Life cycle of computerized systems in the pharmaceutical industry
The management of computerized systems must be understood as part of the quality system of companies whose activity is regulated by the GxP. Within this regulated context, we must ensure that computerized systems are functioning according to their intended use. The life cycle approach envisages validation at all stages through which a computerized system passes. Establishing this type of approach facilitates and ensures regulatory compliance and the suitability of the system for the process it is intended to manage.
The process that helps us to understand, control and monitor the risks of using computerized systems is the validation process.
Validation is not a finite time project that is equivalent to obtaining a certificate that certifies that the system has been successfully tested, but should be understood as part of the quality management that controls the conception of the system (identifying and detailing the requirements to be met), passing through its implementation, development, verification and release, controlling the entire time of use and ending with its withdrawal process.
The main objective of this article is to clarify the concept of life cycle considering the casuistry and risks inherent to the manufacturing process in the pharmaceutical sector, specifically the management of a computerized MES system.
Computerized systems associated with the pharmaceutical manufacturing process
Specialties Computerized Systems
There are different types of computerized systems related to the manufacturing activity, from systems that interact at the lowest level by integrating with the plant signals to those that allow a grouped analysis of the organization’s data, enabling decisions to be made and predictions to be made.
The types of systems we can observe in manufacturing management are as follows:
- Systems that allow integration with plant equipment. These systems allow the interpretation of signals from the physical plant equipment. For example: sensors and PLCs.
- Industrial control systems. They allow governing the physical plant equipment and managing the intervention of users in the process. For example, SCADA systems.
- Operations management systems. They manage defined and regulated processes, taking into account the intervention of users, automating and controlling processes, integrating with equipment and generating reliable process data. For example: MES (manufacturing management), WMS (warehouse management), CMMS (maintenance management) or LIMS (management of quality control activities).
- Business management system. They allow the planning of business resources taking into account the multiple operations of the company. For example: ERP systems or planners.
- Data processing systems. They allow the exploitation of information, giving it meaning and enabling decision making in the organization. For example: business intelligence systems.
Process and information flow MES systems
A Manufacturing Execution System MES (Manufacturing Execution System) is a computerized system designed to organize, control and monitor manufacturing processes ensuring traceability and security of processes and information.
MES systems have the functionality to interact with plant signals (electronically and/or mechanically) and operators to manage manufacturing operations. They optimize operations, manage data and control the process and information flow.
The following process map represents the usual management of MES systems:
The MES system is a clear example of a management system for an activity regulated by the GxP, due to its impact on product development and traceability. Therefore, it must be managed within the quality assurance system from its conception (definition of user requirements). Its design and implementation must be done from the deep understanding of the process to be managed and with a risk-based approach, involving the key personnel of the organization in the quality, logistics, production and maintenance processes and with the support of the technological supplier that provides it.
The implementation of an MES system must be properly planned and managed, considering its implementation as part of the business strategy, taking into account the following particularities of the company that wishes to implement it:
- Definition of global requirements or per facility in case different plants are available.
- Identification of hardware, software and IT infrastructure required.
- Languages and geographical areas required.
- Regulatory requirements of the different applicable geographical areas.
- System architecture (global or local) and data management.
- Process management and associated procedures.
- Validation approach.
- System support management during its time of use.
- Suppliers involved.
Relying on people
In order to contemplate all the risks in the process of design, configuration, verification and commissioning of the system, a multidisciplinary team must be formed to lead the project with experience and knowledge in the areas of IT, quality, logistics, production and engineering and maintenance.
It should be noted that the implementation of this type of system has a direct impact on the company’s operations (way of working) and the recording of critical information (traceability). Therefore, this type of change can generate rejection by the staff of the organization, both at the level of operators, supervisors or quality assurance. Consequently, it is of vital importance to involve the organization’s personnel in the whole process, from taking and approving the system requirements, development, testing, training, implementation, maintenance and retirement.
