
Computerized System Audit - What Are the Considerations?

Mehron Mirian, BS, Senior Validation Manager-QA, Avid Bioservices


Computerized System Audit

Introduction
Regulatory and Guidelines
Audit Types
Agency Audit Considerations
Survey
I. Introduction

Year    Event
1981    Peregrine, parent company, was originally incorporated in the State of California; it was reincorporated in the State of Delaware in 1996
1993    Peregrine began cGMP Manufacturing
2002    Established Avid Bioservices, Inc. as a wholly-owned subsidiary *CDMO
2005    Commercial Manufacturing

*Contract Development and Manufacturing Organization

Franklin 1 Campus: 3 Buildings totaling 62K ft² which house our Franklin Manufacturing Facility, Process Development Labs, GMP Storage, and Supporting QC Labs

Myford Building: 42K ft² used to house the Myford Manufacturing Facility including supporting QC Labs and GMP Warehousing. An additional 42K ft² of open space is dedicated for expansion

Franklin 2 Building: 25K ft² of open warehouse space to be converted into a centralized GMP Warehouse.

II. Regulatory and Guideline
What does an Audit mean to Life Science Industries?

Sec. 820.3 Definitions. (t) Quality audit


Quality audit means a systematic, independent examination of a manufacturer's quality system that is
performed at defined intervals and at sufficient frequency to determine whether both quality system
activities and the results of such activities comply with quality system procedures, that these
procedures are implemented effectively, and that these procedures are suitable to achieve quality
system objectives.

Key elements: Systematic Examination; Quality System; Defined Interval with Frequency; Quality System Activities and Results Comply with Procedures; Procedures Implemented Effectively and Suitable for Quality objectives


Sec. 820.20 Management responsibility. (2) Resources.


Each manufacturer shall provide adequate resources, including the assignment of trained personnel,
for management, performance of work, and assessment activities, including internal quality audits, to
meet the requirements of this part.

Key elements: Resource; Train; Internal Audit


Sec. 820.22 Quality audit.


Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that
the quality system is in compliance with the established quality system requirements and to determine
the effectiveness of the quality system.
Quality audits shall be conducted by individuals who do not have direct responsibility for the matters
being audited.
Corrective action(s), including a re-audit of deficient matters, shall be taken when necessary. A report
of the results of each quality audit, and re-audit(s) where taken, shall be made and such reports shall be
reviewed by management having responsibility for the matters audited. The dates and results of quality
audits and re-audits shall be documented.

[Diagram: Audit. Elements: Systematic Examination of QS; Procedures; Trained Personnel; Quality System Compliance; Report]


General Principles of Software Validation; Final Guidance for Industry and FDA Staff Document
issued on: January 11, 2002:
Where possible and depending upon the device risk involved, the device manufacturer should
consider auditing the vendor’s design and development methodologies used in the construction
of the OTS software and should assess the development and validation documentation generated
for the OTS software.
Such audits can be conducted by the device manufacturer or by a qualified third party. The
audit should demonstrate that the vendor’s procedures for and results of the verification and
validation activities performed the OTS software are appropriate and sufficient for the safety
and effectiveness requirements of the medical device to be produced using that software.

Key elements: Risk; Vendor Audit; Design; Development; Validation; Procedure; V&V; Safety; Effectiveness



General Principles of Software Validation; Final Guidance for Industry and FDA Staff Document
issued on: January 11, 2002:
Some vendors who are not accustomed to operating in a regulated environment may not have a
documented life cycle process that can support the device manufacturer’s validation
requirement.
Other vendors may not permit an audit. Where necessary validation information is not available
from the vendor, the device manufacturer will need to perform sufficient system level “black
box” testing to establish that the software meets their “user needs and intended uses.”

Key elements: Not having DLC; No Audit Permission; Sufficient Black Box Testing; “SW meets user needs and Intended use”


[Diagram: Vendor Audit. Elements: Risks; Procedures; Design, Development, Validation; Trained Personnel; Safety, Effectiveness; Report]

III. Audit Types
What are Audit Types?

Internal; Agency; Vendor


Internal Audit:

A. Triggers: Verification Audit, Annual Audit (Frequent), For cause Audit (Quality Management
System Reviews, CAPAs, Change Control, Data Migration), Regulatory Trends and Acquisition

