US FDA and Global

Guidance for Computer and

Software Validation
Orlando Lpez
GAMP Data Integrity SIG SME
April 27, 2015
1

Disclosure
The opinions expressed during this
presentation are those of the presenter.

1
 Objectives
How do US FDA drug and device related
computer system regulations compare?
Review US FDA and global computer
systems compliance regulatory
requirements and guidelines.
Present a new approach to computer
compliance.

References
Fry, Edmund M, FDA Regulation of Computer
Systems in Drug Manufacturing, Pharmaceutical
Engineering, Sep/Oct, 1988.
Lpez, O., FDA Regulation of Computer Systems in
Drug Manufacturing 13 Years Later,
Pharmaceutical Engineering, May/Jun 2001.
Lpez, O., Regulations and Guidelines of Computer
Systems in Drug Manufacturing 25 Years Later,
Pharmaceutical Engineering, Jul/Aug 2013.

2
 References
http://www.computer-systems-
validation.net/annex11crosswalk.html

The Crosswalk relates Annex

11 guidelines to other official
regulations, standards and guidance
documents.

References
Lpez, O., EU Annex 11 and the Integrity of
Erecs, Journal of GxP Compliance, Volume
18 Number 2, May 2014.
Lpez, O., A Computer Data Integrity
Compliance Model, Pharmaceutical
Engineering, March/April 2015.
Lpez, O., Trustworthy Computer Systems,
Pharmaceutical Engineering, xxx/xxx 2015.

3
 References
O. Lpez, EU Annex
11 Guide to Computer
Validation Compliance
for the Worldwide
Health Agency GMP,
CRC Press, April 2015.
http://www.crcpress.com/pr
oduct/isbn/9781482243628

ISBN 9781482243628

REGULATIONS AND
GUIDELINES TIMELINE
8

4
 Relevant Regulations and
Guidelines
21 CFR Part 211.2(b), June 1963.
21 CFR Part 211.68 (1976) and
820.70(i) (1997).
CDER Guide to Inspection of
Computerized Systems in Drug
Processing, January 1983.
FDA CPGs (1982-87).
Compliance Policy Guides
CGMP Applicability To Hardware
and Software (CPG 7132a.11) 84
Input/Output Checking
(CPG 7132a.07) 82
Identification of "Persons" on Batch
Production and Control Records
(CPG 7132a.08) 82
Vendor Responsibility
(CPG 7132a.12) 85
Source Code for Process Control
Application Programs
(CPG 7132a.15) 87
9

Relevant Regulations and

Guidelines
21 CFR Part 211.2(b), June 1963.
21 CFR Part 211.68 (1976) and
820.70(i) (1997).
CDER Guide to Inspection of
Computerized Systems in Drug
Processing, January 1983.
FDA CPGs (1982-87).
Annex 11 (Rev 0), January 1992.
PDAs Technical Report 18, Validation
of Computer-Related Systems,
January-February 1995.
GAMP 1, March 1995.
APV Guideline "Computerized
Systems" based on Annex 11 of the
EU-GMP Guideline, April 1996.

10

5
 Relevant Regulations and
Guidelines
21 CFR Part 211.2(b), June 1963.
21 CFR Part 211.68 (1976) and
820.70(i) (1997).
CDER Guide to Inspection of
Computerized Systems in Drug
Processing, January 1983.
FDA CPGs (1987).
Annex 11 (Rev 0), January 1992.
PDAs Technical Report 18,
Validation of Computer-Related
Systems, January-February 1995.
GAMP 1, March 1995.
APV Guideline "Computerized
Systems" based on Annex 11 of the
EU-GMP Guideline, April 1996.
2008
21 CFR Part 11, March 1997.
GAMP 5
MAXIMS
2002 FDA
Risk Based Approach
General Principles of Software
Validation; Final Guidance for Industry
and FDA Staff, January 2002.
Guidance for Industry Part 11,
Electronic Records; Electronic
Signatures Scope and Application,
August 2003.
PIC/S, PI 011-3, Good Practices for
Computerised Systems in Regulated
GXP Environments, September
2007.
21 CFR Part 211.68 (2008).
Annex 11 (Rev 1), January 2011.
MHRA, GMP Data Integrity Definitions
and Guidance for Industry, March
2015.
11
6
 Computer Compliance
Maxims
CGMP Applicability To Hardware
and Software (CPG 7132a.11)
FDA doesnt FDA regulates drug
regulate computer manufacturers and
system performing drug products.
GMP functions. Any computer can
Hardware itself is be used as long as
subject to the GMP the intended use is
requirements that
demonstrated.
apply to equipment.
Software itself is Fry, Edmund M, FDA Regulation of
subject to the same Computer Systems in Drug
Manufacturing, Pharmaceutical
GMP requirements Engineering, Sep/Oct, 1988.
applicable to SOPs.

