Fax Initials Annex with airSlate SignNow

Fax initials annex

welcome thank you for joining our governance risk and compliance best practice series webinar i'm becca melody your hostess for today's presentation diane grinder our vp of operations will be presenting if you do not see the presentation slides on your screen at this point please click on the annex 11 tab at the top center of your screen the discussion today will cover introductions USDM at a glance whether my logistics and our discussion topic the updated annex 11 what does it mean for computer systems validation Diane Klein's there is our VP of operations for us diligent and she has 21 years of experience in quality assurance and regulatory compliance within pharmaceutical biotech and medical device industries Diane is our lab practice director and she leads the USDM operations team and she's done so successfully for eight years now us data management is focused exclusively on the life science domain where the market leader in providing IT quality and regulatory compliance professional service solutions were headquartered in Ventura California and one compliance partner for many best-of-breed vendors including a sapien Oracle Open Text an Agilent Technologies we've delivered more than a thousand successful projects with over 130 life science clients and were a preferred compliance partner for small mid tier and large life sciences companies we specialize in assisting clients with reducing regulatory risk while maximizing their investment in quality systems and ECM laboratory instruments as well as systems and IT infrastructure our directive is to simplify unify and optimize compliance and business objectives the content of the presentation will be covered in approximately 30 minutes and we'll invite you to post questions for our team via the I like message board on the bottom left of your screen will address all questions immediately following the presentation but feel free to put them in as they come to you through the slide presentation and if something strikes you just go ahead and enter it and we'll get started right after Diane's finish to answer your questions if you're having any issues logging into the system I suggest you turn off your popup blockers and so you know the webinar is being recorded and will be made available on our website if you want to review the slides later and to keep you from taking tons of notes through the session the overall goal of the webinar is to facilitate discussion we're here to share ideas and provide the platform and they get to the edge and explore solutions together thanks again for taking the time to join us and now I'll turn the presentation over to Diane hello everyone and thanks again for joining us today on the on this webinar we'll be discussing what annex 11 is just very briefly for those of you who aren't very familiar with it the changes that were made to annex 11 recently that went into effect that affect computer system validation validation of applications under annex 11 IT infrastructure additional information on that now now IT infrastructure qualification is a requirement and how to qualify the IT infrastructure the risk management element that's been introduced into annex 11 current good practices documentation which is chapter 4 of annex 11 which was also updated and went into effect at the same time excuse me this this will discuss pardon me some of the documentation that's required now for computer systems validation the update to supply your services and how to handle them in a validation of a system and then we'll discuss just an overall summary and again at the end of this presentation we will have question and answers so please do feel free to add any questions during the presentation so what is an X 11 basically it's the European equivalent of our in the US the part 11 requirements was first released in 1992 in 2008 they revision was proposed to bring annex 11 more into compliance with the increased use of computer systems and the complexity of those systems that new guideline was introduced in 2011 and it became effective on July 1st of this year annex 11 is for those companies who are based in the United States and who want to sell in Europe it's also so if you're in the United States and you're selling solely for your product selling filly in the United States you need to follow part 11 if however you are based in Europe and you're selling in Europe you need to meet the annex 7 requirements if you are based in the United States and you want to sell in Europe you also have to comply with annex 11 as well as part 11 to the change in that effect computer systems validation first of all there's a requirement now that you must validate your applications you must qualify IT infrastructure validation does not stop with a one-time validation event they've expanded the validation lifecycle in annex 11 and that means you must maintain the validated state of your system requirements must be traceable throughout the validation lifecycle traceability has always been a regulatory expectation but now it's actually a regulatory requirement you must be able to demonstrate that your data has integrity it's available and it's confidential vendor audits are a requirement now when you do a vendor audit you need to consider risk we'll talk about that in a bit more detail later on they also are now subject to inspection during a regulatory audit risk management for CSV we all know risk management has become an issue in the United States and it's an expectation now under part 11 under the predicate rules annex 11 extends that to European Union and the chapter 4 changes which are critical to the understanding and computer system validation you now must define electronic raw data there's no such thing any longer as an electronic system generating a paper record and only that paper record is raw data if you have an electronic system that generates a paper record that electronic file is required to be a part of the raw data and has