Change Management and Preparing for Computerized System Audits is Critical to Ensure Positive Regulatory Inspections

Change management in the pharmaceutical industry is Part 2 in our conversation on computer system validation (CSV). As discussed in Part 1, the increase in the use of automated manufacturing and quality systems is forcing an increased exposure on computer systems during regulatory inspections.

Validated computerized systems are integral for producing accurate, reliable, and consistent data, and all systems change during their life cycle. GxP professionals should be familiar with the characteristics of proper change management in the pharmaceutical industry. 

Systems that are prone to unauthorized and uncontrollable modification are a huge risk from both safety and regulatory viewpoints. Regulatory agencies refer to systems as being either in control or out of control.

The way that a system is kept in control is through change management.

A look at change management in the pharmaceutical industry

Change control of computerized systems is required to ensure that the validated state is maintained when alterations to the system configuration, software, or hardware are required.

Change control may be considered as a process that borrows elements from both risk management and validation. Specifically, any change request must undergo a process of formal impact assessment, approval, testing, and verification before the request is closed out.

From the health authority inspector’s point of view the main items from a change control process are the procedure and the records. Normally a standard operating procedure (SOP) is used to describe the process, as it is part of the Quality Management System (QMS). The SOP should include the approval steps to ensure that management and the system owner are made aware of any changes that are being planned.

Every change request must be recorded whether it is implemented or not because a rejected change may be subsequently re-requested with a different impact assessment. 

It is essential too, when planning the change, to test the changes in a pre-production environment, which should be as similar to the production environment as possible. This helps ensure that the production system and data are not compromised.

If this cannot be done, an alternative strategy is to have a replicated, or mirror, copy of the production server that can be used to restore the system should testing indicate a functional error or result in loss of data integrity.

Policies and SOPs are needed for the entire lifecycle

Organizations should have policies and procedures in place that address the lifecycle of a computerized system. The documents are approved by management and are generated so that the intended user of the system can ensure the quality and integrity of the data and system that they are using.

The controlled documents fall into two categories: general and system specific. A general process, for instance, would be the validation policy, and a system specific procedure would be the operational use SOP.

The policies and procedures should include:

• Validation methodology
• Validation deliverables
• Infrastructure qualification
• Access administration
• Configuration management
• Testing
• Change management control
• Periodic review
• System maintenance (e.g., incident management, problem management, etc.)
• Physical and logical security
• Record retention
• Back-up, retrieval, and archiving
• Data migration
• Environmental controls
• Data definitions
• Business continuity
• Disaster recovery
• Training
• Retirement

Each controlled document will indicate the workflow for the process and the roles and responsibilities of the staff using and maintaining the system.

During an inspection of the operational use phase of a computerized system, training records of personnel using or maintaining the system will be requested for review to confirm that any and all appropriate training has been completed.

Computerized System Audit

The objectives of a computerized system audit are to demonstrate that a system is under control with evidence of quality management, to verify that procedures are in place and being followed, and to determine whether the staff possess the required level of expertise appropriate for their roles.

With computerized systems, there are specific and non-specific items to be evaluated. In addition to the usual QMS functions, routine operations include change management control, user account management, backup and recovery, SLC methodology, archiving, and business continuity planning.

Specific project management and validation records for systems that are within scope of regulatory inspections or that are business critical may also be evaluated. For instance, a clinical trial database generally has a common architecture and base functions, yet it is usually configured or customized according to the requirements of the clinical study protocol.

An inspection of the database will include the study-specific programming and test records including resolution of test failures. 

Checklist for computerized system audits

To aide with a company’s inspection readiness strategy, the below list of categories and subsequent question can act as a checklist to ensure that the computerized system audit occurs as smoothly as possible.

Vendor Quality Assurance

• Does a formal quality assurance, quality control, or compliance function exist?
• Does the quality assurance, quality control, or compliance function operate according to formal procedures?
• Do procedures cover periodic audits/inspections of all computer-related activities and does documented evidence confirm that they are being followed?

Staff Training and Qualifications

• Are formal procedures in place regarding staff training and retention of training records?
• Are procedures regarding staff training and retention of training records being complied with, and is such compliance supported by documented evidence?
• Do current CVs and training records exist for the necessary individuals, and do they confirm that these individuals have the background, training, and expertise commensurate with their responsibilities?

