 55802-2065. Webcast Operations Manager LCGC Europe (ISSN 1471-6577) and LCGC Asia Pacific (ISSN 1754-2715) are published monthly by UBM EMEA, eDITORIAL Hinderton Point, Lloyd Drive, Cheshire Oaks, Cheshire CH65 9HQ, UK. Issues are distributed free of charge to Laura Bush users and specifiers of chromatographic equipment. Editorial Director [email protected] To subscribe, call toll-free 888-527-7008. Outside the U.S. call 218-740-6477. Megan L’Heureux Managing Editor, LCGC North America UBM Americas (www.ubmlifesciences.com) is a leading Stephen A. Brown worldwide media company providing integrated marketing solutions for the Fashion, Life Sciences and Group Technical Editor, LCGC North America Powersports industries. UBM Americas serves business Cindy Delonas professionals and consumers in these industries with its Associate Editor, LCGC North America portfolio of 91 events, 67 publications and directories, 150 electronic publications and Web sites, as well as Alasdair Matheson educational and direct marketing products and services. Editor-in-Chief, LCGC Europe Market leading brands and a commitment to delivering innovative, quality products and services enables UBM Kate Mosford Americas to “Connect Our Customers with Theirs.” Managing Editor, LCGC Europe UBM Americas has approximately 1000 employees and Lewis Botcherby currently operates from multiple offices in North America Assistant Editor, LCGC Europe and Europe. intRoduction W ith the release of the long-awaited Data Integrity and Compliance with CGMP Guidance for Industry in 2016, the US Food and Drug Administration revealed a change in its current thinking: if an activity happened, it must be documented. For instance, if an injection is started—and the resulting data are unexpected for the sample—it must be recorded. This principle places additional emphasis on the importance of data integrity in computerized systems and validation, especially as it relates to cGMP regulations. LCGC’s new eBook on Reduce Risk in a Data Integrity World: Approaches to Ensure Compliance (sponsored by Agilent Technologies) offers important insight about how laboratories can ensure their data are secure and their systems comply with FDA guidelines. The first article, “Demystifying Software Validation,” summarizes the key points from a recent LCGC webcast, highlighting the differences between software qualification and validation, the kinds of systems that require validation, when revalidation is necessary, and how one knows when enough validation work has been completed. The accompanying frequently asked questions (page 10) offer detailed information to clarify confusing issues related to software validation. Next, R.D. McDowell, editor of the “Questions of Quality” LCGC Europe column, director of R.D. McDowall Ltd., and LCGC Europe editorial advisory board member, shows that a hybrid top-down/bottom-up approach to validation is very beneficial for ensuring data integrity. He stresses that data integrity requires a multi-disciplinary approach to avoid vulnerabilities. Last, McDowell teams up with Paul Smith of Agilent Technologies to explore a life cycle risk assessment of high performance liquid chromatography instruments, specifically focusing on what can go wrong with a qualified liquid chromatograph during the operational phase. They pair also discusses how system suitability tests and their link to design qualification and operational qualification can mitigate some instrument problems. While data integrity and the validation of software and computerized systems can be daunting, if staff members are well informed about points of confusion and the validation process is approached in a logical manner, one can achieve compliance in a less stressful manner. Demystifying Software Validation: What is It Really and When Do I Need to Do It? All attendees will receive a FREE executive summary of the webinar! ON-DEMAND WEBINAR View for free at www.chromatographyonline.com/lcgc/validation EVENT OVERVIEW: The term “software validation” can trigger many Webinar participants will learn about: responses, including dread and confusion. What is n Regulatory requirements and standards for software validation the difference between qualification and validation? n Applying critical thinking skills to what you What systems need to be validated? When do systems hear or read regarding software validation need to be revalidated? How much validation work n Evaluating the validated state of your current is enough? In addition to answering these questions, laboratory software and associated processes this webinar will provide a foundation for thinking n Taking a practical approach to maintaining critically (and correctly) about system definitions, soft- systems in a validated state ware validation, including discussions on the differ- n When to and when not to rely on your vendors to support your validation ences between