Table Of ContentJ
u
n
e
2
0
1
7
Reduce Risk in a data
integRity WoRld:
appRoaches to ensuRe
compliance
Presented in partnership with
Sponsored by
®
485F US Highway One South, Suite 210, © 2017 UBM. All rights reserved. No part of this
Iselin, NJ 08830 publication may be reproduced or transmitted in any
(732) 596-0276 form or by any means, electronic or mechanical including
by photocopy, recording, or information storage
PuBLISHInG & SALeS and retrieval without permission in writing from the
publisher. Authorization to photocopy items for internal/
Michael J. Tessalone educational or personal use, or the internal/educational
Vice President/Group Publisher or personal use of specific clients is granted by UBM for
[email protected] libraries and other users registered with the Copyright
Clearance Center, 222 Rosewood Dr. Danvers, MA
edward Fantuzzi 01923, 978-750-8400 fax 978-646-8700 or visit http://
Publisher www.copyright.com online. For uses beyond those listed
above, please direct your written request to Permission
Stephanie Shaffer
Dept. fax 440-756-5255 or email: Maureen.Cannon@
Sales Manager
ubm.com.
Brianne Molnar
UBM Americas provides certain customer contact
Sales Manager
data (such as customer’s name, addresses, phone
Oliver Waters numbers, and e-mail addresses) to third parties who
Sales Manager wish to promote relevant products, services, and
other opportunities that may be of interest to you. If
Liz McClean you do not want UBM Americas to make your contact
Sales Executive information available to third parties for marketing
purposes, simply call toll-free 866-529-2922 between
Michael Kushner
the hours of 7:30 a.m. and 5 p.m. CST and a customer
Senior Director, Digital Media
service representative will assist you in removing your
name from UBM Americas lists. Outside the U.S., please
SPeCIAL PROJeCTS
phone 218-740-6477.
Kaylynn Chiarello-ebner
LCGC does not verify any claims or other information
Managing Editor, Special Projects
appearing in any of the advertisements contained in the
Sabina Advani publication, and cannot take responsibility for any losses
or other damages incurred by readers in reliance of such
Digital Production Manager
content.
Vania Oliveira
Project Manager LCGC North America (ISSN 1527-5949 print) (ISSN
1939-1889 digital) is published monthly by UBM Life
Kristen Moore
Sciences, 131 West First Street, Duluth, MN 55802-2065.
Webcast Operations Manager LCGC Europe (ISSN 1471-6577) and LCGC Asia Pacific
(ISSN 1754-2715) are published monthly by UBM EMEA,
eDITORIAL Hinderton Point, Lloyd Drive, Cheshire Oaks, Cheshire
CH65 9HQ, UK. Issues are distributed free of charge to
Laura Bush users and specifiers of chromatographic equipment.
Editorial Director
[email protected] To subscribe, call toll-free 888-527-7008. Outside the
U.S. call 218-740-6477.
Megan L’Heureux
Managing Editor, LCGC North America
UBM Americas (www.ubmlifesciences.com) is a leading
Stephen A. Brown worldwide media company providing integrated
marketing solutions for the Fashion, Life Sciences and
Group Technical Editor, LCGC North America
Powersports industries. UBM Americas serves business
Cindy Delonas professionals and consumers in these industries with its
Associate Editor, LCGC North America portfolio of 91 events, 67 publications and directories,
150 electronic publications and Web sites, as well as
Alasdair Matheson
educational and direct marketing products and services.
Editor-in-Chief, LCGC Europe Market leading brands and a commitment to delivering
innovative, quality products and services enables UBM
Kate Mosford
Americas to “Connect Our Customers with Theirs.”
Managing Editor, LCGC Europe
UBM Americas has approximately 1000 employees and
Lewis Botcherby currently operates from multiple offices in North America
Assistant Editor, LCGC Europe and Europe.
intRoduction
W
ith the release of the long-awaited Data Integrity and Compliance
with CGMP Guidance for Industry in 2016, the US Food and Drug
Administration revealed a change in its current thinking: if an
activity happened, it must be documented. For instance, if an
injection is started—and the resulting data are unexpected for the sample—it
must be recorded.
This principle places additional emphasis on the importance of data integrity
in computerized systems and validation, especially as it relates to cGMP
regulations. LCGC’s new eBook on Reduce Risk in a Data Integrity World:
Approaches to Ensure Compliance (sponsored by Agilent Technologies) offers
important insight about how laboratories can ensure their data are secure and
their systems comply with FDA guidelines.
The first article, “Demystifying Software Validation,” summarizes the key points
from a recent LCGC webcast, highlighting the differences between software
qualification and validation, the kinds of systems that require validation, when
revalidation is necessary, and how one knows when enough validation work has
been completed. The accompanying frequently asked questions (page 10) offer
detailed information to clarify confusing issues related to software validation.
