Where Do You Start and End?
April 27, 2016 Copyright by QACV Consulting, LLC 1
Sharon Strause, Senior Consultant
QACV Consulting, LLC
17th Annual Computer and Software Validation Conference
Hilton at Penn’s Landing
Philadelphia, PA
April 26-28, 2016
Sharon Strause
15 years - Pharmaceutical industry
• Documentation
• Computer System Validation
• Quality Assurance in Information Management
12 years - Consulting
• Life Science Industries
• Consumer Product Industries
• Software Development Companies
Where are you from?
Agenda
• Determining the Magnitude
• The 5 W’s
  • Who are the Stakeholders
  • What are the Elements & Risk Management
  • When should it be Completed
  • Where can I find Information
  • Why is NIQ necessary
• Data Bases & Operating Systems
• Qualification vs Validation
• Upgrades
• Network Management
Identifying Stakeholders
A person or organization (e.g. customer, sponsor, performing organization, or the public) that is actively involved in the project, or whose interest may be positively or negatively affected by the execution or completion of the project.
A stakeholder may also exert influence over the project and its deliverables. (PMBOK® Third Edition)
Key Stakeholders
Management
User Community
Project Team
Technical Team
Power Users
Support Team
Team Concept for Qualification/Validation
With computers and infrastructures becoming more specialized and complex, the skills needed for the project can rarely be provided by one individual.
Who Does Work in Qualification/Validation..
Team
With Assistance From....
Consultants
System Analysts
End Users
Operations
Quality Assurance
Technical Services
Vendors
FDA GXP’s
GMP (Drug) 21 CFR 210, 211
GMP (Medical Device) 21 CFR 820
GLP 21 CFR 58
GCP 21 CFR 50, 54, 56, 312, 314, 316, 601, 812, 814
Part 11 21 CFR 11
Guidance
• Guide to Inspection of Computerized Systems in Drug Processing: Blue Book 1983
• Computerized Systems Used in Clinical Trials: 4/99
• Guide To Inspections of Computerized System In The Food Processing Industry
• General Principles of Software Validation; Final Guidance for Industry and FDA Staff: Jan ‘02
• Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application: Feb ‘03
Additional Governing Agencies/Regulatory Acts
HIPAA
OSHA
EPA
DEA
DOD
MHRA (Formerly MCA)
Sarbanes-Oxley
Computer System Validation In A Global Environment
• Outside of the U.S., other guidelines exist for Good Manufacturing Practice, electronic records, and electronic signatures. These guidelines include:
• European Community Guideline to GMP for Medicinal Products, Annex 11, Computerised Systems
• Pharmaceutical Inspection Convention (PIC) GMP Guideline PI 011-3 Good Practices for Computerized Systems in Regulated “GXP” Environment.
• ICH, Q8, 9, 10
Elements of NIQ
Infrastructure
[Figure: areas directly controlled by the end user versus area NOT directly controlled by the end user. Labels: Software Application, Equipment, System Documentation and Procedures, Computer System, Network Infrastructure]
Know Everything at Any Time
[Figure: network diagram showing servers, clients, review stations, lab benches and WAN connections across CORE, DISTRIBUTION and ACCESS layers, linked by fiber, GB-Ethernet and 100BaseT]
Information on each component and how they interact, at any time
Ultimate Goal – Highest System Uptime
• Equipment Hardware
• Computer Hardware
• Network Components
• Operating Systems
• Application Software
• Specifications
• Qualification/Validation status
• Documentation
Courtesy of Ludwig Huber
Data Management Procedures
• Back-up scheduling, logging
• Deviation reporting
• Media labeling and storage on-site & off-site
• Restoration Process
Minimum Documentation
• Back-Up Logs
• Restoration Logs
• Risk Analysis Reports
• Event Logs
Business Continuity Disaster Recovery
Continuance of service provision in event of catastrophe
Disaster Recovery Plan
Contingency
Continuance of service provision in event of less serious contingencies
Business Continuity Plan
Risk & NIQ
Definition - Risk
A measure of the probability and severity of undesired effects. Often taken as the simple product of probability and consequence. (IEEE)
Risk level - A quantitative estimate that describes the level of degree of risk. The value is additive based on quantitative values assigned for public health (severity), regulatory risk, and business risk.
Definition – Risk Assessment
A comprehensive evaluation of the risk and its associated impact. (DOD)
Risk Analysis - Investigation of available information to identify hazards and to estimate impacts and costs of risks
Definition – Risk Management
Systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating and controlling.
Risk management includes analysis, evaluation, mitigation and on-going monitoring and updates.
Tools for Evaluation
GAMP 5
Lifecycle approach
Phased to Project Management and Qualification/Validation Process
FMEA
Quality Tools
Six Sigma
[Figure: Risk Assessment and Validation Process, GAMP 4. Flowchart with two columns, Validation Activities and Project Implementation Activities. Box labels: Feasibility Stage; Is Validation Required? (Yes/No); Decision Documented; User Requirements Specification; Response to User Requirements Specification; Supplier Assessment and Purchase; Functional Spec and Design; Test System; Validated System; Change Control; Determine Scope of Validation; Document Justification of Validation Approach; Update Validation Plan; Develop Test Plans. Five points in the flow are marked "R".]