MES system life cycle
The life cycle of a computerized system is understood as the complete management from its conception to the end of its use. A possible division of the stages that make up the life cycle is as follows:
- Selection of computerized solutions and their technology provider
- Functional and design specifications
- Configuration and development
- Implementation and testing
- Data migration
- Control status maintenance
The following is an analysis of each of the stages.
All project activities must be perfectly coordinated, establishing the specific objectives, responsibilities, prerequisites and methodology for each activity, as well as the documentation and records to generate all the required evidence and work methods.
The factors to be taken into account in the definition of this strategy (validation plan) are the following:
- Definition of the scope of Validation. The entire application should not be verified or to the same extent, an initial risk assessment should be performed to identify the regulated areas or functionalities and the applicable regulations.
- Identification of the hardware and software elements of the system and classification according to GAMP5. Applicable to one or several installations.
- Supplier evaluation. The criticality is established according to the expected product and/or service. The use of documentation generated by the supplier must follow an evaluation process where the activities and content are adequate, accurate and complete.
- The validation approach must be defined in case the MES is implemented in several installations. A global validation or a validation per installation could be defined, both options can be valid.
- Definition of the multidisciplinary validation team.
- Identification of required test environments. One or more to simulate hardware, software and integrations. The suitability of the test environment as equivalent to the production environment must be evidenced.
They must define, clearly and precisely, what the regulated company requires from the system. The so-called “intended use”. They must be associated with the business process and be independent of the solution to be used. This document is essential for the validation process.
The extent and detail of requirements gathering and specification should be sufficient to support risk assessment, subsequent specification and development of a system, as well as verification.
In the case of the MES system, it is essential to understand the process to be managed and the applicable regulatory requirements. The MES must comply with the organization’s quality management system. The specific requirements of the product process and its critical parameters must be addressed, taking into account the specifications of the recipe, rather than from the design of the system.
It must be taken into account that MES management is not composed of a single system, it is the set of industrial elements, hardware and software. We must also define a process approach (taking into account all software, hardware and integrations), so that all risks are taken into account.
The requirements for the MES to be present in several facilities must also be taken into account. A data flow indicating data ownership, access and transfer requirements must be developed.
Selection of the computerized solution and its technology provider
From the definition of these requirements, it is possible to ensure the selection of the system (taking into account that it complies as much as possible with the established requirements), the correct installation (complying with the technical and IT specifications), the system configuration (to adapt the functionalities to the characteristics of the organization’s processes), the system operation (in order to achieve the expected performance), the required security (at the level of administration, process control and system auditing) and compliance with the applicable regulations.
The selection process must take into account the quality system of the technology supplier in order to ensure that its internal management and traceability is aligned with the regulatory requirements of the organization.
Functional and design specifications
Since the MES system will be composed of different hardware, software and integration elements, it is a good practice to generate a functional map to be able to assign risks to the required functions and to the different systems.
Typically, the responsibilities between computerized systems are posed in the following way:
- The ERP is the starting point for all processes, centralizes part of the configuration of the main master data, structures and defines activities, centralizes process information globally and handles economic data.
- The MES has concrete and specific data on equipment, materials and processes, manages process operations and information flow, and records plant manufacturing data.
- SCADA and/or PLCs manage plant processes and signals at the lowest level.
It is possible to generate global and specific specifications for the MES software.
Global specifications determine common functionality, such as electronic data exchange. The individual MES system specifications focus on process management, logging and security.
The design documentation for the MES should relate the hardware and software application to manufacturing. Design and configuration specifications detail how the system is built and configured for use at each location.
Configuration and Development
Once the way in which the process needs to be computerized is understood (expressed in the requirements) and the computerized system that will manage the operations and their registration are established, the configuration or development to be applied to the system must be determined in order to adapt it to the specific processes of the company so that it can fulfil its purpose as expected.
The configuration may consist of:
- Enable or disable system areas/modules.
