This week ARITHMOS has been focusing on Computer System Validation and the importance of implementing a proactive approach to system validation and maintenance. In this week’s blog post, we look at FDA warning letters, what they mean and how to avoid them by following the computer system validation life cycle.
Warning Letters represent two of the three steps that are important to a GxP assessment of deviations.
- The first step are deviations reported on the well-known FDA-483 Form by an FDA inspector at the time of inspection.
- A Warning Letter is issued if the EIR (Establishment Inspection Report) written by the inspector has been checked by the head office and the deviations have been classified as significant or the statement on the elimination of the faults has been classified as insufficient.
If the answer to the Warning Letter is also insufficient from the FDA’s point of view, they enforce step three:
- The inspected site cannot manufacture products for the US/American market until further notice
What are the most notable deviations that result in FDA-483 forms and Warning Letters?
- No individual passwords which can cause repudiation problems
- Insufficient system security
- No electronic audit trail
- (Electronic) raw data not saved or lost
- No correlation between e-records and paper print-outs
- No back-up of data
- No prevention of data deterioration during archiving
- Lack of or inadequate computer system validation
Implementing a CSV Plan to Avoid FDA-483s and Warning Letters
Sponsors can avoid the deviations above by performing a risk assessment on their computerized systems and then maintaining system performance through periodic reviews and change control. The Computer System Validation life cycle follows a process that tests systems throughout the Software Development Life Cycle (SDLC).
For example, let’s look at the requirements for Electronic Records and Electronic Signatures (ERES). ERES requirements are related to the validation of the system and maintaining the system in a validated state. Inspectors will look at a combination of technical controls provided by the system and procedural controls provided by users or administrators of the system.
Therefore, how can Sponsors approach CSV?
- Planning and Requirements: Validation should cover both technical solutions and the implementation of any procedural controls for electronic records and signatures. Define compliance requirements, create a validation plan and define user requirements.
- From Designing to Deployment: Design and build requirements, perform development testing and deploy the system to satisfy all user requirements
- “In Use”: Provide training, define a security procedure in a System Access Plan, retain records according to their retention period and record copies which need to be provided during inspections.
- Cross Phase: Ensure that anyone who develops and maintains systems has the education, training and experience to perform the tasks at hand. An appropriate Document Management Plan should also be defined including a maintenance plan according to change control. Also ensure that a Change Management Process is in place to maintain the validation status.
- Decommissioning: Systems should be decommissioned in accordance with a Decommissioning Plan. Validation documentation must be archived and data maintained in according to the retention period. Even if the system is decommissioned, it must be guaranteed that copies of records are available during inspection.
The FDA requires that organizations comply with all applicable regulatory validation requirements including validation of design, computer software for its intended use and software changes before approval and issuance. Contact ARITHMOS to discuss or strategic and maintenance approach towards CSV and our expert advice on how to avoid FDA (and other regulatory bodies) Warning Letters.