Quality Risk Management Process (GAMP 5)
Step 1: Perform Initial Risk Assessment and Determine System Impact
Step 2: Identify Functions with Impact on Patient Safety, Product Quality, and Data Integrity
Step 3: Perform Functional Risk Assessments and Identify Controls
Step 4: Implement and Verify Appropriate Controls
Step 5: Review Risks and Monitor Controls
Risk Management (ISO 14971-1:1998)
• Risk Analysis: Identify the system; identify hazards and possible harms
• Risk Evaluation: Estimate, justify and document risk level (probability/severity)
• Risk Mitigation/Control: Estimate costs of mitigation vs. non-mitigation; define and take actions for mitigation
• On-going Evaluation: Monitor for new harms; monitor risk levels; update plan and take actions
Risk assessment
Key criteria: product quality (public health), business continuity
Risk Assessment
Start with a Process Flow Chart
Determine potential risks of the process relative to intended use
List critical control points for each identified hazard
List critical limits for each of the critical control points
List procedures used to monitor each of the critical control points
Evolution of Computer Infrastructure
[Figure: timeline of computer infrastructure]
• 1970’s: Dedicated Environment (OS/390)
• 1980’s: One Client, One Server (Unix Client/Server)
• 1990’s: Multi-Client, One Server (PC Client, UNIX Server)
• Today: Multi-Client, Multi-Server (Web Client, Db. App. Server)
• Tomorrow: Compute Abstraction (SAN, Grid)
Today
• Validate applications & process
• Qualify infrastructure
• No longer possible to draw the box around all the infrastructure components
Examples of In-Scope Infrastructure
Desktop Computers PC, Workstation, Laptop
Servers OS/400, UNIX, Windows
Network Services ID Management, Network O/S, LDAP, E-Mail, Citrix, Time Server
Network Management Software, Media, Network Equipment, Telecomm Vendors, VPN’s
Data Center HVAC, Power, Fire Suppression, Card Readers
GAMP (Good Automated Manufacturing Practices)
Publication developed from a UK initiative to aggregate best industry practices helping healthcare communities to achieve validated and compliant automated systems meeting current GxP regulations
Generally accepted as a standard for achieving compliance
Accelerates implementation of application validation standards
www.ispe.org/gamp
ITIL (IT Infrastructure Library)
Set of publications
Service Management
Public domain framework
Best practice framework
Quality approach and standards
itSMF is the ITIL user group
ITIL and GAMP can be used together to achieve both compliance and efficiency in support of your network infrastructure
Web Sites for Information
PDA: www.pda.org
ISPE: www.ispe.org
GAMP: www.ispe.org/gamp
FDA: www.fda.gov
IVT: www.ivtnetwork.com
Agilent: www.chem.agilent.com
Lab Compliance: www.labcompliance.com
ITIL: www.itil-officialsite.com
Regulation Impact
IT professionals are responsible for the company’s network – the infrastructure must be qualified (servers, routers, storage area, networks, etc.)
IT records are subject to regulatory inspection
11.1 Scope (e) “Computer systems (including hardware and software), controls, and attendant documentation maintained under this part shall be readily available for, and subject to, FDA inspection.”
IT personnel control, maintain, and support systems that must be compliant.
Documentation - have available for inspection
• Network qualification plan
• Descriptions, specifications
• Vendor qualification documents
• Qualification documentation: Installation, test protocols, summary report
• User access lists, signed and updated
• Security procedures, password policies
• Change Control procedures
• Change logs
• Monitoring Charts
• Audit Documentation
FDA Warning Letter Examples (1)
Complete diagrams and text descriptions identifying other network program interfaces with xxxx, and which specify the data being exchanged between the xxxx and other programs have not been maintained or updated from original design specifications
Local Area Network diagrams (LAN) with appropriate definition documentation identifying the locations on site that use xxxx have not been included in any xxxx validation documents.
FDA Warning Letter Examples (2)
Networked system testing was not conducted to ensure that each system as configured could handle high sample rates.
Validation of the networked system did not include critical system tests such as volume, stress, performance, boundary, and compatibility.
FDA Warning Letter Examples (3)
Lack of computer hardware and software change control procedure.
Written procedures to differentiate between revision or version changes are not employed.
No validation after hardware and software upgrades and configuration changes.
Validation
Documented evidence that the item under consideration does what it is supposed to do
Qualification
Identification of particular attributes of equipment, utilities, or processes related to the performance of a particular function, the allocation of certain limits or boundaries to those attributes, and the measurement of those attributes within the functions boundary ranges.
Original Validation - What needs to be qualified/validated?