Data Compliance Maxim

Regulatory requirements for data do not
change whether data are captured on
paper, electronically, or using a hybrid
approach.

7
HOW DO US FDA DRUG AND DEVICE
REGULATIONS COMPARE?

15

GMP
Medical Devices Pharma/Bio
Quality System Quality System
Software Software
Device Production Pharma/Bio
Software Production Software
Medical Devices
Software

16

8
US MEDICAL DEVICES
REGULATIONS
17

GMP Medical Devices

Quality System Software and Device
Production Software
21 CFR 820.70(i), Automated Processes
21 CFR 11
Medical Devices Software
820.30(c) 820.30(g)
820.30(i) 820.40
Medical Device Data Systems
18

9
 Requirements
21 CFR 820.70(i)
Validate computer software for its intended use
according to an established protocol.
All software changes shall be validated before
approval and issuance.
These validation activities and results shall be
documented.
US FDA, General Principles of Software
Validation; Final Guidance for Industry and FDA
Staff, CDRH and CBER, Jan 2002.
21 CFR 11 (See Pharma/Bio) 19

Requirements
21 CFR 820.30(c)
Design Inputs
Requires a mechanism for addressing
incomplete, ambiguous, or conflicting
requirements.

20

10
 Requirements
21 CFR 820.30(g)
Design Validation
The device software (embedded software)
in a medical device is validated to assure it
performs as intended.

21

Requirements
21 CFR 820.30(h)
Design Transfer
Manufacturers are prepared to provide
evidence that the software used for
duplicating the device software, and the
software used in automated manufacturing
or QA, meet the software design
specifications.

22

11
 Requirements
21 CFR 820.30(i)
Design Changes
Any changes to a computer system
including system configurations should
only be made in a controlled manner in
accordance with a defined procedure.

23

Requirements
21 CFR 820.40
Document Control
Any changes to a computer system
including system configurations should
only be made in a controlled manner in
accordance with a defined procedure.

24

12
 Requirements
21 CFR 880
Feb 2011
Medical Device Data Systems
are intended to transfer, store, convert from
one format to another according to preset
specifications, or display medical device data.
perform all intended functions without
controlling or altering the function or
parameters of any connected medical devices.
is not intended to be used in connection with
active patient monitoring.
25

MEDICAL DEVICES
GUIDELINES
26

13
 US FDA Medical Devices
Guidelines
Off-The-Shelf Software Use in Medical Devices, Sep
1999.
General Principles of Software Validation; Final Guidance
for Industry and FDA Staff, CDRH and CBER, Jan 2002.
Radio Frequency Wireless Technology in Medical
Devices, Aug 2013.
Mobile Medical Applications, Feb 2015.
Medical Device Data Systems, Medical Image Storage
Devices, and Medical Image Communications Devices,
Feb 2015.

27

US FDA Medical Devices

Guidelines
Cybersecurity
Cybersecurity for Networked Medical Devices
Containing Off-the-Shelf (OTS) Software, Jan 2005.
US FDA, Content of Premarket Submissions for
Management of Cybersecurity in Medical Devices, Oct
2014.

28

14
 US FDA Medical Devices
Guidelines
Blood Establishments
Blood Establishment Computer Crossmatch, Dec
2011.
Blood Establishment Computer System Validation in
the User's Facility, Apr 2013.

29

International Medical Devices

Guidelines/Standards
http://ec.europa.eu/enterprise/policies/european-
standards/harmonised-standards/medical-
devices/index_en.htm
http://www.emergogroup.com/resources/regulations
IEC 62304 Medical Device Software Development
Lifecycle.
ISO 14971-2012 Medical Devices - Application of Risk
Management to Medical Devices.
.

