How to carefully select suppliers for validating automation products and supporting services
By Walfried Laibacher HBS EMEA Validation Services Lead

To maximize the market life of a patented drug, pharmaceutical companies must quickly move products from conception to market. These companies can avert risk and serious financial loss by adhering to the project delivery schedule in operational areas such as process control, building automation or quality control documentation.

Given this objective, it's important for them to carefully select third-party suppliers for automation products and supporting services, while paying special attention to Good Manufacturing Practice (GMP). A structured approach minimizes deviations and helps identify low-risk, high-value partners.

The Good Automated Manufacturing Practice (GAMP) Guide for Validation of Automated Systems - its supplier audit section in particular1 - is widely used as a starting point for identifying the right vendors. This article examines key aspects of this process, both in respect of project delivery and automation product development, and illustrates opportunities for adding value as well as some of the pitfalls to be avoided.
Product Quality and Manufacturing Process - A Mirror Image Technology, processes and people impact regulated products
Pharmaceutical companies must demonstrate that everything is manufactured in a controlled state. Detailed documentary evidence must support current Good Manufacturing Practice (cGMP) compliance, validate each process step and provide a complete audit trail and full traceability. Products from suppliers must be validated and have records to prove it2. This strict requirement has a threefold impact on suppliers that work with pharmaceutical companies; it affects their people, processes and products:

* Supplier personnel working with pharmaceutical companies must understand and communicate their knowledge of regulatory compliance. Suppliers must demonstrate that their people have been trained accordingly.

* Suppliers must document their processes as proof they can deliver in a cGMP environment. Any third-party must withstand an audit of its processes.

* Third-party products must support industry regulations, such as 21 CFR, part 11. The supplier must also support an audit of its product development facilities.

Consider, for example, a typical heating, ventilation and air conditioning (HVAC) environmental control system. Why is it necessary to audit a third-party HVAC supplier?

A typical HVAC system contains the same basic components as any automated, standalone or distributed control system (DCS). So why should the validation approach to a stand-alone HVAC environmental control solution change as soon as GMP risk assessment defines it as a system having direct impact upon product quality?

GAMP3 categorizes distributed control systems (DCSs) as a process control system, along with building management systems (BMS), programmable logic controllers (PLCs), and supervisory control and data acquisition (SCADA) systems controlling the process plant. The same project life-cycle model applies to all of them.
GAMP - The Guide for Validation of Automated Systems
GAMP is a common, technically sound approach to validating automated systems. It defines a comprehensive life-cycle model and clarifies responsibilities. It also provides a common language for all involved parties, and supports benchmarking of supplier procedures and identification of process gaps to be filled.

The life cycle model in GAMP considers several project phases:

* Planning

* Specification

* Design

* Implementation

* Testing Planning & Test

* Installation & Acceptance and

* Operational Phase

GAMP defines validation activities for each of these project phases. For example, there are several reviews that need to take place during the design phase.

Likewise, GAMP helps tailor the validation effort by determining the software and hardware categories4 to which the system in question belongs.

Given that most installations do not require the development of bespoke hardware, it makes sense to focus on the software items.

GAMP divides software into five different categories; from Category 1 describing the validation approach of software type 'operating systems' up to category 5 for 'custom or bespoke code'. With each category the validation approach becomes more stringent.

A configurable HVAC environmental control system falls within Category 4, which pertains to configurable software packages for systems like BMS, DCS and SCADA.

GAMP recommends that pharmaceutical companies audit their HVAC supplier for Category 4 software for critical applications. And, after deploying its supplier audit checklist, (described in 1) a supplier's strengths and weaknesses to deliver in a cGMP environment quickly become obvious.
cGMP-Compliant Project Delivery
But what does this really mean? What is cGMP-compliant project delivery? Honeywell defines it as such:

"Project Delivery processes are cGMP compliant if they deliver projects that are validatable, use a state-of-the-art project delivery methodology and an auditable quality assurance (QA)/validation process that complies with the FDA requirements of current Good Manufacturing Practices (cGMP)."

