Discussion Paper on the Validation of Pharmacovigilance Software provided via SaaS

Transcription

1 Discussion Paper on the Validation of Pharmacovigilance Software provided via SaaS June 2012 K Edmonds Page 1 of 10

2 Page 2 of 10

3 Contents 1. Introduction Quality Statement ISO 9001: Software Validation for Hosted Pharmacovigilance Services (SaaS) Definition of Validation System-related Activities Post Vendor Selection What are the Other Matters? Standard Operating Procedures Implementation and Operational Use Next Steps Document History Page 3 of 10

4 1. Introduction Our goal is for you to be running a state-of-the-art pharmacovigilance system in support of your business as quickly as possible after taking the decision to implement such a system. Depending on your internal policies and procedures this may mean anything from a few days to one month. We also hope that resulting from the approach we have taken, companies which have been deterred from implementing such a system due to the size of the task involved, will be encouraged to proceed. In this paper, Assured summarises its validation experience and the steps taken to ensure the validation status of PV-Works and the PV247 system to the maximum extent that is possible for a vendor such that you can be confident of the system, its underlying architecture and theiso 9001:2008 Quality Management System that supports it. 2. Quality Statement ISO 9001:2008 Since its inception in 1996, Assured has worked to a quality system designed to meet the needs of the pharmaceutical industry and relevant regulatory agencies. This position was strengthened by a comprehensive review of the system prior to its submission for accreditation against ISO 9001:2008. This accreditation was attained in 2010 and the quality system has since been subject to annual, external inspection by a UKAS accredited company approved to audit to the ISO 9001:2008 (and other) standards. 2.1 Application Software Before release of all software versions and, in addition to at least two separate instances of comprehensive informal testing, Assured executes a formal Acceptance Test Plan against the specification or specification of change. After this is completed, the software is subjected to an additional Regression Test Plan. When Assured makes a software release available, these steps will have been completed. Assured issues an Acceptance Test Certificate to confirm development and testing of the release and, by implication, adherence to the quality system. 2.2 Server Environment Should any changes be made to the server environment, these are all completed via strict Change Control Procedures which form the key element of Assured s ISO-accredited Quality Management System. 2.3 ISO 9001:2008 Accreditation A certificate of compliance is issued annually, subject to Assured maintaining its high quality standards and passing the annual ISO audit. This authorises Assured to display the ISO 9001:2008 certification logo seen on page 1 to confirm that it has an accredited ISO 9001:2008 Quality Management System in place. Page 4 of 10

5 3. Software Validation for Hosted Pharmacovigilance Services (SaaS) One of the main concerns of a Market Authorisation Holder regarding the use of computer systems in support of its business operations is the extent to which those systems will stand up to rigorous inspection by a third party partner or a regulatory authority. Put simply this concern resolves itself to the question are the systems validated? Assured s senior management has been involved with the development of standards and best practices in this area since the early 1980 s. Their activities include: Contributing author to the FDA s Red Apple Guidance Contributing author to the ACDM s Computer Systems Validation Guide Design, development and delivery of BARQA s Regulatory Compliance & Computing Course Chairman BARQA Computing Committee Leading role in the organisation of two Regulatory Compliance & Computing International Conferences Development and delivery of a training program for OECD inspectors Training in Computer systems validation and operation in a regulatory environment for over 1,000 delegates via public courses / events Delivery of computer compliance related training for leading pharmaceutical manufacturers Performing vendor audits Underpinned by operational and management procedures written to comply with ISO 9001:2008, Assured believes that making its leading Pharmacovigilance systems PV-Works and PV-Works (vet) available via SaaS will reduce significantly the workload and timescale typically associated with the implementation of such systems. In support of its software and services, Assured makes the following documentation available for download via its web site Product Documentation Electronic Reporting with PV-Works Workflow in PV-Works Signal Detection and PV-Works: Making Sense of Safety Data PV-Express Express Pharmacovigilance Validation Documentation Server Installation Qualification Certificate Software Acceptance Test Certificates PV-Works Test Plans PV-Works, PV-Works (vet) and 21 CFR Part 11 Electronic Records and Electronic Signatures This discussion paper Additionally, the following Training Materials are provided: PV-Works Efficient Data Entry Page 5 of 10

6 PV-Works Powerful Query Tools PV-Works Regulatory Compliant Reporting Customers are encouraged to download this documentation and incorporate it into their own validation documentation set in support of their use of PV-Works. This will be of considerable benefit to small to medium sized MAHs where staff levels and expertise in this area may be scarce and the Essentials and Premium options will be of interest. Companies who adopt the more traditional implementation approach which can be selected via Assured s Enterprise solution can still benefit from the validation material available on the PV247 website ( With this approach, Assured can reduce significantly the amount of time its customers have to spend on computer system installation, configuration and validation. This is not to say that our customers have no responsibilities in this area far from it. But the customer s system-related activities can be much reduced and in many cases, eliminated. As such, we believe that Assured is in a strong position to justify its claim to provide a Pre-validated software and environment to accelerate implementation and that this software and environment will withstand scrutiny. 4. Definition of Validation The meaning of the word validation in software terms has evolved over time. Initially it was seen an alternative to the phrase Acceptance Testing, but as understanding has improved the definition has changed and, to quote from the FDA s 21 CFR Part 11 Electronic Records; Electronic Signatures Rule: 4. Subpart B - Electronic Records 4.1. Sec Controls for closed systems a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records Validation of systems (should be performed) to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. To develop this further: to ensure accuracy (and), reliability - Assured s staff has committed tens of thousands of hours to testing its products to confirm intended functionality and to eliminate errors. As such, we are confident that the software is robust and reliable. Although we do not Page 6 of 10