qualification and validation, risk-based validation, and revalidation. You’ll learn from Loren Smith, Agilent’s software compliance expert and a Presenter: University of California Berkeley instructor with nearly Software Compliance three decades of regulated software experience. Program Manager Agilent Technologies Who should attend: Moderator: n Lab managers Kate Mosford n Scientists Managing Editor n Technical specialists LGGC Europe Sponsored by Presented by For questions contact Kristen Moore at [email protected] ReDuCe RISK In A DATA TOC InTeGRITy WORLD: APPROACHeS Table of contents TO enSuRe COMPLIAnCe Demystifying Software Validation: Software Validation demystifying software Validation What is It Really and Webcast Executive Summary 6 When Do I Need to Do It? All attendees will receive a FREE executive summary of the webinar! Software Validation FAQs ON-DEMAND WEBINAR software Validation: answers to Frequently asked Questions View for free at www.chromatographyonline.com/lcgc/validation 11 EVENT OVERVIEW: The term “software validation” can trigger many Webinar participants will learn about: responses, including dread and confusion. What is n Regulatory requirements and standards for software validation the difference between qualification and validation? Computerized System Validation n Applying critical thinking skills to what you What systems need to be validated? When do systems Welcome to the hear or read regarding software validation Brave new World of csV need to be revalidated? How much validation work n Evaluating the validated state of your current is enough? In addition to answering these questions, 15 R.D. McDowall laboratory software and associated processes this webinar will provide a foundation for thinking n Taking a practical approach to maintaining critically (and correctly) about system definitions, soft- systems in a validated state ware validation, including discussions on the differ- n When to and when not to rely on your vendors to support your validation HPLC Risk Assessments ences between qualification and validation, risk-based life cycle Risk assessment validation, and revalidation. You’ll learn from Loren of hplc instruments Smith, Agilent’s software compliance expert and a Presenter: Paul Smith and R.D. McDowall University of California Berkeley instructor with nearly 24 Software Compliance three decades of regulated software experience. Program Manager Agilent Technologies Who should attend: Moderator: n Lab managers Kate Mosford n Scientists Managing Editor n Technical specialists LGGC Europe Sponsored by Presented by For questions contact Kristen Moore at [email protected] demystiFying soFtWaRe Validation Learn what software validation means for you and your lab. Introduction and assuring the accuracy, completeness The term “software validation” can trigger and consistency of data over its entire many responses, including confusion life cycle in compliance with applicable and even anxiety. What is the difference regulations.” between qualification and validation? When using a computerized system Which systems need to be validated? to generate and maintain regulated When do systems need to be revalidated? records, the system and its validation are How much validation work is enough? This the foundation for all other related data article provides a foundation for thinking integrity activities. critically about system definitions and Qualification. One can consult FDA’s software validation, including discussions Glossary of Computer System Software on the differences between qualification Development Terminology for a detailed and validation, risk-based validation, and definition of qualification, specifically revalidation. installation qualification (IQ) and operational qualification (OQ). IQ is simply Definitions: Data Integrity, determining that a system was properly Qualification, Validation? installed and configured, while OQ Labs often have questions about software establishes that systems are consistently validation. A good place to start gaining operating within established limits and clarity on this topic is to define three terms tolerances. that are often confusing: data integrity, Software validation. According to the qualification, and validation. same FDA document, software validation Data integrity. Robert D. McDowall, determines the correctness of the Ph.D., provided a useful definition of data software with respect to the user’s needs integrity in a 2013 Scientific Computing and requirements and is accomplished a o article (1). He stated, “In the context of by verifying each stage of the software k t o k laboratory data integrity within a GMP development life cycle (2). m/ o c environment, this can be defined as: A system may be correctly installed k. c o generating, transforming, maintaining and its operations may be qualified, but st r e t t u h s 6 | June 2017 | LCGC Sponsor’s content soFtWaRe soFtWaRe computeRized hplc Risk Validation Validation FaQs system Validation assessments these actions alone do not ensure correct FDA references supporting regulations for results for every process run on the this thinking. 