Computerised Systems. Seeing the Wood from the Trees

Similar documents
Clinical database/ecrf validation: effective processes and procedures

MHRA GMP Data Integrity Definitions and Guidance for Industry January 2015

MHRA GMP Data Integrity Definitions and Guidance for Industry March 2015

Testing Automated Manufacturing Processes

EMA Clinical Laboratory Guidance - Key points and Clarifications PAUL STEWART

Document Number: SOP/RAD/SEHSCT/007 Page 1 of 17 Version 2.0

OECD DRAFT ADVISORY DOCUMENT 16 1 THE APPLICATION OF GLP PRINCIPLES TO COMPUTERISED SYSTEMS FOREWARD

This interpretation of the revised Annex

OMCL Network of the Council of Europe QUALITY ASSURANCE DOCUMENT

Adoption by GCP Inspectors Working Group for consultation 14 June End of consultation (deadline for comments) 15 February 2012

INTRODUCTION. This book offers a systematic, ten-step approach, from the decision to validate to

EUROPEAN COMMISSION HEALTH AND CONSUMERS DIRECTORATE-GENERAL. EudraLex The Rules Governing Medicinal Products in the European Union

Implementing Title 21 CFR Part 11 (Electronic Records ; Electronic Signatures) in Manufacturing Presented by: Steve Malyszko, P.E.

From paper to electronic data

Assuring E Data Integrity and Part 11 Compliance for Empower How to Configure an Empower Enterprise

Managing & Validating Research Data

Designing a CDS Landscape that Ensures You Address the Latest Challenges of the Regulatory Bodies with Ease and Confidence

Computerized System Audits In A GCP Pharmaceutical Laboratory Environment

Considerations for validating SDS Software v2.x Enterprise Edition for the 7900HT Fast Real-Time PCR System per the GAMP 5 guide

Reflection paper on the Use of Interactive Response Technologies (Interactive Voice/Web Response Systems) in Clinical Trials

Review and Approve Results in Empower Data, Meta Data and Audit Trails

GCP INSPECTORS WORKING GROUP <DRAFT> REFLECTION PAPER ON EXPECTATIONS FOR ELECTRONIC SOURCE DOCUMENTS USED IN CLINICAL TRIALS

GOOD LABORATORY PRACTICE (GLP) GUIDELINES FOR THE VALIDATION OF COMPUTERISED SYSTEMS. Working Group on Information Technology (AGIT)

Manual 074 Electronic Records and Electronic Signatures 1. Purpose

OMCL Network of the Council of Europe QUALITY ASSURANCE DOCUMENT

21 CFR Part 11 Electronic Records & Signatures

Installation and Operational Qualification Protocol (Reference: SOP )

Considerations When Validating Your Analyst Software Per GAMP 5

OPERATIONAL STANDARD

DATA MANAGEMENT IN CLINICAL TRIALS: GUIDELINES FOR RESEARCHERS

GLP vs GMP vs GCP Dominique Pifat, Ph.D., MBA The Biologics Consulting Group

Computer System Validation for Clinical Trials:

Good Clinical Laboratory Practice (GCLP) An international quality system for laboratories which undertake the analysis of samples from clinical trials

Full Compliance Contents

LabChip GX/GXII with LabChip GxP Software

SDLC Methodologies and Validation

Access Control and Audit Trail Software

SOLAARsecurity. Administrator Software Manual Issue 2

The FDA recently announced a significant

Organisation de Coopération et de Développement Économiques Organisation for Economic Co-operation and Development

Nova Southeastern University Standard Operating Procedure for GCP. Title: Electronic Source Documents for Clinical Research Study Version # 1

GOOD LABORATORY PRACTICE (GLP) Working Group on Information Technology (AGIT)

AuthentiMax Software for GloMax -Multi+

Reflection paper for laboratories that perform the analysis or evaluation of clinical trial samples

DeltaV Capabilities for Electronic Records Management

GOOD PRACTICES FOR COMPUTERISED SYSTEMS IN REGULATED GXP ENVIRONMENTS

Computer System Validation - It s More Than Just Testing

International GMP Requirements for Quality Control Laboratories and Recomendations for Implementation

Compliance Response SIMATIC SIMATIC PCS 7 V8.1. Electronic Records / Electronic Signatures (ERES) Edition 03/2015. Answers for industry.

