“By failing to prepare, you are preparing to fail”. – Benjamin Franklin
The FDA published an announcement in August 2016 that it would focus on Part 11 inspections in the near future. The future is now. Project tollgates, health checks, periodic reviews, assessments, audits, real-time monitoring: what is the best way to always be prepared and ready for Health Authority inspections?
Computerized systems and projects vary in size and complexity, ranging from a few users supporting a simple business process to thousands of users supporting multiple business processes. Furthermore, projects can range from a single location to a global rollout, from a single application to many applications making up the finished solution, and combinations thereof.
IT project management has been taught for over a decade and has matured significantly since then. Hence everyone knows that, before the solution is built, the one thing all projects must have is a clear vision and business requirement as well as good planning. Otherwise failure is highly likely, and the disappointment for the business is huge.
In regulated GxP environments, strong know-how in compliance and quality related to the different business areas is additionally a must. The ability to anticipate the different quality and compliance aspects of a computerized system validation project, and to be prepared for them, is a key success factor. Even the smallest act that goes wrong could snowball through your project and lead to a regulatory catastrophe. The outcome of almost every computerized system validation project is therefore determined before it goes live, and excellent preparation is one of the key success factors. There is a variety of preparation levels: project plans, tollgate reviews, quality assessments, internal audits and project health checks, as well as alignment with the right stakeholders from business, quality assurance and IT.
You might think that, in general, internal audits and health checks of your project before it goes live are not required unless there are reasons for them, which might be:
- New business process,
- New validation approach,
- Complex and large IT system, or
- Any financial and business risk.
On the one hand, think of a health check as an additional outside view which could lead to more efficient processes and better fulfillment of requirements. Furthermore, the assessor brings a fresh pair of eyes from the outside, with experience gained from working with different clients.
A health check before your testing phase kicks in gives you a high degree of assurance that all business processes have been defined, correctly classified (GxP vs. non-GxP) and specified for verification during testing. It is also important that the validation strategy and plan are completely and correctly executed as planned, with any deviations having sound reasoning and documented justification. Deviations from the plan can be of different types. The strategy normally doesn’t change, but elements like scope may change, e.g. an application has been replaced by another or even de-scoped. The check at this point, before testing, gives you assurance that, even though the plan may have changed, the solution documents (e.g. your Functional and/or Design Specification) represent the solution as required before the costly phase of testing begins.
An early health check will assure you that possible findings can be addressed early on and, therefore, in a more cost-effective and efficient way. If findings are identified late, the cost of remediation is higher, especially if user and regulatory requirements have to be added and software code therefore has to be changed.
On the other hand, compared with a health check, an official internal audit might carry more weight and hence give you a stronger check against internal processes and requirements, as well as good preparation for any future FDA and EMA audits. Health checks might not uncover all issues, as they are more biased and pre-aligned with the project team.
If you plan to do an internal quality audit, you need to know your company process and how to remediate possible audit findings. Depending on your company's Quality Management System and procedures, there might be no option but to accept some risks and remediate findings later, after going live, which could lead to a delay to the start of your project. All findings must be addressed within a CAPA plan. Ideally, all CAPAs must be remediated before you go live, depending on the associated risk. This might therefore lead to later use of the system and possibly higher project cost. A project health check is less binding. Risks of related findings can be assessed and possibly accepted, with the fix implemented as a change after going live. You can therefore decide whether your risks can be accepted and whether findings shall be remediated later, or never, without deviating from your internal Quality Management System.
From an IT project management point of view, on the other hand, an audit or health check could distract from completing project tasks and activities (increased timelines), because the project team is busy preparing for the audit or health check instead of focusing on the initial project plan and goal.
Nevertheless, having no audit or health check at all could mean that issues are uncovered only during operations, which might lead to problems and higher cost because of unplanned change requests. Furthermore, there is no preparation for future FDA or EMA audits. A more serious problem is a recall or patient harm from a product, which could lead to major financial costs and potential company reputation issues.
Developing a quality and compliance control matrix and executing an assessment after each project phase can lead to more effective and efficient quality and compliance management during your project.
In general, if your project has been executed according to corporate quality standards, has passed all planned project phases and checks (e.g. tollgates and assessments), GxP requirements have been met and all testing and results are approved by independent QA, there may seem to be no reason to carry out an audit and health check before going live.
However, successful testing is only half of the story. The process required for operations needs a dry run: not simply user acceptance and Performance Qualification testing, but a walk-through. The check would discover whether the process has inherent underlying risks which will appear over time, e.g. data integrity issues because the process is complex and not well designed for use in practice, such as an operator recording manual results who has to walk some distance from the instrument to the recording log book. If there is any uncertainty about the requirements and the quality/validation approach for your project or the IT solution, it is wise to have an internal audit or health check before going live.
In general, large and complex projects have dedicated subject matter experts from business, IT and Quality Assurance who check the project at each stage for GxP (URS, FS, DQ, IQ, OQ, PQ etc.), and the project team is responsible for pointing out risks to the steering committee. It would be uncommon to carry out an additional audit or health check if the project followed the standard process, unless significant risks or deficiencies have been found.
Internal audits, health checks or any other project checks (e.g. tollgates) could also be carried out after going live, as part of the hypercare project phase, to identify whether system life cycle documentation and business processes are audit-ready. However, it is a question of risk.
That said, some companies might decide to do internal audits of large and complex projects in-flight instead of, or in addition to, having tollgates. To get the most out of either, and to keep it independent, a health check or audit must be well prepared and planned, using well-known controls to clearly identify maturity and readiness before going live. If you decide to do a project health check, it is recommended that it be executed by subject matter experts independent of the original project team. This way you will get an independent check and an additional outside view.
However, validation of a computerized system is not a one-time exercise and must be repeated with every system change. Hence it is recommended to have a SMART Quality and Compliance framework in place, so that you are always ready and prepared for any health authority audit which may come in the near future.
“If you are interested in finding out more about audits and assessment services, feel free to contact KVALITO Consulting Group.”
Author: Magdalena Kurpierz