As ERP validation experts in the life sciences industry, we are often asked about the applicable regulations and standards. Although a good computer system validation (CSV) program offers benefits beyond meeting regulatory requirements, regulatory compliance remains to this day the main driver of this activity across the industry, and understanding this landscape can be a daunting task.
If you are, or are associated with, a life sciences organization operating or planning to operate in the United States, Canada or Europe, this blog should help you identify the clinical research, pharmaceutical or medical device regulations to consider when developing an ERP validation strategy...
"Do I need to validate my ERP system?" Yes, you do…
There is an ocean of regulations and standards related to the life sciences industry and, for the purposes of this blog, that ocean can be divided into three large seas: clinical research, pharmaceuticals and medical devices.
There are regulations you need to know to navigate each sea wisely. Table 1 is a summary of the main regulations, presented by region and industry segment. It is limited to regulations that specifically mention the need to validate computerized systems, such as an ERP system. Following the table, you will find excerpts from these key regulations and standards. It is important to note that this list would grow considerably if we were also to include material on process, test method and/or equipment validation, or on specific functionality covered by an ERP system, which are topics best kept for future discussions.
Table 1: CSV (Computer System Validation) COMPLIANCE TABLE
* Note that European medical device regulation is undergoing major changes. Medical devices within the EU are currently regulated by 3 directives: Council Directive 90/385/EEC on Active Implantable Medical Devices (AIMDD) (1990), Council Directive 93/42/EEC on Medical Devices (MDD) (1993), and Council Directive 98/79/EC on in vitro Diagnostic Medical Devices (IVDMD) (1998). These directives are being replaced by two new regulations: Regulation (EU) 2017/745 and Regulation (EU) 2017/746. For the sake of simplicity, we will defer any discussion or comments on the new regulations and the current directives to a later date.
**Given the legal nature of the regulatory texts, they are presented in English.
Applicable region(s): USA || Industry segment(s): All
Subpart B - Electronic Records
11.10 Controls for closed systems.
Persons who use closed systems to create, modify, maintain or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Procedures and controls shall include the following:
(a) Validation of systems to ensure accuracy, reliability, consistent intended performance and the ability to discern invalid or altered records.
[...]
Applicable region(s): CAN & EUR || Industry segment(s): Medical devices
“4.1.6 The organization shall document procedures for the validation of the application of computer software used in the quality management system. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application.
The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software.
Records of such activities shall be maintained (see 4.2.5).”
“7.5.6 Validation of processes for production and service provision
[...]
The organization shall document procedures for the validation of the application of computer software used in production and service provision. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software, including the effect on the ability of the product to conform to specifications.
[...]
7.6 Control of monitoring and measuring equipment
[...]
The organization shall document procedures for the validation of the application of computer software used for the monitoring and measurement of requirements. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application.
The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software, including the effect on the ability of the product to conform to specifications.
Records of the results and conclusion of validation and necessary actions from the validation shall be maintained (see 4.2.4 and 4.2.5).”
Applicable region(s): CAN || Industry segment(s): Medical devices
Note: The need to validate software embedded in medical devices is specified in SOR/98-282, but nothing specific to CSV can be found there. However, SOR/98-282 requires that a quality management system certificate be provided for type II, III or IV devices (not for type I). This means complying with ISO 13485:2016. See ISO 13485 above for the CSV requirements related to that standard.
“Validation means confirmation by examination and the provision of objective evidence that the requirements for a specific intended use have been fulfilled, as set out in the definition validation in section 2.18 of International Organization for Standardization standard ISO 8402:1994, Quality management and quality assurance - Vocabulary, as amended from time to time.
Application for a Medical Device Licence
(32)(2)(f) a copy of the quality management system certificate certifying that the quality management system under which the device is manufactured satisfies National Standard of Canada CAN/CSA-ISO 13485:2016, Medical devices — Quality management systems — Requirements for regulatory purposes.
(Note: The above statement repeats itself multiple times within SOR/98-282.)”
Applicable region(s): USA || Industry segment(s): Medical devices
“Subpart G—Production and Process Controls
§ 820.70 Production and process controls.
[...]
(i) Automated processes. When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.”
Applicable region(s): USA, CAN, EUR, + || Industry segment(s): Pharmaceutical
“12. VALIDATION
12.1 Validation Policy
12.10 The company's overall policy, intentions, and approach to validation, including the validation of production processes, cleaning procedures, analytical methods, in-process control test procedures, computerized systems, and persons responsible for design, review, approval and documentation of each validation phase, should be documented.”