OECD SERIES ON PRINCIPLES OF GOOD LABORATORY PRACTICE AND COMPLIANCE MONITORING NUMBER 10 GLP CONSENSUS DOCUMENT

ISCT Cell Therapy Liaison Meeting AABB Headquarters in Bethesda, MD. Regulatory Considerations for the Use of Software for Manufacturing HCT/P

A Pragmatic Approach to the Testing of Excel Spreadsheets

DeltaV Capabilities for Electronic Records Management

Agilent MicroLab Software with Spectroscopy Configuration Manager and Spectroscopy Database Administrator (SCM/SDA)

Data Governance Planning PDA 12 May 2015

GCP Inspection of Ti Trial Master Files

Clinical Data Management (Process and practical guide) Nguyen Thi My Huong, MD. PhD WHO/RHR/SIS

REGULATIONS COMPLIANCE ASSESSMENT

How To Monitor A Municipality

3.11 System Administration

Declaration of Conformity 21 CFR Part 11 SIMATIC WinCC flexible 2007

Back to index of articles. Qualification of Computer Networks and Infrastructure

Standard Operating Procedure on Training Requirements for staff participating in CTIMPs Sponsored by UCL

Computer validation Guide. Final draft

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

Guidance for Industry Computerized Systems Used in Clinical Investigations

Electronic records and electronic signatures in the regulated environment of the pharmaceutical and medical device industries

Using the ISPE s GAMP Methodology to Validate Environmental Monitoring System Software

How to implement a Quality Management System

The use of computer systems

Guidance to Research Ethics Committees on Initial Facility Assessment

CONTENTS. List of Tables List of Figures

Monitoring manufacturing, production and storage environments in the pharmaceutical industry

Technology Update. Validating Computer Systems, Part System plan URS SLA

Welcome Computer System Validation Training Delivered to FDA. ISPE Boston Area Chapter February 20, 2014

Data Management and Good Clinical Practice Patrick Murphy, Research Informatics, Family Health International

Reflection paper on expectations for electronic source data and data transcribed to electronic data collection tools in clinical trials

Validating Enterprise Systems: A Practical Guide

Electronic Raw Data and the Use of Electronic Laboratory Notebooks

epblue GxP oftware manual Software version

Data Management Unit Research Institute for Health Sciences, Chiang Mai University

SPREADSHEET VALIDATION 101: CREATE AND VALIDATE FDA-COMPLIANT MS EXCEL SPREADSHEETS

Pharma IT journall. Regular Features

A Guide to Pharmacy Documentation For Clinical Trials

GCP - Records Managers Association

Tools to Aid in 21 CFR Part 11 Compliance with EZChrom Elite Chromatography Data System. White Paper. By Frank Tontala

Calibration & Preventative Maintenance. Sally Wolfgang Manager, Quality Operations Merck & Co., Inc.

LOW RISK APPROACH TO ACHIEVE PART 11 COMPLIANCE WITH SOLABS QM AND MS SHAREPOINT

Training Course Computerized System Validation in the Pharmaceutical Industry Istanbul, January Change Control

QUESTIONS FOR YOUR SOFTWARE VENDOR: TO ASK BEFORE YOUR AUDIT

Validation Consultant

Information Security Policies. Version 6.1

Resources Based, Manufacturing and Consumer Goods Industries Chemicals Industry

GAMP 5 and the Supplier Leveraging supplier advantage out of compliance

What is the correct title of this publication? What is the current status of understanding and implementation?

GUIDELINES ON VALIDATION APPENDIX 5 VALIDATION OF COMPUTERIZED SYSTEMS

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

21 CFR Part 11 Compliance Using STATISTICA

System Build 2 Test Plan

Best practices for computerised systems in regulated GxP environments.

Transcription:

Computerised Systems Seeing the Wood from the Trees

Scope WHAT IS A COMPUTERISED SYSTEM? WHY DO WE NEED VALIDATED SYSTEMS? WHAT NEEDS VALIDATING? HOW DO WE PERFORM CSV? WHO DOES WHAT? IT S VALIDATED - WHAT NEXT? IN SUMMARY REFERENCES ACKNOWLEDGEMENTS

What is a computerised system? A COMPUTERISED SYSTEM INCLUDES: SOFTWARE OPERATING PROCEDURES & PEOPLE HARDWARE Firmware EQUIPMENT COMPUTER SYSTEM (Controlling System) CONTROLLED FUNCTION OR PROCESS COMPUTERISED SYSTEM OPERATING ENVIRONMENT (Including other networked or standalone computerised systems, media, equipment & procedures)

