Summary
- CAPA, Deviations, Quality Events
- CAPA and Deviations
- New QMS? Pay attention to these key success factors!
- Validation of the Imaging Technology for a novel microbiological colony counter
- Barrier Technologies & Revision of Annex 1: requirements & operational responses for manufacturers
- GMP Annex 1 and Lyophilization
CAPA and Deviations
The handling of CAPAs is central to the quality system. For all that, its day-to-day implementation is difficult, not only for the pharmaceutical company doing the manufacturing, but also for its subcontractors and suppliers. The use of an e-QMS is an undeniable asset in preventing the main deviations encountered. Here we describe these deviations in detail, as well as the advantages and disadvantages of e-QMS solutions whether via subscription or installed locally.
1. Deviations encountered in the handling of CAPAs
a. Deviations that affect the company internally
It would doubtless be fanciful to wish to list here all the deviations observed in the management of CAPAs. The FDA Warning Letters and injunctions of the European Competent Authorities provide us with plenty of examples, not to mention the many inspection reports in which points relating to the handling of CAPAs very often appear. Here we will only cite the main points, by way of illustration.
Among these points, the time taken to handle CAPAs is without doubt one of the most common deviations. We often tend to overestimate our ability to handle a CAPA within the time frames that we have set ourselves, which comes down to underestimating the actual handling time, and yet again to underestimating the other CAPAs that will inevitably take up some of the time during which the CAPA in question should be handled and closed. E-QMS secure much easier access to ongoing CAPAs, to the division of responsibilities, and to the resources allocated for their processing. They provide an overview of the estimated processing time for the CAPA to be launched, and the time that has already been allocated to other ongoing CAPAs.
The impact on these other ongoing CAPAs is also a common deviation, and one that is difficult to grasp in the paper system. Everything of course depends on their number, but this number is generally significant and proportional to the size of the site concerned. The greater their number, the more difficult it is to identify those that may be potentially impacted by the CAPA to be launched and to evaluate the exact nature of the impact of this new CAPA on the CAPAs already in progress.
The best solution remains to consolidate all the CAPAs into a single system, rather than separating them according to their origin. By way of example, we have encountered CAPAs derived from an internal audit, that were inconsistent with CAPAs derived from production non-conformities. Their origin was of course different, but the root cause was indeed identical. Separate processing had led to two different CAPAs that were not totally consistent, and were being managed in parallel by different persons.
An e-QMS provides an overview of ongoing CAPAs and facilitates the evaluation of the impact of a potential CAPA on ongoing CAPAs before its launch. The use of clearly-defined, well-informed key words in the e-QMS is one of the keys to success in these impact studies.
There is also a deviation that is fortunately less common, but more complicated to prevent: is the CAPA consistent with the MA dossier? The question is of concern, as the MA dossier is not easily accessible on production sites.
Who has seen (or rather glimpsed) all of the MA dossiers for the products manufactured on a site? Hardly anyone or perhaps even no-one! It is complicated to ensure that the CAPA, whether derived from a change control or not, does not impact one or even several MA dossiers. Is there not a risk that the CAPA might have a negative impact on the manufactured product, even if it doesn’t impact the MA? This other evaluation necessitates activation of a circuit whose complexity is all the greater when a large number of protagonists is involved. There again, the e-QMS tool provides a real advantage by facilitating communication with corresponding regulatory affairs experts, often located on other sites.
When the CAPA takes a long time to set up, a common deviation is a change of objective during implementation, often for sound reasons. The CAPA being carried out no longer fully matches, or does not at all match, the CAPA launched at the start, but the reasons that led to these changes are not always fully documented along the way. Often, the true reason is the difficulty in accessing the wording of the CAPA as launched originally. Electronic processing allows easy access to the original CAPA wording, and documentation of any change that might be needed, if only by making reference to the documents that contain the justifications for these changes.
Trend analyses are necessary in the handling and monitoring of CAPAs, but difficult to perform in paper format, as entering and exploiting the data is very time-consuming. Unless several full-time equivalent staff are mobilized to complete Excel tables manually, the e-QMS tool represents an undeniable time saving to avoid any deviation, as it provides these trend analyses instantly, which allows us to concentrate on their handling.