Applicable region(s): CAN || Industry segment(s): Pharmaceutical
“C.02.020 to C.02.024
Interpretation # 6
If you use an electronic system to create, modify or store records required under these regulations, you should validate the system for its intended use.
a. Ensure all access and user rights in electronic systems are properly controlled to prevent system users from compromising data integrity.
b. Control electronic records in a way that ensures the records:
i. can only be created and modified by authorized personnel
ii. are protected against intentional or accidental deletion
iii. are named and organized in a way that allows for easy traceability
iv. are tracked through an audit trail when created or modified (the audit trail should include changes made to the record, who made the change, the time and date the record was changed and, if applicable, the reason the record was modified)
v. are backed up at regular intervals to protect against potential data loss due to system issues or data corruption
vi. are available for review during an inspection and are readily retrievable in a suitable format
vii. include all necessary metadata”
Applicable region(s): EUR || Industry segment(s): Pharmaceutical
“Principle
This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A computerised system is a set of software and hardware components which together fulfill certain functionalities. The application should be validated; IT infrastructure should be qualified. Where a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process.”
Applicable region(s): USA || Industry segment(s): Pharmaceutical
“27.0 § 211.68 Automatic, mechanical, and electronic equipment.
(a) Automatic, mechanical, or electronic equipment or other types of equipment, including computers, or related systems that will perform a function satisfactorily, may be used in the manufacture, processing, packing, and holding of a drug product. If such equipment is so used, it shall be routinely calibrated, inspected, or checked according to a written program designed to assure proper performance. Written records of those calibration checks and inspections shall be maintained.
(b) Appropriate controls shall be exercised over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel. Input to and output from the computer or related system of formulas or other records or data shall be checked for accuracy. The degree and frequency of input/output verification shall be based on the complexity and reliability of the computer or related system. A backup file of data entered into the computer or related system shall be maintained except where certain data, such as calculations performed in connection with laboratory analysis, are eliminated by computerization or other automated processes. In such instances a written record of the program shall be maintained along with appropriate validation data. Hard copy or alternative systems, such as duplicates, tapes, or microfilm, designed to assure that backup data are exact and complete and that it is secure from alteration, inadvertent erasures, or loss shall be maintained.”
Applicable region(s): USA, CAN, EUR, + || Industry segment(s): Clinical research
“1.65 Validation of Computerized Systems
A process of establishing and documenting that the specified requirements of a computerized system can be consistently fulfilled from design until decommissioning of the system or transition to a new system. The approach to validation should be based on a risk assessment that takes into consideration the intended use of the system and the potential of the system to affect human subject protection and reliability of trial results.
5.5.3 When using electronic trial data handling and/or remote electronic trial data systems, the sponsor should:
(a) Ensure and document that the electronic data processing system(s) conforms to the sponsor's established requirements for completeness, accuracy, reliability, and consistent intended performance (i.e., validation).”
"So, does this mean I have to validate my ERP system?" Yes, it's the law…
In conclusion, if you work in clinical research, the pharmaceutical industry or the medical device industry, it is very likely that the applicable regulations require you to validate your ERP system, or any other system that could have an impact on patient safety, product quality or data integrity.
We hope you found this overview of the regulations useful. Feel free to contact us if you believe there are other regulations, standards or key excerpts that should have been included. We are always grateful for your constructive comments.
References:
1. EUROPEAN COMMISSION, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Annex 11: Computerized Systems (2011)
2. HEALTH CANADA, Good manufacturing practices guide for drug products, GUI-0001 (2018)
3. INTERNATIONAL CONFERENCE ON HARMONISATION OF TECHNICAL REQUIREMENTS FOR REGISTRATION OF PHARMACEUTICALS FOR HUMAN USE,
4. INTERNATIONAL ORGANIZATION FOR STANDARDIZATION, ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes (2016)
5. THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
5a. REGULATION (EU) 2017/745 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (2017)
5b. REGULATION (EU) 2017/746 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (2017)
6. THE MINISTER OF JUSTICE OF CANADA, Medical Devices Regulations, SOR/98-282 (2020)
7. U.S. FOOD & DRUG ADMINISTRATION (FDA), Title 21 – Food and Drugs, Chapter I, Food and Drug Administration Department of Health and Human Services,
Subchapter C – Drugs: general,
Subchapter H – Medical Devices,