Computer System Configuration Management and Change Control

Similar documents
Computer System Configuration Management and Change Control

Release & Deployment Management

Validating Enterprise Systems: A Practical Guide

Service Support Kasse Initiatives, LLC. ITIL Configuration Management - 1. version 2.0

Release and Deployment Management Software

What is a life cycle model?

CONTENTS. List of Tables List of Figures

General Platform Criterion Assessment Question

This interpretation of the revised Annex

SACM and CMDB Strategy and Roadmap. David Lowe ActionableITSM.com March 20, 2012

ITIL Version 3.0 (V.3) Service Transition Guidelines By Braun Tacon

GENERAL PLATFORM CRITERIA. General Platform Criterion Assessment Question

Network Configuration Management

GAMP 4 to GAMP 5 Summary

Internal Audit Report ITS CHANGE MANAGEMENT PROCESS. Report No. SC-11-11

GAMP5 - a lifecycle management framework for customized bioprocess solutions

Configuration Management System:

Risk-Based Validation of Computer Systems Used In FDA-Regulated Activities

IT Service Continuity Management PinkVERIFY

Implementing Change Management in a Regulated Environment

TechExcel. ITIL Process Guide. Sample Project for Incident Management, Change Management, and Problem Management. Certified

Service Asset & Configuration Management PinkVERIFY

Closed Loop Incident Process

INTRODUCTION. This book offers a systematic, ten-step approach, from the decision to validate to

How To Improve Your Business

Cloud Computing in a GxP Environment: The Promise, the Reality and the Path to Clarity

TrackWise - Quality Management System

Computerized System Audits In A GCP Pharmaceutical Laboratory Environment

Testing Automated Manufacturing Processes

Considerations When Validating Your Analyst Software Per GAMP 5

Using the ISPE s GAMP Methodology to Validate Environmental Monitoring System Software

CM00 Change Management High Level

State of Oregon. State of Oregon 1

Achieving ITSM Excellence Through Availability Management

IT Governance. What is it and how to audit it. 21 April 2009

SOFTWARE CONFIGURATION MANAGEMENT GUIDEBOOK

HP Service Manager. Process Designer Content Pack Processes and Best Practices Guide

ITIL A guide to service asset and configuration management

Service Transition. ITIL is a registered trade mark of AXELOS Limited.. The Swirl logo is a trade mark of AXELOS Limited.. 1

Welcome Computer System Validation Training Delivered to FDA. ISPE Boston Area Chapter February 20, 2014

Adoption by GCP Inspectors Working Group for consultation 14 June End of consultation (deadline for comments) 15 February 2012

SOLUTION WHITE PAPER. Align Change and Incident Management with Business Priorities

White Paper. Change Management: A CA IT Service Management Process Map

Configuration Management. Process Guide

INTRODUCTION. Specifically we looked at:

Training Management with TrackWise

3:15 Networking and Refreshment Break. 3:45 Cloud Computing Manage Risk in a

LOW RISK APPROACH TO ACHIEVE PART 11 COMPLIANCE WITH SOLABS QM AND MS SHAREPOINT

Applying ITIL v3 Best Practices

The FDA recently announced a significant

Avaya Patch Program Frequently Asked Questions (For All Audiences)

SaaS Adoption Lifecycle in Life-Sciences Companies

Change Management Living with Change

November 12, I.T. Change Management Why Bother?

An ITIL Perspective for Storage Resource Management

Microsoft s Compliance Framework for Online Services

Real world experiences for CMDB Success

Configuration control ensures that any changes to CIs are authorized and implemented in a controlled manner.

Implementation of ANSI/AAMI/IEC Medical Device Software Lifecycle Processes.