Once set up, the efficiency of the CAPA must be checked, and/or be the subject of appropriate validations. Yes, but who checks? Who validates? When? How? and Why? It is not uncommon for checks or validations to be incompletely connected to the CAPA, for want of a tool that allows the easy linking of documents and the conclusions of checks or validations to the corresponding CAPA. The criteria that allow a ruling to be made on the completeness and efficiency of the CAPA must be clear, and responsibilities clearly established. The e-QMS allows closure of the CAPA to be made conditional on the checks and/or validations that were defined at the outset, and the definition of an effective decision circuit, without having the need to circulate paper documents.
Finally, as simple as this may appear, a (too) common deviation that comes up during inspections, is quite simply… the failure to close the CAPA. Without a system that monitors the CAPA, warns the persons concerned, and generates as many reminders as necessary, forgetting to close a CAPA that is drowning under many other CAPAs or other ongoing tasks is easily done. The e-QMS tool provides a clear view of the CAPAs that are to be closed and within which time frame. It improves the management of these closures on schedule.
b. Deviations involving subcontractors and suppliers
Managing CAPAs internally is not always easy, but it is much more complicated to manage CAPAs that involve subcontractors and suppliers. The deviations are globally the same, but the operational circuit brings more participants into play. The client pharmaceutical company often has limited resources to monitor the launch, running, checks and/or validation, and finally closure of the CAPA. Everything rests on the communication with the subcontractor or supplier, generally carried out remotely. Having a single contact person with the subcontractor or supplier for the management of CAPAs is an undeniable plus, but this is not always the case.
Given this context, specific deviations appear. Some supplier and subcontractor CAPAs are not launched for multiple reasons (lack of time, of resources, disagreement with the client, etc.), without the client necessarily being informed of this. The CAPAs launched may be noticeably different to those agreed. The verification or validation criteria for their implementation and their efficacy may be judged inappropriate by the client. These deviations may be demonstrated by the client during the handling of CAPAs, in a synchronous manner, but there are also cases where these deviations are only brought to light during an audit, a long time after closure of the CAPA.
The closeness of the relationship between the client and their subcontractor or supplier is the key to success. Here also, the e-QMS tool provides a real advantage, insofar as it facilitates effective communication between the client and the subcontractor or supplier. The ideal situation is that the supplier or subcontractor has an e-QMS whose CAPA module is compatible with that of the client, or agrees to enter information directly into the client’s e-QMS, if the latter has given them the right do so. But this is not always possible for multiple reasons. The client must adapt to the many different and specific cases.
c. Validation of the use of the application
The process used to record events and to manage the monitoring of actions and their closure must be validated taking into account the nature of the tool that is used and the manner in which it operates to manage, process and secure the stored information.
Regardless of the technology or the process used, a formalized document will present the functioning, processing and management of information, as well as the roles and responsibilities associated with the use of the tool and the exploitation of information.
The integrity of the information present in the process (whatever method or system is used), must be guaranteed by a series of preventive measures aiming to prevent:
- Any uncontrolled change that is not tracked in the system,
- Any uncontrolled deletion not tracked in the system, of information justifying the validity of corrective and preventive actions to control deviations.
The CAPA process managed via spreadsheet does not guarantee the security and integrity of information through a set of passwords. The tool designed via a spreadsheet allows at most the securing of an accidental entry of information in a cell containing a formula, but is absolutely not designed to protect the integrity of critical information on its own. The form must be archived in an IT environment which protects it from any uncontrolled deletion or untracked change in its content. A risk analysis to evaluate situations with an impact on loss of information or loss of integrity would allow the identification and implementation of a number of technical and procedural measures, taking account of an essential question “How far should we go in locking the tool and its environment, without constraining its use and finally abandoning it”.
Applications are available on the market, but at the price of investments which may prove costly if the need is not formalized and evaluated (User Requirement Specification = URS). This alternative does not exempt the person responsible for its use from validating the process by taking a risk-based approach to the way in which they will use the computerized solution.