to be maintained so you need to keep and manage all electronic records now there's an addition in annex 11 of IT infrastructure it's always been expected that you would qualify your infrastructure but it's never really been looked at or regulated now annex 11 says all forms of computerized systems used as a part of GXP regulated activities must be controlled and qualified and where a computerised system replaces a manual operation there can be no resultant decrease in product quality process control or Quality Assurance and no increase in the overall risk of the process again you need to validate your computer systems applications you need to validate your infrastructure and this applies across the board as a part of GXP regulated activities - what does qualification of infrastructure mean under par under annex 11 and really this is not so much different than what it means in the United States it's just an excellent just gives you a bit more detail on it so it means you need to bring your infrastructure into initial conformance with the established standards and you establish those standards based on good practices within the industry you need to have a planned documented verification process based on good IT practices and you need to maintain that qualified state by having sufficient processes and QA QA activities in place to demonstrate that your processes and activities are effective in maintaining a validated state you need to make sure that user IDs are unique to an individual and not reuse a lot of this you'll see this is very similar to part 11 requirements you need to implement adequate password controls establish user roles and permissions making sure the only authorized people can make changes to your system and you need to control changes to the system including how they're configured and changes to the infrastructure and controller changes means you need to know what you have to start with you need a baseline and so you need system architecture diagrams and descriptions you need a list of the applications that are being supported on your infrastructure you need documented assurance that the underlying network infrastructure is actually capable of supporting the validated applications that are being housed on that infrastructure you need to make sure that your IT staff as well as your technical staff your your scientists and other staff or adequately chain trained to operate the network system again need to make sure that support procedures are in place to ensure and maintain data integrity and security and you need to test those support procedures to verify that they're effective and you need to look at them periodically and make sure that they continue to be adequate that they continue to be effective and that they continue to state what you're actually doing risk management under part 11 or under annex 11 needs to be applied throughout the lifecycle of the computerized system and it should take into account patient safety data integrity and product quality it's always been under the predicate rules those are the things that you need to look at as part of this risk management system you need to make decisions based on the on the extent of how much validation and how many controls that you need to put into place that needs to be based on a justified and documented risk assessment of the system that you're looking at and really you need to apply risk management across the board for all of your corporate processes and procedures but specifically they're talking now about validation of systems and how you're going to ensure that your data is maintained and that it has integrity across the board for the life cycle of that system does that mean you have to go to the nth degree no you need to justify it based on the patient safety data integrity and product quality one of the keys to being able to interpret and understand annex 11 is being able to apply risk management to your products and processes you need in order to do that you need an understanding of what those products and processes are if you have that understanding then you'll be able to develop an adequate and appropriate control to ensure the product quality safety and data integrity or maintained regulated companies need to be able to justify what standards protocols and acceptance criteria those procedures and processes that you have documented and what records you require based on an analysis and an assessment of the risk involved in developing this standard the European Union's aligned itself closely with the quality risk management I CH procedure as well as gap 5 and these things have been in place for quite a while they've just aligned themselves with this so they're really getting to a point now where good practices for systems have been incorporated into this updated regulation so you'll see that the updated annex 11 has harmonized with much of the 5 terminology it describes lifecycle phases roles and responsibilities for validation of computer systems they've clarified and built on the vendor and supplier roles and the vendor and supplier responsibilities and activity that GAMP 5 has quite a bit of detail around this is reflecting an increasing role of IT service providers and the increased dependence on supplier activities and documentation when you're validating a computer system so now we take your quality system and audit information for suppliers into account when you're validating the system and not you don't have to duplicate the effort that that supplier has already put in to do the testing necessary for the system excuse me it allows you to focus your effort more closely on testing of your intended use and not repeating what the vendors already done but this audit information that you generate when you do a vendor audit of your supplier again this now is required to be made available to an inspector during an audit other best practices that are now addressed in the regulation is a maintaining and up-to-date G XP system inventory so an inventory of all