30

15
 Other Computer related
Medical Devices
Regulations/Guidelines
EC, Green Paper on mobile Health ("mHealth), Mar 2014.
TGA Regulation of medical software and mobile medical
'apps, Sep 2013.
MHRA
MHRA - Blood Bank Electronic Issues
Guidance on medical device stand-alone software
Guidance on the regulations for electronic instructions for
use of medical devices

31

US GMP PHARMA
REGULATIONS
32

16
 GMP Pharma
Quality System Software and
Production Software
21 CFR 211.68, Automatic, mechanical,
and electronic equipment, Sep 2008.
ICH Harmonized Tripartite Guideline,
Good Manufacturing Practice Guidance
for Active Pharmaceutical Ingredients, Q7,
Nov 2000.
21 CFR 11, Mar 1997.
33

211.68(a) Requirements
Automatic, mechanical, or electronic equipment or
other types of equipment, including computers, or
related systems that will perform a function
satisfactorily, may be used in the manufacture,
processing, packing, and holding of a drug product.
If such equipment is so used, it shall be routinely
calibrated, inspected, or checked according to a written
program designed to assure proper performance.
Written records of those calibration checks and
inspections shall be maintained.

34

17
 211.68(b) Requirements
Data Integrity
Clause
Appropriate controls shall be exercised over computer
or related systems to assure that changes in master
production and control records or other records are
instituted only by authorized personnel.
Input to and output from the computer or related
system of formulas or other records or data shall be
checked for accuracy.
The degree and frequency of input/output verification
shall be based on the complexity and reliability of the
computer or related system.

35

211.68(b) Requirements
Original clause
1978 GMPs

Appropriate controls shall be exercised over computer

or related systems to assure that changes in master
CPG 7132a.07
production and control records or other records
1982
are
instituted only by authorized personnel.
Input to and output from the computer or related
system of formulas or other records or data shall be
checked for accuracy.
The degree and frequency of input/output verification
shall be based on the complexity and reliability of the
computer or related system.

36

18
 211.68(b) Requirements
Appropriate controls shall be exercised over computer
or related systems to assure that changes in master
production and control records or other records are
instituted only by authorized personnel.
Input to and output from the computer or related
system of formulas or other records or data shall
1995 be
GMPs
checked for accuracy.
The degree and frequency of input/output verification
shall be based on the complexity and reliability of the
computer or related system.

37

211.68(b) Requirements
A backup file of data entered into the computer or
related system shall be maintained except where
certain data, such as calculations performed in
connection with laboratory analysis, are eliminated by
computerization or other automated processes.
In such instances a written record of the program shall
be maintained along with appropriate validation data.
Hard copy or alternative systems, such as duplicates,
tapes, or microfilm, designed to assure that backup
data are exact and complete and that it is secure from
alteration, inadvertent erasures, or loss shall be
maintained.

38

19
 211.68(c) Requirements
Such automated equipment used for performance of
operations addressed by 211.101(c) or (d), 211.103,
211.182, or 211.188(b)(11) can satisfy the
requirements included in those sections relating to the
performance of an operation by one person and
checking by another person if such equipment is used
in conformity with this section, and one person checks
that the equipment properly performed the operation.

2008 GMPs

39

ICH Requirements
API Q7
Section 5.4
Nov 2000
10 Requirements
Risk Assessment, Security, Operation and
Maintenance
CEFIC, Computer Validation Guide, API
Committee of CEFIC, Dec 2002.

40

20
 ICH Requirements
API Q7 Data Integrity
Clause

Section 6.60
Complete data derived from all tests
conducted to ensure compliance with
established specifications and standards,
including examinations.

41

21 CFR Part 11
21 CFR 11
Mar 1997.
Guideline Aug
2003.

42

21
 21 CFR Part 11
Narrowed Scope
The 2003 FDA guidance on Part 11 redefines
the scope of records subject to Part 11 as
follows:
[Electronic]records that are required to be
maintained under predicate rules, provided they
are relied on to perform regulated activities.
Electronic records submitted to FDA under
predicate rule requirements

21 CFR 11
(Scope)

Records that are required to be maintained

by predicate rules and that are maintained in
electronic format in place of paper format.
Records that are required to be maintained
by predicate rules, are maintained in
electronic format in addition to paper format,
and are relied on to perform regulated
activities.