Why do we need validated systems? TO DEMONSTRATE THAT THE SYSTEM AND ITS USE ARE FIT FOR PURPOSE Oxford English Dictionary definition of Fit for Purpose : (of an institution, facility, etc.) well equipped or well suited for its designated role or purpose. ALL COMPUTERISED SYSTEMS USED FOR THE CAPTURE, PROCESSING, MANIPULATION, REPORTING AND STORAGE OF DATA SHOULD BE DEVELOPED, VALIDATED AND MAINTAINED IN WAYS WHICH ENSURE THE VALIDITY, INTEGRITY AND SECURITY OF THE DATA Guidance document GCP for Laboratories, Issue 1, 2009

Why do we need validated systems? (2) - Further Regulatory Guidance ALL COMPUTER SYSTEMS USED IN CLINICAL TRIALS, IN PARTICULAR THOSE THAT IMPACT ON THE QUALITY OF THE TRIAL DATA (AND SUBJECT SAFETY), SHOULD BE VALIDATED GCP Guide, MHRA, 2012 (Grey Guide) WHEN USING ELECTRONIC TRIAL DATA HANDLING AND/OR REMOTE ELECTRONIC TRIAL DATA SYSTEMS, THE SPONSOR SHOULD: ENSURE AND DOCUMENT THAT THE ELECTRONIC DATA PROCESSING SYSTEM(S) CONFORMS TO THE SPONSORS ESTABLISHED REQUIREMENTS FOR COMPLETENESS, ACCURACY, RELIABILITY, AND CONSISTENT INTENDED PERFORMANCE (i.e. VALIDATION) ICH E6 (R1) Guideline for Good Clinical Practice

Why do we need validated systems? (2) - UK Regulations STATUTORY INSTRUMENT 2004/1031 (AS AMENDED) Regulation 31A (4) The essential documents relating to a clinical trial are those which (a) enable both the conduct of the clinical trial and the quality of the data produced to be evaluated; and (b) show whether the trial is, or has been, conducted in accordance with the applicable requirements of Directive 2001/83/EC, the Directive, the GCP Directive and Commission Directive 2003/94/EC Schedule 1, Part 2 (9) All clinical information shall be recorded, handled and stored in a way that it can be accurately reported, interpreted and verified, while the confidentiality of records of the trial subjects remain protected.

What needs validating? WHEN IS COMPUTERISED SYSTEM VALIDATION (CSV) REQUIRED? Identify what the system is to be used for. Does or will it directly control, record for use, or monitor laboratory testing or clinical data? Is it or will it be the official, auditable, archive or record of a regulated activity? Does or will it create, update or store data prior to transferring to an existing validated system? If the answer to any of these is YES then validation will be needed. Is it a non configurable product which will or has been subject to testing as part of documented equipment or method qualification processes? If the answer to this is YES then further validation will NOT always be needed* *as long as the qualification processes fully cover the intended use of the computer system

What needs validating? (2) SCOPE AND EXTENT OF VALIDATION Should be linked to the level of regulatory risk, the category of software to be used and the level of functionality that will be used. To do this each has to be defined separately. LEVELS OF REGULATORY RISK Level of Regulatory Risk High Impact Medium Impact Low Impact Type of record utilised (examples of) Data submitted to a regulatory agency Clinical trial data from patients or supporting networks Supporting non-clinical laboratory studies Calibration and validation records Supporting data not directly submitted to a regulatory agency Planning and scheduling of regulated work Monitoring records

What needs validating? (3) CATEGORIES OF SOFTWARE TO BE USED Software Categories Description Types of software (examples of) Custom Applications (GAMP 5) Configured Products (GAMP 4) Non-Configured Products (GAMP 3) Infrastructure Software (GAMP 1) Software custom designed and coded to suit the business process. Software that can be configured by the user to meet the user s specific process needs. Software code is not altered. Run time parameters may be entered and stored but the software cannot be configured to meet the business process. Layered software (upon which applications are built) or software used to manage the operating environment. Spreadsheets (with Macros). Laboratory Information Management Systems (LIMS), Manufacturing Resource Planning (MRPII), Chromatographic Data Systems (CDS), Electronic Document Management Systems (EDMS), Spreadsheets (developed). Firmware based applications Commercial Off The Shelf (COTS) software Laboratory Instruments Operating Systems, database managers, programming languages, middleware, statistical programming tools, spreadsheet packages*, network monitoring software, batch job scheduling tools, security software, antivirus software and configuration management tools. *but not applications developed using these packages.