the applications of all the pieces of your network that have any GXP applicability and in what the system does that has GXP applicability so what is it that that system is doing for you you need to formally assess and document that your automated testing tools and test environments so if you have a validation environment if you have a separate test environment those environments that you consider to be under control need documentation around them as well as any testing tools that you're using you need to show documented evidence that it's in control and you need to periodically evaluate your computer system to verify first of all that it's still after all the changes you've implemented that that system is still under control that you're still using it for the original intended use and you haven't changed the intended use of your system then it remains in a validated state continues to be compliant with business needs and regulations so this is a new regulation it's always been recommended that you do periodic system reviews now it's required if you have to comply with that next 11 at first look annex 11 is really focused on the increased requirements around the computer systems but at the same time the updated annex 11 was released they release a new version of chapter 4 which is documentation and that update focuses on the documentation requirements for computer system validation annex 11 is a far it's far more detailed and prescriptive around what's actually required then part 11 was part 11 leaves says what you have to be what you have to get at the end of the day that you need to document an evidence but it doesn't really tell you what evidence you need or how to get that and annex 11 offers a bit more meat to let you know how you need to comply under the records definition documentation can exist in a variety of forms it can be paper electronic form it can be photographic media anything that you store that's related to that system or to the data is now documentation the records can still be hybrid you may still have some elements that are electronic and others that are paper but the records now as we discussed a little bit earlier include the raw data used to generate other records so a lot of companies that have been in over the past years have said well we're using the computer system but it's not our system of records so we don't have to validate it we actually have paper and that hard copy is our system of record well under annex 11 you are no longer allowed to just negate the fact that you have electronic records you can still have hard copies that are your system of record but the electronic files are used to create that hard paper copy must be maintained and that computer system must be validated regulated users are required to define which data are to be used as raw data but all data regardless of whether it's electronic media paper photographs all the media we described before on which that quality decision is based must be defined as raw data a complex system must be understood it must be well-documented it must be validated and must have adequate controls in place and the company you as a regulated company are required to be the people that define what adequate control is for electronic documents templates forms and master documents should be implemented so if you're using if you have reports you need to go ahead and start working on templates and defining forms and master documents that will be consistent throughout your process you need to make sure that you have appropriate controls in place again to ensure the integrity of the record and the record again is any sort of media that you're using to make sure that you maintain and ensure the integrity of that record throughout the retention period chapter four requirements for electronic records and these signatures are not as detailed nor as prescriptive as FDA's part 11 especially around these signatures but they are at a high level in line with part 11 for supplier service providers there really aren't any brand new concepts but that section was expanded just to sort of add clarification around what's required when you use a third party and I'm not sure what a third artist looks like we lost a couple letters there but a third party to provide install configure integrate validate maintain modify or retain a computerised system or related service or you use them for data processing you must have a formal ingredient agreement in place now between the manufacturer and the third party and the agreements need to clearly state what the responsibilities of that third party are so if you use an outsourced supplier to validate your system you need an agreement in place that clearly defines responsibilities if you bring in an implementation team to implement your system you must have an agreement in place that clearly defines roles and responsibilities again any quality management system or supplier audits need to be made available to inspectors and the need to audit a supplier or service provider needs to be based on risk you'll hear risk assessment brought in over and over again and not just when it concerns an X 11 but it's in part 11 now it's in the predicate rules now over and over again risk is an integral part risk management risk assessment is an integral part of what you have to do in computer systems validation there is an increased emphasis on ensuring that you document your risk assessment and the GXP impact of requirements and risks to the system itself again you need to make sure that user requirements are traceable throughout the lifecycle of the system so as you update the system as you make changes to the system that user requirements document needs to be updated and you need to maintain the traceability of where it's tested where it's verified to be myth and again you want to focus your traceability on those requirements with the highest risk to product quality data integrity and patient safety annex 11 increases the focus on strategy for testing including when