Computer System Validation Perform a Gap Analysis of your CSV Processes


1 Computer System Validation: Perform a Gap Analysis of your CSV Processes
Chris Wubbolt, QACV Consulting
Computer and Software Validation Conference April 27,

2 Objectives: Computer System Validation Programs
- Understand regulatory requirements which pertain to your CSV processes
- Evaluate policies and procedures which govern CSV
- Identify systems which must be included in your CSV program

3 Objectives: Establish Processes to Perform a Gap Analysis
- Create a gap analysis plan, including governance, prioritization, tracking and management reporting
- Develop a team to conduct the gap analysis
- Develop standard forms and checklists to perform the gap analysis

4 Objectives: Remediation Activities
- Establish a process to remediate any gaps identified through the gap analysis process
- Prioritize remediation activities
- Identify metrics and key performance indicators for monitoring and future continuous improvement activities

5 CSV Requirements Regulations General Principles of Software Validation Guidance Part 11 Scope and Application Policies E-Records; E-Signatures Security Training CSV Change Control Validation Plans Procedures Validation Records Risk Assessments System Access Backup / Restore Protocols

6 21 CFR Part 11
- Subpart A: General Provisions
- Subpart B: Electronic Records
  - Closed systems
  - Open systems
  - Signature manifestations
  - Signature/record linking
- Subpart C: Electronic Signatures
  - Electronic signature components and controls
  - Controls for identification codes/passwords

7 Electronic Signatures Validation Accurate and complete copies of records Records protection / retention Authorized system access Audit trails Operational System Checks Authority checks Device checks Personnel qualification Develop Maintain Use Policies and Procedures System Documentation Controls

8 Electronic Signatures
- E-Signature Certifications
- Electronic Signature Manifestations
  - Full name of signer
  - Date and time of signature
  - Meaning of signature
- Electronic Signature / Record Linking
- Electronic Signature Components and Controls
  - At least 2 distinct components (e.g., user ID and password)
  - Must be used only by owner
- Controls for Identification Codes and Passwords

9 Principle General Risk management Personnel Suppliers and Service Providers Project Phase Validation Annex 11 Operational Phase Data Accuracy Checks Data Storage Printouts Audit Trails Change Management Periodic Evaluation Security Incident Management Business Continuity

10 Annex 11 - Principle
- This annex applies to all forms of computerised systems used as part of GMP regulated activities.
- A computerised system is a set of software and hardware components which together fulfill certain functionalities.
- The application should be validated.
- IT infrastructure should be qualified.
- Where a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance.
- There should be no increase in the overall risk of the process.

11 Annex 11 - General
- Risk Management
  - Applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality.
  - Decisions on the extent of validation and data integrity controls should be based on a justified and documented.

12 Annex 11 - General
- Personnel
  - All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties.
- Suppliers and Service Providers
  - Formal Agreements required to include clear statements of responsibilities
  - IT departments should be considered analogous

13 Annex 11 - Validation
- Validation should cover relevant steps of the life cycle.
- Validation should be based on risk assessment.
- Change control
- Inventory of systems
- User requirements should describe required functions.
- User requirements should be traceable throughout the life cycle.
- System developed in accordance with quality system.
- The supplier should be assessed appropriately.
- Automated test tools and environments should have documented assessments for adequacy.
- Data migration when transfer between systems.

14 Annex 11 Operational Phase
- Data
  - Checks for correct and secure entry of data.
- Accuracy checks
  - For critical data, additional checks of data accuracy are required.
- Data storage
  - Secured by physical and logical means.
  - Stored data should be checked for accessibility, readability, and accuracy.
  - Access to data throughout the retention period.
  - Regular backups should be done.
  - Test of back-up data and ability to restore data should be checked during validation and monitored periodically.
- Printouts
  - It must be possible to obtain clear printed copies of electronic records.

15 Annex 11 Operational Phase
- Audit Trails
  - Based on risk assessment
  - Reason for change is required
  - Need to be available, convertible to a generally intelligible form, regularly reviewed.
- Change and Configuration Management
- Periodic Evaluation
- Security
  - Authorised personnel
  - Use of keys, pass cards, codes with passwords, biometrics, restricted access
  - Security authorisations should be recorded

16 Annex 11 Operational Phase
- Incident Management
- Electronic Signatures
  - Same impact as hand-written signatures
  - Linked to respective record
  - Include date and time they were applied
- Business Continuity
- Archiving

17 Elements of a Gap Analysis
1. Assess current CSV processes against applicable regulatory requirements
2. Complete the assessment against regulatory requirements
3. Remediate as necessary

18 Elements of a Gap Analysis Annex 11 Data Accuracy Checks Data Storage Printouts Audit Trails Change and Configuration Management Periodic Evaluation Security Incident Management Business Continuity Archiving Policies Policy A Policy B etc Procedures SOP 100 SOP 101 etc

19 Elements of a Gap Analysis
4. Assess current validated systems against CSV policies and procedures
5. Prioritize assessment based on system criticality
  - Patient Safety
  - Product Quality
  - Data Integrity
6. Assess any gaps based on risk assessment

20 Elements of a Gap Analysis
- Assess Gaps
- Determine Impact
  - Validation status of system
  - Record integrity
  - Security
  - Change control program
  - Personnel status

21 Elements of a Gap Analysis: Potential Issues
- System not being used as intended
- System documentation not current
- Periodic reviews not completed
- Training not current
- Inadequate testing
- Record integrity questions

22 Elements of a Gap Analysis
7. Prioritize remediation based on impact assessment
8. Incorporate remediation activities into CAPA program

23 Elements of a Gap Analysis: Remediation
- Revision of procedures
- Update system documentation
- Provide additional training
- Regression testing

24 Gap Analysis Plan
- Governance
  - Responsibilities
  - Assign project leader
  - Team Members
    - IT / Engineering
    - QA
    - Users, System Owners
- Incorporate Elements of Gap Analysis
- Prioritization Criteria
- Tracking Progress

25 Gap Analysis Plan
- Management Reporting
  - Frequency
  - Format, etc.
- Attachments
  - Assessment Checklists
  - Impact Assessments

26 Summary
- Understand regulatory requirements
- Elements of a gap analysis
- Assess impact
- Prioritize
- Remediation

27 Questions Chris Wubbolt QACV Consulting, LLC Telephone: