Upload
mikaelyde
View
158
Download
0
Embed Size (px)
Citation preview
Inspection ReadinessMikael Yde, Principal Consultant, Epista Life Science A/S
Continuously Improving Compliance
Epista Life Science is a consultancy dedicated to
continuously improving regulatory compliance
We turn
compliance obstacles into
business opportunities
for our clients and for the industry
Continuously Improving Compliance
HOW?
WHY?
• Pioneer new compliance methodologies and technology partnerships.
• Bridge the gap between IT, Quality and Line-of-Business departments by building regulatory requirements seamlessly into business processes.
• Pioneer new compliance methodologies and technology partnerships
• Bridge the gap between IT, Quality and Line-of-Business departments by building regulatory requirements seamlessly into business processes
• To help our clients find the absolute best balance between compliance, risk and their business goals
Speaker
Mikael YdePrincipal Consultant
Life Science since 2001, IT since 1987
Epista Life Science A/S 2013 - present
– Inspection Readiness
– IT Compliance
– IT QMS, CSV, GxP IT
H. Lundbeck A/S 2001 - 2013
Headed Global IT Compliance, 10+ years
– Corporate Validation of applications
– Global Qualification of IT infrastructure
– Corporate Information Security
– Inspection Coordinator for Corporate IT
– Global Service Management/ITIL processes
– Lean Manager in Corporate IT
Objectives
FDA Inspection readiness requires control of:
– Data
– Applications
– Infrastructure
– Procedures
– Suppliers
– Documented evidence
– IT Compliance
– And People …among other things…
From Compliance to Quality
More than a decade ago, the FDA published A vision for 21st Century Manufactoring. The document was a call to action designed to move the LifeScience industry from mere compliance to true quality.
While much progress has been made, its goal – to improve the quality of products, processes and manufactoring – remains a multifaceted challenge.
You have to combine and embrace the technology, quality and capability of the processes with quality systems to successfully achieve valuable compliance.
Pay now
- or pay later
To be IN CONTROL
Compliance:
The challenge of being in control while balancing risk, quality and cost.
Satisfy regulatory requirements while meeting expectations from customers and business.
BE CONCIOUSLY INCOMPETENT
Balancing Risk vs. Cost
Cost
Risk
Compliance
level
Time
Compliance
Types of inspections Inspections under a risk-based compliance program• FDA aims to prioritize regular inspections based on risk
assessments• These inspections are generally announced in advance
Product-related GXP inspections• FDA may carry out pre-approval inspections when assessing an
application for a marketing authorization• These inspections are generally announced in advance
Triggered or For Cause Inspections• Competent Authorities may inspect you if they are informed
about possible GMP or GDP breaches - for example by a whistle blower, press/ media or another regulatory authority
• Here, little or no notification of these inspections is given in advance
Cloud
Responsibilities
QualifiedIT Infrastructure
IT Supplier
ExternalSupplier
Business application
IT applications
Data
Procedures
Procedures
Trained personnel
Trained personnel
IT Compliance Plan
Strategy and approach Areas of interest
Identified gaps and mitigations Implementation plan
State-of-the-Union
IT Compliance Plan
• Compliance StatementPurpose
• Regulations
• LocationScope
• Management
• IT Organization
• Quality Organization
• Roles & Responsibilities
Organizational Structure
• Applications
• Data
• Infrastructure
• Procedures
Computerized Systems
• GxP classification
• Risk assessment
System Inventory list (Legacy systems)
• Policies and Procedures
• Personnel recordsIT Quality Management System (QMS)
• Identified gaps
• Mitigations
• Action planConclusion
Computerized Systems
Operating Environment(including other networked, or standalone computerized systems, other systems, media, people, equipment
and procedures)
Computerized System
Computer System(Controlling System)
Software
Hardware
Firmware
Controlled Function or Process
Operating Procedure and
People
Equipment
Source: GAMP5® Good Practice Guide: A Risk-Based Approach to Compliant GxP Computerized Systems. Copyright ISPE 2008. All rights reserved.
Computerized systems - New
Classification
– GxP assessment
– Risk assessment
Validate GxP systems
– Prospective documented quality assurance
Dual effort between IT and Business System Owners!
