Risk-Based Approach to CSV, 21 CFR Part 11 and FDA Compliance

An EAS Complimentary Webinar 

Presented by Carolyn Troiano, EAS Independent Consultant


FDA’s recent focus on 21 CFR Part 11 compliance for electronic records and electronic signatures (ER/ES) and data integrity during computer system validation inspections and audits has brought this issue to the forefront of importance for compliance of systems used in regulated industries. Requirements for Part 11 and data integrity (the “ALCOA+” principles) are very intertwined, with some overlap that will be explained.

The systems are those that “touch” product, meaning they are used to create, collect, analyze, manage, transfer and report data regulated by FDA. All structured data, including database records, and unstructured data, including documents, spreadsheets, presentations, images, audio, and video files, amongst others, must be managed and maintained with integrity and in compliance with Part 11 throughout their entire data/record life cycle. A risk-based approach leads to the best results and compliance with FDA’s expectations, and we will cover some examples.

There are very specific limitations that arise when using ER/ES capability, such as the elimination of print capability to prevent users from making decisions based on a paper record as opposed to the electronic record.

It also requires very specific identification of users that ensures the person signing the record is the same person whose credentials are being entered and verified by the system. The rule for changing passwords must be rigorously adhered to and the passwords must be kept secure.

It is critical that the system specify the exact meaning of the signature. It may be that the person conducted the work, recorded the result, reviewed the result, or approved the result.

A person may simply be attesting to the fact that they reviewed the work and the signatures, and there was appropriate segregation of duties (i.e., the person recording the result is not the same as either the person reviewing or the person giving final approval).

A company must have specific policies and procedures in place that explicitly state responsibilities and provide guidance for implementing and using ER/ES capability. These must clarify the 21 CFR Part 11 regulation and provide insight as to the way the company interprets its responsibility for meeting it.

As FDA continues to evolve and change due to the many factors that influence the regulatory environment, companies must be able to adapt. New technologies will continue to emerge that will change the way companies do business.

While many of these are intended to streamline operations, reducing time and resources, some unintentionally result in added layers of oversight that encumber a computer system validation program and require more time and resources, making the technology unattractive from a cost-benefit perspective.

This webinar will cover the key aspects of complying with 21 CFR Part 11 in both validating systems and maintaining them in a validated state throughout their entire life cycle.

Why Should You Attend

This webinar will help you understand in detail Computer System Validation (CSV) and how to apply the System Development Life Cycle (SDLC) Methodology when validating computer systems subject to FDA regulations. This is critical in order to develop the appropriate validation strategy and achieve the thoroughness required to prove that a system does what it purports to do, and a key element is a thorough risk assessment. It also ensures that a system is maintained in a validated state throughout its entire life cycle, from conception through retirement, making it critical to continue assessing risk as changes are made. We will discuss the phases within the SDLC, and how these form the basis for any CSV project. The importance of the sequence of steps will also be covered.

More specifically, we will discuss how FDA’s requirements for ER/ES may be met through validation testing. 21 CFR Part 11, the FDA’s guidance from 1997 on ER/ES, requires specific criteria to be defined and met, as demonstrated through appropriate testing, in order to prove the functionality meets the letter of the law.

Description

Computer system validation has been regulated by FDA for more than 40 years, as it relates to systems used in the manufacturing, testing and distribution of a product in the pharmaceutical, biotechnology, medical device or other FDA-regulated industries. The FDA requirements ensure thorough planning, implementation, integration, testing and management of computer systems used to collect, analyze and/or report data.

Electronic records and electronic signatures (ER/ES) came into play through guidelines established by FDA in 1997, and disseminated through 21 CFR Part 11. This code describes the basic requirements for validating and documenting ER/ES capability in systems used in an FDA-regulated environment.

In the early 2000s, FDA recognized they could not inspect every computer system at every regulated company and placed the onus on industry to begin assessing all regulated computer systems based on risk. The level of potential risk, should the system fail to operate properly, needs to be the basis for each company’s approach to developing a validation approach and rationale as part of the planning process. System size, complexity, business criticality, GAMP®5 category and risk rating are the five key components for determining the scope and robustness of testing required to ensure data integrity and product safety.

Further to that, each requirement must be evaluated for potential risk and tested accordingly, with those posing the greatest risk if not met requiring the most robust testing. A standard risk assessment and rating scale must be established by each company and applied uniformly across all GxP systems.

