Best Practices in Commissioning and Qualification (C&Q)

Why Are We Talking About C&Q?

Understanding the significance of commissioning and qualification (C&Q) is crucial for several reasons. It is a universal regulatory expectation that pharmaceutical manufacturing facilities, systems, and equipment meet stringent criteria for suitability. C&Q is instrumental in establishing the fitness of these elements for their intended purposes, helping you meet this expectation.

An integrated approach ensures coordination and synchronization between your commissioning and qualification activities, enhancing regulatory compliance and product safety. The ISPE Baseline Guide: Commissioning and Qualification (Second Edition) adjoins the terms commissioning and qualification (C&Q), highlighting the need to unify these activities in a science- and risk-based lifecycle approach. The concepts put forth in the Guide drive the strategies and best practices outlined in this article.

Full lifecycle management comprises five stages: requirement, design, verification, quality decision, and operation, as shown in Figure 1. Each phase plays a crucial role in ensuring the final product's or system's safety, efficacy, and compliance. While full lifecycle management is a broader consideration, this article concentrates on phases one through four, the core of C&Q.

Phase One: Requirement Phase

Phase one is the Requirement Phase, where the user's expectations for systems, equipment, or utilities are defined. It consists of several key elements and activities:

1. Intended purpose: This involves clearly stating why the system is needed. For example, if the system is a piece of manufacturing equipment, the intended purpose could be to increase production efficiency. The intended purpose provides a foundational understanding of the project, guiding stakeholders in the development and implementation process.
2. Verifiable form: Verifiable requirements are described in a tangible, measurable form, allowing for objective assessment and validation. These requirements are specific, quantifiable, and testable. For example, instead of stating a vague requirement like "the system should be user-friendly," a verifiable requirement would specify measurable criteria such as "the system shall have a maximum response time of three seconds for user inputs."
3. Requirement category: This involves categorizing requirements by type, e.g., user, quality, safety, business, environmental, and so on. Categorization allows stakeholders to prioritize and address them systematically.
4. Requirement source: Identifying the origin of each requirement involves documenting where the requirement came from, e.g., user needs, regulatory standards, stakeholder input, and so on. Understanding the source of requirements ensures they are relevant and aligned with stakeholder expectations.
5. Data integrity: Data integrity requirements specify how data should be handled to maintain accuracy, consistency, and reliability throughout the system lifecycle. Adherence to data integrity requirements is crucial for regulatory compliance.
6. Data storage and display: Defining requirements for data presentation involves specifying how data should be stored, organized, and displayed within the system interface. Clear requirements ensure that data is presented in a user-friendly and meaningful manner, facilitating effective decision-making and user interaction.
7. Critical alarms: Identifying necessary alarm functionalities involves determining the types of alarms and alerts essential for system operation and user safety. Critical alarms notify users of abnormal or potentially hazardous conditions, prompting timely action to mitigate risks. Requirements for critical alarms may include specifications for alarm thresholds, prioritization, escalation procedures, and alarm response protocols.
8. System automation: Outlining the desired level of automation involves defining the extent to which the system should operate automatically without manual intervention. This includes specifying automation features such as automatic data logging, process control, error detection and recovery, and decision-making algorithms. System automation requirements aim to improve efficiency, consistency, and reliability while reducing the need for human intervention.

Phase One Best Practices

When developing the URS, it is essential to understand the product being manufactured and the processes involved. This includes identifying the critical quality attributes (CQAs) of the product that must be met and the critical process parameters (CPPs) that affect product quality. By thoroughly understanding these critical aspects, you can ensure that the equipment and systems being commissioned and qualified will meet the necessary standards and specifications. Additional best practices include:

• Ensure compliance with regulatory requirements: Incorporating relevant regulatory requirements into the URS is critical. This may include adherence to regulations such as FDA 21 CFR Part 11 for electronic records and signatures or other industry-specific guidelines.
• Include quantity, range, and accuracy specifications: The URS should specify quantitative requirements for the commissioned systems or equipment. This includes production capacity, operational ranges, and accuracy tolerances. By clearly defining these specifications, you provide a clear benchmark for system performance and ensure that the commissioned systems meet the necessary production demands within specified parameters.
• Refer to engineering and industry standards: Standards such as those from ASTM, ASME, or ISO provide guidelines and best practices for system design, operation, and maintenance. By referencing these standards in the URS, you ensure that the commissioned systems adhere to recognized industry norms, enhancing reliability, interoperability, and safety.
• Obtain the quality team's approval for source documents: By getting approval for source documents, such as engineering specifications or industry standards, from the quality unit upfront, you streamline the review and approval process for the URS. This saves time and ensures that all stakeholders are aligned on the requirements, reducing the likelihood of delays or discrepancies during later stages of the project.

