Date post: 05-Feb-2018
Page 1: Where Do You Start and End? -  · PDF fileValidation Process, GAMP 4 April 27, ... GAMP 5. Risk Management ... HVAC, Power, Fire Suppression, Card Readers

Where Do You Start and End?

April 27, 2016 Copyright by QACV Consulting, LLC 1

Sharon Strause

Senior Consultant

QACV Consulting, LLC

17th Annual Computer and Software Validation Conference

Hilton at Penn’s Landing

Philadelphia, PA

April 26-28, 2016


Sharon Strause

15 years - Pharmaceutical industry

• Documentation
• Computer System Validation
• Quality Assurance in Information Management

12 years - Consulting

• Life Science Industries
• Consumer Product Industries
• Software Development Companies


Where are you from?


Agenda

• Determining the Magnitude
• The 5 W’s
  • Who are the Stakeholders
  • What are the Elements & Risk Management
  • When should it be Completed
  • Where can I find Information
  • Why is NIQ necessary
• Data Bases & Operating Systems
• Qualification vs Validation
• Upgrades
• Network Management


Identifying Stakeholders

A person or organization (e.g. customer, sponsor, performing organization, or the public) that is actively involved in the project, or whose interest may be positively or negatively affected by the execution or completion of the project.

A stakeholder may also exert influence over the project and its deliverables. (PMBOK® Third Edition)


Key Stakeholders

Management

User Community

Project Team

Technical Team

Power Users

Support Team


Team Concept for Qualification/Validation

With computers and infrastructures becoming more specialized and complex, the skills needed for the project can rarely be provided by one individual.


Who Does Work in Qualification/Validation..

Team

With Assistance From....

Consultants

System Analysts

End Users

Operations

Quality Assurance

Technical Services

Vendors


FDA GXP’s

GMP (Drug) 21 CFR 210, 211

GMP (Medical Device) 21 CFR 820

GLP 21 CFR 58

GCP 21 CFR 50, 54, 56, 312, 314, 316, 601, 812, 814

Part 11 21 CFR 11


Guidance

• Guide to Inspection of Computerized Systems in Drug Processing: Blue Book 1983
• Computerized Systems Used in Clinical Trials: 4/99
• Guide To Inspections of Computerized System In The Food Processing Industry
• General Principles of Software Validation; Final Guidance for Industry and FDA Staff: Jan ‘02
• Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application: Feb ‘03


Additional Governing Agencies/Regulatory Acts

HIPAA

OSHA

EPA

DEA

DOD

MHRA (Formerly MCA)

Sarbanes-Oxley


Computer System Validation In A Global Environment

• Outside of the U.S., other guidelines exist for Good Manufacturing Practice, electronic records, and electronic signatures. These guidelines include:

• European Community Guideline to GMP for Medicinal Products, Annex 11, Computerised Systems

• Pharmaceutical Inspection Convention (PIC) GMP Guideline PI 011-3 Good Practices for Computerized Systems in Regulated “GXP” Environment.

• ICH, Q8, 9, 10


Elements of NIQ


Infrastructure

[Diagram. Labels: Areas Directly Controlled by the End User; Area NOT Directly Controlled by the End User; Software Application; Equipment; System Documentation and Procedures; Computer System; Network Infrastructure]


Know Everything at Any Time

[Network diagram with CORE, DISTRIBUTION and ACCESS layers. Labels include Bench 1 to 3, Review, Clients, WAN, SD Fiber, GB-Ethernet and 100BaseT; individual device identifiers omitted.]

Information on each component and how they interact, at any time

Ultimate Goal – Highest System Uptime

• Equipment Hardware
• Computer Hardware
• Network Components
• Operating Systems
• Application Software
• Specifications
• Qualification/Validation status
• Documentation

Courtesy of Ludwig Huber


Data Management Procedures

• Back-up scheduling, logging
• Deviation reporting
• Media labeling and storage on-site & off-site
• Restoration Process

Minimum Documentation

• Back-Up Logs
• Restoration Logs
• Risk Analysis Reports
• Event Logs


Business Continuity

Disaster Recovery

Continuance of service provision in event of catastrophe

Disaster Recovery Plan

Contingency

Continuance of service provision in event of less serious contingencies

Business Continuity Plan


Risk & NIQ


Definition - Risk

A measure of the probability and severity of undesired effects. Often taken as the simple product of probability and consequence. (IEEE)

Risk level - A quantitative estimate that describes the level of degree of risk. The value is additive based on quantitative values assigned for public health (severity), regulatory risk, and business risk.


Definition – Risk Assessment

A comprehensive evaluation of the risk and its associated impact. (DOD)

Risk Analysis - Investigation of available information to identify hazards and to estimate impacts and costs of risks


Definition – Risk Management

Systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating and controlling.

Risk management includes analysis, evaluation, mitigation and on-going monitoring and updates.


Tools for Evaluation

GAMP 5

Lifecycle approach

Phased to Project Management and Qualification/Validation Process

FMEA

Quality Tools

Six Sigma


Risk Assessment and Validation Process, GAMP 4

[Flowchart with two groups of activities; five points on the flow are marked "R".]

