
Computer Software Assurance: GAMP 5

This document discusses a paradigm shift towards a more risk-based approach to computer software assurance. It summarizes key concepts from GAMP 5 guidance and discusses how regulators and industry are working to streamline assurance practices. The FDA is exploring using risk determinations and examples of direct patient safety impact to provide clarity around software assurance expectations. The goal is to move the medical device industry towards more value-driven, patient-focused approaches through critical thinking, risk-based methods, and improved manufacturer capabilities with automation.

Uploaded by Nikhil Sathe

1/9/2020

Computer Software Assurance


Paradigm Shift
Shana D Kinney
Sr Manager, CSV
REGENXBIO Inc.

Ken Shitamoto
Sr Director, IT
Gilead Sciences

Khaled Moussally
Global Head of QMS
Compliance Group

January 16, 2020

GAMP 5
Guidance vs. Practice


GAMP 5
Risk-Based Guidance

Connecting Pharmaceutical Knowledge ispe.org 3

GAMP 5
In Practice [Risk Management]


GAMP 5
In Practice [Risk Management] (continued)


GAMP 5
In Practice [Non-Configured Product V-Model]


GAMP 5
In Practice [Configured Product V-Model]


Computer Software Assurance


Anticipated FDA Draft Guidance


FDA CDRH
Case for Quality

“…the FDA is working with stakeholders—industry, health care providers, patients, payers, and investors—to build a strong Case for Quality.”
https://www.fda.gov/medical-devices/quality-and-compliance-medical-devices/case-quality

Computer Systems Validation identified as a major pain point and barrier for moving to better, more efficient technology.


Journey of FDA CDRH CSV Team

2011 - 2012: FDA Case for Quality begins
2015 Q2: Siemens – Fresenius Executive Exchange w/ FDA: CSV Barrier identified
2016 Q1: Industry team formed / recommendation development begins
2017: Begin promoting recommendations: Zoll Lifevest + Medtronic value examples
2018:
• More industry adoption
• FDA “A List” status for CSA Draft Guidance
2019:
• CSA Draft Guidance release targeted for 2019
• More examples developed
• More firms applying recommendations (ICU Medical, Gilead, etc.)

www.fda.gov

The Industry CSV Team

Company                      Name
Baxter Healthcare            Tina Koepke
Boston Scientific            Damien McPhillips
Boston Scientific            Ray Murphy
Compliance Group             Khaled Moussally
Edwards Lifesciences         Penny Sangkhavichith
Edwards Lifesciences         Andy Lee
FDA                          Cisco Vicenty
FDA                          John Murray
Fresenius Medical Care       Bill D'Innocenzo
Fresenius Medical Care       Curt Curtis
Fresenius Medical Care       Marc Koetter
Gilead Sciences              Ken Shitamoto
Gilead Sciences              Senthil Gurumoorthi
Johnson and Johnson          Dana Guarnaccia
Johnson and Johnson          Ron Schardong
Lantheus Imaging             Lou Poirier
Medtronic                    Frankie Bill
Medtronic                    Michael Branch
Medtronic                    April Francis
NeuroVision Imaging          Pepe Davis
Ortho-Clinical Diagnostics   Des Chesterfield
Siemens PLM                  Jason Spiegler
Siemens PLM                  Greg Robino
Siemens PLM                  Thorsten Ruehl
Zoll Lifevest                Frank Meledandri Sr.

Contributions also provided by past team members:
Stacey Allen, Jason Aurich, Sean Benedik, Laura Clayton, Bill Hargrave, Joe Hens, Scott Moeller & Mark Willis


Computer Software Assurance Considerations and Approach

The Quality System regulations allow for a manufacturer to apply a critical risk-based approach to their assurance activities. Establishing the intended use of the system, software, or feature is the foundation for determining the direct impact to device safety, device quality, or quality system integrity. Furthermore, FDA is interested in the situations when a failure to fulfill the intended use of the system, software, or feature, directly impacting device safety and device quality, results in direct patient safety risk.


Key Take Aways

Why Now?