What needs validating? (3) THE EXTENT OF VALIDATION TO BE CARRIED OUT Using the level of risk and software category: Level of Regulatory Risk Low Medium High Software Category GAMP 5 Full Validation Full Validation Full Validation GAMP 4 Reduced Validation Full Validation Full Validation GAMP 3 Reduced Validation Reduced Validation Reduced Validation GAMP 1 No Validation No Validation No Validation Full Validation requires consideration of the full system validation life cycle (due to the higher levels of risk identified) Reduced Validation requires a more simplified system validation life cycle based on risk and software complexity. No Validation requires no computer system validation at all due to the minimal nature of risk or impact the system is considered to pose to patients or quality.

How do we perform CSV? WHERE TO START? Planning: Parallels with analytical method validation Analytical Method Validation Establish outline strategy Establish method requirements Identify, develop and finalise method Validation plan of testing Execute validation testing Validation report Routine Use: Controls & Monitoring e.g. on-going QC monitoring, trending, etc. Computerised System Validation Validation Master Plan Establish system requirements (URS) Identify, develop and finalise system functionality (FS/DS) Validation plan or individual qualification test protocols (IQ, OQ, PQ, UAT) Execute qualification or user acceptance testing Validation (summary) report Routine Use: System Controls and Monitoring e.g. on-going PQ testing, Change Control, Fault resolution mechanisms, etc.

How do we perform CSV? (2) WHERE TO START? (CONTINUED) Planning: The Validation Master Plan Its purpose is to define, describe and document the overall strategy and responsibilities for the CSV activities to be performed. This should include (but not be limited to): Purpose and Scope (What is being validated) Objectives (What is to be achieved) Roles & Responsibilities (Who is involved and what do they do) Methodology to be used (e.g. URS, IQ, OQ, UAT, PQ, etc.) System Risk Assessment (What vulnerabilities there are) System Life Cycle (Including Operation and Maintenance) Approvals and Authorisation (e.g. Who reviews/accepts for use)

How do we perform CSV? (3) WHERE TO START? (CONTINUED) Planning: The User Requirements Specification (URS) Must define clearly and precisely what the end user wants the computerised system to do. Including ensuring the validity, integrity and security of the data. All end users of the computerised system must be consulted to capture requirements. Each requirement should be SMART. Specific, Measurable, Achievable, Realistic and Testable. Each requirement should also be unambiguous, clear, precise and self contained. Each requirement should be numbered to enable traceability to test documentation.

How do we perform CSV? (4) AN EXAMPLE OF USER REQUIREMENTS URS # Description 3.0 Compliance Requirements 3.1 21 CFR Part 11 Requirements Security 3.1.1 The system must expire the current password 90 days after password creation/modification, and not allow the user to control or change this period of time. 3.1.2 The system must not allow the user to log on with the old password if the password has expired. 3.1.3 If the user enters the wrong password, the system must prompt a message Invalid user ID/Password or equivalent. 3.1.4 If the user enters the wrong password 3 times, the system must not allow the user to log on. 3.1.5 The system must not allow the password and the user name to be the same. 3.1.6 The system must require passwords to be a minimum of 7 characters in length.

How do we perform CSV? (5) SCOPE AND EXTENT OF VALIDATION (AGAIN) Each of the user requirements should be individually risk assessed (to identify the level of functionality to be tested). The rationale and methodology of the risk assessment must be clearly defined and documented. Two examples from a document management system: URS # Description Mandatory or Desirable? GCP Critical or Non Critical? 3.1.1 The system must expire the current password 90 days after password creation or Mandatory Critical modification, and not allow the user to control or change this period of time. 4.5.1 The SOPs folder is to contain a list of effective GCP SOPs. Desirable Non Critical

How do we perform CSV? (6) WHERE TO DOCUMENT TESTING? Test Script Protocols and Proforma should be developed. Each test should be traceable to the identified requirement(s). Ultimately you define where testing is documented (in the validation plan). For more complex systems It may be more appropriate to provide protocols and completed test scripts/reports for each part of the qualification performed (IQ, OQ, etc.) Additionally this can apply to each functional area tested (e.g. Project management or sample management modules within a LIMS). For less complex systems It may be possible to create a single test script protocol/proforma

How do we perform CSV? (7) AN EXAMPLE OF A TEST SCRIPT PROFORMA Log-in Security URS # Test steps required Results/Comments 3.1.5 Access the change password menu in the My Account tab (sidebar), via the GCP Portal, and change the current password to be the same as the User ID. If this is successful, the user is to log-out of the portal and then log back in using the same User ID/Password combination. (User role: Any except System Administrator) 3.1.3 (a) Log into the GCP Portal using an incorrect password. (User role: Any except System Administrator) (delete where applicable) Could the password be changed to match the User ID? Yes/No If Yes, could the user log-out of the portal and then log back in again using the same User ID/Password combination? Yes/No Access to the Portal denied? Warning message displayed? Yes/No Yes/No If Yes, then describe message below or take screenshot: Result (delete where applicable) Pass/Fail Pass/Fail User (Initials) Witness (Initials) Date

How do we perform CSV? (8) EXECUTE TESTING The easiest part of the process. As usual, all recording should be contemporaneous. Should deviations from the protocol or test scripts occur these must be documented and the impact on the validation status considered and justified. Should test failures occur these must be investigated, documented and the impact on the validation status considered and justified. Is the system fit for purpose? Is reconfiguration and retesting required?