Next, R.D. McDowell, editor of the “Questions of Quality” LCGC Europe column,
director of R.D. McDowall Ltd., and LCGC Europe editorial advisory board
member, shows that a hybrid top-down/bottom-up approach to validation is
very beneficial for ensuring data integrity. He stresses that data integrity requires
a multi-disciplinary approach to avoid vulnerabilities.
Last, McDowell teams up with Paul Smith of Agilent Technologies to explore
a life cycle risk assessment of high performance liquid chromatography
instruments, specifically focusing on what can go wrong with a qualified liquid
chromatograph during the operational phase. They pair also discusses how
system suitability tests and their link to design qualification and operational
qualification can mitigate some instrument problems.
While data integrity and the validation of software and computerized systems
can be daunting, if staff members are well informed about points of confusion
and the validation process is approached in a logical manner, one can achieve
compliance in a less stressful manner.
Demystifying Software Validation:
What is It Really and
When Do I Need to Do It?
All attendees will receive a FREE executive summary of the webinar!
ON-DEMAND WEBINAR
View for free at www.chromatographyonline.com/lcgc/validation
EVENT OVERVIEW:
The term “software validation” can trigger many Webinar participants will learn about:
responses, including dread and confusion. What is n Regulatory requirements and standards for
software validation
the difference between qualification and validation?
n Applying critical thinking skills to what you
What systems need to be validated? When do systems
hear or read regarding software validation
need to be revalidated? How much validation work
n Evaluating the validated state of your current
is enough? In addition to answering these questions,
laboratory software and associated processes
this webinar will provide a foundation for thinking
n Taking a practical approach to maintaining
critically (and correctly) about system definitions, soft- systems in a validated state
ware validation, including discussions on the differ- n When to and when not to rely on your vendors
to support your validation
ences between qualification and validation, risk-based
validation, and revalidation. You’ll learn from Loren
Smith, Agilent’s software compliance expert and a Presenter:
University of California Berkeley instructor with nearly
Software Compliance
three decades of regulated software experience.
Program Manager
Agilent Technologies
Who should attend:
Moderator:
n Lab managers
Kate Mosford
n Scientists
Managing Editor
n Technical specialists
LGGC Europe
Sponsored by Presented by
For questions contact Kristen Moore at
[email protected]
ReDuCe RISK In A DATA
TOC
InTeGRITy WORLD: APPROACHeS
Table of contents TO enSuRe COMPLIAnCe
Demystifying Software Validation:
Software Validation
demystifying software Validation
What is It Really and
Webcast Executive Summary
6
When Do I Need to Do It?
All attendees will receive a FREE executive summary of the webinar!
Software Validation FAQs
ON-DEMAND WEBINAR software Validation: answers to
Frequently asked Questions
View for free at www.chromatographyonline.com/lcgc/validation
11
EVENT OVERVIEW:
The term “software validation” can trigger many Webinar participants will learn about:
responses, including dread and confusion. What is n Regulatory requirements and standards for
software validation
the difference between qualification and validation? Computerized System Validation
n Applying critical thinking skills to what you
What systems need to be validated? When do systems Welcome to the
hear or read regarding software validation
Brave new World of csV
need to be revalidated? How much validation work
n Evaluating the validated state of your current
is enough? In addition to answering these questions, 15 R.D. McDowall
laboratory software and associated processes
this webinar will provide a foundation for thinking
n Taking a practical approach to maintaining
critically (and correctly) about system definitions, soft- systems in a validated state
ware validation, including discussions on the differ- n When to and when not to rely on your vendors
to support your validation HPLC Risk Assessments
ences between qualification and validation, risk-based
life cycle Risk assessment
validation, and revalidation. You’ll learn from Loren
of hplc instruments
Smith, Agilent’s software compliance expert and a Presenter:
Paul Smith and R.D. McDowall
University of California Berkeley instructor with nearly 24
Software Compliance
three decades of regulated software experience.
Program Manager
Agilent Technologies
Who should attend:
Moderator:
n Lab managers
Kate Mosford
n Scientists
Managing Editor
n Technical specialists
LGGC Europe
Sponsored by Presented by
For questions contact Kristen Moore at
[email protected]
demystiFying
soFtWaRe Validation
Learn what software validation means for you and your lab.
