Computer systems compliance
1. Computer Systems Compliance
How compliant are your Computer System Validation (CSV) Practices?
Computer System Validation Overview
M. Luqman Ikram
Assistant Manager Validation
2. SESSION SCHEDULE
References
Regulatory Requirements
Best Practices
Quality Risk Management
Life Cycles
– Computer Systems
– Project Management
– Computer Validation
Simplification
Interactive Discussion
3. References
FDA, "General Principles of Software Validation Guidance," Office of Device Evaluation Center for Devices and Radiological Health, January 2002.
FDA, "Technical Reference on Software Development Activities," Reference Materials and Training Aids for Investigation, July 1987.
"GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems," Version 5.0, ISPE/GAMP Forum, February 2008.
4. References
G. Grigonis, E. Subak, and M. Wyrick, "Validation Key Practices for Computer Used in Regulated Operations," Pharmaceutical Technology, June 1997.
NIST, "Risk Management Guide for Information Technology Systems," Special Publication 800-30.
Pharmaceutical Engineering, Vol 21, No. 3, May/June 2001.
PIC/S Guidance, "Good Practices for Computerised Systems in Regulated 'GxP' Environments," PI 011-3, September 2007.
6. There are no laws to regulate Computer Systems Validation, but . . .
Guidelines and recommendations used by auditors
in order to understand the validation status of IT
systems
Particularly interesting are
– ICH - International Conference on Harmonization of
Technical Requirements for Registration of Pharmaceuticals
for Human Use
– PIC/S - Pharmaceutical Inspection Cooperation Scheme
– GAMP5 - Good Automated Manufacturing Practices
exporting products to US market
– FDA Guidelines
7. Audited Areas
Governance: QMS – Policy – Process – Procedure –
Operating Guideline
Computerized Systems Lifecycle
Document Management System
Datacenter
Backup & Recovery
Disaster Recovery
Security
ERES / 21 CFR 11 Compliance
8. Inspection Trends
[Timeline figure. Other labels in the figure: General GMP/GLP/GAMP; Computer Validation/Excel/Networks; Security/data integrity]
– 1990: Equipment hardware
– 1993-1995: Software/Computer System Validation
– 1999-2002: Part 11
– 2004-2006: New Part 11 approach; GMP Basics, OOS, CAPA
– 2008-2011: CSV (Devices); Data Integrity (Pharma)
9. Regulatory Requirements
CGMP Applicability To Hardware and Software, CPG 7132a.11
– Issued October 1984.
– In the absence of explicit regulations addressing
computer systems, the regulations provide the
implicit guidelines necessary to meet
the agency’s expectations.
• Hardware is regarded as equipment.
• Application Software will be regarded as
records.
– Utilized to determine and apply the appropriate
sections of the regulations that address
equipment and records.
10. Regulatory Requirements
I/O Checking, CPG 7132a.07.
– Issued September 1982.
– Complements the input/output (I/O) checks referenced in
21 CFR 211.68.
– Computer I/Os are to be tested for data accuracy as
part of the computer system validation/qualification and,
after the validation/qualification, as part of the computer
system’s on-going performance evaluation process.
– The verification of outputs also ensures that each
reproduced document uses as input(s) reliable and
accurate data.
11. Regulatory Requirements
Identification of "Persons" on Batch Production and
Control Records, CPG 7132a.08.
– Issued November 1982.
– "Double Check" issue.
- Can computers perform functions that the GMP regulations require
a person to perform? Yes, if the computer has been qualified and
the qualification documentation is available.
• 211.188(b)(11)
• 211.101(c)
• 211.103
• 211.182
12. Regulatory Requirements
Identification of “Persons” on Batch
Production and Control Records, CPG
7132a.08 (Cont’d).
– The required double check can be replaced by
an automated single check if it demonstrably
provides at least as much assurance of
correctness.
– Verification by a second individual may not be
necessary when automated equipment is used as
described under 21 CFR 211.68.
13. Regulatory Requirements
Source Code for Process Control Application Programs,
CPG 7132a.15.
– Issued April 1987.
– Source code may be part of the master production and control
records. Refer to CPG 7132a.11.
– Structural testing shall be performed to assure that process
specifications, conditions, sequencing, decision criteria, and
formulas have been properly incorporated.
– Detect and remove dead code.
14. Regulatory Requirements
Vendor Responsibility, CPG 7132a.12.
– Issued January 1985.
– The user is responsible for the suitability of computer
systems used in manufacture, processing or holding of a
medical device.
– The vendor may also be liable under the FD&A Act.
16. Regulatory Requirements
Current good manufacturing practices (cGMP)
applicable to computer systems are:
– Computer systems can be used to perform operations covered by
the drugs GMP regulation. These computer systems require a written
validation process.
– Computer systems documentation and validation documentation
shall be maintained.
– There must be procedural controls for managing changes to
infrastructure and application software, including documentation.
– Computer systems electronic records must be controlled including
records retention, backup, and security.
17. Regulatory Requirements
Current good manufacturing practices (cGMP) applicable to
computer systems are (Cont’d):
– Based on the complexity and reliability of computer systems there must
be procedural controls and technologies to ensure the accuracy and
security of computer systems' I/Os, electronic records, and data.