[Figure: computerized system model. Box labels: Software (1), Hardware (2), Controlling System (Computer System) (3), Equipment (4), Operating Procedures and Documentation (5), Controlled Process (6), Total System (Computerized System) (7), Operational Environment (8)]
... and all the links between the boxes
[Figure: computerized system model. Box labels: Software (1), Hardware (2), Controlling System (Computer System) (3), Equipment (4), Operating Procedures and Documentation (5), Controlled Process (6), Total System (Computerized System) (7), Operational Environment (8)]
Upgrades, etc. - What Needs To Be Re-qualified/re-validated?
Releases/versions
Operating systems
Database
ERP Application
Desktop Applications
fixes
Bug fixes
Patches
Software Configuration
Enhancements/Reports
Interfaces
[Figure: computerized system model. Box labels: Software (1), Hardware (2), Controlling System (Computer System) (3), Equipment (4), Operating Procedures and Documentation (5), Controlled Process (6), Total System (Computerized System) (7), Operational Environment (8)]
What Needs To Be Re-validated?
Database & Apps. Servers
Workstations
Network
Peripherals
Network
An arrangement of nodes and interconnecting branches
A system (transmission channels and supporting hardware and software) that connects several remotely located computers via telecommunications
Network Qualification Cycle
[Figure: Network Qualification Cycle. Stage labels: Define Requirements & Standards; Introduction of New Technology; Design; Network Implementation; Install & Verify Equipment; Routine Operation; Manage Configuration & Change; Continuously Monitor Performance]
Define Requirements
• Capacity: Numbers of sites, users, data volumes
• Performance: Response Time, Transmission Latency
• Reliability: Up Time, Redundancy, Integrity
• Security: Physical & Logical Access Controls, Authentication
Define Standards
Equipment Rooms/Wiring Closets
Network Devices
Cabling
Design Considerations
Installation and Test Instructions
Operating Procedures
Document Network Design
Network Diagrams
Risk Assessments
Risk Factors
Loss of service Data loss
Operational errors Data Corruption
Inadequate security Data Security
Risk Mitigation
Design Redundancy
Physical & Logical Network Segregation
Physical Security
Technical Security Capabilities
Configuration & Change Management
Procedures governing network configuration and change management
Network equipment additions
Changes in configuration of individual network components
Continuous Monitoring
Monitoring Tools
Internal Reviews
Continual review of incident and problem reports
Identification of trends
Review of compliance with procedures
Quality Audits
Networks and the FDA
System Selection
Criticality (impact on product quality): ERP, stability, complaints, LIMS
Complexity
Compliance History
What they look at
Configuration (diagrams)/Change Control
Specifications
Security/Data Integrity
Testing and verification of transactions
Training
Standard Operating Procedures
Use of System
Maintenance
Administration
Types to Consider (1)
Physical Environment
Environmental monitoring
Safety (e.g. fire, emergency evacuation procedures)
UPS monitoring
Physical security
Human Resources
System Usage Training
Development and Support Personnel Qualifications
Types to Consider (2)
Application Usage
Business Disaster Recovery/Alternative Procedures
Normal System Usage Procedures
System backup
Control of Change for Data Modification (Audit Trail)
Management of End-User Documentation
Definition of Application Raw Data and Archiving Requirements
Service Level Agreements
Types to Consider (3)
Technical Support (Infrastructure)
Shift Turnover
Problem Escalation
System Incident monitoring or reporting
Hardware & Infrastructure Change Control
System Software /Utilities Change Control (platform and network)
Move to the Test (or validation) environment
Move to the Production Environment
Retrieval of Off-Site Media
Platform Security Administration
Preventative Maintenance and Repair
Emergency Repair
Remote/Modem Access and Administration
Management of Technical Manuals
Database Monitoring, Maintenance and Services
System Startup
System Shutdown (normal and emergency)
Types to Consider (4)
System Development
System Life Cycle Management
Project Initiation and Tracking
Usage of Technology Tools (design, coding, testing)
Design Standards
Programming Standards
Development Testing
Configuration Management (of requirements, design specifications, code)
Software Version Control
Software Archiving
Types to Consider (5)
Vendor/Supplier
Assessment procedures
Audit Procedures
Qualification procedures
Cloud Computing
Research carefully
Make sure to audit the vendor
SaaS (Software as a Service)
Use the vendor documentation to support your validation effort, if you can.
Consider the security involved if doing internally
Complexity and Adequate Firewalls
Consider the testing involved to ensure Data Integrity.
Absolute key – Where is your data and who owns and has the security over it?
VALIDATION
HOW MUCH IS ENOUGH?
“Vision” Problem
IFYOUWOULDJUSTTELLMEWHATTODOTHENIWOULDNOTHAVETOTHINKATALL
“Vision” Problem Correction
CVM Symptoms
Wanting a cookbook approach
Validating every project with the same intensity
CVM Results
Under-validates (quality loss)
Over-validates (resource waste)
Right Things need to be in Focus
Understand the principles
Then, the detailed application will become a matter of rational trial and error.
Exercise
Q U E S T I O N S
Thank You
Sharon Strause
Senior Consultant
QACV Consulting, LLC
215/510-2065