ispe nordic cop clean utilities september 7 2016 … · and integrity in regulated gmp/gdp...

25
ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 TUUSULA FINLAND Timo Kuosmanen STERIS Finn-Aqua [email protected]

Upload: others

Post on 09-Aug-2020

1 views

Category:

Documents


3 download

TRANSCRIPT

Page 1: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

ISPE NORDIC COP CLEAN UTILITIESSEPTEMBER 7 2016 TUUSULA FINLAND

Timo KuosmanenSTERIS [email protected]

Page 2: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

AUDIT TRAIL IN CRITICALUTILITIES MONITORINGCURRENT TRENDS

Page 3: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

CONTENTS

BACKGROUND

NEW GUIDANCES

AUDIT TRAIL

RISK ASSESSMENT EXAMPLE

BENEFITS

Q&A

Page 4: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

• Risk Management and Data Integrity have been ”hot topics” recently both in EU and US

• FDA guidance Part 11, Electronic Records; Electronic Signatures — Scope and Application,August 2003, referred to exercising enforcement discretion with respect to certain part 11requirements: ” That is, we do not intend to take enforcement action to enforce compliance with thevalidation, audit trail, record retention, and record copying requirements of part 11 as explained in thisguidance.”

• Revised EU GMP Annex 11 in operation June 2011

• New draft guidances released for comments recently

• Recent FDA Warning Letters reveal CGMP violations involving data integrity

4

BACKGROUND

Page 5: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org 5

BACKGROUND: Recent Warning Letters

Page 6: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org 6

BACKGROUND: Recent Warning Letters

Page 7: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

Your quality system does not adequately ensure the accuracy and integrity of data to support the safety,effectiveness, and quality of the drugs you manufacture. In response to this letter, provide the following.1. A comprehensive investigation into the extent of the inaccuracies in data records and reporting. Yourinvestigation should include:• A detailed investigation protocol and methodology; a summary of all laboratories, manufacturing operations,and systems to be covered by the assessment; and a justification for any part of your operation that youpropose to exclude.• Interviews of current and former employees to identify the nature, scope, and root cause of datainaccuracies. We recommend that these interviews be conducted by a qualified third party.• An assessment of the extent of data integrity deficiencies at your facility. Identify omissions, alterations,deletions, record destruction, non-contemporaneous record completion, and other deficiencies. Describe allparts of your facility’s operations in which you discovered data integrity lapses.• A comprehensive retrospective evaluation of the nature of all data integrity deficiencies. We recommendthat a qualified third party with specific expertise in the area where potential batches were identified shouldevaluate all data integrity lapses.

2. A current risk assessment of the potential effects of the observed failures on the quality of your drugs. Yourassessment should include analyses of the risks to patients caused by the release of drugs affected by alapse of data integrity, and risks posed by ongoing operations.

7

BACKGROUND: Consequences

Page 8: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

3. A management strategy for your firm that includes the details of your global corrective action andpreventive action plan. Your strategy should include:• A detailed corrective action plan that describes how you intend to ensure the reliability and completeness ofall of the data you generate, including analytical data, manufacturing records, and all data submitted to FDA.• A comprehensive description of the root causes of your data integrity lapses, including evidence that thescope and depth of the current action plan is commensurate with the findings of the investigation and riskassessment. Indicate whether individuals responsible for data integrity lapses remain able to influenceCGMP-related or drug application data at your firm.• Interim measures describing the actions you have taken or will take to protect patients and to ensure thequality of your drugs, such as notifying your customers, recalling product, conducting additional testing,adding lots to your stability programs to assure stability, drug application actions, and enhanced complaintmonitoring. Long-term measures describing any remediation efforts and enhancements to procedures,processes, methods, controls, systems, management oversight, and human resources (e.g., training, staffingimprovements) designed to ensure the integrity of your company’s data.• A status report for any of the above activities that are already underway or completed.

If you cannot complete corrective actions within 15 working days, state your completion date and reasons fordelay.

8

BACKGROUND: Consequences

Page 9: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

FDA draft document issued April 2016

“FDA expects that data be reliable and accurate”

“CGMP regulations and guidance allow for flexibleand risk-based strategies to prevent and detectdata integrity issues. Firms should implementmeaningful and effective strategies to manage theirdata integrity risks based upon their processunderstanding and knowledge management oftechnologies and business models.”

“In recent years, FDA has increasingly observedCGMP violations involving data integrity duringCGMP inspections.”

9

NEW GUIDANCES

Page 10: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

PIC/S draft guidance

August 2016

GOOD PRACTICES FOR DATA MANAGEMENTAND INTEGRITY IN REGULATED GMP/GDPENVIRONMENTS

“Good data management practices influence theintegrity of all data generated and recorded by amanufacturer and these practices should ensurethat data is accurate, complete and reliable. Whilethe main focus of this document is in relation todata integrity expectations, the principles hereinshould also be considered in the wider context ofgood data management.”