How do we perform CSV? (9) REPORTING Each requirement identified for testing must be reported. Deviations from the test protocols or scripts must be recorded and justified. All test failures should be investigated and corrective actions implemented where necessary. Limitations should be described in the final (summary) report. There should be a statement of fitness for purpose in the final (summary) report.

How do we perform CSV? (10) EXAMPLE FINAL REPORT TABLE Including a test that had originally failed. URS # Test steps required Acceptance Criteria Result Comments 3.1.4 Log into the GCP Portal using an incorrect password on 3 consecutive occasions and then log into the GCP Portal using a correct password. (User role: Any except System Administrator) 3.1.5 Access the change password menu in the My Account tab (sidebar), via the GCP Portal, and change the current password to be the same as the User ID. If this is successful, the user is to logout of the portal and then log back in using the same User ID/Password combination. (User role: Any except System Administrator) Access to the GCP Portal /GCLP Drive must be denied on all 4 occasions. The password cannot be changed to match the User ID. Alternatively, the same User ID/Password combination cannot be used to access the portal. Pass Pass* None * Initially the test was found to Fail (See Appendix A for details). The GCP Portal had not been configured to prevent the password from matching the User ID or using the same User ID/Password combination to access the portal. The software was reconfigured to correct this issue. The test was then repeated and passed the original acceptance criteria.

Who does what? ROLES & RESPONSIBILITIES Management (a.k.a. the Process Owner) Ultimately responsible for compliance and operation. Provides adequate resources to support development and operation. System Administrator (a.k.a. the System Owner) Responsible for availability, support, maintenance, security and compliant operation. Subject Matter Experts Responsible for providing scientific input (Technical, Process or Product understanding).

Who does what? (2) ROLES & RESPONSIBILITIES (CONTINUED) End Users Responsible for using the system, reporting issues and identifying improvement opportunities. May also be involved with providing input to the URS and CSV testing. IT Department QA Responsible for providing a controlled (stable) platform or network for the computerised system to operate from. Responsible for System (Network) Security & Maintenance, Disaster Recovery and Back-up processes. Responsible for providing an independent role focusing on the quality critical aspects of the system.

It s Validated - What next? During implementation or operation the following will be required: Supporting Documentation and Infrastructure (Support processes/ SOPs/ Forms/ Maintenance/ Change Control/ etc.). Training (for the roles required). Process for migration from any superceded system. Retirement and archiving of the superceded system, data and documentation.

In Summary DON T FORGET A computerised system is a tool. Planning computerised system validation is key. Especially the User Requirement Specification (Identifying what we want). Document Everything. Including decision making, risk assessments, test failures and deviations. It is a team effort. Many individuals have responsibilities within the process. Maintaining the validation status of a system is an on-going process.

References GOOD CLINICAL PRACTICE GUIDE, MHRA, 2012 MHRA GOOD CLINICAL PRACTICE: GUIDANCE ON THE MAINTENANCE OF REGULATORY COMPLIANCE IN LABORATORIES THAT PERFORM THE ANALYSIS OR EVALUATION OF CLINICAL TRIAL SAMPLES, ISSUE 1, JULY 2009 INS-GCP-3 ANNEX III - TO PROCEDURE FOR CONDUCTING GCP INSPECTIONS REQUESTED BY THE EMEA: COMPUTER SYSTEMS ICH E6 (R1) GUIDELINE GUIDELINE FOR GOOD CLINICAL PRACTICE ICH Q9 GUIDELINE QUALITY RISK MANAGEMENT 21 CFR PART 11 ELECTRONIC RECORDS; ELECTRONIC SIGNATURES GOOD AUTOMATED MANUFACTURING PRACTICE (GAMP) 5 A RISK BASED APPROACH TO COMPLIANT GXP COMPUTERISED SYSTEMS

Acknowledgements THANKS TO: Jeff Cummings CEP QA Team Paul Stewart Bill Greenhalf Rebecca Gallagher Richard Sugar Hannah Brown

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information