_{Figure 1: The suggested framework for the risk-based implementation of integrated C&Q.}

System Classification and System Risk Assessment

Between phase one (the Requirement Phase) and phase two (the Design Phase) lies the crucial stage of system classification and system risk assessment.

System classification categorizes systems as direct or non-direct impact using a simple question-and-answer model. A comprehensive risk assessment is essential for direct impact systems, considering every possible scenario that could affect product quality. This assessment involves identifying, assessing, and recording quality risks to CQAs and determining preventive and design controls. The involvement of stakeholders, including users, engineers/maintenance personnel (if not a user), process engineers, vendors, and sometimes quality representatives, is important in this process.

The system risk assessment should be conducted after concept design completion but before detailed engineering begins. This ensures that you address risks before finalizing design drawings and specifications. If the assessment identifies inadequate controls, revisions to the URS may be necessary to incorporate additional safeguards.

Phase Two: Design Phase

Phase two of the integrated C&Q approach involves two critical elements: design review (DR) and design qualification (DQ). According to ISPE, "DR confirms design meets organization and regulatory requirements and is aligned with organization best practices. DQ reviews critical design elements (CDEs) and confirms controls are appropriately designed." An in-depth exploration of both activities is warranted.

Design Review

The design review is a systematic evaluation of specifications, design development, and continuous improvement. It ensures that the design aligns with standards and requirements and identifies problems for corrective action. The design review evaluates both critical and non-critical aspects of system design. Following the review, documented results serve as the basis for design modifications. When properly executed, design reviews minimize the need for expensive design-related change orders.

Critical steps in the DR process include designating a design review lead; forming a design team; defining the scope and boundaries of the review; conducting the review of design requirements against design documents (or drawings or specifications); summarizing design review activities and resolving gaps, evaluating the summary; and obtaining approval.

Design Review Best Practices

• Add a quality unit representative to the design review team for systems with direct quality impact.
• Involve vendors in design reviews for complex systems to ensure alignment with expectations.
• Cover both engineering design (operability, maintainability, safety) and quality design (compliance, critical aspects).

Design Qualification

Design qualification verifies that the design of a new or modified direct impact system meets user requirements and adequately controls quality and safety risks. It begins with identifying the scope and requires three inputs: the system URS, the design review report, and design documentation. The next step is to verify that the CDEs and quality and regulatory requirements have been met. The process concludes with obtaining approval for the design qualification.

Design Qualification Best Practices

• Assign a project manager to oversee prerequisites, including the URS, design documents, and document review.
• Divide design qualification into stages for larger projects to expedite the process and meet timelines.

The ISPE Baseline Guide states, "DR and DQ are not intended to be separate activities, but rather separate documentation. There should be minimal duplication of work; the final report from the design review is a key input into the design qualification process."

C&Q Planning is a Regulatory Expectation

Before we can advance to phase three (Verification), C&Q planning must occur. Your C&Q plan should include the following five activities:

1. Define the scope of testing: Determine the extent and parameters of testing required for the system, considering factors such as system classification, risk assessment outcomes, and user requirements.
2. Identify source documents: Compile and reference all relevant documents, including the URS, risk assessment reports, design drawings, specifications, vendor correspondence, standard operating procedures (SOPs), change control documentation, execution documents, discrepancies or deviations records, and turnover packages (TOPs). Access to these source documents ensures that C&Q activities are done correctly and consistently.
3. Appoint a project manager: Designating a project manager is crucial for overseeing and coordinating various aspects of the C&Q project. In complex C&Q projects, multiple project managers may be assigned to specific tasks or phases, such as factory acceptance testing (FAT), installation verification, and qualification phases, to ensure effective management and timely completion.
4. Define documentation: Identify the required deliverable documents, establish protocols for document creation, review, approval, distribution, and retention, and ensure compliance with regulatory standards and project requirements. Document types may include protocols, reports, standard operating procedures, change control records, and other relevant documentation for documenting C&Q activities and outcomes.
5. Create a signatory matrix: A signatory matrix clarifies roles and responsibilities regarding document review, approval, and sign-off within the C&Q project team. By defining roles upfront, the signatory matrix streamlines document workflows, minimizes delays, and fosters effective communication and collaboration among project stakeholders.

A good C&Q plan ensures the thorough preparation, documentation, and coordination essential for successfully executing commissioning and qualification activities. It is also a regulatory expectation.

