Reviewing the FDA’s Database of Inspectional Observations (Form 483) can be helpful when preparing for regulatory inspections. The database can provide insight into the FDA’s approach to inspections. It can also help in identifying your organization’s strengths and potential weaknesses from a regulatory standpoint.
According to statistics published by the FDA, nearly 5000 observations were issued following inspections conducted between October 2013 and October 2014. Based on the Inspectional Observation Summaries released by the FDA, here are some common observations to take into account when operating a computer system in a GxP environment:
Observation: Failure to Validate a Regulated System
The purpose of a regulatory inspection is to demonstrate that your organization is in control of their processes by providing documented evidence that established procedures are followed. Computer System Validation (CSV) is an integral part of demonstrating regulatory compliance since it provides confirmation that computer systems function according to their intended use.
Validation activities and the documentation generated during these activities are often an area of interest for inspectors. In the case of Computer System Validation, an inspector would typically look for documented evidence that validation activities were performed in accordance with approved validation procedures. Additionally, the documentation presented to the inspectors should show that applicable regulatory requirements were met.
Observation: Absence of Written Procedures
Procedures provide an established, approved framework for carrying out tasks within a regulated environment. And they are often among the first documents requested by inspectors. Validation procedures should document with sufficient detail how validation activities are performed and what deliverables are generated via these activities. The approach to validation taken should also be specified. Ensure that the approach takes into account applicable regulations (such as 21 CFR Part 11) and outlines the methodology used (for example, a risk-based approach following GAMP® 5). Moreover, the process stakeholders should be identified and their respective roles and responsibilities should be clearly defined.
Aside from validation procedures, additional procedures pertaining to regulated computer systems are necessary to meet the procedural control requirements of 21 CFR Part 11. These procedures should cover IT-related activities, such as System Maintenance and Logical Security. Procedures should also be in place to manage incidents involving GxP electronic systems along with any changes made to these systems. For a comprehensive list of procedures required for implementing and operating a regulated computer system, this is a great article.
Observation: Written Procedures Not Followed
It is important to be able to demonstrate that the written procedures in place are followed over the course of day-to-day activities. Any procedural deviations should be recorded via the appropriate quality system (investigations, change control, etc.) along with a justification for the actions taken.
When performing computer system validation, make sure that any deviations to the validation plan are documented and a rationale for the deviation is provided. Validation non-conformances should be addressed by identifying the root cause and implementing appropriate corrective actions. The system must not be released for use prior to completing validation and any system limitations should be specified in writing. Changes made to the system once it is validated should be put in place in accordance with an approved change request.
Observation: Failure to Maintain Records
Computer systems are used to manage a variety of regulated documents, ranging from training records and complaint files to raw data obtained during laboratory and production activities. Failure to demonstrate during validation that a regulated computer system functions as intended can lead to serious problems -and potential regulatory observations- down the line. Data integrity and security could be compromised, resulting in the inability to produce documentation requested during inspections. If a computer system is used to track reporting to regulatory bodies, such as the mandatory reporting of medical device issues or adverse drug experiences, it is crucial to ensure that the system performs as expected to be sure that reporting deadlines are respected.
Employing a risk-based approach when validating a computer system in a GxP environment can prevent potential issues involving document management and data retrieval. The scope of the validation should be tied to the risk the system poses to patient safety, product quality and data integrity. The validation should verify that provisions are in place for systemic data back-up, restoration and archiving. Data migration from legacy systems must be properly performed to ensure that all relevant data is conserved. If the computer system allows for the use of electronic signatures, these signatures should be shown to be Part 11 compliant during validation.
Proper document management is key to demonstrating regulatory compliance during a FDA inspection. Since computer systems are widely used to manage regulated documents, it is important to be able to show inspectors that these computer systems function as intended. The inspectors will also want to see that internal processes are governed by approved procedures that are systematically followed.
Remember that when faced with an inspection, an ounce of prevention is worth a pound of cure. Taking common regulatory observations into consideration when planning, performing and documenting CSV activities will reduce the likelihood of receiving similar observations during your next inspection.
Written by Chrysa Plagiannos - Senior Validation and Verification Analyst at Montrium