- Advanced system configuration.
- Configuration of integration with other systems
- Integration with plant elements or process equipment.
- Configuration of system functionalities.
Custom developments may be required to meet specific functional or security requirements that the standard system does not meet. Alteration of the standard operation of the system software and/or hardware implies an increased risk.
La evaluación de los riesgos del sistema desarrollado debe determinar el impacto de forma global en la producción. Así como, la empresa o área responsable de implementar los desarrollos debe contar con unas normas de implementación técnica del desarrollo para, en la medida de lo posible, estandarizar esta actividad y disminuir los riesgos (como dependencia de desarrolladores, ilegibilidad del código o riesgos de trazabilidad).
The implementation approach of the MES system by the integrator directly affects the validation. Preferably a general plan should be approved showing the activities and their estimated duration, prerequisite per activity, documentation to be generated by the parties and responsibilities (of the organization, implementing team and validating team).
Responsibilities for installation, configuration, documentation, testing and maintenance of the MES system must be determined. Including all available system environments.
Consideration should be given, for systems to be deployed in multiple installations, to the system architecture and validation approach, requirements for simulation cases for testing and required data migration.
Verification confirms that the specifications have been met and that the systems are suitable for the intended use.
The MES system usually consists of category 4 software (configured) and category 1 hardware (standard). Testing should focus on:
- Installation testing: Testing should verify and document that system components are matched and installed in accordance with specifications, supplier documentation, and local and global requirements (if applicable).
- Configuration testing: Testing should verify that the system has been configured in accordance with the relevant specification. Testing may take the form of inspections or checking vendor documentation.
- Functional testing: functionality that supports the specific business process based on risk and vendor assessments (this is an area where vendor documentation can be leveraged).
- Requirements testing that demonstrates suitability for the intended use. This may include testing the functionality of the system against requirements on a risk basis.
The process of migrating data between computerized systems is of vital importance to maintain traceability of historical data, as well as to continue with the tasks of recording traceability in a new computerized system.
The acceptance and release report summarizes the validation project by stating the personnel involved, the activities performed, the results obtained, the documentation generated, deviations from the plan, improvement and corrective actions, and provides a statement of fitness for purpose of the computerized system.
The following requirements must be met for the computerized system to be released:
- All the activities identified and defined in the validation methodology are executed, the acceptance criteria defined for each of the activities are checked and the results obtained do not present critical deviations.
- If any deviation is detected in the verifications performed, an analysis must be carried out to identify the root cause of the deviation and establish its criticality. In the event that the deviation is considered critical, appropriate actions must be taken to correct the deviation.
In order to keep the environment validated on a permanent basis, it is necessary to determine the procedures that will be implemented in the organization, making predictable its management periodically or punctually to be carried out in the event of certain events.
These procedures should reflect the activities to be carried out, time of execution and periodicity, required records, scheduled revisions, as well as determine who is responsible.
Control status maintenance procedures are listed below:
- Change control.
- Configuration management.
- Software and data backup and restore.
- Log preservation, archiving and recovery.
- Business continuity plan.
- Periodic reviews. Audits.
- The management of computerized systems should be understood as part of the quality system of companies whose activity is regulated by the GxP.
- The life cycle approach contemplates validation at all stages through which a computerized system passes. Establishing this type of approach facilitates and ensures regulatory compliance, as well as the suitability of the system for the process to be managed.
- The implementation of an MES system must be properly planned and managed, considering its implementation as part of the business strategy.
- It is of vital importance to involve the organization’s personnel in the entire process (whether at the level of operators, managers or quality assurance), from the taking and approval of the system requirements, development, testing, training, implementation, maintenance, until its withdrawal.
- All project activities must be perfectly coordinated, establishing the specific objectives, responsibilities, prerequisites and methodology for each activity, as well as the documentation and records to generate all the required evidence and work methods.
Article originally published in Pharmatech magazine, issue 60, September-October 2021.