CONTENTS. 1 Introduction 1

Transcription

1 Prelims 25/7/06 1:49 pm Page iii CONTENTS List of Tables List of Figures Preface Infrastructure Lifecycle Approach Recommendation and Conceptualization Design Design Reviews Development and Integration Implementation Release for Use Operational Life Retirement Retaining Project and Qualification-Related Deliverables Chapter 2 Summary 3 Infrastructure Qualification Overview What is Infrastructure? What is Infrastructure Qualification? Why Qualify the Computer Infrastructure? to the Infrastructure Qualification Process All Together 4 FDA Enforcement FDA Computer Systems Enforcement Ganes Chemicals ( ) Eli Lilly & Company ( ) iii

2 Prelims 25/7/06 1:49 pm Page iv iv Infrastructure Qualification in the FDA Regulated Industry Pharmacia Corporation ( and Warning Letter 2001) Novartis Pharma GmbH ( ) Skele Tech ( ) Company Unknown ( ) Company Unknown (Warning Letter 2004) International Pharm & Biotech Labs (EIR June 2003) 5 Regulatory Requirements Potential Regulatory Consequences US FDA Regulatory Requirements EU Regulatory Guidance 6 21 CFR Part 11 LAN/WAN Server Hardware and Service Components System-level Software 7 Procedural Controls 8 Computer Infrastructure Security Physical Security Network Security Other Key Security Elements OSI Model Security Services Authentication Protection of Records and Audit Trails Protection of Records Audit Trails 9 Infrastructure Qualification Planning Qualification Project Plan Project Schedule 10 Qualification Testing Qualification Testing Lifecycle Test Plan Protocol Summary (Analysis) Report Commissioning Sample Qualification Testing/Commissioning Test Cases System-level Software Application Servers Service Components LAN/WAN

3 Prelims 25/7/06 1:49 pm Page v Contents v Miscellaneous Equipment Network Centers 11 Qualification Testing System-level Software Server and Controllers Operating Systems Qualification Testing Practices for Operating Systems Part 11 Areas of Interest Network Operating Systems Qualification Testing Practices for Operating Systems Qualification Testing Practices for Firmware Part 11 Areas of Interest Security, Diagnostic and Monitoring Tools Qualification Testing Practices for Standard Software Packages Part 11 Areas of Interest Desktop Images Scripts Qualification Testing Practices for Scripts Part 11 Areas of Interest File and Database Management Middleware Part 11 Areas of Interest 12 Qualification Testing Application Servers and Service Components Installation Qualification Operational Qualification 13 Qualification Testing LAN Devices Switch Router Qualification of Other LAN Devices Hub Gateways Repeaters Bridges Brouter 14 Qualification Testing WAN Devices External Router WAN Links Firewall VPN Switches Load Balancing Devices Intrusion Detection Devices 15 Qualification Testing WAN/LAN System

4 Prelims 25/7/06 1:49 pm Page vi vi Infrastructure Qualification in the FDA Regulated Industry 16 Qualification Testing the Storage Area Networks Qualification Strategy Part Qualification Wireless Services WLAN Devices Access Point VPN Server LAN Switch WLAN System Qualification 18 Qualification Testing Network Centers Qualification Testing Installation Qualification Operational Qualification 19 Qualification Testing Database Manager Database Server Single or Cluster Database Server Software Critical Database Server Issues Part 11 Considerations Qualification Testing 20 Change Management Type of Change Change Management Process Emergency Changes Part 11 and Infrastructure Related Change 21 Training 22 Remediation Project Infrastructure Evaluation Corrective Action Planning Interpretation Impact Assessment Training Suppliers Qualification Program Remediation Remediation Project Report 23 Maintaining the State of Qualification

5 Prelims 25/7/06 1:49 pm Page vii Contents vii Security Operational Management Operational Network Management Business Continuity Problem Reporting Control of Changes Periodic Review Retirement On-going Verification Program Appendix A Appendix B Appendix C Appendix D Appendix E Appendix F Appendix G Appendix H Appendix I Appendix J Glossary of Terms Abbreviations and/or Acronyms Infrastructure Basics Compliance Policy Guides Documentation: Brief Description OSI and TCP/IP Network Models References Qualification of Computer Networks Words Signifying the Requirements in Specification Case Study: A Network Upgrade Index

6 Prelims 25/7/06 1:49 pm Page viii

7 Prelims 25/7/06 1:49 pm Page ix LIST OF TABLES 5.1 cgmps Regulations Application to Computer Systems 5.2 Comparison GMPs, EU Annex 11 and Part Part 11 Security Related Requirements/Controls 12.1 Category of Servers 23.1 Period/Events Computer Systems Operational Life H1 NEED CAPTION ix