Risk based monitoring using integrated clinical development platform

ITSM Maturity Model. 1- Ad Hoc 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimizing No standardized incident management process exists

1 Why should monitoring and measuring be used when trying to improve services?

HP Service Manager. Software Version: 9.34 For the supported Windows and UNIX operating systems. Processes and Best Practices Guide

Operational Risk. The new FSA requirements. Contents. February 2004

CMDB Essential to Service Management Strategy. All rights reserved 2007

Service Automation to implement and operate your Cloud initiatives

How To Create A Help Desk For A System Center System Manager

How to Survive an FDA Computer Validation Audit

STS Federal Government Consulting Practice IV&V Offering

Overview of EAM Services. A Fully Integrated Global EAM Service Provider

Business Benefits. Infrastructure Management. Adrian Parry Technical Consultant.

Masterminding Data Governance

Enabling ITIL Best Practices Through Oracle Enterprise Manager, Session # Ana Mccollum Enterprise Management, Product Management

Clinical database/ecrf validation: effective processes and procedures

SIEM Implementation Approach Discussion. April 2012

The CMDB at the Center of the Universe

Page 1 of 8. Any change, which meets the following criteria, will be managed using IM/IT Change Management Process.

Implementing Title 21 CFR Part 11 (Electronic Records ; Electronic Signatures) in Manufacturing Presented by: Steve Malyszko, P.E.

CA Service Desk Manager

Qualification Guideline

Page 1 of 7 Effective Date: 12/18/03 Software Supplier Process Requirements

Cover Page. Title Configuration Management Database. Category Enterprise IT Management Initiatives

Designing a Windows Server 2008 Applications Infrastructure

Altiris Client Management Suite

Extend the value of your service desk and integrate ITIL processes with IBM Tivoli Change and Configuration Management Database.

Managing and Maintaining Windows Server 2008 Servers

The ITIL Foundation Examination

IT Service Management with System Center Service Manager

HP Change Configuration and Release Management (CCRM) Solution

ITIL Change, Configuration & Release Management Agency Impacts and Challenges

Peregrine. AssetCenter. Product Documentation. Asset Tracking solution. Part No. DAC-441-EN38

QUALITY CONTROL AND QUALITY ASSURANCE IN CLINICAL RESEARCH

Change Management Process. June 1, 2011 Version 2.7

Using SharePoint 2013 for Managing Regulated Content in the Life Sciences. Presented by Paul Fenton President and CEO, Montrium

Sharon Strause 9/10/ years with the

MANDATORY CRITERIA. 1. Does the tool facilitate the creation, modification, fulfillment and closure of Service Request records?

SYLOGENT DEDICATED HOSTING

ITIL: Service Operation

5 CMDB GOOD PRACTICES

IT Service Management with System Center Service Manager

Transcription:

Computer System Configuration Management and Change Control What Your IT Department Is Really Doing Justin J. Fisher, Pfizer IT Quality and Compliance Manager

Agenda 1. Background 2. Audience Demographics 3. Scope 4. Introduction 5. Overview 6. Computer System Configuration Management 7. Computer System Change Control 8. The Valuable Interaction between Change Control and Configuration Management 9. Interactive Exercise 10.Summary

Background Education B.A. Education, Flagler College, St. Augustine, FL Experience Financial/Mortgage Industry IT Service Manager/ IT Change Manager Pharmaceutical Industry Internal and Independent Quality and Compliance Roles Computer Systems Validation and Infrastructure Qualification Quality systems Change Control, Incident Mgmt, CAPA/Investigations and Commitments Document and Records Management, etc. Lifecycle (Validation, Qualification, Project/Operational)

Getting To Know You Audience Poll Are you in IT? Delegated Quality or Compliance unit? Current Role in Change and Configuration Mgmt in your organization? Are you in Quality? Computerized Systems Quality?