21 CFR Parts 211.63 and 211.68 system. Rather, each individual process talk about the system’s intended use and must be validated to determine that the that the degree of verification should be system generates predictable, repeatable based on the system’s complexity. FDA also results, whether it is drug manufacturing cites 21 CFR Part 211.110, which discusses or another activity such as quality control. process evaluation based on the degree to It is important to understand that which it can affect a drug product. qualification and validation are interrelated Also in its 2016 guidance, FDA (see Figure 1). IQ/OQ are necessary, but recommends certain controls to manage are not sufficient for system validation risks to computerized systems, and the on their own. Likewise, system validation agency’s top three priorities when it is necessary, but it cannot validate considers “risk” are patient safety, product the process alone. While each piece quality, and data integrity (3). is a required element of the software In terms of controls or processes that validation process, individual items are not are appropriate for system validation, sufficient in and of themselves to meet the FDA returned to an old concept in its complete regulatory requirements. 2016 document (3): a system is more than just software and hardware. Systems also What Are the Regulatory include the people, processes, and the Requirements for Software Validation? documentation associated with it. Thus, In April 2016, FDA released its latest (and when FDA uses the term “system” and long-awaited) thinking on data integrity discusses system validation, one must in computerized systems as it relates to consider the much larger context of cGMP regulations (3). validating the entire process. FDA evaluated the regulatory requirements and developed relevant When Does My System questions with answers about the agency’s need to Be Revalidated? thinking on several subjects. One question Often, if not always, the concept of asks, “Does each workflow on our revalidation causes anxiety, perhaps computer system need to be validated?” because these projects can be large, The short answer is yes. The guidance long, expensive, and labor intensive. explains that if one does not validate the FDA’s General Principles of Software computer system for its intended use, it Validation discusses revalidation, is impossible to know if the workflow runs suggesting that when systems are altered, correctly. This underscores that system those changes must be studied not validation is important to, but not the just for the nature of the change itself, same as, process validation. but also for any potential impact and 7 | June 2017 | LCGC Sponsor’s content soFtWaRe soFtWaRe computeRized hplc Risk Validation Validation FaQs system Validation assessments Process Validation System validation IQ/OQ Figure 1: How qualification and validation are related. unintended consequences they may How Much Validation Work Is enough? introduce across the whole system (4). In a Many firms want to know how much validated environment, such an evaluation validation work is sufficient and whether normally includes regression testing. they can use IQ/OQ vendor packages. Many individuals try to avoid Vendors like Agilent often offer such changes (including software updates) packages to help customers qualify their to computerized systems to avoid the systems. IQ/OQ activities are designed need for revalidation. At some point, to ensure systems are installed and however, system fixes or improvements configured correctly and operate as will become important enough to warrant intended. Is running an IQ/OQ package an update and any required revalidation sufficient for system validation? effort. The longer one waits to update a Monica Cahilly, a consultant and trainer system, however, the larger the scope of for FDA who has worked extensively with changes and the greater the validation the agency on data integrity, stated at a effort required. Thus, it is important to 2015 workshop that companies cannot consider keeping systems current. If a abdicate their responsibility for validation system has been in use for a year and to the vendor (5). For one thing, the IQ/ updates are implemented, the validation OQ activities are limited. As represented effort will probably not be as significant in Figure 1, IQ/OQ is necessary, but not as if five years’ worth of updates were sufficient to establish validation of the installed all at once. system or the process. 