– Computer systems must have adequate controls to prevent
unauthorized access or changes to data, inadvertent erasures, or loss.
– There must be written procedural controls describing the maintenance
of the computer system, including an on-going performance evaluation
and periodic reviews.
19. Today’s Operating Environment
– In the regulatory context, computer systems are integrated into
the operating environment. The operating environment may include
the process or operation being controlled or monitored by the
computer system, the procedural controls, process-related
documentation, and the people.
20. System Life Cycle
SLC adapted to different system acquisition strategies and software
development models. It is focused on software engineering key
practices.
24. Best Practices Guidance
ISO/IEC 12207
– Information Technology—Software Life-Cycle Processes
– This standard describes the major component processes of a
complete software life cycle, their interfaces with one another, and the
high-level relations that govern their interactions. This standard covers
the life cycle of software from conceptualization of ideas through
retirement. ISO/IEC 12207 describes the following lifecycle processes:
• Primary Processes: Acquisition, Supply, Development,
Operation, and Maintenance.
• Supporting Processes: Documentation, Configuration
Management, Quality Assurance, Verification, Validation, Joint
Review, Audit, and Change Control.
• Organization Processes: Management, Infrastructure,
Improvement, and Training
25. Best Practices Guidance
ISO/IEC 12119
– Information Technology – Software Packages
Quality requirements and testing
– This standard is applicable to software packages.
Examples are text processors, spread-sheets, data
base programs, graphics packages, programs for
technical or scientific functions, and utility programs.
26. Best Practices Guidance
IEEE Std 15288-2008
– Systems and Software Engineering— System Life Cycle
Processes
– This standard establishes a common process framework for
describing the life cycle of man-made systems. It defines a set
of processes and associated terminology for the full life cycle,
including conception, development, production, utilization,
support and retirement. This standard also supports the
definition, control, assessment, and improvement of these
processes. These processes can be applied concurrently,
iteratively, and recursively to a system and its elements
throughout the life cycle of a system.
– Revision of ISO/IEC 15288-2004.
27. Best Practices Guidance
ISO/IEC 16085:2006
– Systems and Software Engineering – Life Cycle Processes – Risk Management
– It defines a process for the management of risk in the
life cycle. It can be added to the existing set of
system and software life cycle processes
defined by ISO/IEC 15288 and ISO/IEC 12207,
or it can be used independently.
29. What Is a Risk-Based Approach?
Many interpretations, many alternatives
How granular does the risk-based process need to be?
Is it a method to differentiate one system from another?
Differentiate one process from another?
Differentiate specific functions within one system?
30. Goals of a Risk-Based Approach
Establish a mechanism that will provide a
documented standard approach to justify the
prioritization and the risk strategies that will be
employed for each system
Categorize and prioritize the universe of systems
that are impacted by the regulatory requirements
within the organization, department, unit, etc.
Develop specific risk reduction/remediation
strategies based on a documented analysis of the
system and the process that is supported
32. Risk Management – A Dynamic Process
[Process diagram; "Risk Assessment" also appears as a label in the diagram]
– Risk Identification: Identify possible risk events
– Risk Analysis: Estimate the level of risk
– Risk Evaluation: Determine acceptability of the risk
– Risk Control: Implement protective measures
33. Risk Management Plan
Analysis techniques
Estimate likelihood of each risk
Estimate severity of each risk
Propose risk reduction and remediation techniques
Implement and assess effectiveness
Verification or validation activities that will demonstrate risk
reduction
34. Risk Management – Three-Level Approach
Process – What processes to remediate and control?
– Risks from critical processes
– e.g. clinical data management
System – What systems to remediate and control?
– Risk from entire system supporting a critical process
– e.g. Laboratory data management system
Function – What functions require controls?
– Risk from specific functions that a system performs
– pieces and parts of systems need to be treated differently
– e.g. clinical data entry
Higher risk/complexity = deeper drill-down
35. Processes Level
Examine your processes
Understand each process and how the results are used
Which ones are the most critical?
– To patient safety
– To product efficacy & quality
– To the business
– To approval of your product
36. Systems Level
Not all systems support critical pieces of the overall process
Must understand all the parts and pieces that make up the
process
What systems touch the critical processes and how do they do
it?
Is data created, deleted, changed?
What would happen if the data was incorrect?
37. Functions Level
Not all functions of a specific system are critical to the overall
operation of the system
What are the functions that are used by the systems that are
involved in the critical steps?
How are they used and what effect do they have on the records
that the system contains?
Which ones are critical to the system and therefore to the
process?
39. Risk Analysis
Objective examination of risks to determine
quantitative and qualitative attributes of each
risk and the overall risk
Determine intended use/intended purpose
Identify known or foreseeable hazards
Estimate risks for each hazard
40. Risk Management Report
• Description of analysis techniques used
• Estimated likelihood of each risk and how it was estimated
• Estimated severity of each risk and how it was categorized
• Risk reduction and remediation techniques implemented and assessment of effectiveness
• Verification and validation activities that demonstrated risk reduction controls