you should do negative testing boundary testing challenge testing in order to identify defects in the system and you need to be prepared during and on it to defend the adequacy of your validation approach so this goes back to the validation plan when you're planning that approach you need to make sure that it's justified well documented what you did and why you did it so that during an audit you have that information on hand again automated testing tools and test environments need to have documented assessments for their adequacy and this is reflective of the increasing use of automated tools in testing computer systems when you have when you define the approach to verifying adequacy then you need to base that approach on risk and if you're using tools to maintain your regulated records again base the approach you take to maintenance of those tools on the overall risk of the system and the a documented risk assessment data migration if you're moving data from one version to another or from one format to another make sure that you include checks that data are not altered in value and/or meaning during that process again that's that's very consistent with part 11 on preserving content and meeting of records when you're copying or migrating them when you have interfaces between systems so you have an ERP system talking to your PLM system or a lab system talking to a limb system there's a new clause in annex 11 that says that interface design it's the same to interface design it says computerized systems that exchange data electronically with another system should include appropriate checks for the correct and secure entry and processing of data in order to minimize the risk what does that mean that means that you need to make sure that data crossing that interface is not corrupted that it comes across as it was planned to come across and when they're developing those interfaces when they're designing those interfaces they need to take into account and what you need to use that interface for and it must be designed and documented appropriately during the design phase data backup and restore again this is very similar to part 11 you can't have data with integrity and you can't insure the data safety unless you have adequate backup and restore procedures and those procedures need to be validated now under annex 11 you must verify that backup and restore procedures work and you need to monitor so periodically you need to test that they work and ensure that they continue over time to accurately be able to restore that data to your systems review of all trails is new we all know about audit trails we all know these systems have to have them and what needs to be in them however during validation the audit trail functionality needs to be verified and I think most people do that now but you also need to review those audit trails if you have audit trails for a batch record you need to review them as part of the batch record review audit trails need to be available and convertible to it something that you can read so that you can regularly review them and you need to have a procedure in place of documents when you will review them again for batch records they strongly recommend and it's part of the regulation now that you review them as a part of the batch record review periodic evaluation new clause and annex 11 but it's always been part of good business practice and good computer systems practice to to review the computer system periodically you need you determine based on system risk how often you need to review the current status of validation for that computer system and during that evaluation you need to review the changes that have been made over time you need to review any helpdesk records any system issues that have occurred and overall what you're looking for is some sort of documented assurance in the form of a report at the end of this periodic evaluation that says the system remains under compliance and remains in a validated state or documents what needs to be done to bring it back into a validated state so just as before we wrap up a little side note I've talked to several companies who think well gee your regulations don't affect me yet so I don't really need to worry about this this record electronic record I can still go ahead under part 11 requirements and state that my electronic system doesn't need to be validated and I can just have paper records as my raw data I don't need to worry about the electronic records if you look on the FDA website this is in reference to lab systems to chromatography data systems but it applies across the board there is a statement that says a printed paper copy is not considered a true copy of an entire electronic raw data used to create a chromatogram as required by by the predicate rule so you might want to check that out on the FDA website because it's really basically saying the same thing that we said under annex 11 that no longer can you say a paper record is an adequate representation of the raw date of the system and you still are going to have to validate your computer system and maintain the integrity and maintain the electronic records generated to produce that paper record so in summary again annex 11 became effective June 30th 2011 it went into effect formally on July 1st much of the regulation has not changed substantially but you do need to be well aware of those sections that have changed if you manufacture product intended to be sold in the EU and quite honestly as the FDA formalizes its next opinion on part 11 interpretation they will likely rely on annex 11 as part of their interpretation the most notable changes to be aware of are around an increased detail for documentation around computer systems and validation of those systems there's a few references at the end of the slide deck if anybody wants to get the slide deck you're welcome to get check out the references and was that Becky I will hand this back to you thanks so much Diane what a tremendous presentation we will as we