Project Implementation Activities

• Feasibility Stage
• User Requirements Specification
• Response to User Requirements Specification
• Supplier Assessment and Purchase
• Functional Spec and Design
• Test System
• Validated System
• Change Control

Validation Activities

• Is Validation Required? (Yes / No; Decision Documented)
• Determine Scope of Validation
• Document Justification of Validation Approach
• Update Validation Plan
• Develop Test Plans


Quality Risk Management Process (GAMP 5)

Step 1: Perform Initial Risk Assessment and Determine System Impact

Step 2: Identify Functions with Impact on Patient Safety, Product Quality, and Data Integrity

Step 3: Perform Functional Risk Assessments and Identify Controls

Step 4: Implement and Verify Appropriate Controls

Step 5: Review Risks and Monitor Controls


Risk Management

Risk Analysis

• Identify the system
• Identify hazards and possible harms

Risk Evaluation

• Estimate, justify and document risk level (probability/severity)

Risk Mitigation/Control

• Estimate costs of mitigation vs. non-mitigation
• Define and take actions for mitigation

On-going Evaluation

• Monitor for new harms
• Monitor risk levels
• Update plan and take actions

[Diagram label: Risk assessment]

Key criteria: product quality (public health), business continuity

ISO 14971-1:1998


Risk Assessment

Start with a Process Flow Chart

Determine potential risks of the process relative to intended use

List critical control points for each identified hazard

List critical limits for each of the critical control points

List procedures used to monitor each of the critical control points


Evolution of Computer Infrastructure

[Timeline figure spanning 1970’s, 1980’s, 1990’s, Today, Tomorrow. Labels, in order: Dedicated Environment; OS/390; One Client, One Server; Unix; Client/Server; Multi-Client, One Server; PC Client, UNIX Server; Multi-Client, Multi-Server; Web Client; Db. App. Server; Compute Abstraction; SAN; Grid]


Today

Validate applications & process

Qualify infrastructure

No longer possible to draw the box around all the infrastructure components


Examples of In-Scope Infrastructure

• Desktop Computers: PC, Workstation, Laptop
• Servers: OS/400, UNIX, Windows
• Network Services: ID Management, Network O/S, LDAP, E-Mail, Citrix, Time Server
• Network: Management Software, Media, Network Equipment, Telecomm Vendors, VPN’s
• Data Center: HVAC, Power, Fire Suppression, Card Readers


GAMP (Good Automated Manufacturing Practices)

Publication developed from a UK initiative to aggregate best industry practices helping healthcare communities to achieve validated and compliant automated systems meeting current GxP regulations

Generally accepted as a standard for achieving compliance

Accelerates implementation of application validation standards

www.ispe.org/gamp


ITIL (IT Infrastructure Library)

Set of publications

Service Management

Public domain framework

Best practice framework

Quality approach and standards

itSMF is the ITIL user group


ITIL and GAMP can be used together to achieve both compliance and efficiency in support of your network infrastructure


Web Sites for Information

• PDA: www.pda.org
• ISPE: www.ispe.org
• GAMP: www.ispe.org/gamp
• FDA: www.fda.gov
• IVT: www.ivtnetwork.com
• Agilent: www.chem.agilent.com
• Lab Compliance: www.labcompliance.com
• ITIL: www.itil-officialsite.com


Regulation Impact

IT professionals are responsible for the company’s network – the infrastructure must be qualified (servers, routers, storage area, networks, etc.)

IT records are subject to regulatory inspection

11.1 Scope (e) “Computer systems (including hardware and software), controls, and attendant documentation maintained under this part shall be readily available for, and subject to, FDA inspection.”

IT personnel control, maintain, and support systems that must be compliant.


Documentation - have available for inspection

• Network qualification plan
• Descriptions, specifications
• Vendor qualification documents
• Qualification documentation: Installation, test protocols, summary report
• User access lists, signed and updated
• Security procedures, password policies
• Change Control procedures
• Change logs
• Monitoring Charts
• Audit Documentation


FDA Warning Letter Examples (1)

Complete diagrams and text descriptions identifying other network program interfaces with xxxx, and which specify the data being exchanged between the xxxx and other programs have not been maintained or updated from original design specifications

Local Area Network diagrams (LAN) with appropriate definition documentation identifying the locations on site that use xxxx have not been included in any xxxx validation documents.


FDA Warning Letter Examples (2)

Networked system testing was not conducted to ensure that each system as configured could handle high sample rates.

Validation of the networked system did not include critical system tests such as volume, stress, performance, boundary, and compatibility.


FDA Warning Letter Examples (3)

Lack of computer hardware and software change control procedure.

Written procedures to differentiate between revision or version changes are not employed.

No validation after hardware and software upgrades and configuration changes.


Validation

Documented evidence that the item under consideration does what it is supposed to do


Qualification

Identification of particular attributes of equipment, utilities, or processes related to the performance of a particular function, the allocation of certain limits or boundaries to those attributes, and the measurement of those attributes within the functions boundary ranges.


Original Validation - What needs to be qualified/validated?