It is important to recognize a potential pitfall: these project delivery processes must not be confused with quality processes that ensure proper product development - i.e., HVAC controllers produced and tested within a factory before being released.

So how can we verify the processes for project delivery are state of the art?

The GAMP checklist for supplier audits1 focuses on automation project life cycle activities integral to a supplier's Quality Management System (QMS). Be aware this agenda is additional to a comprehensive process for planning and performing an audit

In order to get a better overview, it is important to look at some key elements from the supplier audit checklist.
The Supplier Audit Checklist
This checklist verifies all phases of an automation project life cycle from a cGMP compliance point of view:

Section 1.

Initial questions are general and consider the proposed supplier's financial stability, product development pedigree and track record in project execution in a cGMP environment.

Section 2.

This section looks at the supplying organization and its approach to quality management. Among the typical questions: Is there a mature QMS and is the company certified to ISO 9001:2000? Are the personnel qualified and what is the company's methodology for selecting appropriate subcontractors? Are project-specific internal audits performed in order to measure quality criterion?

Section 3.

The planning and project management section scrutinizes the preparation of quality and project plans5.

Section 4.

Questions relate to the creation of functional and design specifications, in particular traceability through specifications. After all, this is the only guaranteed way to ensure all requirements have been implemented and verified for correct operation.

Section 5.

This category considers the implementation phase of the project life cycle. What (if any) programming standards are used? Is there a common methodology governing file and directory naming and is there a tag-naming concept for hardware and software components? Have source code reviews been performed prior to testing? Do they verify adherence to coding standards and are they recorded?

Section 6.

This is called the Testing section. As its name suggests, the section considers the test strategy employed at each level of project development. This spans system integration test specifications (SIT) and system acceptance test specifications (SAT). It asks whether checklists are available for each document type and if documented evidence supports stress and performance testing where required.

Section 7.

This section investigates processes around completion and release - documented project handover in particular. Is there a specification detailing who checks and approves which documents? This again is best described in the project quality plan (PQP)4.

Section 8.

The support and maintenance section explores supplier support services. Is there a help desk, for example? Is there a fault reporting mechanism and can the third-party confirm that only qualified people are providing support - people who understand and are familiar with the site processes underpinning the validated state?

Section 9.

Finally, the existence of supportive processes and activities comes under scrutiny. How is software configuration management supported? Are proper change control processes being applied to software, hardware and documentation items - are they in place at the start of the project life cycle?
Saving Efforts with Postal Audits?
An in-depth audit of a project delivery organization takes time. Neither the end user nor the supplier can shortcut preparation, execution and follow up. The QA teams, however, may opt for a postal audit depending on the system criticality and its determined software category.

A postal audit is relevant on two counts: as part of the tendering process if a supplier merits further consideration or as a preliminary audit in order to focus on more critical areas. It can also be used as means for follow-up audits.

Postal audits must not, however, be regarded as a substitute for visiting the supplier.
Validation Readiness of Products
In addition to a supplier's credentials and capabilities when it comes to delivering a project for the pharmaceutical industry, it's important to consider a vendor's product portfolio. Has it been developed within the same hardware or software development processes? How can you ensure the products comply with vital quality criteria before the OK-to-ship release from the factory?

Consider the following Honeywell definition:

"Products are validation-ready only if they have been designed, developed, tested and maintained, using a state-of-the-art engineering life-cycle methodology and an auditable quality system that complies with the FDA requirements of current Good Manufacturing Practices."

The various criteria from the checklist also can apply to product development methodology.

Product development organizations for environmental control solutions might also consider a product's conformance to established software maturity models. The Capability Maturity Model (CMMI) of the Software Engineering Institute (SEI6), for example, allows buyers to judge the maturity of an organization's software processes and to identify key practices required to increase the maturity of these processes. The software CMMI has become a de facto standard for assessing and improving software processes.

There are five levels of maturity in this model. They rank from Level 1 (INITIAL) to Level 5 (OPTIMIZED). A Level 2 (REPEATABLE) certified development organization/potential supplier satisfies several key process areas (KPA) required by cGMP. Categorization as such provides proof of good process understanding. Level 3 (DEFINED) certified suppliers exceed GMP requirements in terms of their product development capabilities.