System Development Process

• Is a formal system development lifecycle in place regarding the development and on-going maintenance of systems?
• Is formal testing carried out?
• Are formal testing procedures and records available?
• Are formal documentation standards in place (e.g., user documentation, training documentation, etc.)?
• Are formal coding standards in place?

Vendor Project Management

• Are formal and approved user/functional requirements available? 
• Are the requirements sufficiently detailed to permit the development of technical specifications and acceptance tests? 
• Are formal and approved technical specifications available? 
• Do the technical specifications include interfaces? 
• Are the technical specifications traceable to the user requirements?

Computerized System Validation (CSV)

• Are formal procedures in place (IQ, OQ and PQ)? 
• Is the vendor complying with the qualification procedures, and is documentation available?
• Does a validation plan and summary report exist?
• If formal qualification procedures are not used, is there evidence of implementation and testing in a controlled and proper manner?

Vendor System Testing

• Are the system programs developed according to formal programming and coding standards? 
• Is structural testing at the unit/module level performed? 
• Are the structural tests traceable to the technical specifications? 
• Are the results of structural testing independently reviewed? 
• Is functional testing documented in formal test plans? 
• Are the functional tests traceable to the technical specifications? 
• Have all testing exceptions been appropriately resolved?

Vendor System Release

• Are formal procedures in place regarding system validation? 
• Are formal procedures in place regarding releases of new versions and new releases, and are new versions and new releases properly defined?
• What documentation accompanies a new version?

End User Activities

• Is access to data restricted to authorized users? 
• Does access control include physical and logical security? 
• Are application passwords shared by users? Are they complex and time expired? Are they used for ‘single sign on’? 
• How are appropriate access and permissions granted? 

Systems Maintenance

• Are maintenance procedures in place and in use? 
• Has maintenance been recorded/logged and was appropriate testing performed? 
• Is a formal disaster recovery plan in place to ensure continued resource availability in the event of a system loss? 
• Has the disaster recovery plan been completely tested and are the test results documented? 

Resources to support computerized system audits

Information on general approaches to inspections of computerized systems and the documentation to support such inspections in the pharmaceutical industry can be found in:

• US FDA’s “Computerized Systems in Drug Establishments” (2/83)
• US FDA’s “General Principles of Software Validation; Final Guidance for Industry and FDA Staff” (1/02) 
• US FDA’s “Guidance for Industry- Computerized Systems Used in Clinical Trials” (4/99)
• EU EMA’s “Guideline on Computerised systems and electronic data in Clinical Trials” (03/23)

Requirements to support inspections of computerized systems can be found in: 

• Chapter 7: Outsourced Activities in “EudraLex, Volume 4: EU Guidelines for GMPs for Medicinal Products for Human and Veterinary Use” 
• Annex 11: Computerised Systems in “EudraLex, Volume 4” 
• US FDA Compliance Policy Guide, Section 425.200, Computerized Drug Processing; Vendor Responsibility (CPG 7132a.12) 
• EMA’s “Q&A: Good Clinical Practice (GCP)” 
• OECD Monograph 10 GLP, The Application of the Principles of GLP to Computerised Systems 
• ICH E6 GCP 
• US FDA 21 CFR Part 11 

Moving forward

There is much to consider about computer system validation (CSV) programs prior to an inspection. The purpose of inspections are to demonstrate to global health authorities, like the FDA, that the regulated company complies with requirements and implements controls in their QMS with the goals of patient safety, product quality, and data integrity at the forefront.

As discussed, it is critical to have a system inventory list in place, the proper SOPs in place, and to inspect essential systems and their documentation prior to a regulatory inspection. While regulatory authorities may be inspecting a facility for other reasons, they may also want to audit the computer system validation (CSV) program.

With an increasing number of business processes carried out in electronic systems, it is beneficial to assess your computer validation program now, whether an inspection is foreseen or not.

For questions or further discussion, Please click here to connect with the right resource to respond.

Authored by: Yaritza Menéndez, Sr. Quality and Compliance Specialist, Quality and Compliance.