44

22
 21 CFR 11
(Scope)

Records submitted to FDA in electronic

format, under the predicate rules (even if
such records are not specifically identified in
Agency regulations)
assuming the records have been identified
in the docket as the types of submissions the
Agency accepts in electronic format
Electronic signatures that are intended to be
the equivalent of handwritten signatures,
initials, and other general signings required
by predicate rules.
45

21 CFR 11
Out of Scope
Records (and any associated signatures) that are
not required to be retained by predicate rules, but
that are nonetheless maintained in electronic
format.

46

23
 International Pharma
Guidelines/Standards
ISO 90003-2004 Software Engineering -
Guidelines for the Application of ISO
9001 2000 to Computer Software.
ISO 12207 Systems and software
Engineering - Software Life Cycle.
ISO 12119-1994 Information technology
- Software packages - Quality
requirements and testing.
47

International Pharma
Guidelines/Standards
ISO 17025 General Requirements for
the Competence of Testing and
Calibration Laboratories.
ASTM E2500-07R12 Standard Guide
for Specification, Design, and
Verification of Pharmaceutical and
Biopharmaceutical Manufacturing
Systems and Equipment.

48

24
 International Pharma
Guidelines/Standards
ICH Harmonized Tripartite Guideline, Good
Manufacturing Practice Guidance for Active
Pharmaceutical Ingredients, Q7, Section 5.4,
Nov 2000.
CEFIC, Computer Validation Guide, API
Committee of CEFIC, Dec 2002.
WHO, Technical Report Series No. 937,
Annex 4. Appendix 5, Validation of
computerized systems, 2006.

49

Other Computer-Related
Guidelines
Official Medicines Control Laboratories
(OMCL) Network of the Council of Europe,
Validation of Computerized Systems, Core
Document.
ISO 17025
In-house and commercial software for calculation.
Database computer systems.
Laboratory Information Management Systems
(LIMS), Electronic Laboratory Notebooks (ELN).
Computers as part of test equipment.
50

25
 Other Computer-Related
Guidelines
MHRA
MHRA expectation regarding self inspection and
data integrity
GLP Guidance Archiving
MHRA Good manufacturing practice data integrity
definitions
Pre-Inspection Compliance Report Document

51

Other Computer-Related
Guidelines
EudraLex Volume 4, EU Guidelines to Good
Manufacturing Practice, Medicinal Products
for Human and Veterinary Use, Annex 11 -
Computerised Systems, Jun 2011.
EMEA's answers to FAQ on Computerized
Systems.
PI 011-3. Good Practices for Computerised
Systems in Regulated GXP Environments,
Pharmaceutical Inspection Co-operation
Scheme (PIC/S), Sep 2007.
52

26
 US FDA MEDICAL DEVICES VS
PHARMA
53

Raw Data vs Results

Q: Must all data maintained, even if the data is

manipulated automatically to provide information
in pass or fail format?
A: Not for devices. See part 820 preamble pp.
52631 and 52646. Part 820 requires that
results of acceptance activities be recorded but
not necessarily all raw data. Results must have
audit trails. Be sensitive to need for raw data
during failure investigations under CAPA.
54

27
NEW APPROACH COMPUTER
COMPLIANCE
55

New Approach Computer

Compliance
Trustworthy System
It is one that produces consistent reliable
and authentic records. The focus of all
controls and IT security mechanism should
be the assurance that this trustworthy
condition is maintained.

56

28
 New Approach Computer
Compliance
Trustworthy System
Are reasonably suited to performing their intended
function (21 CFR 11.10(a)).
Provide a reasonably reliable level of availability,
reliability and correct operation (21 CFR 11.10(a)).
I n t e g r i t y

Are reasonably secure from intrusion and misuse.

Adhere to generally accepted security principles.

11.10(d) 11.10(g) 11.10(j)(1) 11.10(e)

211.68(b) Section 5.4
Da t a

ICH

57

New Approach Computer

Compliance
Trustworthy System (Main Proponents)
Authority Regulation / Guideline
US FDA Sub Part B in 21 CFR Part 11
ICH Q7 Section 5.4
Australia TGA Medical Products: Chapter 4 section 4.9 in the Code
of GMP
China SFDA draft GMP Annex 2 (2014)
WHO Technical Report Series, No. 937, 2006. Annex 4
Appendix 5.
Japanese MHLW Guideline on Management of Computerized Systems for Marketing
Authorization Holders and Manufacturers of Drugs and Quasi-
Drugs

Brazil ANVISA Title VII Resolution of the Executive Board No. 17, Computerized
Information System
58
EMA Annex 11

29
EMA ANNEX 11

59

EMA Annex 11
European Medicines Agency GMP
guideline applicable to computer
systems.
Two (2) revisions: 1992 and 2011.
Annex 11 (like the rest of Eudralex
Volume) is a guidance.