[Diagram of numbered boxes:]

1. Software
2. Hardware
3. Controlling System (Computer System)
4. Equipment
5. Operating Procedures and Documentation
6. Controlled Process
7. Total System (Computerized System)
8. Operational Environment

... and all the links between the boxes


Upgrades, etc. - What Needs To Be Re-qualified/re-validated?

Releases/versions

Operating systems

Database

ERP Application

Desktop Applications

fixes

Bug fixes

Patches

Software Configuration

Enhancements/Reports

Interfaces


What Needs To Be Re-validated?

Database & Apps. Servers

Workstations

Network

Peripherals


Network

An arrangement of nodes and interconnecting branches

A system (transmission channels and supporting hardware and software) that connects several remotely located computers via telecommunications


Network Qualification Cycle

[Cycle diagram. Labels, in order: Define Requirements & Standards; Introduction of New Technology; Design Network Implementation; Routine Operation; Manage Configuration & Change; Continuously Monitor Performance; Install & Verify Equipment]


Define Requirements

Capacity

Numbers of sites, users, data volumes

Performance

Response Time, Transmission Latency

Reliability

Up Time, Redundancy, Integrity

Security

Physical & Logical Access Controls

Authentication


Define Standards

Equipment Rooms/Wiring Closets

Network Devices

Cabling

Design Considerations

Installation and Test Instructions

Operating Procedures


Document Network Design

• Network Diagrams
• Risk Assessments
  • Risk Factors: Loss of service; Operational errors; Inadequate security; Data loss; Data Corruption; Data Security
• Risk Mitigation
  • Design Redundancy
  • Physical & Logical Network Segregation
  • Physical Security
  • Technical Security Capabilities


Configuration & Change Management

Procedures governing network configuration and change management

Network equipment additions

Changes in configuration of individual network components


Continuous Monitoring

Monitoring Tools

Internal Reviews

Continual review of incident and problem reports

Identification of trends

Review of compliance with procedures

Quality Audits


Networks and the FDA

System Selection

• Criticality (impact on product quality): ERP, stability, complaints, LIMS
• Complexity
• Compliance History

What they look at

• Configuration (diagrams)/Change Control
• Specifications
• Security/Data Integrity
• Testing and verification of transactions
• Training


Standard Operating Procedures

Use of System

Maintenance

Administration


Types to Consider (1)

Physical Environment

Environmental monitoring

Safety (e.g. fire, emergency evacuation procedures)

UPS monitoring

Physical security

Human Resources

System Usage Training

Development and Support Personnel Qualifications


Types to Consider (2)

Application Usage

Business Disaster Recovery/Alternative Procedures

Normal System Usage Procedures

System backup

Control of Change for Data Modification (Audit Trail)

Management of End-User Documentation

Definition of Application Raw Data and Archiving Requirements

Service Level Agreements


Types to Consider (3)

Technical Support (Infrastructure)

Shift Turnover

Problem Escalation

System Incident monitoring or reporting

Hardware & Infrastructure Change Control

System Software /Utilities Change Control (platform and network)

Move to the Test (or validation) environment

Move to the Production Environment

Retrieval of Off-Site Media

Platform Security Administration

Preventative Maintenance and Repair

Emergency Repair

Remote/Modem Access and Administration

Management of Technical Manuals

Database Monitoring, Maintenance and Services

System Startup

System Shutdown (normal and emergency)


Types to Consider (4)

System Development

System Life Cycle Management

Project Initiation and Tracking

Usage of Technology Tools (design, coding, testing)

Design Standards

Programming Standards

Development Testing

Configuration Management (of requirements, design specifications, code)

Software Version Control

Software Archiving


Types to Consider (5)

Vendor/Supplier

Assessment procedures

Audit Procedures

Qualification procedures


Agenda

• Determining the Magnitude
• The 5 W’s
  • Who are the Stakeholders
  • What are the Elements & Risk Management
  • When should it be Completed
  • Where can I find Information
  • Why is NIQ necessary
• Data Bases & Operating Systems
• Qualification vs Validation
• Upgrades
• Network Management
• Cloud Computing


Cloud Computing

Research carefully

Make sure to audit the vendor

SaaS (Software as a Service)

Use the vendor documentation to support your validation effort, if you can.

Consider the security involved if doing internally

Complexity and Adequate Firewalls

Consider the testing involved to ensure Data Integrity.

Absolute key – Where is your data and who owns and has the security over it?


VALIDATION

HOW MUCH IS ENOUGH?


“Vision” Problem

IFYOUWOULDJUSTTELLMEWHATTODOTHENIWOULDNOTHAVETOTHINKATALL


“Vision” Problem Correction

CVM Symptoms

Wanting a cookbook approach

Validating every project with the same intensity

CVM Results

Under-validates (quality loss)

Over-validates (resource waste)

Right Things need to be in Focus

Understand the principles

Then, the detailed application will become a matter of rational trial and error.


Exercise


Q U E S T I O N S


Thank You


Sharon Strause

Senior Consultant

QACV Consulting, LLC

[email protected]

215/510-2065