B. Responsibilities: Quality Compliance, Department Head, and Quality Assurance


C. Process
1. Approved Audit Schedule
2. Audit Preparation
3. Audit Planning/Agenda to auditee
4. Audit Conduction
5. Audit Report: Observations
6. Response
7. Corrective Action
8. Verification
9. Audit Close out



Vendor Audit:

A. Triggers: New System and For Cause Audit

B. Responsibilities: Quality Compliance, Quality Assurance, and Vendor Department Head and Quality Assurance

C. Process
1. Approved Audit Schedule
2. Audit Preparation
3. Audit Planning/Agenda to auditee
4. Audit Conduction
5. Audit Report: Observations
6. Response
7. Corrective Action
8. Verification
9. Audit Close out



Agency Audit:

A. Triggers: New Drug, Supplement and GMP

B. Responsibilities: Quality Compliance, Quality Assurance and Plant Manager


C. Process
1. Approved Audit Schedule
2. Audit Preparation
3. Audit Planning/Agenda to auditee
4. Audit Conduction
5. Audit Report: Observations
6. Response
7. Corrective Action
8. Verification
9. Audit Close out - EIRs (Establishment Inspection Report)


IV. Agency Audit Considerations
What are Agency’s Considerations?

[Diagram: Degree of Automation. Elements: Assessment; Design; Implementing; Operation / Maintenance]

What is Computerized System?

[Diagram: Computerized System, with side label "Degree of Automation"]
Computer System (Controlling System): Software; Hardware/Firmware
Controlled Function or Process: Operating Procedures and People; Equipment
OPERATING ENVIRONMENT (network, standalone, media, people, equipment and procedures)

Why do we need to consider “Degree of Automation”?

[Chart: Risk vs Automation and Risk vs Automation Mitigated. Horizontal axis: Number of Systems; vertical axis: Degree of Risks]



Assessment:

GxP Computerized System Assessment


Quality Risk Management

Supplier Audit
Design:

Specifications
Data

Implementing:

Validation Policy
Validation Approach
A. Validation Master Plan
B. Verification

Operation / Maintenance:

Change Control:
Configuration Management

Training

V. Survey

Survey
Answer columns: Y = Yes, N = No, NS = Not Sure (√ = Check Mark)

Item  Subject
A  Organization
1  Is management involved?
2  Is the Quality organization involved?
3  Are there any details of the organization of IT/Computer Services and Project Engineering on Site?
4  Are there any details of the management of IT/Computer Services and Project Engineering on Site?
5  Do any project management standards and procedures exist?
B  Policies
1  Are there any policies on procurement of hardware, software and systems for use in GxP areas?
2  Is there any policy on contracting out the support and maintenance of system?
3  Is there any validation policy in place?
4  Is there any policy on the life-cycle model?
5  Have terminologies in policy been defined correctly?
C  List
1  IT/Computer Services Standards and SOPs
2  All Computerized Systems on site
D  A summary of documentation
1  to provide up-to-date descriptions of the systems
2  to indicate physical arrangement and data flows
3  to indicate interactions with other systems
4  to indicate life cycle and validation records
5  to indicate whether all of these systems have been fully documented and validated
6  to indicate the significant computer system changes made since the last inspection
7  to indicate plans for future developments
E  Available Documentation for Audit
1  Disaster-recovery
2  Back up
3  Change-controls
4  Security
5  Audit Trail
6  Configuration Management
7  Qualifications and training background of personnel
8  Training Logs
9  Supplier Assessment
10  Validation Policy
11  Quality System Policy
12  Legacy System validation Justifications

[Charts: survey results for Organization and Policies, with bars for Yes, No and Not Sure. Categories: Is management involved?; Is the Quality organization involved?; Organization of IT/Computer Services and Project Engineering on Site; Management of IT/Computer Services and Project Engineering on Site; Project management standards and procedures exist; procurement of hardware, software; contracting out the support and maintenance of system; Validation Policy; Life-cycle model Policy; Terminology Policy]

[Charts: survey results for List and Documentation, with bars for Yes, No and Not Sure. Categories: IT/Computer Services Standards and SOPs; All Computerized Systems on site; up-to-date descriptions of the systems; physical arrangement and data flows; interactions with other systems; life cycle and validation records; systems have been fully documented and validated; changes made since the last inspection; to indicate plans for future developments]

[Chart: survey results for Documentation - Audit, with bars for Yes, No and Not Sure]

Questions
Contact Information:
mmirian@avidbio.com
