GAMP 5 ARiskBased Risk-Based Approach to. Computerized Systems

Transcription

1 GAMP 5 ARiskBased Risk-Based Approach to Compliant GxP Computerized Systems Stephen Shields 8 October 2013 ASQ Orange Section Meeting Part 2

2 Disclaimer This presentation is made at the request of ASQ. The presenter is a full-time employee and stockholder of Allergan, Inc. The information provided and opinions expressed during this presentation The information provided and opinions expressed during this presentation are those of the presenter and are not the position of and may not be attributed to Allergan, Inc.

3 Agenda Operation Phase Hanover Service and Performance Monitoring Incident Management and CAPA Change Management Periodic Review Continuity Management Security and System Administration Record Management Retirement Phase Withdrawal Decommissioning Disposition

4 Operation Phase The approach and required activities should be selected and scaled according to the nature, risk, and complexity of the system in question. The regulated company should ensure that appropriate operational processes, procedures, and plans have been implemented, and are supported by appropriate training. Compliance and fitness for intended use must be maintained throughout the systems operational life. The integrity of the system and its data should be maintained at all times and verified as part of periodic review. Opportunities for process and system improvements should be sought based on periodic review and evaluation, operational and performance data, and root-cause analysis of failures (Incident Management and CAPA). Change management should provide a dependable mechanism for prompt implementation of technically sound improvements following the approach to specification, design, and verification.

5 Operation Phase Information Flows

6 Operation Phase - Processes Process Group Handover Process Handover Process Service Management and Performance Monitoring Incident Management and CAPA Change Management Audits and Review Establishing and Managing Support Services Performance Monitoring Incident Management CAPA Change Management Configuration Management Repair Activity Periodic Review Internal Quality Audits Continuity Management Backup and Restore Business Continuity Planning Disaster Recovery Planning Security and System Administration Records Management Training Security Management Systems Administration Retention Archive and Retrieval Training Management

7 Handover Handover is the process for transfer of responsibility of a computerized system from a project team or a service group to a new service group. Typical conditions for handover to business Fit for Intended Use Compliant Trained Users Operation Security & Roles Established SOPs Effective (operational & support) Unique Configuration Elements Established Issues Closed/Resolved Rollback Strategy

8 Handover Process

9 Service Management & Performance Monitoring Maintaining a system in a state of compliance is often dependent upon services provided by organizations outside the direct control of the system owner. A Service Level Agreement (SLA) establishes responsibilities between the IT Service Provider and the Customer. A Operating Level Agreement (OLA) defines the goods or Services to be provided to the IT Service Provider by another part of the same Organization and the responsibilities of both parties An Underpinning Contract (UC) defines targets and responsibilities of a Third Party to meet agreed dservice Level ltargets in an SLA. Where appropriate, performance of the system should be monitored to capture problems in a timely manner. It also may be possible to anticipate failure through the use of monitoring tools and techniques.

10 Support Services Process

11 Incident Management and CAPA Incident Management process should address: Categorize incidents Triage to the most appropriate resource or complimentary process Document Review Prioritization Progress towards resolution Escalation Closure CAPA process should address: Investigation, understanding and correcting discrepancies based on root-cause analysis Preventing recurrence of discrepancies Preventing occurrences of a possible/predicted discrepanciesi Effectiveness

12 Change Management Critical activity fundamental to maintaining the compliant status of systems and processes Software (including middleware), configuration, hardware, infrastructure, or use of the system Reviewed to assess impact and risk of implementing the change Suitably evaluated, authorized, documented, tested, and approved before implementation, and subsequently closed Scaled based on the nature, risk, and complexity of the change Continuous process and system improvements based on periodic review and evaluation, operational and performance data, and rootcause analysis of failures. Emergency changes performed change management process or repair SOPs

13 Periodic Review Verify system remain compliant with regulatory requirements, fit for intended use, and meet company policies and procedures. Interval appropriate to the impact and operation history of the system Pre-defined process Documented with corrective actions tracked to satisfactory completion

14 Continuity Management Backup and Restoration software, records, and data are made, maintained, and retained for a defined period within safe and secure areas Restore procedures should be established, tested, and the results of that testing documented Business Continuity Planning Plans established and exercised to ensure the timely and effective resumption of these critical business processes and systems Disaster Recovery Planning Details the precautions taken to minimize the effects of a disaster, allowing the organization to either maintain or quickly resume critical functions (focus on disaster prevention).

15 Security and System Administration Adequately protected against willful or accidental loss, damage, or unauthorized change Procedures for managing secure access, including adding and removing privileges for authorized users, malware management, password management, and physical security measures Role-based security Apply to all users, including administrators, super-users, users, and support staff (including supplier support staff) Procedures for administrative support for systems

16 Record Management Records must be maintained and accessible throughout their retention period Establish policies for retention of regulated records Retain data on-line or archive Establish procedures for archival and retrieval

17 Retirement Phase Systematic process of permanently removing a system from use Withdrawal, system decommissioning, system disposal, and migration of required data Withdraw the system from active operations, i.e., users are deactivated, interfaces disabled. No data should be added to the system from this point forward. Special access should be retained for data reporting, results analysis and support. Decommission the system Determine disposition of data, documentation, software, and hardware (permanently destroyed, re-tasked, archived, migrated).

18 Questions? Stephen Shields WWQA Director Computerized System Compliance and Quality Allergan, Inc