Inspection ReadinessMikael Yde, Principal Consultant, Epista Life Science A/S

Continuously Improving Compliance

Epista Life Science is a consultancy dedicated to

continuously improving regulatory compliance

We turn

compliance obstacles into

business opportunities

for our clients and for the industry

Continuously Improving Compliance

HOW?

WHY?

• Pioneer new compliance methodologies and technology partnerships.

• Bridge the gap between IT, Quality and Line-of-Business departments by building regulatory requirements seamlessly into business processes.

• Pioneer new compliance methodologies and technology partnerships

• Bridge the gap between IT, Quality and Line-of-Business departments by building regulatory requirements seamlessly into business processes

• To help our clients find the absolute best balance between compliance, risk and their business goals

Speaker

Mikael YdePrincipal Consultant

Life Science since 2001, IT since 1987

Epista Life Science A/S 2013 - present

– Inspection Readiness

– IT Compliance

– IT QMS, CSV, GxP IT

H. Lundbeck A/S 2001 - 2013

Headed Global IT Compliance, 10+ years

– Corporate Validation of applications

– Global Qualification of IT infrastructure

– Corporate Information Security

– Inspection Coordinator for Corporate IT

– Global Service Management/ITIL processes

– Lean Manager in Corporate IT

Objectives

FDA Inspection readiness requires control of:

– Data

– Applications

– Infrastructure

– Procedures

– Suppliers

– Documented evidence

– IT Compliance

– And People …among other things…

From Compliance to Quality

More than a decade ago, the FDA published A vision for 21st Century Manufactoring. The document was a call to action designed to move the LifeScience industry from mere compliance to true quality.

While much progress has been made, its goal – to improve the quality of products, processes and manufactoring – remains a multifaceted challenge.

You have to combine and embrace the technology, quality and capability of the processes with quality systems to successfully achieve valuable compliance.

Pay now

- or pay later

To be IN CONTROL

Compliance:

The challenge of being in control while balancing risk, quality and cost.

Satisfy regulatory requirements while meeting expectations from customers and business.

BE CONCIOUSLY INCOMPETENT

Balancing Risk vs. Cost

Cost

Risk

Compliance

level

Time

Compliance

Types of inspections Inspections under a risk-based compliance program• FDA aims to prioritize regular inspections based on risk

assessments• These inspections are generally announced in advance

Product-related GXP inspections• FDA may carry out pre-approval inspections when assessing an

application for a marketing authorization• These inspections are generally announced in advance

Triggered or For Cause Inspections• Competent Authorities may inspect you if they are informed

about possible GMP or GDP breaches - for example by a whistle blower, press/ media or another regulatory authority

• Here, little or no notification of these inspections is given in advance

Cloud

Responsibilities

QualifiedIT Infrastructure

IT Supplier

ExternalSupplier

Business application

IT applications

Data

Procedures

Procedures

Trained personnel

Trained personnel

IT Compliance Plan

Strategy and approach Areas of interest

Identified gaps and mitigations Implementation plan

State-of-the-Union

IT Compliance Plan

• Compliance StatementPurpose

• Regulations

• LocationScope

• Management

• IT Organization

• Quality Organization

• Roles & Responsibilities

Organizational Structure

• Applications

• Data

• Infrastructure

• Procedures

Computerized Systems

• GxP classification

• Risk assessment

System Inventory list (Legacy systems)

• Policies and Procedures

• Personnel recordsIT Quality Management System (QMS)

• Identified gaps

• Mitigations

• Action planConclusion

Computerized Systems

Operating Environment(including other networked, or standalone computerized systems, other systems, media, people, equipment

and procedures)

Computerized System

Computer System(Controlling System)

Software

Hardware

Firmware

Controlled Function or Process

Operating Procedure and

People

Equipment

Source: GAMP5® Good Practice Guide: A Risk-Based Approach to Compliant GxP Computerized Systems. Copyright ISPE 2008. All rights reserved.

Computerized systems - New

Classification

– GxP assessment

– Risk assessment

Validate GxP systems

– Prospective documented quality assurance

Dual effort between IT and Business System Owners!

Computer System Validation (CSV)

Requirements Specification

(RS)

Validation Plan(VP)

Installation Qualification

(IQ)

Operation Qualification

(OQ)

Performance Qualification

(PQ)

Validation Report

(VR)

Functional/Design Specification

(FS/DS)

Supplier’s Life Cycle

Model

Planning

Design & Preparation

Testing

The process of providing documented evidence that a system does what it claims to do, and that it will continue to do so in the future

Computerised Legacy Systems

• Establish an Inventory List of all current systems in operation

• GxP assessment of the systems

• Risk assessment of business criticality

• Validate/bring in control – System documentation (Validation Plan,

Requirements Specification, Test documentation, Validation Report, Operating Manual..)

