Surviving an FDA Validation Audit: 10 Things You Need To Know
There are 3 things for sure in the life of a life science validation professional: death, taxes, and FDA audits! Surviving an FDA audit can be less daunting if you know what to expect. FDA regulations, if smartly interpreted, can serve as legal best practices to ensure higher quality of software. Many organizations view software validation as a necessary evil and sometimes sidestep requirements to meet business goals. This article will discuss 10 principles you need to know before your next audit.
1. Document SOPs
To survive an audit, your first step is to check your SOPs. Your SOPs provide governance for the validation process. Ensure that you have the following SOPs at a minimum for validation:
All SOPs should be approved and referenced in your validation documentation and readily available for the FDA auditor. It is strongly recommended that you have an established document change control process that will withstand the rigors of an FDA audit. Most companies use an Enterprise Document/Content Management system to manage SOP documentation. Your document change control system may be examined during an audit. Having the RIGHT SOPs for validation goes a long way to ensuring that your validation processes can withstand audit scrutiny.
2. Train – Train – Train!
One of the key reasons that enterprise technologies fail is the lack of training. GMP guidelines mandate that all persons working on validated systems be trained in their appropriate areas. During an FDA audit, you will be asked to provide documented training records for all persons involved with the validated system. Training records must be current and accurately reflect the professional experience of each individual. One of the things I have learned over the past 20 years is to ensure that all IT personnel are appropriately trained in validation procedures and processes. In most cases, IT personnel including software developers, technical writers, system administrators, and others have limited or no formal training in software validation and quality processes. They may not understand the importance and rigors of software change control, unit testing, and other validation principles. It is important that these persons be properly trained PRIOR to their involvement in the development and deployment of validated systems. TRAIN-TRAIN-TRAIN to ensure success!
3. Conduct Audit Dry Run
Internal audits are common for many financial and product development processes. However, for enterprise software validation processes, they are sometimes less common. It is recommended that you conduct an audit dry run and train all personnel involved in an audit. I have heard audits described to me in the worst terms! Audits do not have to be feared if you are prepared. During your dry run, you should match your validation deliverables to your SOPs and processes to confirm the adherence to policy. During your audit dry run, it is a good idea to train personnel on what to expect during an audit so they are not surprised. After your dry run, you should document any deviations or observations and take corrective action to address any issues prior to your first audit. Taking this simple step will help to ensure that you will pass a live FDA audit.
4. Maintain Authentic and Accurate Records
One of the most important things to remember is to maintain accurate records. 21 CFR Part 11 includes guidelines for the effective management of electronic records. Whether you use electronic or paper records, you must ensure the authenticity and accuracy of all validation records. Remember “if it is not documented, it did not happen”. This is an old saying but rings very true for records. All validation records should be properly numbered, archived, and stored for ready retrieval. One thing is for sure in an FDA audit – YOU WILL BE ASKED FOR YOUR RECORDS! Many of the validation projects I have worked on included detailed records to support the validation process. It is recommended that you use an Electronic Document/Content Management (EDMS/CMS) system if you don’t already have one. These systems are excellent for supporting the documentation requirements that ensure audit success. They also track metadata associated with validation documentation so that documents are easy to find. Since records have to be archived in accordance with predicate rule requirements, an EDMS/CMS can help. Remember, time is of the essence during validation, so you want to make sure that information is readily available. This is good best practice.
5. Clearly define Roles and Signature Matrices
Who is authorized to do what is often the subject of discussion during FDA audits. I have seen processes where individuals sign documents because of departmental requirements or “we always sign” rationale. It is good best practice to develop a signature matrix for the validation project. I always include this in the Validation Master Plan (VMP). This tells the auditor the signature authorities for each deliverable in your validation package.
6. Document System Security
One of the focal points of any FDA audit I have been involved with is SECURITY. You will definitely be asked to discuss system security during an FDA audit. Since many enterprise systems offer flexible security models, you will want to document your security model in terms of roles. Many times, it is not necessary to document each and every user and their security roles. The groups/roles will be sufficient. You should also say “how” security is defined and develop a process to define how security roles will be changed. Many IT professionals do not like to document security because they say “permissions change”. The FDA recognizes this fact and simply wants this process to be controlled to ensure that the right people have access to the right information at the right time. DOCUMENT YOUR SYSTEM SECURITY.
7. Always Conduct A Supplier Audit
I always recommend that my clients conduct a supplier audit for validated systems. There are literally thousands of vendors touting compliance with 21 CFR Part 11, GMP, and other regulatory requirements. The FDA holds YOU responsible, not the vendor, for the quality of the software deployed within your organization. Your supplier audit will reveal a lot about their quality processes in the development of the software they sold you. If they do not follow quality processes, do not use their software. During an audit, you will not be able to blame the vendor. Be careful here!
8. Leverage Automation For Validation Testing
I have been conducting validation exercises for over 20 years and one thing that I have noticed is that not much has changed with respect to validation testing. We have been using a “paperless” validation process to automate testing. Using automated testing tools helps you execute tests more efficiently, generate test results automatically, and ensure accuracy of tests. Some of the things I have seen during FDA audits are observations that tests do not go far enough or are inadequately documented. Using an automated validation testing tool allows you to easily update and execute validation tests and provide a level of due diligence required by FDA auditors. Use 21st century validation test tools to help ensure a successful audit.
9. Keep Your Validation Package Up To Date
Validation is not a one-time exercise. It is a process. Many IT people believe that once the system is validated, it is always validated. Not true. Validated systems must be periodically reviewed to maintain the validated state. You need to provide documented evidence to FDA auditors that you are KEEPING your system in a validated state. All changes to the system should be documented. Prior to your first FDA audit, you will need to define the process for maintaining the validated state in your VMP and ensure that this process is followed throughout the operational life of the system.
If you are prepared and follow some of the basic prescriptions here, RELAX. Audits don’t have to be painful experiences. Readiness goes a long way to ensuring success. If you follow some general guidelines to support FDA audits, you will not have to worry. The FDA is concerned with product safety and quality. Make sure your processes and your software can withstand the rigors of an FDA audit. Now you know!