CASE STUDIES

General Risk Methodology:

Risk is the combination of the severity of the harm and probability of its occurrence.

Harm is the factor which will impose the negative risk on the product quality, Patient safety and Data integrity. General risk management flow is depicted in the diagram attached. The main objective of Risk management is to control the impact to acceptance level by implementing the design and procedural controls. As we all aware, risk cannot be eliminated but can be reduced to acceptance level. The highly effective tool to control the risk is to identify the risk during the design of the system and update the design to reduce the impact of the risk to acceptance level.

A typical Risk Management involves in five stages.

  1. Risk Identification
  2. Risk Assessment
  3. Risk Evaluation
  4. Risk control
  5. Risk Mitigation

 Risk Identification:

Risk Identification is the cardinal aspect of the any of the risk assessment tool. Risk Identification always starts with collection of information and understanding the system functionality.

To identify the risk of any computerized systems, user needs to understand the minute details of the system as mentioned below;

  1. Basic usage of the computerized system
  2. Impact of the System on Critical Quality attributes
  3. User Requirement
  4. Regulatory expectations
  5. System components and architecture
  6. Supplier capability

Risk Assessment:

Risk Assessment is the subsequent phase and completely depends on the identification process. The risks which were identified should be assessed against the product quality, patient safety and data integrity.

Risk Assessment is a process of understanding the impact of risk. This assessment will be done with the following;

  • Severity of the failure
  • Probability of the failure
  • Detectability of the failure

Risk Evaluation:

Risk Evaluation is the process of comparison the analyzed risk against the given risk criteria. This evaluation should be done based on the evidences which provided during the assessment.

The uncertainty in the evaluation will be resulted due to lack of knowledge on the system.

Risk Evaluation shall be done in two ways;

  • Quantitative estimate of risk
  • Qualitative description of a range of risk

The approach to be selected based on the requirement and scenario of methodology

Risk Mitigation:

Risk control includes decision making to reduce and/or accept risks. The purpose of risk control

is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk. Decision makers might use different processes, including benefit-cost analysis, for understanding the optimal level of risk control.

Risk control might focus on the following questions:

  • Is the risk above an acceptable level?
  • What can be done to reduce or eliminate risks?
  • What is the appropriate balance among benefits, risks and resources?
  • Are new risks introduced as a result of the identified risks being controlled?

From the conclusion of questions, risk mitigations shall be proposed and implemented accordingly.

Risk Review:

Risk review includes the identification of residual risk after risk mitigation. During the review, if the result is found unacceptable, then above process should be repeated until the risk level reduced to acceptance.

Qualification and training of project team in CSV:

As discussed in earlier articles, training of the project team is essential to implement the computerized system. Expertize in the respective field always minimize the risk and optimize the time of validation.

Training is an investment in people that pays its dividends in a more skilled workforce, improved productivity, and higher levels of product and service quality.

It is identified that the new facilities are being commissioned with new technology and new personnel, it would not be surprising to see nearly all of the available time spent on training activities: becoming familiar with the equipment, learning the process, procedures, safety practices and systems. In firms with skilled, experienced personnel, training could be reduced to 3–5% of available time. Hence skills and experience plays vital role in implementation of computerized systems.

Regulations are lay down for this;

  1. World Health organization describes about the personnel requirement in Annex 3 WHO good
  2. manufacturing practices for pharmaceutical products.
  3. Schedule M describes about the personnel requirement in PART 1Good Manufacturing Practices for Premises and Materials of Good Manufacturing Practices and Requirements of Premises, Plant and Equipment for Pharmaceutical Products.
  4. USFDA describes about the personnel requirement in PART 211—Current Good m anufacturing Practice for Finished Pharmaceuticals
    1. Subpart B—Organization and Personnel
  5. Medicines and Healthcare products regulatory Agency (MHRA): describes about the personnel requirement in Chapter II Guidance On Good Manufacturing Practice (GMP) – Personnel
  6. TGA describes about the personnel requirement in CHAPTER 2Personnel
  7. PICS describes about the personnel requirement in CHAPTER 2Personnel

Regulatory companies which are hiring the consultants should comply with the Sec. 211.34 Consultants.