Product audits also support verification of a system's provision for compliancy with the FDA's predicate rule on electronic records and electronic signatures (21CFR Part 11). Suppliers to the pharmaceutical market often provide white papers showing Part 11 compliancy for their products. Received in advance of a formal product audit, these can give users a valuable first impression of the extent to which Part 11 controls comprise built-in product features.

The mail is an ideal delivery mechanism for product audits. Satisfactory completion combines with timely return of this preliminary assessment to give a valuable "heads up" as to whether a supplier should continue to be viewed as a provider of products or services.
Audit Cost Consideration
Both users and suppliers incur significant costs when conducting audits at a supplier's premises. In addition to travelling costs, the audit takes many days. Audits for product development processes are particularly intense. Postal audits, joint audits and shared audit reports all help to reduce costs. One potential source for shared audit reports: the Parenteral Drugs Association (PDA), which has a repository of reports on various supplier products and services7.
Proven Validation Agenda
Auditing a supplier's quality management system on project delivery and product development enables recognition of third-party capabilities that meet the needs of a cGMP-regulated manufacturing environment.Bear in mind, however, that some suppliers may offer additional value to pharmaceutical companies; they may provide guidelines and standards - a "validation agenda" - especially aligned to the cGMP.

Typically this structure will provide a uniform set of proven delivery practices deployed across the supplier's organization. More importantly, it will already be aligned to a supplier's product components - such as automation controllers and a central BMS computer, for example (see Figure 1).

(Click image for larger version.)
A generic validation agenda for cGMP-compliant environmental solutions already exists. It is easily adapted to reflect different user system architecture components.

Key elements for validation should draw upon the GAMP4 V-model for project life cycle, i.e., it should include templates and forms starting from functional specification over detailed design specifications; code review checklists; IQ and OQ plans. The same is true for operational-phase elements like disaster recovery and maintenance plans. Here again, content will reflect the supplier's approach to delivering into a cGMP environment. And, very likely, the QA department of other pharmaceutical companies will have already accepted the templates, plans, etc. In other words, it represents a proven approach.

The advantage to the end-user is that he/she gets a common and approved validation approach - one that reduces risk of non-compliance and, better still, offers proven reliability based on experience - in respect to planning schedules and cost estimations.
Regulatory requirements enforce vendor audits. On one hand, GAMP4 tools can be used as a guideline for assessing vendors project delivery capabilities. On the other, they can be used for product development methodologies for verification of "validation readiness." Added to this, a proven validation agenda is evidence of a supplier's experience in an FDA-regulated industry.

Using GAMP4 and its guidelines on supplier audits1 is a reliable, structured approach that, in turn, helps to identify the right vendor for cost effective solutions and services of HVAC environmental control solutions.

If your supplier can provide an additional GAMP4 based validation process, then you can be confident you have identified an experienced partner - one who is capable of delivering watertight systems that meet the requirements of a cGMP environment. And timely validation of automated environmental control solutions ensures risk avoidance, performance improvement, quicker time-to-market and with this, profitable growth.
1 ISPE, GAMP 4 Guide - Validation of Automated Systems, Amsterdam; Dec2001, Appendix M2 Guideline for Supplier Audit

2 PIC/S Guidance - Good Practices for Computerized Systems in Regulated GxP Environments (PI 011-1) 20. Aug 2003

3 ISPE, GAMP 4 Guide - Validation of Automated Systems, Amsterdam; Dec2001, Section 9.3, pg. 50

4 ISPE, GAMP 4 Guide - Validation of Automated Systems, Amsterdam; Dec2001, Appendix M4 Guideline for Categories of Software and Hardware

5 ISPE, GAMP 4 Guide - Validation of Automated Systems, Amsterdam; Dec2001, Appendix M6 Guideline for Quality and Project Planning

6 Carnegie Mellon Software Engineering Institute

7 Parenteral Drug Association USA; PDA Report on Validation of Suppliers providing Computer Products and Services for Regulated Pharmaceutical Operations" (Technical Report No 32, 1999, PDA)