Scope In Scope: Guidance for process expectations based on risk, scale, and complexity Out of Scope: Definitive application of processes at the technology level Risk of different architecture is varied, and we will not affix a risk categorization or specific process expectation to technologies (ie. Enterprise computer system used at multiple sites versus a desktop solution) Theoretical definitions of Validation and Qualification Multiple resources available on understanding evolving industry expectations Terms will be used as they apply to historical use and experience

Introduction Configuration Management Change Control Computer System Configuration Management Appropriate configuration Mgmt processes should be established such that a computerized system and all its constituent components can be identified and defined at any point. 1 Computer System Change Control Change management procedures should be established. The point at which change management is introduced should be defined. Appropriate change processes should be applied to both project and operational phases. 1 1 ISPE. (2008). GAMP 5 A Risk-Based Approach to Compliant GxP Computerized Systems.

Clear hand-off from one phase to another Overview Increased rigor and formality Project Operations Configuration Management Configuration Management Change Control Change Control

Computer System Configuration Management a computerized system and all its constituent components can be identified and defined at any point. 1

Computer System Configuration Management Configuration Identification Configuration Control Configuration Status Accounting Configuration Evaluation

Identify Configuration Identification (What to keep under control) Configuration Item: Component of the system which does not change as a result of the normal operation of the system. 1 Deliverables that support the computer system User Requirements Functional Requirements Technical Architecture Configuration Specifications, etc. Computer System components Application modules and code Infrastructure Hardware Mid-tier solutions

Define Use a risk-based approach to determine the scale and complexity of a computer system configuration management process Finding the right granularity Scale, complexity, and risk Elements are controlled through Change Control Tell the story of the system through time Aids in Investigations

Key Elements of an Effective Configuration Management Solution Accessible Allows for more appropriate Impact Analysis and decision making Updateable Sufficient controls in place to prevent unauthorized modifications Accountability Change controls should adequately plan for configuration mgmt updates and follow through

Computer System Change Control Change management procedures should be established. The point at which change management is introduced should be defined. Appropriate change processes should be applied to both project and operational phases. 1 URS 1.0 FS 1.1 FS 1.2 FS 1.3

Computer System Change Control Describe the proposed change Document and Justify the change Evaluate Risks and Impact of the Change Accept or Reject the Request Develop and Verify the change Approve and Implement the Change Close the Change

Risk Based Change Control Increase rigor and formality as we move up the chart Applying the same rigor and formality to a server change as we would new functional code to support new business processes is not risk-based decision making Impact continuum Impact cannot be viewed solely as outage, but the further down the pyramid, the greater likelihood of a failure causing outage rather than functional failure Consistent processes must be scalable for risk The same SOPs and Change Control processes can be used for all categories, however the rigor and formality that is prescribed by the process should be scaled accordingly. Increase formality and rigor of change control Category 5: Custom applications Category 4: Configured products Category 3: Non- Configured products Category 1: Infrastructure Software

Flexibility Different types of technological components of a computer system require nuanced management For many application changes, the change moves through a pre-production workflow for appropriate development and verification prior to moving into the production environment. For many changes to infrastructure, there is no concept of moving a change through prerequisite environments, but if using one Change Control process, it must allow for both types of movements of change. Shared infrastructure Infrastructure that is not allocated for one computer system and has an inherent design that does not relate back to a business process Data Centers and Computer Rooms Shared Databases Physical and virtual Server Farms Storage arrays A Change control process that is overly focused on application change control will be impossible to implement for shared infrastructure concepts

Priority Automate as much of the regulatory and internal requirements into the process as possible to keep the business running Expectations to understand regulatory impact and requirements is scaled based on the category of technology supported A server technician doesn t need to know the GMP regulatory requirements for the business processes supported by a Customized application hosted on their server, but they need to know how GMP regulations apply to how they are expected to exhibit control over a component of a regulated computer system Communicate process design to the business to level-set expectations

Impact Analysis Category 5: Custom applications Category 4: Configured products Category 3: Non-Configured products Category 1: Infrastructure Software Less likelihood of functional impact Change control process should provides sufficient guidance for evaluating the impact of a proposed change Reasonable estimate of the positive and/or negative impact to: Computer system configuration items Business processes Functions Availability Other scheduled activities (scheduled backups, disaster recovery activities, other planned changes) Reasonable and Scalable

