Международные требования к использованию электронных систем в клинических исследованиях Timur Galimov, CTO
Why regulate? Patient safety Product quality Data integrity
computer system validation (CSV) Key terms computer system validation (CSV) computer system computerized system GxP record electronic record paper record electronic signature
Terms: computer vs computerized Computer system A functional unit, consisting of one or more computers and associated peripheral input and output devices, and associated software, that uses common storage for all or part of a program and also for all or part of the data necessary for the execution of the program; executes user-written or user-designated programs; performs user-designated data manipulation, including arithmetic operations and logic operations; and that can execute programs that modify themselves during their execution. A computer system may be a stand-alone unit or may consist of several interconnected units. <FDA Glossary of Computer System Software Development Terminology (8/95)> Computerized system Includes hardware, software, peripheral devices, personnel, and documentation; e.g., manuals and Standard Operating Procedures.
Terms: computer vs computerized software hardware server COMPUTER SYSTEM IZED users procedures
Terms: GxP record GxP mandate: GxP? GxP record paper electronic Good Laboratory Practice Good Clinical Practice Good Manufacturing Practice Good Distribution Practice Good Pharmacovigilance Practice GxP mandate: what records must be maintained; the content of records; whether record signatures are required; how long records must be maintained. GxP record paper electronic
Examples of GxP records Good Practice GxP Example of records Good Clinical Practice GCP Patient data information, Recruitment Information, SOPs, Drug Inventory, Monitoring Reports, Training records Good Laboratory Practice GLP Patient Test Results, SOPs, Product Specifications, Certificates of Analysis, Training records Good Manufacturing Practice GMP Batch records, Artwork, Patient Information Leaflets, SOPs, Training records Good Distribution Practice GDP Batch Data (e.g., Lot No and Expiry Dates), SOPs, Shipping Notifications, Temperature Records, Training records
Terms: electronic signature Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature. <21 CFR Part 11, Sec. 11.3 (7)>
Regulations on CS in GxP 1983 1992 1992 1996 1996 1997 1997 2000 2000 FDA Blue Book EU GMP Guide Annex 11 ICH E6 GCP FDA 21 CFR Part 11 ICH Q7 GMP
Guidelines/practices PIC/S PI 011-3 ‘Good practices for computerized systems in regulated “GXP” environments’ (2007) GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems (2008) ‘21 CFR Part 11: Complete Guide to International Computer Validation Compliance for the Pharmaceutical Industry’ (Orlando Lopez, 2004) FDA Guidance for Industry: ‘General Principles of Software Validation’ (2002) FDA Guidance for Industry: ‘Computerized systems used in clinical investigations’ (2007)
21 CFR Part 11 The most commonly applied requirements used to audit CS The 21 CFR Part 11 requirements set forth the criteria under which the FDA considers electronic records and electronic signatures to be: trustworthy reliable generally equivalent to paper records and handwritten signatures executed on paper
Scope of 21 CFR Part 11 21 CFR Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in the FDA’s regulations 21 CFR Part 11 does not apply to paper records that are, or have been, transmitted by electronic means.
21 CFR Part 11 technical controls Audit trail Password expiration User access control (limited to authorized individuals) The ability to generate copies of e-records E-signature components The printed name of the signer The date and time when the signature was executed The meaning (such as review, approval, responsibility, or authorship) associated with the signature E-signature shall be irretrievably linked to their respective electronic records Operational system checks to enforce permitted sequencing Security safeguards (e.g., https protocol)
21 CFR Part 11 procedural controls Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. The establishment of written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification (e.g., policy on use of electronic signatures). Use of appropriate controls over systems documentation (controls over the distribution of/access to documentation, change control)
How evidence CS compliance? GCP EudraLex Volume 4 GMP Annex 11 FDA 21 CFR Part 11 GMP SYSTEM VALIDATION
Validation definition FDA: Establishing documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its predetermined specifications and quality characteristics. IEEE (Institute of Electrical and Electronics Engineers Standards Association): Confirmation by examination and provisions of objective evidence that the particular requirements for a specific intended use are fulfilled.
CSV definition Computer System Validation (CSV) - establishing documented evidence which provides a high degree of assurance that a specific system will consistently produce result (e.g., control information, data) meeting its predetermined specifications and quality attributes.
System Lifecycle VALIDATION Project definition Requirements Design Coding Testing Deployment VALIDATION
Validation definition USER COMPUTERIZED SYSTEM USER REQUIREMENTS COMPUTER SYSTEM PROCEDURES & TRAINING VALIDATION
Do we have to validate? 21 CFR Part 11: applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations.