7 guarantee that our software is bug-free, we are proud of its proven, operational track record in this respect. consistent intended performance - Assured s software is warranted to meet its functional specification. As it is this specification against which it is tested, we are also confident that the software meets its intended performance criteria. As for consistency, if no software or infrastructure changes are made, then performance will be consistent. When necessary, all changes to the software and / or infrastructure are made under strict change control procedures and hence the risk to consistent intended performance is managed and controlled. discern invalid or altered records - Assured s software products are based on the industry standard database management system Oracle. As such, high levels of security and data integrity are to be delivered: Techniques are implemented to prevent access to the database from 3 rd party programs thus the risk of unauthorised database access to amend records is well within the accepted standards for such security PV-Works and PV-Works (vet) both feature a full regulatory audit trail which operates in line with regulatory expectation and in compliance with 21 CFR Part 11 Every database record is stamped with the name of the user who created and its date/time of creation. In addition to this definition, there is also the expectation that systems are properly installed and documented - including the controls exercised over their establishment and operational use in the business environment. Assured supports this with the provision of relevant documentation available via and by delivering services under its ISO 9001:2008 accredited Quality Management System. 5. Vendor Validation is it realistic? Historically, it has always been accepted that a vendor cannot provide pre-validated software. This statement was certainly true in the pre-saas era. Now, this assertion can be challenged. In the traditional licensed software style of implementation, the onus was on the vendor to supply high quality software and on the end-user to install, configure and test it within their computing environment. Once they had accomplished this significant step, and also established the production environment in a similar manner, end-users could then turn their attention to Other Matters (see section 5). Page 7 of 10

8 Now these responsibilities are shared with the vendor providing the computing environment and so also undertaking much of the validation task. This change of implementation methodology does not change the fundamental responsibility that a SaaS user has for the data and so it is important that each customer is satisfied with the level of validation undertaken by the vendor and extends it if considered appropriate. 6. System-related Activities Post Vendor Selection Once the task of selecting a suitable software vendor has been completed, the task of establishing the system and its environment begins in earnest. Typical steps are in a Validation Activity List: 1 Hardware Installation / Configuration 2 Software Installations / Configuration 3 Preparation / Execution of an Acceptance Test Plan 4 Preparation of the Test Documentation Results Set 5 Establishment / Documentation of the Production Environment 6 Establishment of Operational Procedures / Documentation 7 Implementation Process / Operational Use In Assured s PV247 SaaS model, the following steps: server build server configuration application software testing application software installation application software configuration and routine operational procedures (e.g. data backup, software upgrades etc.) are all done for you under the auspices of an ISO 9001:2008 accredited Quality Management System. Certificates of quality / compliance are provided for download confirming this see and follow the links to Validation. The creation and configuration of the customer-specific database schema, user accounts etc. (i.e. your technical environment) has been fully automated, documented and tested and will typically be completed within minutes of your initial request. Page 8 of 10

9 The result? Steps 1 5 of the Validation Activity List above are completed for you. With a suitable PC with browser / internet connection, you can concentrate on finalising the Other Matters that remain your responsibility. The IT elements are all taken care of for you. 7. What are the Other Matters? By accepting Assured s validation approach and documentation set, steps 1 5 of the Validation Activity List above are completed for you. You may decide to repeat some or all tests from Assured s Regression Test Plan (possibly modified where you think fit to meet any of your own specific requirements). You may wish to develop your own test plan. In this event, completion of this additional testing should be performed in line with your company-specific procedures. Assured s SaaS models allows for the establishment of a discrete test system / database should you opt for this service level, or you may test in a single database and delete your test cases on completion of your testing and prior to going live. The choice is yours. Note that the PV247 system allows 30 days of free use. We advise that you use this period to create your test cases to meet your additional validation needs. With an Essentials system you can delete these test cases before you start a production system; for a Premium system your test database is completely separate from your production system. You will also need to address the areas below. 8. Standard Operating Procedures (Section 4, step 6 above) There is an expectation that the use of a system such as PV-Works or PV-Works (vet) will be covered by Standard Operating Procedures (SOPs). These are entirely under your control and it is your responsibility to ensure that they exist and are suitable. It is also your responsibility to ensure that your staff is trained in both system use and your operational procedures. Assured has provided some training videos to help in this area and there is context-sensitive help available within the application. Evidence (documented) of such training will be expected to support the fact that adequately trained, competent staff are retained to perform the duties which result from the use of such Pharmacovigilance software. 9. Implementation and Operational Use (Section 4, step 7 above) The level and depth of the above documentation will depend to some extent on the implementation model you have chosen and your own company expectations and procedures. You may wish to discuss this with your Quality Assurance function. Page 9 of 10

10 10. Next Steps Thank you for your interest in Assured s PV-Works and PV-Works (vet) application software which are now available in a SaaS environment ( Thank you also for taking the time to download and read this white paper. By making this significant advance in the delivery of Pharmacovigilance software to industry, Assured believes that many more companies will feel able to implement such applications in order to meet the ever changing and increasing regulatory needs and thus take Pharmacovigilance in to new areas. We are continuing to develop our thoughts and deliverables in this area and if you wish to contribute to this by offering ideas, comments etc., please do get in touch. Our preferred method is , but all our contact details can be found on our PV-247 web site. 11. Document History Document Version Date Revision Details 1.0 June 2012 Initial issue for this version Page 10 of 10