Computer System Validation (CSV)
Requirements Specification
(RS)
Validation Plan(VP)
Installation Qualification
(IQ)
Operation Qualification
(OQ)
Performance Qualification
(PQ)
Validation Report
(VR)
Functional/Design Specification
(FS/DS)
Supplier’s Life Cycle
Model
Planning
Design & Preparation
Testing
The process of providing documented evidence that a system does what it claims to do, and that it will continue to do so in the future
Computerised Legacy Systems
• Establish an Inventory List of all current systems in operation
• GxP assessment of the systems
• Risk assessment of business criticality
• Validate/bring in control – System documentation (Validation Plan,
Requirements Specification, Test documentation, Validation Report, Operating Manual..)
– Supporting processes in IT QMS and by System Owner (SOP’s to operate and support validated state)
• Dual effort between IT and Business System Owners!
Data Integrity
• The extent to which all data are complete, consistent and accurate throughout the data life cycle
• Sharpened and enforced focus on data in legislation and from regulatory bodies/accountants
• Data Classification is key to control
Back up/RestoreDisaster RecoveryContingency planRetention policyArchiving and data clean upAudit trailData review
Qualification of IT Infrastructure
• Authorities are very much aware of the importance of applications running on a defined and controlled technical environment
• Service Requirement to IT from Business/System Owners
Configuration management
Change management
Release Management
Deploy Management
Patch Management
Service Portfolio
Management
Request Fulfillment
Business Relationship Management
Service Catalogue
Management
Service Validation &
Testing
Release & Deploy
Management
Service Level Management
Change Management
Configuration and Asset
Management
Incident Management
Problem Management
User and Access Management
Capacity Management
IT Service Continuity
Management
Service Strategy(SS)
Service Design (SD)
Service Transition(ST)
Service Operations (SO)
Financial Management
SupplierManagement
Demand Management
Service Strategy
Generation
Availability Management
Information Security
Management
Transition Planning and
Support
Change Evaluation
Knowledge Management
Event Management
Process Evaluation
Continual Service Improvement (CSI)
Definition of CSI Initiatives
Service Review
Monitoring of CSI Initiatives
IT Operations Control
Technical Management
Application Management
Facilitites Management
Application Development
Compliance Management
Risk Management
Architecture Management
Design Coordination
IT QMS - ITIL based
…and other
Documentation Management
Personnel Records, Roles, Responsibilities
Computer System Validation
Data Management
IT Quality Management
Compliance Procedures
CA/PA Non-conformaty
System Lifecycle Management
Management Review Periodic Review
Archiving and Retrieval
Electronic Records /Electronic Signatures
Suppliers, FDA
FDA 21CFR820 Subpart E - Purchasing ControlsEach manufacturer shall establish and maintain proceduresto ensure that all purchased or otherwise received product and services conform to specified requirements.
– (a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:
• (1) Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
• (2) Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
• (3) Establish and maintain records of acceptable suppliers, contractors, and consultants.
– (b) Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with 820.40.
Suppliers, ISO
ISO 13485:2016 sec. 4.1.2
• When the organization chooses to outsource any process that affect product conformity to requirements, it shall monitor and ensure control over such processes
• The organization shall retain responsibility of conformity to this International Standard and to customer and applicable regulatory requirements for outsourced processes
• The controls shall be proportionate to the risk involved and the ability of the external party to meet the requirements in accordance with 7.4.
• The controls shall include written quality agreements
Mock Inspection
• Are we Inspection Ready?– ”Temperature control”– For cause – announced inspection– Initiating an IT Compliance Plan– Evaluating the outcome of a IT Compliance Plan
• Identifying gaps and risks
• Training and awareness for all personnel
• Periodic review of QMS
• IT Quality responsible
• Evidence of implementation (records)
Looking ahead
FDA focus moving forward:
• For cause inspections – for example: based on confidental informants/whistleblowers.
• Quickly and rigorously follow up on findings to ensure remediation is proceeding quickly.
• Contract manufacturing and research (CMO/CRO). It is the responsibility of both sponsors and contractors to ensure quality.
• Voluntary disclosure to ensure a quicker resolution of the problems and a meaningful reduction in regulatory risk.
IT Compliance synergies
Quality Security
Process
Objectives
Inspection Readiness requires control of:
Data
Applications
Infrastructure
Procedures
Suppliers
Documented evidence
People
Questions from participants
• What are the requirements from FDA for subcontractors?
• What parameters are necessary in order to be ready for an FDA inspection?
• In general FDA focus when on inspection.
• FDA's current attitude/approach for part 11 compliance
• Regarding Data Integrity in relation to IT Infrastructure/computer systems.
• Data Integrity observations in Europe.
• Transferability of compliance procedures