“Consultants advising on the manufacture, processing, packing, or holding of drug products shall have sufficient education, training, and experience, or any combination thereof, to advise on the subject for which they are retained. Records shall be maintained stating the name, address, and qualifications of any consultants and the type of service they provide”

Regardless of regulations, emphasized that the training is mandatory for every personnel involved in the validation activity and the team involved in implementation, must have the following traceability;

  • The reason for training
  • The time of training occurred
  • Training mode
  • Training assessment result

These training details should be ensured during the identification of team or at the time of validation plan. Any additional person involvedduring the validation, should have a proper training prior to the initiation of activity.

Make sure that Job-roles and responsibilities are clearly documented as supporting evidences for the qualification and training.

Training of the team should be conducted on;

  • Validation SOPs
  • System operation
  • Defects Identification and Management
  • Regulatory Requirements
  • Risk management
  • Security procedure
  • Change control Management
  • Deviation Management
  • Good Documentation practices

Education must have an end in view, for it is not an end in itself. – Sybil Marshall.

Reference: A WHO guide to good manufacturing practice (GMP) requirements – Part 3: Training

PHARMA 4.0

What is Pharma 4.0

Pharma 4.0 is a frame work in adoption of new digital technologies which helps to meet the industry and regulatory expectations. This approach empowers the current era of industry to reduce the manual interventions with a strong and reliabletechnology. Collaboration of personnel, Information systems, process and culture plays an important role in this operating model.

As we know, pharmaceutical industry works under the strict regulations and guidelinesfrom various regulatory bodies. The aim of this regulatory bodies to keep the patient safety as priority amongst all other benefits. In achieving, industries are driving their innovation by using technology towards the regulatory expectations. This approach erases the boundaries between the pharmaceutical and technology industries and increases the edge of industries in serving world. Pharma 4.0 is revolutionary concept to enable and enhance the collaboration between innovation, technology and regulations.

According to a report by Allied Market Research, the IoT healthcare market will reach $136 billion worldwide by 2021, registering CAGR of 12.5% over 2015-2021.

More than 40 top pharmaceutical companies are stated the collaboration with new technologies

Background

The concept is emerged from the fourth industrial revolution refers to an era of using new technologies and innovation in the manufacturing industries.The world around is evolving and emerging with cutting edge technologies which will add the value to human life. Industry 4.0 is proposed to help the industries in process automation, product, data, software and other asset management. The aim is to establish a common platform to assess the new technologies and its usage which increases the economy of the organizations

New Technologies:

  1. Process Digitalization and Automation
  2. Cloud Computing
  3. Big Data Management
  4. AR and VR technologies
  5. 3D-Printing Drugs
  6. IoT integration
  7. Data Science
  8. Artificial Intelligence and Machine learning
  9. Block chain
  10. Organs-On-Chips

Conclusion:

Ensuring the patient safety, product quality and data integrity are the primary challenges for implementation of new technologies. However, industry is being progressed at various levels and the term Pharma 4.0 is coined to represent the progress of current era.

About us:

Our renowned experience in automation, validation and digitization will help you in identification, assessment, implementation, review and monitor the quality and regulatory processes.

Please write to us: csv@valsquare.in

Please visit us at: www.valsquare.in

Software Backup:

In addition to data backup, some of the regulations are mandated about the maintenance of backup copies of software. Software copies maintained to ensure that the system can be restored in case of software failures without any delay. The scope of the backup should be included with software, components, utilities, operating system, code, configuration settings and data as applicable. It is recommended to initiate the backup at predominant points such as:

  • After Software Installation
  • Prior to release for operation
  • After every modification
  • After retirement (if data is to be maintained)

It is good to have at least two generations of copies such as current version and previous version of the software based on the risk. Periodic testing, frequency and management of the software copies should be considered based on the risk.