mentioned open the floor to questions now thank you to those of you who have already typed in questions for us there just want to remind you that this session has been recorded and it will be posted to our website typically takes about 24 hours to get the recorded session back and get it out there on the site which is of course us data management comm you will find additional webinars there as well across the various practices that US Dairy Management specializes in and happy to have you join us there if they apply to your particular realm the first question that we have is from kal Yanni who asks are the templates mandatory or the guidelines I'm assuming Kalyani that you mean the templates that they're requesting for you to start developing they are guidelines for now but it's strongly recommended that you create templates and that you use them on your computer systems and she's saying yes that is what she indicated so Thank You Diana right on there the second question from kal Yanni says do we need to verify backup and restore for every system to some extent if company is having global backup and restore procedure is it sufficient to verify at the procedure level once during it's not sufficient to verify it once during each validation of your computer system you need to do whatever the policy says so whether you add it to your backup plan and add it to your backup schedules you still need to verify for each system that backup and restore is working and again you might do a global pick one system that you do every six months or something but on a regular basis on some basis you need to verify for each validated system that backup and restore is working and again you can determine the periodicity of that but you should do it for each system tremendous thank you Dan now we have a question from Michael I see does the network infrastructure need to be qualified yes it does under annex 11 you know it's now a requirement it's always been a good business practice to do that it's always been a good practice for a good validation practice but now annex 11 requires that the network infrastructure be qualified Thank You Diane obviously you know we want to respond to the folks that sent us questions ahead of time someone called a guest so there are two questions that are on the Annex eleven registration page just so you know we're going to address your question offline because it will be more lengthy and and take a little more time than we have you today the question is from a guest and they're looking forward to attending gaining useful information performing a 21 CFR part 11 CSV I have central database with three service servers connected skews me back up our perform daily and monthly retained off-site for 30 days of predicate rules for record retention with my backup log suffice for validation if yes what do I need to include if not what must I do just wanted to let you know that we do have that question we'll be responding to you directly Diana and I will put something together and be in touch there with your answers and the second guess what sent a question they are attending the class responsible for a computer system validation for installation qualifications and operational qualifications I'm just wanting to let us know that those are questions and we'll certainly spend some time in addressing that as well what - oh here's one more question Phillip is asking when do we need to validate the network you need well it's a network qualification so there is a difference it's more of a documentation exercise ensuring that you have the appropriate procedures and processes in place to support validated environments and making sure that you've met at least minimum manufacturer's recommendations for installation of your hardware for the operating system and tracking that the operating system is sufficient to manage everything that you're you're going to house on those systems and that should be done as soon as possible really you know ideally when you first implement your network it should be qualified and most people most companies have not done that in the so as you move forward you need to go ahead and build and consider building a plan around how you're going to address that getting a schedule around how you're going to address that and then getting your processes and procedures for network qualification in place and then following those procedures Thank You Diane Oh last one here is not a question but a compliment from Mary we're glad you enjoyed the session and glad the information was helpful for you with that I think we will close the session at this point and we just so appreciate you taking the time to join us it's a you know it's a good thing it's helping everyone to just understand even the questions that need to be asked out there and understanding the path to compliance I would encourage you to join the community participate in our discussions you'll find on our LinkedIn us data management group page there will be entertaining in continuing to address questions there or if it's something of a confidential nature please do send an email directly to me it's our melody and the led why at US data management comm and I can get answers and work through Diane as necessary there and we're just open to that we also appreciate your feedback if there's something that you note would be more useful or helpful for you in the direction of our sessions feel free to share that as well we work seriously on continual improvement and appreciate any direction there also if you have a topic if you have something that you're struggling with on site and you just need direction from one of our practice leaders a little insight or just a little more understanding we're happy to hear that as well and I'll work that into our session as appropriate we do understand your time is valuable so it's quite the compliment that you would join us and now we certainly appreciate the opportunity to team with you and working towards excellence in compliance have a wonderful day