60

30
 EMA Annex 11
Used as a model to other regulated
applications and other countries.
PIC/S Guidance on Good Practices for Computerised
Systems in Regulated GxP Environments (PI 011-3)
EU GCP inspectors and ASEAN use PI 011-3
Health Canada ( Health Products and Food Branch
Inspectorate) (Medicinal Products and API)
China (SFDA) (GMP Annex 2 Computerized System
(Draft))
Australia Therapeutic Goods Administration (TGA)
(GMPs and Blood Establishments)

61

EMA Annex 11
Principles
This annex applies to all forms of computerized
systems used as part of a GMP regulated activities. A
computerized system is a set of software and hardware
components which together fulfill certain functionalities.
The application should be validated; IT infrastructure
should be qualified.
Where a computerized system replaces a manual
operation, there should be no resultant decrease in
product quality, process control or quality assurance.
There should be no increase in the overall risk of the
process.
62

31
 EMA Annex 11
General Project Phase
Risk Management Validation
Personnel
Suppliers and Service
Providers

63

EMA Annex 11
Operational Phase
Data Security
Accuracy Checks Incident Management
Data Storage Electronic Signature
Printouts Batch Release
Audit Trails Business Continuity
Change and Archiving
Configuration
Management
Periodic Evaluation

64

32
SUMARY

65

Summary
One of the significant differences between
computer systems compliance in 1992 and
today, is that todays regulatory
methodologies and guidelines requires a risk
based approach throughout the lifecycle of
the computer system taking into account
patient safety, data integrity and product
quality.

66

33
 Summary

Risk
Complexity and Novelty
Supplier

67

Summary
Computer systems can be used to perform
operations covered by the drugs GMP regulation.
These computer systems require a written
validation process.
Computers systems documentation and
validation documentation shall be maintained.
There must be procedural controls for managing
changes to infrastructure and application
software, including documentation.

68

34
 Summary
Computer systems can be used to perform
operations covered by the drugs GMP regulation.
(Principle 1)
These computer systems require a written validation
process. (Principle 2, Annex 11-4)
Computers systems documentation and validation
documentation shall be maintained. (Annex 11-4.1)
There must be procedural controls for managing
changes to infrastructure and application software,
including documentation. (Annex 11-10 and Annex
11-4.2)
69

Summary
Computer systems electronic records must be
controlled including records retention, backup, and
security.
Based on the complexity and reliability of computer
systems there must be procedural controls and
technologies to ensure the accuracy and security of
computer systems I/Os, electronic records and data.

70

35
 Summary
Computer systems electronic records must be
controlled (Annex 11-1, 11-4.8, 11-5, 11-6, 11-7, 11-
8, 11-9, 11-13, 11-14, 11-17) including records
retention, backup (Annex 11-7.2), and security
(Annex 11-12).
Based on the complexity and reliability of computer
systems (Annex 11-1) there must be procedural
controls and technologies to ensure the accuracy and
security (Annex 11-12) of computer systems I/Os
(Annex 11-5), electronic records and data.

71

Summary
Computer systems must have adequate controls to
prevent unauthorized access or changes to data,
inadvertent erasures, or loss.
There must be written procedural controls describing
the maintenance of the computer system, including
an on-going performance evaluation and periodic
reviews.
Verification by a second individual may not be
necessary when automated equipment is used.

72

36
 Summary
Computer systems must have adequate controls to
prevent unauthorized access or changes to data
(Annex 11-12), inadvertent erasures, or loss .
There must be written procedural controls describing
the maintenance of the computer system (Annex 11
Operational Phase), including an on-going
performance evaluation and periodic reviews (Annex
11-11).
Verification by a second individual may not be
necessary when automated equipment is used
(Annex 11-6).

73

Orlando Lpez
GAMP Data Integrity SIG SME
olopez6102@gmail.com 74

37
 FIN
FIN

75

38