Med Dev lags other industries
• Lack of clarity
• Outdated compliance approach
• Perceived regulatory burden
• Reduces manufacturer’s capability to learn, react, & improve

[Chart: % Time Spent, Test vs. Document (80% / 20%)]


Key Take Aways

Why Now?
Create a Paradigm Shift…
• Streamline with value-driven, patient focused approaches
• Critical thinking & risk-based agile approaches
• Improve manufacturer’s capabilities with automation

[Chart: % Time Spent, Test vs. Document (80% / 20%)]

Defining Risk
• Clearly define “intended use”.
• Focus on the “direct impact on device safety and device quality”, and does it result in “patient/user safety risk?” See examples.
  - LMS vs Manufacturing Equipment Software
• For PMA Products, CDRH is exploring using risk determination to make implementation of systems an annually reportable change no 30-Day Notice

Risk Based Assurance Strategies
• Take credit for work already done
  - Leverage existing activities and trusted supplier data
• Use Agile test methods (e.g. unscripted testing) when appropriate
• Mitigate risk with downstream process controls
• Leverage continuous data and information for monitoring and assurance

Assurance Evidence Capture
• Use CSV tools to automate assurance activities
  Note: FDA does not intend to review validation of support tools.
• Use electronic data capture & record creation vs paper documentation, screen shots, etc.


ISPE
Supports Case for Quality

https://ispe.org/pharmaceutical-engineering/why-ispe-gamp-supports-fda-cdrh-case-quality-program


Computer Software Assurance


In Real Life


What Kind of Elephant Are You?


Empirical Analysis
Validation Effort Comparison of Traditional vs. New Models and Their Potential Savings

[Chart: percentage (0% to 80%) by system; axis labels: SAVINGS DEVIATION SLIPPAGE MODEL SLIPPAGE]

System Name
CMS: Change Management System* (Jan 2014)
EDMS: Electronic Document Management System (Dec 2014)
LES: Laboratory Execution System (May 2015)
PCS: Process Control System* (May 2016)
EMS: Environmental Monitoring System (Jul 2016)
PSS: Product Serialization System (Aug 2018)

* Bold = favorable audit


Computer Software Assurance


Example: Learning Management System

Indirect Impact

Non-Configured


Risk Based CSV Example: Learning Management System (LMS)

A medical device firm applies Risk Based Validation to an off the shelf LMS. Qualifying the vendor then applying risk to the feature level allows for much less documented verification activities.

Basic Assurance / Low Risk Features
Ex: Usability Features – training notifications, overdue training lists, curricula assignments.
Ad Hoc Testing: 80%

Medium Risk Features
Ex: Capture evidence of training completion by entering username & password.
Unscripted Testing: 20%

High Risk Features
No High Risk Features
Scripted Testing: 0%


Computer Software Assurance


Example: NCR / CAPA System

Direct Impact

Configured


Risk Based CSV Example: Non-Conformance & CAPA Process

A medical device firm applies Risk Based Validation to an off the shelf CAPA System. Qualifying the vendor then applying risk to the feature level allows for much less documented verification activities.

Basic Assurance / Low Risk Features
Ex: Usability Features – required data entry from optional data entry, attachments of objects, system workflow, non conformance initiation.
Ad Hoc Testing: 30%

Medium Risk Features
Ex: Electronic Signature Features – audit trail, meaning of signature (review, approval).
Unscripted Testing: 50%

High Risk Features
Ex: Product Containment – NC is initiated for product outside of the company’s control, then the system prompts the user to identify if a product recall is then needed.
Scripted Testing: 20%


Computer Software Assurance


Time Spent

Think Critically

Test

Document

Same Regulations: A Different Perspective

RGNX: GAMP 5
Resulted in numerous deviations related to documentation and testing errors with minimal bugs found.

RGNX: CSA
Resulted in zero deviations related to documentation and testing errors with more bugs found.

[Diagram: URS, Risk Assessment, Build/Test and Validation under each approach]

Same Regulations: A Different Perspective

RGNX: GAMP 5
- Require Risk Assessment for all GxP systems.
- Require step by step IQ/OQ/PQ for all GxP systems.

RGNX: CSA
- Conduct System Level impact assessments (Direct/Indirect/None)
- Require Risk Assessment for Direct impact systems only.
- Require step by step protocols for Direct impact systems and only those URS items that are custom/direct impact.

[Diagram: URS, Risk and Test under each approach]

Computer Software Assurance


Inputs / Outputs

URS
Risk Assessment

SDLC

Software Assurance


Questions / Discussion


For further information, please contact:

Shana D Kinney
Sr Manager, CSV
REGENXBIO Inc.

Ken Shitamoto
Sr Director, IT
Gilead Sciences

Khaled Moussally
Global Head of QMS
Compliance Group

Backup Slides