– Supporting processes in IT QMS and by System Owner (SOP’s to operate and support validated state)

• Dual effort between IT and Business System Owners!

Data Integrity

• The extent to which all data are complete, consistent and accurate throughout the data life cycle

• Sharpened and enforced focus on data in legislation and from regulatory bodies/accountants

• Data Classification is key to control

Back up/RestoreDisaster RecoveryContingency planRetention policyArchiving and data clean upAudit trailData review

Qualification of IT Infrastructure

• Authorities are very much aware of the importance of applications running on a defined and controlled technical environment

• Service Requirement to IT from Business/System Owners

Configuration management

Change management

Release Management

Deploy Management

Patch Management

Service Portfolio

Management

Request Fulfillment

Business Relationship Management

Service Catalogue

Management

Service Validation &

Testing

Release & Deploy

Management

Service Level Management

Change Management

Configuration and Asset

Management

Incident Management

Problem Management

User and Access Management

Capacity Management

IT Service Continuity

Management

Service Strategy(SS)

Service Design (SD)

Service Transition(ST)

Service Operations (SO)

Financial Management

SupplierManagement

Demand Management

Service Strategy

Generation

Availability Management

Information Security

Management

Transition Planning and

Support

Change Evaluation

Knowledge Management

Event Management

Process Evaluation

Continual Service Improvement (CSI)

Definition of CSI Initiatives

Service Review

Monitoring of CSI Initiatives

IT Operations Control

Technical Management

Application Management

Facilitites Management

Application Development

Compliance Management

Risk Management

Architecture Management

Design Coordination

IT QMS - ITIL based

…and other

Documentation Management

Personnel Records, Roles, Responsibilities

Computer System Validation

Data Management

IT Quality Management

Compliance Procedures

CA/PA Non-conformaty

System Lifecycle Management

Management Review Periodic Review

Archiving and Retrieval

Electronic Records /Electronic Signatures

Suppliers, FDA

FDA 21CFR820 Subpart E - Purchasing ControlsEach manufacturer shall establish and maintain proceduresto ensure that all purchased or otherwise received product and services conform to specified requirements.

– (a) Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:

• (1) Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.

• (2) Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.

• (3) Establish and maintain records of acceptable suppliers, contractors, and consultants.

– (b) Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with 820.40.

Suppliers, ISO

ISO 13485:2016 sec. 4.1.2

• When the organization chooses to outsource any process that affect product conformity to requirements, it shall monitor and ensure control over such processes

• The organization shall retain responsibility of conformity to this International Standard and to customer and applicable regulatory requirements for outsourced processes

• The controls shall be proportionate to the risk involved and the ability of the external party to meet the requirements in accordance with 7.4.

• The controls shall include written quality agreements

Mock Inspection

• Are we Inspection Ready?– ”Temperature control”– For cause – announced inspection– Initiating an IT Compliance Plan– Evaluating the outcome of a IT Compliance Plan

• Identifying gaps and risks

• Training and awareness for all personnel

• Periodic review of QMS

• IT Quality responsible

• Evidence of implementation (records)

Looking ahead

FDA focus moving forward:

• For cause inspections – for example: based on confidental informants/whistleblowers.

• Quickly and rigorously follow up on findings to ensure remediation is proceeding quickly.

• Contract manufacturing and research (CMO/CRO). It is the responsibility of both sponsors and contractors to ensure quality.

• Voluntary disclosure to ensure a quicker resolution of the problems and a meaningful reduction in regulatory risk.

IT Compliance synergies

Quality Security

Process

Objectives

Inspection Readiness requires control of:

Data

Applications

Infrastructure

Procedures

Suppliers

Documented evidence

People

Questions?

Mikael YdePrincipal Consultant

M: +45 53 69 49 73E: my@epista.comW: www.epista.com

Questions from participants

• What are the requirements from FDA for subcontractors?

• What parameters are necessary in order to be ready for an FDA inspection?

• In general FDA focus when on inspection.

• FDA's current attitude/approach for part 11 compliance

• Regarding Data Integrity in relation to IT Infrastructure/computer systems.

• Data Integrity observations in Europe.

• Transferability of compliance procedures