Do we have to validate? ICH GCP E6: 5.5.3 When using electronic trial data handling and/or remote electronic trial data systems, the sponsor should: (a) Ensure and document that the electronic data processing system(s) conforms to the sponsor’s established requirements for completeness, accuracy, reliability, and consistent intended performance (i.e. validation). (b) Maintains SOPs for using these systems. (c) Ensure that the systems are designed to permit data changes in such a way that the data changes are documented and that there is no deletion of entered data (i.e. maintain an audit trail, data trail, edit trail). (d) Maintain a security system that prevents unauthorized access to the data. (e) Maintain a list of the individuals who are authorized to make data changes (see 4.1.5 and 4.9.3). (f) Maintain adequate backup of the data. (g) Safeguard the blinding, if any (e.g. maintain the blinding during data entry and processing).
How much validate? Risk posed by the system shall be determined (risk-based approach) in terms of system impact on: Patient Safety Product Quality Data Integrity
Quality & regulatory risk (example) GMP: high GCP: medium GLP: low
Functionality risk (example) Assign values based on functions the system performs: EDC 3 Submission creation, data analysis 2 Data/document storage 1
Distribution risk (example) Custom system 5 Multi-industry, limited use 4 Regulated industry, limited use 3 Regulated industry, broad use 2 Multi-industry, broad use 1
GAMP® 5 A guideline issued by International Society for Pharmaceutical Engineering (ISPE) that provides pragmatic and practical industry guidance to achieve compliant computerized systems fit for intended use by regulated organizations in an efficient and effective manner (risk-based approach).
GAMP® 5 software categories Category Product Example 1 Infrastructure software Infrastructure software in its most simple form is the operating system on which the application software resides. Infrastructure is qualified but not validated. 2 Discontinued!!! 3 Non-configured software Non Configurable Software is sometimes called COTS (Commercial-Off-The-Shelf-Software) or just OTS (Off-The-Shelf-Software). The software is capable of operating and automating the business process without any modification. 4 Configured software The software applications that are configured to meet user specific business needs. 5 Custom software This software could be written in-house and is possibly the highest risk of the software categories as it is customised and there is a higher level risk of errors within the application code.
Regulations on use of eCLinical systems in GxP environment QUIZ Regulations on use of eCLinical systems in GxP environment
CTMS software is intended for? Management of clinical trials in clinical research to maintain planning, performing and reporting functions, along with tracking deadlines and milestones of the clinical trial Training & SOP management Safety reporting
Which system is used for collection of subjects’ clinical data in electronic format received within clinical trials? eTMF IWRS EDC
Which system is used to manage randomization, subject enrollment and drug supply management in the clinical trial? IWRS LMS IVRS
Which organization has issued 21 CFR Part 11? WHO FDA EMA
What is an electronic record in scope of 21 CFR Part 11? Any paper GxP record that is, or has been, transmitted by electronic means. A record in electronic form that is created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in the FDA’s regulations and/or submitted to the FDA under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in the FDA’s regulations.
Which system creates/modifies/maintains/archives/ retrieves/transmits electronic records? LMS eTMF Pharmacovigilance Reporting Software
Monitoring Visit report Any e-record Which record(s) can be identified as a GxP record? Monitoring Visit report Any e-record Training record
‘Computerized system’ includes? Software application used in GxP environment Software application and hardware (e.g., server, where software is installed) Hardware, software, peripheral devices (if applicable), personnel, and documentation (e.g., manuals and Standard Operating Procedures)
The extent of validation depends on? Risk posed by the system that may impact patient safety, product quality, and data integrity Implementation timelines The extent is always the same, since the approach is pretty formalized
Which regulation or standard states the requirement for system validation? 21 CFR Part 11 ICH Good Clinical Practice E6 ICH Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients Q7 EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4, Annex 11
Validation is the process which shall be performed? Before the implementation of the computerized system by supplier Before the implementation of the computerized system by supplier and end-user Throughout the whole lifecycle of the computerized system
The Good Automation Manufacturing Practice (GAMP®) 5 is? A guideline issued by International Society for Pharmaceutical Engineering (ISPE) that provides pragmatic and practical industry guidance to achieve compliant computerized systems fit for intended use by regulated organizations in an efficient and effective manner The only prescriptive standard in the industry related to CSV issued by ISPE A regulation issued by FDA that states risk-based approach for validation of computerized systems
3 categories 4 categories 5 categories The Good Automation Manufacturing Practice (GAMP®) 5 categorizes systems into? 3 categories 4 categories 5 categories