8 | June 2017 | LCGC Sponsor’s content soFtWaRe soFtWaRe computeRized hplc Risk Validation Validation FaQs system Validation assessments Auditing your vendor: Apples and Oranges* (Jacques Mourrain, Ph.D.) Procedures Quality Management Testing Training/personnel Systems Software development Infrastructure Scoring models in these six areas support defensible individual and comparative evaluation (scoring) of GxP software and service vendors as well as inform risk-driven validation strategies. *Therapeutic Innovation & Regulatory Science April 2006 vol. 40 no. 2 177-183 Figure 2: A model for vendor audit. May 24, 2017 30 The next question often raised is: a core validation for the LIMS, for How can the validated state of current instance, and expand upon any unique laboratory software and associated details for a particular process. processes be evaluated? After the inventory step is completed, Considering current FDA discussions plan and prioritize the work based on risk about computerized system validation in terms of patient safety, product quality, in the context of process validation, one and data integrity, though not all systems should start by making an inventory of will have the same degree of risk in these processes happening in the laboratory. areas. For example, one may have a Standard operating procedures can be system for administering staff training, used to review various types of testing, which is lower risk than a manufacturing chemical analyses, instrumental analyses, execution system that would directly and methodologies that occur. influence product quality. Clearly, higher Then, develop a list of instruments, risk processes merit more validation work software, data management systems, than lower risk processes. and laboratory information management Finally, get the work done with the systems (LIMS). Systems shared by understanding that the longer firms wait multiple processes may have some to update their systems, the more work overlap, so it may be possible to conduct will be required later on and the greater 9 | June 2017 | LCGC Sponsor’s content soFtWaRe soFtWaRe computeRized hplc Risk Validation Validation FaQs system Validation assessments the chance of missed vendors’ defect Summary corrections and functional software Systems changes are bound to happen, enhancements. and when they do, firms must study those changes and revalidate systems, ensuring How Can My Vendor that the risk to patient safety, product Support My Validation? quality, and data integrity are considered FDA’s General Principles of Software in that order. A systematic vendor audit Validation suggests that manufacturers is a helpful tool in this process. Waiting and laboratories can use vendor audit to complete software updates and information as the starting point for their revalidation is problematic; the longer required validation documentation (4). changes are postponed, the more Ideally, audits should occur before complex and burdensome the updates companies acquire their systems or at and the revalidation process will be. least before validation begins to fully Finally, qualification is not validation. understand the vendor’s process. Qualification, while necessary, deals with How are vendor audits conducted? In proper system installation and operation. a 2006 technical article, IT quality and Validation goes further to include the compliance expert Jacques Mourrain, PhD, FDA’s current focus on the context of the introduced a model for vendor audit that is process. more effective and time efficient than the checklist method (see Figure 2) (6). References The model evaluates and scores six (1) R.D. McDowall, “FDA’s Focus on Laboratory Data Integrity: Part 1,” Scientific Computing (Sept. 2013). http://www.scientificcom- areas, starting with procedures and puting.com/article/2013/09/fda%E2%80%99s-focus-labo- ratory-data-integrity-%E2%80%93-part-1 quality management systems, then (2) FDA, Glossary of Computer System Software Development Terminology, branching out to testing, software https://www.fda.gov/iceci/inspections/inspectionguides/ ucm074875.htm development, infrastructure, and (3) FDA, Data Integrity and Compliance with CGMP Guidance for training/personnel. Mourrain’s systematic Industry, https://www.fda.gov/downloads/drugs/guidances/ ucm495891.pdf approach allows companies to plan (4) FDA, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, https://www.fda.gov/RegulatoryInfor- for and execute the vendor audit in an mation/Guidances/ucm085281.htm objective and organized manner. (5) M. Cahilly, Workshop on Data Integrity and Industry Practice, Peking University, Beijing, June 22–23, 2015. Vendors are scored, and the results are (6) J. Mourrain, “Apples and Oranges: Comparing Computer Systems then used to determine vendor-related Audits,” Ther. Innov. Regul. Sci. 40 (2), 177–183 (2006). risks or validation work. The model can be used to conduct a side-by-side comparison of multiple vendors and make a decision about which vendor’s process works best for a given situation. 10 | June 2017 | LCGC Sponsor’s content