Another alternative remains an application used via subscription (Cloud/SAAS) as a CAPA management tool, but this is limited as regards customizable settings. However, it can be configured to restrict use to users with the necessary licenses and profiles (rights and privileges) set out in the subscription contract. The specific feature is that it is the publisher who manages the changes and updates of the application. As for the previous two alternatives, it must be subject to a plan for validation and maintaining its validated status, according to the frames of reference in force.
The database remains the property of the user client, even if the subscription is discontinued. It is the responsibility of the user client to regulate, via a support contract, the migration of their data for use by another solution or the possibility of extracting information from the database to make it usable.
2. Operation of a CAPA application by subscription or installed locally on a computer
When the choice of procedural management via a form created on the basis of a spreadsheet is not selected, the two alternatives which offer the most advantages in terms of data integrity protection are:
- An application installed and configured for an appropriate use or with specific development that requires its maintenance via a support contract,
- A configurable application, operating by subscribing to an SAAS contract.
Computer solution installed in the IT infrastructure of the user site
The computer application configured and installed in the IT infrastructure of the user client is a tool that operates on the basis of a configured program (on a URS base), on one hand and on the other, a database containing all records and information entered during the declaration of an event, the monitoring and handling of corrective actions, up to their validation (closure). The database will be administered by a coordinator from the IT Department, under the responsibility of the process manager (QA/QC).
Computer solution operating in the “Cloud” (SAAS Mode)
This alternative operates and is used on the same principle as applications installed locally on the user site. It requires however a subscription proportionate to the number of licenses associated with rights and authorizations in the system.
As with the other solution installed on site, the URS will be the subject of a design review, so that the customized settings for its operation are adapted to its managed use.
In this alternative, the standard base of the computer application cannot be customized specifically to particular needs since it is used, at the same time, by several client companies of the publisher. To this is added the fact that the user client does not have control of its development or updating, which are managed by the solution supplier. However, as with any other use of a computerized system in a regulated activity, it is the final user who is responsible for validation of the computerized process in compliance with the applicable regulations.
In this alternative they remain the owner of the database and responsible for maintaining its validated status. Through a framework agreement, they will have to anticipate the way in which they can continue to exploit the database in the event of termination of the agreement with the publisher. For this in the majority of cases the database is either hosted within the internal IT infrastructure or with a host with whom they will have to set up a subcontractor framework agreement (see §2 Annex 11). It is essential to anticipate the readability of historic data migrated for use by another IT solution.
External and internal (IT Department) service providers take part in the formalized process which oversees the maintenance of the validated status of “key user” authorizations with roles in the qualified system, in compliance with the applicable regulations.
It is essential (indeed obligatory) to accord the same constraints (rights and privileges), to external service providers as to users and owners of the management process.
The use and functioning of the application and its database will be incorporated into a validation plan using a risk-based approach. The impacts taken into account in the evaluation of each risk situation associated with its operation and use are essentially the loss of information (referred to as critical and decisional) or the loss of their integrity.
The computer application and its database forming the core of the process follow a plan for the validation and maintaining of the validated status adapted to a category 4 software, as a minimum (see GAMP V). This initial validation plan, like the process for maintaining validated status, takes account of the operational specification documentation such as that which allows use of the application and maintenance of its database throughout its life cycle and beyond, for as long as the quality data in the database is retained.
Conclusion
Whatever computerized solution is chosen, of course taking financial resources into account, centralizing the e-QMS will allow easier configuration (preselection) of the standard root causes, the activities concerned, the systems or source processes impacted, the procedures, indeed the health products impacted. Through validated settings, this easily allows rapid visual identification and classification of the causes, sources, processes, the suppliers or the system, as well as their recurrence and the products impacted.
It is easier to identify and analyze CAPAs when the tool (e-QMS), can compile, filter and classify more quickly and without error, according to the needs required to conduct trends analyses efficiently, based on type of anomaly, type or nature of root sources, supplier, activity, system or products impacted, and can better target the product, system or a particular common source. A computer application is faster and more accurate than a document analysis which requires the “sharp eye” of an experienced person.