10

NEW GUIDANCES

Page 11: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org 11

NEW GUIDANCES

BACKGROUND

“The way in which regulatory data is generated hascontinued to evolve in line with the introduction andongoing development of supporting technologies,supply chains and ways of working. Systems tosupport these ways of working can range frommanual processes with paper records to the use ofcomputerised systems. However the main purposeof the regulatory requirements remains the same;having confidence in the quality and the integrity ofthe data generated and being able to reconstructactivities remains a fundamental requirement.”

Page 12: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

WHO Technical Report Series No. 996 Annex 5, 2016

Guidance on good data and record management practices

“However, in recent years, the number of observations made regarding good data and record managementpractices (GDRP) during inspections of good manufacturing practice (GMP) (1), good clinical practice(GCP) and good laboratory practice (GLP) has been increasing. The reasons for the increasing concern ofhealth authorities regarding data reliability are undoubtedly multifactorial and include increased regulatoryawareness and concern regarding gaps between industry choices and appropriate and modern controlstrategies.”

“Contributing factors include failures by organizations to apply robust systems that inhibit data risks, toimprove the detection of situations where data reliability may be compromised, and/or to investigate andaddress root causes when failures do arise. For example, organizations subject to medical product goodpractice requirements have been using validated computerized systems for many decades but many fail toadequately review and manage original electronic records and instead often only review and manageincomplete and/or inappropriate printouts. These observations highlight the need for industry to modernizecontrol strategies and apply modern quality risk management (QRM) and sound scientific principles tocurrent business models (such as outsourcing and globalization) as well as technologies currently in use(such as computerized systems).”

12

NEW GUIDANCES

Page 13: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

• Data integrity (ALCOA)

• Emphasis on following technological advancements and modernizing QMS systems to includedata management and data integrity

• Training program to include company’s data integrity policy and data integrity SOPs

• Concern over shared login accounts

• Risk assessment and risk management

• Validation of computerised systems

• Data reviews/internal audits including audit trails

13

COMMON ELEMENTS

Page 14: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

Data Integrity Attribute Requirement

Attributable It should be possible to identify the individual who performed the recorded task.Legible All records must be legible – the information must be readable in order for it to be of

any use.Contemporaneous The evidence of actions, events or decisions should be recorded as they take place.Original The original record can be described as the first-capture of information, whether

recorded on paper (static) or electronically.Accurate Ensuring results and records are accurate is achieved through many elements of a

robust Pharmaceutical Quality Management System. This can be comprised of:• equipment-related factors such as qualification, calibration, maintenance and

computer validation.• policies and procedures to control actions and behaviours, including data review

procedures to verify adherence to procedural requirements• deviation management including root cause analysis, impact assessments and

CAPA• trained and qualified personnel who understand the importance of following

established procedures and documenting their actions and decisions.

14

ALCOA (PIC/S guidance)

Page 15: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

FDA, draftguidance 2016

For purposes of this guidance, audit trail means a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relatingto the creation, modification, or deletion of an electronic record. An audit trail is achronology of the “who, what, when, and why” of a record.

MHRA Audit trails are metadata that are a record of critical information (for example the changeor deletion of relevant data) that permit the reconstruction of activities.

WHO The audit trail is a form of metadata that contains information associated with actionsthat relate to the creation, modification or deletion of GXP records. An audit trail providesfor secure recording of life-cycle details such as creation, additions, deletions oralterations of information in a record, either paper or electronic, without obscuring oroverwriting the original record. An audit trail facilitates the reconstruction of the history ofsuch events relating to the record regardless of its medium, including the “who, what,when and why” of the action.

15

DEFINITION OF AUDIT TRAIL

Page 16: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

Source

FDA, August 2003 We recommend that you base your decision on whether to apply audit trails, orother appropriate measures, on the need to comply with predicate rulerequirements, a justified and documented risk assessment, and a determination ofthe potential effect on product quality and safety and record integrity. We suggestthat you apply appropriate controls based on such an assessment. Audit trails canbe particularly appropriate when users are expected to create, modify, or deleteregulated records during normal operation.

EU Annex 11 Consideration should be given, based on a risk assessment, to building into thesystem the creation of a record of all GMP-relevant changes and deletions (asystem generated "audit trail").

16

AUDIT TRAIL AND RISK ASSESSMENT

Page 17: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

Source

PIC/S If no electronic audit trail system exists a paper based record to demonstratechanges to data may be acceptable until a fully audit trailed (integrated system orindependent audit software using a validated interface) system becomes available.These hybrid systems are permitted, where they achieve equivalence to integratedaudit trail, such as described in Annex 11 of the PIC/S GMP Guide.