We will explore the best practices and strategic approach for evaluating computer systems used in the conduct of FDA-regulated activities and determining the level of potential risk, should they fail, on data integrity, process and product quality, and consumer/patient safety. We will walk through the System Development Life Cycle (SDLC) approach to validation, based on risk assessment, and will also discuss 21 CFR Part 11 and the importance of managing electronic records and signatures appropriately through the validation effort and beyond, for the life of the system.

To date, many people in industry still have a “compliance mindset,” meaning they are doing validation activities by rote, the same exact way they had been doing them for years, specifically in the hope of not receiving any citations during an inspection. FDA has been very clear, as evidenced in their draft guidance for Computer Software Assurance (CSA), issued in September 2022, that critical thinking should drive validation testing, not documentation. We will take a look at CSA vs. traditional CSV and the impact on Part 11 requirements.

We will also discuss the updated version of GAMP®5, Second Edition, which was issued in July 2022, and review how the changes to the guidance align with CSA.

We will discuss alternate approaches to software development/testing and validation, including waterfall and agile.

We will also walk through the entire set of essential policies and procedures, and other supporting documentation and activities that must be developed and followed to ensure compliance. We will provide an overview of practices to prepare for an FDA inspection, and will also touch on the importance of auditing vendors of computer system hardware, software, tools and utilities, and services.

Finally, we will provide an overview of industry best practices, with a focus on data integrity and risk assessment that can be leveraged to assist in all your GxP work.

Agenda/Areas Covered

  • Understand the key components of 21 CFR Part 11 compliance for electronic records and signatures
  • Understand the key principles of data integrity (“ALCOA+”) and compliance for ER/ES
  • Learn how to identify “GxP” Systems
  • Discuss the Computer System Validation (CSV) approach based on FDA requirements
  • Discuss the recent draft Computer Software Assurance (CSA) from FDA, a newer approach to validation that considers critical thinking and automated testing
  • Learn about the System Development Life Cycle (SDLC) approach to validation
  • Discuss the best practices for documenting computer system validation efforts, including requirements, design, development, testing and operational maintenance procedures
  • Understand the need to include an assessment of a computer system’s size, complexity, business criticality, GAMP®5 category and risk, should it fail, to develop a cohesive and comprehensive validation rationale
  • Understand how to maintain a system in a validated state through the system’s entire life cycle
  • Discuss the importance of “GxP” documentation that complies with FDA requirements
  • Learn about the policies and procedures needed to support your validation process and ongoing maintenance of your systems in a validated state
  • Know the regulatory influences that lead to FDA’s current thinking at any given time
  • Learn how to conduct a risk assessment on computer systems that will provide the basis for developing a validation rationale
  • Learn how to assess risk, based on probability of occurrence, severity of impact, detectability and mitigation, along with technical and procedural controls that can help minimize risk
  • Learn how to best prepare for an FDA inspection or audit of a GxP computer system
  • Understand the importance of performing a thorough vendor audit to ensure oversight of the products and services they deliver
  • Finally, understand the industry best practices that will enable you to optimize your approach to validation and compliance, based on risk assessment, to ensure data integrity is maintained throughout the entire data life cycle
  • Q&A

Who Will Benefit

Personnel in the following roles will benefit:

  • Information Technology Analysts
  • QC/QA Managers
  • QC/QA Analysts
  • Clinical Data Managers
  • Clinical Data Scientists
  • Analytical Chemists
  • Compliance Managers
  • Laboratory Managers
  • Automation Analysts
  • Manufacturing Managers
  • Manufacturing Supervisors
  • Supply Chain Specialists
  • Computer System Validation Specialists
  • GMP Training Specialists
  • Business Stakeholders responsible for computer system validation planning, execution, reporting, compliance, maintenance and audit
  • Consultants working in the life sciences industry who are involved in computer system implementation, validation and compliance
  • Auditors engaged in the internal inspection of labeling records and practices

About the Presenter

Carolyn Troiano

Carolyn Troiano has more than 40 years of experience in computer system validation and compliance in the pharmaceutical, medical device, tobacco and other FDA-regulated industries. Carolyn participated in the drafting of the Part 11 guidance with a group of industry and FDA participants. She is currently an independent consultant, advising companies on computer system validation and large-scale IT system implementation projects.