Proceduralizing Change Control Much of what happens in IT is repeatable in nature, therefore duplicate changes may be implemented repeatedly Not a part of the normal use of the computer system or component Not used for novel or one-off changes Build the elements of the repeatable change into procedures Reduces documentation during change control execution Built in planning in accordance with known impact Greater likelihood of repeatable changes Category 5: Custom applications Category 4: Configured products Category 3: Non- Configured products Category 1: Infrastructure Software

The Valuable Interaction between Change Control and Configuration Management Configuration Management Change Control

Benefits of Strong Process Design Accurate, dependable, and defendable decision making Improved integration into other Quality Systems processes Audit and Inspection efficiencies Reporting capabilities Metrics and greater visibility for process improvements Improved communication with business partners

Approval and Notification Clearly defined Configuration Items Notification to stakeholders Approval from relevant and required groups

Activity Impact Analysis and Mitigation

ISSUE Common Issues encountered in Computer System Configuration Management and Change Control Processes and Solution IMPACT Discuss possible negative impacts RESOLUTION Discuss possible resolutions

Scenario 1 ISSUE The configuration documented within the CMDB is out of date IMPACT Decisions may be made based on inaccurate information May lead to rework and project delays RESOLUTION Increase accountability and verification Periodic auditing of system/solution

Scenario 2 ISSUE Configuration is not detailed enough IMPACT Inability to perform thorough impact analysis of a proposed change or a reported event Critical changes to configuration may not be appropriately controlled RESOLUTION Clearly define the configuration expectations within your Configuration Management plan or SOPs

Scenario 3 ISSUE Configuration is too detailed IMPACT Unable to determine true impact of a proposed change or a reported event Difficult to maintain RESOLUTION Consider the risk of a configuration item to the overall system and the intended use of the system when determining the granularity that is appropriate for the CI Do not include configurations that change as a part of the normal use of the system

Scenario 4 ISSUE Configuration Management solution is too cumbersome and difficult to update IMPACT Easy to overlook/avoid CM expectations because it slows down the ability for IT to get the job done. RESOLUTION Develop CM solutions to ensure that the system is user friendly, intuitive, and makes sense to an IT professional. Consider the use of Industry Standard tools and processes.

Scenario 5 ISSUE The Change Control system is a glorified Word document IMPACT Very little automation in alignment with process requirements Greater variability in how the records are documented SME is required to be able to achieve sufficient documentation RESOLUTION Implement a common solution that meets process requirements (TrackWise, HP OpenView ServiceCenter) Configure a solution in alignment with the process

Scenario 6 ISSUE The Change Control process is not appropriately linked to configuration management processes Inability to meet requirements IMPACT Lack of understanding of how to use the processes Two separate processes are triggered independently and inconsistently Create technical and procedural linkages between the two systems RESOLUTION Automate changes to CIs within the CC system Increase periodic configuration evaluation

Scenario 7 ISSUE Change Controls are scheduled without regard to other scheduled activities IMPACT Greater potential for failure Significant potential for impact to other scheduled events RESOLUTION Embed Change Control coordination into process Ensure Impact Analysis includes review of scheduled activities

Scenario 8 ISSUE The Change Control process design is very focused on Application Change Control Open to significant interpretation by the other teams IMPACT May drive multiple processes; creating wrapper documents and sub-procedures to meet the requirements of the SOP by different technologies RESOLUTION Integrate perspective of all IT teams and technologies into process development

Summary Computerized System Configuration Management and Change Control are interrelated processes fundamental to the defendable control of a system through its lifecycle Strong process design, inclusive of the needs of different technologies, requiring appropriate analyses and mitigation strategies, leads to reduction of potential negative impact

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information