MHRA If no audit trailed system exists a paper based audit trail to demonstrate changes todata will be permitted until a fully audit trailed (integrated system or independentaudit software using a validated interface) system becomes available. These hybridsystems are acceptable, where they achieve equivalence to integrated audit trail,such as described in Chapter 4 of the GMP Guide. If such equivalence cannot bedemonstrated, it is expected that GMP facilities should upgrade to an audit trailedsystem by the end of 2017 (reference: Art 23 of Directive 2001/83/EC).

Art 23 of Directive2001/83/EC

After an authorization has been issued, the authorization holder must, in respect ofthe methods of manufacture and control provided for in Article 8(3)(d) and (h), takeaccount of scientific and technical progress and introduce any changes that may berequired to enable the medicinal product to be manufactured and checked bymeans of generally accepted scientific methods.

17

PAPER BASED AUDIT TRAIL

Page 18: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

Source

FDA, draft guidance2016

FDA recommends that audit trails that capture changes to critical data be reviewedwith each record and before final approval of the record. Audit trails subject toregular review should include, but are not limited to, the following: the changehistory of finished product test results, changes to sample run sequences, changesto sample identification, and changes to critical process parameters.

FDA recommends routine scheduled audit trail review based on the complexity ofthe system and its intended use.

EU Annex 11 Audit trails need to be available and convertible to a generally intelligible form andregularly reviewed.

MHRA Routine data review should include a documented audit trail review. Whendesigning a system for review of audit trails, this may be limited to those with GxPrelevance (e.g. relating to data creation, processing, modification and deletion etc).Audit trails may be reviewed as a list of relevant data, or by a ‘exception reporting’process. An exception report is a validated search tool that identifies anddocuments predetermined ‘abnormal’ data or actions, which requires furtherattention or investigation by the data reviewer.

18

AUDIT TRAIL REVIEW

Page 19: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

Are Audit Trails mandatory in SFA critical utility equipment?

How to utilize risk assessment?

How to perform risk assessment?

How to mitigate data integrity risks?

How STERIS may help?

19

STERIS FINN-AQUA EQUIPMENT

Page 20: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org 20

Page 21: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

Category Yes No Justification

Direct impact? √ Steam may have impact on patient safety and product quality

GxP critical? √ Manufacturing equipment regulated by GxP

21 CFR part 11 applies? √ No electronic records generated, no permanent data memory

Data integrity impact? √ Parameters and calibration have an impact on data integrity

Complex? √ One pump, less than 5 valves and one pressure PID

Novelty? √ Several hundreds installations worldwide

21

INITIAL RISK ASSESSMENT

Page 22: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

Controls Yes No Justification

Access control √ Password system with different roles, lockable cabinets

Calibration √ Data accuracy

I/O testing √ Separate Service Menu for testing purposes

System prompts √ Calibration, factory data upload/download

Limiting parameter ranges √ Invalid or unrealistic values not accepted

Sensor fault alarms √ May indicate instrument manipulation

Critical process alarms √ Aborting conductivity alarm

Configuration specifications √ SOP´s for calibration and configuration

Backup functionality √ Parameters and calibration co-efficents

Life cycle model √ GAMP5 implemented

QMS √ Certified quality management system at STERIS Finn-Aqua

Audit trail √ No electronic records

22

IDENTIFY REQUIRED CONTROLS FOR DATA INTEGRITY

Page 23: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org 23

RISK BASED DECISIONS

If needed, more options are available

• Traditional chart recorder available as an option à limited functionality, paper records

• Paperless recorder available as an option à recorder manufacturer´s specified CFR part 11functionality, electronic records

• On special request: Audit trail available

• SIEMENS standard tools and software

• A secure, computer-generated, time-stamped electronic record that allows for reconstruction of thecourse of events relating to the system access, process parameter changes, alarms and calibrationevents

• Ability to detect audit trail manipulation

• Available both in human readable and electronic format, can be exported

Page 24: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org 24

BENEFITS

• Demonstrate risk based approach to data security

• Audit trail review with search and filtering capability

• Ability to detect unsuccessful login attempts

• Ability to detect changes to system parameters

• Ability to detect unscheduled calibration events

• Ability to monitor alarm events

• Ability to re-construct events and actions during failure investigations

• Visibility limited to system administrators

Page 25: ISPE NORDIC COP CLEAN UTILITIES SEPTEMBER 7 2016 … · AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS “Good data management practices influence the integrity of all data generated

Connecting Pharmaceutical Knowledge ispe.org

Questions?

25

Q&A