Validation 101b
Is FDA regulations for software validation is based on Gamp4 or vice-versa.
FDA regulations are spelled out in 21 CFR (Code of Federal Regulations). The part that affects us controls guys most are
Part 210 - Current Good Manufacturing Practice in Manufacturing, Processing, Packaging, or Holing of Drugs; General and
Part 211 - Current Good Manufacturing Practice for Finished Pharamceuticals. Since you're working with medical devices, there may be other sections that apply (Part 26, for example, although that applies to everybody too).
The Regulations are mostly legalese and definition of terms. When boiled down, they amount to three "simple" rules:
1) State up front what the system will do (and document it).
2) Make a system that does what you say it will (and document it).
3) Prove that the system does what its supposed to (and document it).
And then, once it's all working, don't change ANYTHING. Whatever you have done to make the drug come out the way it does the first time, that's what you have to do always, regardless of how silly or awkward it is to repeat it that way. And it has to be all down in writing, so that 1) someone new can be trained on the system, and 2) the FDA inspector can verify that this is what's going on.
Well, this is all well and good, but just how do you go about implementing such a structure? Well, way back when, the pharmaceutical companies wanted to know that too. So they asked the government (who wrote the rules) to explain what the rules mean. The answer (like the Supreme Court's definition of pornography) was "We won't tell you what's good, but we'll tell you if it's bad."
Well, since that was no help, the pharaceuticals kicked in some money and formed GAMP to set up a standard by which they could all live by. They figured (righly) that if they each came up with their own interpretations, the goverment inspectors would play one company off another ("We like how you did THIS, but that other company did THAT better. So we're going to fine you.") which would cost them money.
And the FDA inspectors were happy because it gave them some guidance to the "I'll know it when I see it" policy. So while GAMP (now up to revision 4) isn't the
de jure, it is the
de facto standard (
See, Ken, you're not the only one who speaks latin around here)
[D]o I have to do the Software Validation on IQ/OQ/PQ, or does it have to be done once. If so when should I do it, during IQ or, on or before OQ and PQ?
Definitions:
IQ - Instrument (sometimes Installation) Qualification
OQ - Operational Qualification
PQ - Process Qualification
Each pharmaceutical does it a little differently and so again I say "
Check with the client", but the most common method is this:
IQ - verify that each device installed a)matches the one specified (part/model number; tag nameplate, etc), b)that it functions as specified (power requirements, output ranges, sensing capablities, calibration certificates, etc), and c) that it is installed correctly (wire numbers, wires have continuity to terminal blocks to PLC). This will include the
hardware aspects of the PLC and HMI.
OQ - verify that the PLC/HMI can do everything that the specifcation says they can, from testing each individual device/sensor to running a full blown recipe (usually using only water as raw materials).
PQ - verify that the drug that is to be made is the one that is actually made. That the CIP system actually does sufficiently clean the vessel. Verify that the SOPs are correct and sensible.
In short, the IQ tests the hardware (and the electrical contractor), the OQ tests the software (and the systems integrator), and the PQ tests the system as a whole (and the chemical engineer/process designer).
That's one way. I have also seen the OQ as a test only of the signals and scaling of the PLC/HMI (forcing individual outputs, verify screen displays), and the PQ will be for the coordinated system (phases, recipe running). Where the HOA logic gets tested can get fuzzy - that's why I like the first approach.
Any more questions?
In reviewing my post, I meantioned 21 CFR Parts 210 and 211, but forgot to talk about the infamous 21 CFR Part 11 - Electronic Records / Electronic Signatures. How are you addressing THOSE issues?(it's not covered in GAMP4)