Introduction and assuring the accuracy, completeness
The term “software validation” can trigger and consistency of data over its entire
many responses, including confusion life cycle in compliance with applicable
and even anxiety. What is the difference regulations.”
between qualification and validation? When using a computerized system
Which systems need to be validated? to generate and maintain regulated
When do systems need to be revalidated? records, the system and its validation are
How much validation work is enough? This the foundation for all other related data
article provides a foundation for thinking integrity activities.
critically about system definitions and Qualification. One can consult FDA’s
software validation, including discussions Glossary of Computer System Software
on the differences between qualification Development Terminology for a detailed
and validation, risk-based validation, and definition of qualification, specifically
revalidation. installation qualification (IQ) and
operational qualification (OQ). IQ is simply
Definitions: Data Integrity, determining that a system was properly
Qualification, Validation? installed and configured, while OQ
Labs often have questions about software establishes that systems are consistently
validation. A good place to start gaining operating within established limits and
clarity on this topic is to define three terms tolerances.
that are often confusing: data integrity, Software validation. According to the
qualification, and validation. same FDA document, software validation
Data integrity. Robert D. McDowall, determines the correctness of the
Ph.D., provided a useful definition of data software with respect to the user’s needs
integrity in a 2013 Scientific Computing and requirements and is accomplished
a
o
article (1). He stated, “In the context of by verifying each stage of the software k
t
o
k
laboratory data integrity within a GMP development life cycle (2). m/
o
c
environment, this can be defined as: A system may be correctly installed k.
c
o
generating, transforming, maintaining and its operations may be qualified, but st
r
e
t
t
u
h
s
6 | June 2017 | LCGC Sponsor’s content
soFtWaRe soFtWaRe computeRized hplc Risk
Validation Validation FaQs system Validation assessments
these actions alone do not ensure correct FDA references supporting regulations for
results for every process run on the this thinking. 21 CFR Parts 211.63 and 211.68
system. Rather, each individual process talk about the system’s intended use and
must be validated to determine that the that the degree of verification should be
system generates predictable, repeatable based on the system’s complexity. FDA also
results, whether it is drug manufacturing cites 21 CFR Part 211.110, which discusses
or another activity such as quality control. process evaluation based on the degree to
It is important to understand that which it can affect a drug product.
qualification and validation are interrelated Also in its 2016 guidance, FDA
(see Figure 1). IQ/OQ are necessary, but recommends certain controls to manage
are not sufficient for system validation risks to computerized systems, and the
on their own. Likewise, system validation agency’s top three priorities when it
is necessary, but it cannot validate considers “risk” are patient safety, product
the process alone. While each piece quality, and data integrity (3).
is a required element of the software In terms of controls or processes that
validation process, individual items are not are appropriate for system validation,
sufficient in and of themselves to meet the FDA returned to an old concept in its
complete regulatory requirements. 2016 document (3): a system is more than
just software and hardware. Systems also
What Are the Regulatory include the people, processes, and the
Requirements for Software Validation? documentation associated with it. Thus,
In April 2016, FDA released its latest (and when FDA uses the term “system” and
long-awaited) thinking on data integrity discusses system validation, one must
in computerized systems as it relates to consider the much larger context of
cGMP regulations (3). validating the entire process.
FDA evaluated the regulatory
requirements and developed relevant When Does My System
questions with answers about the agency’s need to Be Revalidated?
thinking on several subjects. One question Often, if not always, the concept of
asks, “Does each workflow on our revalidation causes anxiety, perhaps
computer system need to be validated?” because these projects can be large,
The short answer is yes. The guidance long, expensive, and labor intensive.
explains that if one does not validate the FDA’s General Principles of Software
computer system for its intended use, it Validation discusses revalidation,
is impossible to know if the workflow runs suggesting that when systems are altered,
correctly. This underscores that system those changes must be studied not
validation is important to, but not the just for the nature of the change itself,
same as, process validation. but also for any potential impact and
7 | June 2017 | LCGC Sponsor’s content
soFtWaRe soFtWaRe computeRized hplc Risk
Validation Validation FaQs system Validation assessments
Process Validation
System validation
IQ/OQ
Figure 1: How qualification and validation are related.
unintended consequences they may How Much Validation Work Is enough?
introduce across the whole system (4). In a Many firms want to know how much
validated environment, such an evaluation validation work is sufficient and whether
normally includes regression testing. they can use IQ/OQ vendor packages.
Many individuals try to avoid Vendors like Agilent often offer such
changes (including software updates) packages to help customers qualify their
to computerized systems to avoid the systems. IQ/OQ activities are designed
need for revalidation. At some point, to ensure systems are installed and
however, system fixes or improvements configured correctly and operate as
will become important enough to warrant intended. Is running an IQ/OQ package
an update and any required revalidation sufficient for system validation?
effort. The longer one waits to update a Monica Cahilly, a consultant and trainer
system, however, the larger the scope of for FDA who has worked extensively with
changes and the greater the validation the agency on data integrity, stated at a
effort required. Thus, it is important to 2015 workshop that companies cannot
consider keeping systems current. If a abdicate their responsibility for validation
system has been in use for a year and to the vendor (5). For one thing, the IQ/
updates are implemented, the validation OQ activities are limited. As represented
effort will probably not be as significant in Figure 1, IQ/OQ is necessary, but not
as if five years’ worth of updates were sufficient to establish validation of the
installed all at once. system or the process.