Privilege matrix and User groups:

Every computerized system must have defined user roles and privileges to ensure that the authorized individuals can use the system and perform the intended functions.

Privilege assignment should be aligned with procedures and functions such as;

  • Internal operation
  • Data reporting (Business process)
  • Data management (Technical Data Management)
  • Service management (Maintenance)

Based on the above, identify the required roles for the system during the validation/ implementation. Leverage vendor knowledge to understand the each function in the role matrix. Make sure that each group (Operator, supervisor, reviewer, service, IT and Administrator) should not have any additional privileges apart from their routine operations. Perform the risk assessment; identify the criticality, impact of the each privilege and categorize as the critical, non-critical and perform the testing accordingly.

Define the objective of each role and its privileges in the standard operating procedure. Disable / delete the roles which are not in use. If the provision is not available to disable, capture the details in the procedure.

CSV and Periodic Review:

In GxP area, every system must

  • Achieve the compliance state during deployment
  • Maintain the compliance for the rest of life

Bringing the system into compliance will be achieved by validation and managing system in the compliance will be ensured by effective monitoring of software. Periodic review is the process which confirms that the system is in compliant state with respect regulatory, procedural and technical requirements.

In general, below changes may occur during the routine operation of the software.

  • System Failures
  • Upgrades
  • Process changes
  • Change in the system usage
  • Updates of regulations.

As explained in the diagram, multiple areas of system should be considered for review and the frequency of the review should be established based on the complexity, criticality and risk of the system. Conduct periodic review as an independent audit for the system to identify the abnormalities. Establish CAPA if required to bring the system into compliance state.

URS is a set of primary expectations which are to be fulfilled by system and regulations.

The other benefits are;

  • Serve as a basis for vendor/in-house develop team.
  • Identify the System use (GxP)
  • Identify the requirements for system implementation
  • Identify the business priority of the requirements.

Each requirement can be identified as Mandatory, Beneficial and nice to have based on the requirement. This would help to developers to work as per priority.

Each requirement should fulfill below attributes.

  • Specific
  • Measureable
  • Achievable
  • Realistic
  • Testable
  • Unambiguous
  • Clear
  • Precise
  • Self-explained

URS is utmost and primary document for the Software implementation. URS can be updated in subsequent phases of validation.

Most of the Problems during the subsequent phases will encounter due to the inadequate URS and generic requirements which cannot be achieved.

Examples for generic statements.

  • Application should have a security option.
  • Application should comply with GMP , GLP, GDP, etc

Application should comply with EU annex 11 and 21 CFR part 11 requirements

Data and its life cycle:

Basic definition of the data under regulation is “Facts, figures and statistics collected together for reference or analysis. All original records and true copies of original records, including source data and metadata and all subsequent transformations and reports of these data, that are generated or recorded at the time of the GXP activity and allow full and complete reconstruction and evaluation of the GXP activity”

As many of us aware, each data should have the ALCOA attributes to prove the integrity along with “+” which refers to Complete, Consistent, Enduring and Available.

Every component in GxP environment, follows the lifecycle approach. Nevertheless to say, each data or record walks through the different stages based on the requirement. Each data comprises with following phases

  • Data Creation
  • Data Processing and reporting
  • Storage and Manage
  • Archive / Retrieval

In each stage, there are potential factors which compromise the data integrity. Some of the attributes required to ensure the integrity of data for computerized system.

  1. Data should be secured by both physical and electronic means against damage.
  2. integrity and access of records
  3. Integrity and accuracy of backup and restoration.
  4. Capacity of storage and accessibility.
  5. Audit trail of e-records for re-construction of activities.
  6. Un-authorized deletion/ modification of the data
  7. Controls during the data transfer
  8. Types of data generated (method, data acquisition, reporting, audit records, user records).
  9. Location of each type of data
  10. Roles and responsibilities to access the data
  11. Procedures for data management
  12. Procedures for data review and reporting.
  13. Disater management for the data.
  14. Real-time backup based on the criticality.