8 Prelims 25/7/06 1:49 pm Page x

9 Prelims 25/7/06 1:49 pm Page xi LIST OF FIGURES 2.1 Infrastructure Qualification Lifecycle 2.2 Conceptualization 2.3 Design Evaluation Cycle 2.4 Design 2.5 Design Reviews 2.6 Development and Integration 2.7 Implementation 2.8 Release for Use 2.9 Operational Life 3.1 A Computer System and the Operating Environment 3.2 Application/Infrastructure Development and Installation Correlation 8.1 Security Issues to Consider 8.2 Security Services Provided by OSI Layers 8.3 SSL 3.0 Protocol 9.1 Systems Development Distribution 11.1 OSI and the TCP/IP Reference Models 17.1 NEED CAPTION 22.1 Complete Part 11 Remediation Project FI The Seven Layers of OSI F2 Comparison between OSI and TCP/IP Models H1 System Block Diagram J1 Previous Hub and Spoke Technology J2 New Ring Technology J3 Project Plan Table of Contents J4 Sample Installation Checklist xi

10 Prelims 25/7/06 1:49 pm Page xii

11 Prelims 25/7/06 1:49 pm Page xiii PREFACE The need to validate computerised systems supporting the development, manufacture, and supply of medicinal products is well understood. The validation of applications has been the primary focus and quite rightly too with the impact these systems can have on the quality, safety and efficacy of drug products. Now however with modern IT solutions there is a growing dependency on robust and secure infrastructure [1,2]. Deficiencies in the IT infrastructure (eg virus protection, persoßnal identity authentication, password management, and electronic records management) will compromise the validate status of computerised systems. It is important therefore that IT infrastructure is developed and maintained to support the regulatory compliance of the applications they support. Desktop configuration, networks design and management, and the use of internet/intranet/extranets are just some of the topics that need to be addressed. It is important to appreciate that IT infrastructure has its own special character. It is more organic than computer applications in the sense that it grows and evolves to meet the changing needs of the multitude of applications being supported. It cannot be thought of as a discrete element like an individual computer application. This is often reflected by the organisation of the IT department responsible for IT infrastructure. A different approach and procedures is required. Regulatory authorities have made numerous citations for what they consider noncompliant IT infrastructure [2]. Regulatory expectations for IT infrastructure however are not explicitly defined although some regulatory guidance does exist [3]. ISPE/GAMP has been working on the topic of IT infrastructure for many years to clarify requirements and has developed some guidance material [4]. PDA has also developed some guidance material [5]. The definition of requirements to date however largely presents principles rather than a working manual for compliance. The management and controls for IT infrastructure must always be cognisant of the relative risk posed to patients. IT infrastructure will normally be considered as having an indirect impact on patient safety. Consequently IT infrastructure does not normally require the same validation approach adopted for computerised systems with a direct impact on patient xiii

12 Prelims 25/7/06 1:49 pm Page xiv xiv Infrastructure Qualification in the FDA Regulated Industry safety. This is not to undermine the key role infrastructure plays to assuring the reliable operation and record integrity required by applications. However care must be taken not to inadvertently over-engineer solutions on the basis of perceived regulatory compliance. What ever is done needs to be done on the basis of tangible benefits. This book presents some of the latest thinking on how to tackle what can often be quite daunting questions on how to assure IT infrastructure for regulatory compliance. Orlando Lopez gives clear direction on how to approach IT Infrastructure based on personal experience and industry discussions. The principles behind the guidance given in this book are consistent with the latest edition of the GAMP4 Guide [6]. Lopez takes these principles into practice with a working level of detail that will be welcomed by practitioners. Inexperienced and experienced practitioners alike will find valuable insights into how best to address IT Infrastructure. References [1] Wingate, G.A.S. (2000) Validating Corporate Computer Systems: Good IT Practice for Pharmaceutical Manufacturers, Interpharm Press. [2] Wingate, G.A.S. (2004) Computer Systems Validation: Quality Assurance, Risk Management and Regulatory Compliance for Pharmaceutical and Healthcare Companies Interpharm Press. [3] Pharmaceutical Inspection Co-operation Scheme (2005) Good Practices for Computerised Systems in Regulated GxP Environments, Pharmaceutical Inspection Convention, PI 011-1, Geneva. [4] GAMP Forum (2004) GAMP Good Practice Guide for IT Infrastructure Control and Compliance, published by International Society for Pharmaceutical Engineering ( [5] Crosson, J.E., Campbell, M.W., Noonan, T. (2000) Network Management in an FDA- Regulated Environment, PDA Journal of Pharmaceutical Science and Technology. [6] GAMP Forum (2001) GAMP Guide for Validation of Automated Systems (known as GAMP4), published by International Society for Pharmaceutical Engineering (