8 | June 2017 | LCGC Sponsor’s content
soFtWaRe soFtWaRe computeRized hplc Risk
Validation Validation FaQs system Validation assessments
Auditing your vendor: Apples and Oranges*
(Jacques Mourrain, Ph.D.)
Procedures
Quality Management
Testing Training/personnel
Systems
Software development Infrastructure
Scoring models in these six areas support
defensible individual and comparative evaluation
(scoring) of GxP software and service vendors as
well as inform risk-driven validation strategies.
*Therapeutic Innovation & Regulatory Science April 2006 vol. 40 no. 2 177-183
Figure 2: A model for vendor audit.
May 24, 2017
30
The next question often raised is: a core validation for the LIMS, for
How can the validated state of current instance, and expand upon any unique
laboratory software and associated details for a particular process.
processes be evaluated? After the inventory step is completed,
Considering current FDA discussions plan and prioritize the work based on risk
about computerized system validation in terms of patient safety, product quality,
in the context of process validation, one and data integrity, though not all systems
should start by making an inventory of will have the same degree of risk in these
processes happening in the laboratory. areas. For example, one may have a
Standard operating procedures can be system for administering staff training,
used to review various types of testing, which is lower risk than a manufacturing
chemical analyses, instrumental analyses, execution system that would directly
and methodologies that occur. influence product quality. Clearly, higher
Then, develop a list of instruments, risk processes merit more validation work
software, data management systems, than lower risk processes.
and laboratory information management Finally, get the work done with the
systems (LIMS). Systems shared by understanding that the longer firms wait
multiple processes may have some to update their systems, the more work
overlap, so it may be possible to conduct will be required later on and the greater
9 | June 2017 | LCGC Sponsor’s content
soFtWaRe soFtWaRe computeRized hplc Risk
Validation Validation FaQs system Validation assessments
the chance of missed vendors’ defect Summary
corrections and functional software Systems changes are bound to happen,
enhancements. and when they do, firms must study those
changes and revalidate systems, ensuring
How Can My Vendor that the risk to patient safety, product
Support My Validation? quality, and data integrity are considered
FDA’s General Principles of Software in that order. A systematic vendor audit
Validation suggests that manufacturers is a helpful tool in this process. Waiting
and laboratories can use vendor audit to complete software updates and
information as the starting point for their revalidation is problematic; the longer
required validation documentation (4). changes are postponed, the more
Ideally, audits should occur before complex and burdensome the updates
companies acquire their systems or at and the revalidation process will be.
least before validation begins to fully Finally, qualification is not validation.
understand the vendor’s process. Qualification, while necessary, deals with
How are vendor audits conducted? In proper system installation and operation.
a 2006 technical article, IT quality and Validation goes further to include the
compliance expert Jacques Mourrain, PhD, FDA’s current focus on the context of the
introduced a model for vendor audit that is process.
more effective and time efficient than the
checklist method (see Figure 2) (6). References
The model evaluates and scores six (1) R.D. McDowall, “FDA’s Focus on Laboratory Data Integrity: Part
1,” Scientific Computing (Sept. 2013). http://www.scientificcom-
areas, starting with procedures and puting.com/article/2013/09/fda%E2%80%99s-focus-labo-
ratory-data-integrity-%E2%80%93-part-1
quality management systems, then
(2) FDA, Glossary of Computer System Software Development Terminology,
branching out to testing, software https://www.fda.gov/iceci/inspections/inspectionguides/
ucm074875.htm
development, infrastructure, and
(3) FDA, Data Integrity and Compliance with CGMP Guidance for
training/personnel. Mourrain’s systematic Industry, https://www.fda.gov/downloads/drugs/guidances/
ucm495891.pdf
approach allows companies to plan (4) FDA, General Principles of Software Validation; Final Guidance for
Industry and FDA Staff, https://www.fda.gov/RegulatoryInfor-
for and execute the vendor audit in an
mation/Guidances/ucm085281.htm
objective and organized manner. (5) M. Cahilly, Workshop on Data Integrity and Industry Practice,
Peking University, Beijing, June 22–23, 2015.
Vendors are scored, and the results are
(6) J. Mourrain, “Apples and Oranges: Comparing Computer Systems
then used to determine vendor-related Audits,” Ther. Innov. Regul. Sci. 40 (2), 177–183 (2006).
risks or validation work. The model
can be used to conduct a side-by-side
comparison of multiple vendors and make
a decision about which vendor’s process
works best for a given situation.
10 | June 2017 | LCGC Sponsor’s content
Description:Alasdair Matheson. Editor-in-Chief, LCGC Europe. Kate Mosford. Managing Editor, LCGC Europe. Lewis Botcherby. Assistant Editor, LCGC Europe.
