Computer System Validation Perform a Gap Analysis of your CSV Processes Chris Wubbolt, QACV Consulting Computer and Software Validation Conference April 27, 2017 www.qacvconsulting.com 1
Objectives Computer System Validation Programs Understand regulatory requirements which pertain to your CSV processes Evaluate policies and procedures which govern CSV Identify systems which must be included in your CSV program. www.qacvconsulting.com 2
Objectives Establish Processes to Perform a Gap Analysis Create a gap analysis plan, including governance, prioritization, tracking and management reporting Develop a team to conduct the gap analysis Develop standard forms and checklists to perform the gap analysis www.qacvconsulting.com 3
Objectives Remediation Activities Establish a process to remediate any gaps identified through the gap analysis process Prioritize remediation activities Identify metrics and key performance indicators for monitoring and future continuous improvement activities www.qacvconsulting.com 4
CSV Requirements Regulations General Principles of Software Validation Guidance Part 11 Scope and Application Policies E-Records; E-Signatures Security Training CSV Change Control Validation Plans Procedures Validation Records Risk Assessments System Access Backup / Restore Protocols www.qacvconsulting.com 5
21 CFR Part 11 Subpart A: General Provisions Subpart B: Electronic Records Closed systems Open systems Signature manifestations Signature/record linking Subpart C: Electronic Signatures Electronic signature components and controls Controls for identification codes/passwords www.qacvconsulting.com 6
Electronic Signatures Validation Accurate and complete copies of records Records protection / retention Authorized system access Audit trails Operational System Checks Authority checks Device checks Personnel qualification Develop Maintain Use Policies and Procedures System Documentation Controls www.qacvconsulting.com 7
Electronic Signatures E-Signature Certifications Electronic Signature Manifestations Full name of signer Date and time of signature Meaning of signature Electronic Signature / Record Linking Electronic Signature Components and Controls At least 2 distinct components (e.g., user ID and password) Must be used only by owner Controls for Identification Codes and Passwords www.qacvconsulting.com 8
Principle General Risk management Personnel Suppliers and Service Providers Project Phase Validation Annex 11 Operational Phase Data Accuracy Checks Data Storage Printouts Audit Trails Change Management Periodic Evaluation Security Incident Management Business Continuity www.qacvconsulting.com 9
Principle Annex 11 This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A computerised system is a set of software and hardware components which together fulfill certain functionalities. The application should be validated. IT infrastructure should be qualified. Where a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process www.qacvconsulting.com 10
Risk Management Annex 11 - General Applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. Decisions on the extent of validation and data integrity controls should be based on a justified and documented. www.qacvconsulting.com 11
Personnel Annex 11 - General All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties. Suppliers and Service Providers Formal Agreements required to include clear statements of responsibilities IT departments should be considered analogous www.qacvconsulting.com 12
Annex 11 - Validation Validation should cover relevant steps of the life cycle. Validation should be based on risk assessment. Change control Inventory of systems User requirements should describe required functions. User requirements should be traceable throughout the life cycle. System developed in accordance with quality system. The supplier should be assessed appropriately. Automated test tools and environments should have documented assessments for adequacy. Data migration when transfer between systems. www.qacvconsulting.com 13
Annex 11 Operational Phase Data - checks for correct and secure entry of data. Accuracy checks For critical data, additional checks of data accuracy are required. Data storage secured by physical and logical means. Stored data should be checked for accessibility, readability, and accuracy. Access to data throughout the retention period. Regular backups should be done. Test of back-up data and ability to restore data should be checked during validation and monitored periodically. Printouts It must be possible to obtain clear printed copies of electronic records. www.qacvconsulting.com 14
Annex 11 Operational Phase Audit Trails Based on risk assessment Reason for change is required Need to be available, convertible to a generally intelligible form, regularly reviewed. Change and Configuration Management Periodic Evaluation Security Authorised personnel Use of keys, pass cards, codes with passwords, biometrics, restricted access Security authorisations should be recorded www.qacvconsulting.com 15
Annex 11 Operational Phase Incident Management Electronic Signatures Same impact as hand-written signatures Linked to respective record Include date and time they were applied Business Continuity Archiving www.qacvconsulting.com 16
Elements of a Gap Analysis 1. Assess current CSV processes against applicable regulatory requirements 2. Complete the assessment against regulatory requirements 3. Remediate as necessary www.qacvconsulting.com 17
Elements of a Gap Analysis Annex 11 Data Accuracy Checks Data Storage Printouts Audit Trails Change and Configuration Management Periodic Evaluation Security Incident Management Business Continuity Archiving Policies Policy A Policy B etc Procedures SOP 100 SOP 101 etc www.qacvconsulting.com 18
Elements of a Gap Analysis 4. Assess current validated systems against CSV policies and procedures 5. Prioritize assessment based on system criticality Patient Safety Product Quality Data Integrity 6. Assess any gaps based on risk assessment www.qacvconsulting.com 19
Elements of a Gap Analysis Assess Gaps Determine Impact Validation status of system Record integrity Security Change control program Personnel status www.qacvconsulting.com 20
Elements of a Gap Analysis Potential Issues System not being used as intended System documentation not current Periodic reviews not completed Training not current Inadequate testing Record integrity questions www.qacvconsulting.com 21
Elements of a Gap Analysis 7. Prioritize remediation based on impact assessment 8. Incorporate remediation activities into CAPA program www.qacvconsulting.com 22
Elements of a Gap Analysis Remediation Revision of procedures Update system documentation Provide additional training Regression testing www.qacvconsulting.com 23
Gap Analysis Plan Governance Responsibilities Assign project leader Team Members IT / Engineering QA Users, System Owners Incorporate Elements of Gap Analysis Prioritization Criteria Tracking Progress www.qacvconsulting.com 24
Gap Analysis Plan Management Reporting Frequency Format, etc. Attachments Assessment Checklists Impact Assessments www.qacvconsulting.com 25
Summary Understand regulatory requirements Elements of a gap analysis Assess impact Prioritize Remediation www.qacvconsulting.com 26
Questions Chris Wubbolt QACV Consulting, LLC Telephone: 610-442-2250 E-mail: chris.wubbolt@qacvconsulting.com www.qacvconsulting.com 27