Phase Three: Verification Phase

Phase three concerns testing and documentation. C&Q testing and documentation spans from design to system release. The scope of the testing depends on the scope of the project. The type and rigor of testing depend on the type of system (or equipment) and its potential to impact product quality. Key verification activities include:

1. Planning: This involves establishing a comprehensive plan for verification activities, outlining the scope, schedule, resources, and responsibilities for testing and documentation. The verification plan serves as a roadmap, guiding the execution of verification activities and ensuring that all necessary tests are conducted to demonstrate compliance with requirements.
2. Training: To execute verification activities effectively, personnel must be adequately trained in verification procedures and documentation standards. Training programs should cover testing protocols, data recording practices, safety procedures, and regulatory compliance requirements.
3. DQ integration: Integrating design qualification into the testing process ensures the system design meets predefined requirements and specifications before verification activities begin. DQ activities may include reviewing design documents, conducting risk assessments, and verifying design specifications. By incorporating DQ into the verification phase, potential design flaws or deficiencies can be identified and addressed early in the process.
4. Vendor documentation and testing: Using vendor documentation and testing results leverages the expertise and resources of equipment manufacturers or suppliers. Vendor documentation may include specifications, test reports, and validation protocols you can use to support qualification activities. Incorporating vendor testing results minimizes redundant testing efforts, speeding up qualification.
5. Change management: Managing system changes through established engineering change management procedures is essential for maintaining the integrity and compliance of the verification process. Any changes to system design, specifications, or requirements should be carefully evaluated, documented, and approved through a formal change control process. Effective change management helps prevent unauthorized modifications, ensures traceability of changes, and minimizes the impact on verification activities.
6. Execution: Carrying out various testing and execution activities involves executing the verification plan, including vendor and system construction phase documentation, installation testing, startup execution, operational and functional testing, and performance qualification. Execution activities require meticulous attention to detail, adherence to established procedures, and accurate documentation of test results and observations.
7. Deviation or exception management: Implementing procedures to manage and address deviations or exceptions encountered during verification ensures that non-conformances are identified, documented, and resolved promptly. Deviations may arise due to unexpected test results, equipment malfunctions, or procedural errors. Effective deviation management involves investigating the root cause of deviations, implementing corrective actions, and documenting the resolution process to maintain compliance with requirements.

Phase Three Best Practices

Before commencing verification activities, it is crucial to establish clear and consistent standards for documentation. This includes defining formats, templates, naming conventions, and version control protocols for all verification-related documents. Adhering to predefined documentation standards ensures consistency, clarity, and traceability throughout the verification process. Other best practices include:

• Train on documentation standards: Once you establish documentation standards, providing comprehensive training to relevant personnel is essential. Training should cover the specifics of the documentation standards, including how to create, review, revise, and approve verification documents. Training sessions may include workshops, seminars, or online modules to ensure all team members understand and adhere to the established standards.
• Predefine test witnesses: Test witnesses play a crucial role in verification activities by providing oversight, verification, and validation of test procedures and outcomes. Identifying key test witnesses and associated requirements beforehand ensures that the right individuals are involved in each verification test. These individuals should possess the necessary expertise, authority, and independence to evaluate test results and provide validation impartially.
• Assess the vendor: When leveraging vendor documentation and testing results for the validation turnover package (VTOP), it is essential to conduct a thorough audit or review of the vendor's processes. This assessment ensures that the vendor's documentation meets the required quality standards and regulatory requirements.
• Manage system changes: Throughout the verification phase, changes to the system design or specifications may occur. It is crucial to establish a robust system for managing these changes effectively. This includes implementing formal engineering change management processes to document, evaluate, approve, and implement any proposed changes. By following predefined change management procedures, you can minimize potential disruptions or delays to the verification process and preserve the integrity of the qualification results.
• Predefine the process for test failures: Despite thorough planning and execution, test failures may occur during the verification phase. To address these failures promptly and effectively, it is essential to establish a predefined process for managing test failures. This process should include procedures for promptly identifying, documenting, investigating, and resolving test failures. By having clear escalation pathways, corrective actions, and decision-making protocols in place, teams can expedite the resolution of test failures and maintain project momentum.

Phase Four: Quality Decision Phase

The last phase in our C&Q journey is the Quality Decision Phase. The key elements of this phase include:

1. Prerequisites completion: Ensure all prerequisites, including documentation and testing, are met before proceeding.
2. Investigation of unexpected results: Investigate any unexpected or anomalous results encountered during testing.
3. Addressing discrepancies/deviations/exceptions: Address and resolve any discrepancies, deviations, or exceptions identified during the verification phase.
4. Closure of engineering change management (ECM): Close out all engineering change management activities related to the project.

Phase Four Best Practices

Ensuring that test descriptions are clear and comprehensive is vital. Each test should be accompanied by a detailed description outlining the expected results, criteria for success, references, and actual results obtained. Additionally, the outcome of the test, whether it passed or failed, should be explicitly stated. Providing such clarity facilitates the review process for quality personnel, enabling them to make informed decisions regarding acceptance and release. Other best practices include:

• Manage discrepancies/exceptions: When you identify discrepancies or exceptions, investigate and address them promptly. Discrepancies should be managed to closure following established procedures, such as engineering change control or formal quality change control processes. Proper handling of discrepancies ensures that quality standards are upheld and mitigates potential risks to the system's integrity and functionality.
• Implement execution metrics: Implementing robust execution metrics that track passed, failed, and deviated outcomes is crucial for expedited decision-making. These metrics provide a comprehensive overview of the C&Q project's execution status, highlighting areas of compliance and noncompliance. By having access to clear and concise execution metrics, quality personnel can assess the project's progress and identify any immediate issues, facilitating efficient decision-making processes.
• Ensure availability of quality system elements: All necessary quality system elements should be in place before system release. This includes documentation, procedures, and controls that ensure product quality and regulatory compliance. By ensuring the availability of quality system elements, organizations can demonstrate readiness for system release and mitigate the risk of quality-related issues post-deployment.
• Prepare formal summary with approval: A formal summary of key project deliverables, such as qualification reports, should be prepared and approved before system release. This summary is a comprehensive overview of the project's outcomes, highlighting key findings, actions taken to address discrepancies, and overall compliance status. Obtaining formal approval ensures that stakeholders agree on the project's readiness for release.

_{Figure 2: Trace matrix generated automatically in ValGenesis minimizes the human error associated with manual tracematrix creation and Excel}

Best Practices for C&Q Projects

In the broader context of the entire C&Q project, several overarching best practices will contribute to its success. These include:

• Inclusive design review: Include all C&Q engineers, site personnel, vendors, and consultants in the design review process to ensure comprehensive input and alignment with project goals.
• System categorization: Drive the C&Q project using system categorization to ensure standardized and efficient execution tailored to specific system requirements. Your C&Q efforts should not be person-driven or function-driven work; a standard system should drive them.
• Timely change management: Delay formal change control requests (CCRs) until after qualification or design qualification phases to avoid unnecessary delays and streamline project progression. ISPE also supports a realistic approach to change management.
• Focused testing: Prioritize critical function and aspect testing during IQ or OQ (where applicable) to ensure a thorough evaluation of system performance and compliance.
• Leveraging testing documents: Execute testing documents wherever possible by subject matter experts (SMEs) and leverage them for qualification to optimize resources and ensure accuracy. Vendors can also be considered SMEs.
• Clear RACI Matrix: Establish a well-accepted RACI (Responsible, Accountable, Consulted, Informed) matrix to clarify roles and responsibilities throughout the project, ensuring efficient collaboration and decision-making.

Conclusion

Integrating commissioning and qualification processes is intricate yet crucial for ensuring the integrity, safety, and compliance of critical systems in regulated industry sectors like pharmaceutical and biotechnology. From the initial Requirement Phase through Design and Verification and into the Quality Decision Phase, each step demands meticulous planning and execution.

By following the best practices presented here and leveraging innovative digital technologies like ValGenesis, regulated organizations can streamline their C&Q processes, mitigate risks, and effectively achieve their project goals.

• Trust-based collaboration: Foster a culture of trust among project stakeholders to facilitate seamless communication, decision-making, and project execution. A trust-based process is the backbone of successful C&Q.
• Digitalization: Embrace digital solutions like ValGenesis to enhance project efficiency, automate processes, and ensure compliance. A robust digital system should drive system categorization, manage engineering changes and deviations, automate trace matrix generation (Figure 2), and facilitate time-bound requalification efforts post-handover, minimizing human intervention and optimizing resource utilization.

Digitalization is the secret ingredient to achieving your C&Q goals faster and more compliantly with limited resources.

References

1. International Society for Pharmaceutical Engineering. (2019). The ISPE Baseline Guide: Commissioning and Qualification (Second Edition).

2. International Society for Pharmaceutical Engineering. (2019). The ISPE Baseline Guide: Commissioning and Qualification (Second Edition).

3. Joshi, Saurabh. (2024, March 5). Best Practices in Commissioning and Qualification: Part One [blog post]. Retrieved from https://www.valgenesis.com/blog/best-practices-in-commissioning-and-qualification-cq-part-one

4. Joshi, Saurabh. (2024, March 7). Best Practices in Commissioning and Qualification: Part Two [blog post]. Retrieved from https://www.valgenesis.com/blog/best-practices-in-commissioning-and-qualification-part-two