Computer System Validation Perform a Gap Analysis of your CSV Processes Computer and Software Validation Conference April 29, 2015 5/1/2015 www.QACVConsulting.com 1 Chris Wubbolt, QACV Consulting
Computer System ValidationPerform a Gap Analysis of your CSV Processes
Computer and Software Validation
ConferenceApril 29, 2015
5/1/2015 www.QACVConsulting.com 1
Chris Wubbolt, QACV Consulting
Objectives
5/1/2015 www.QACVConsulting.com 2
Computer System Validation Programs
Understand regulatory requirements which
pertain to your CSV processes
Evaluate policies and procedures which
govern CSV
Identify systems which must be included in
your CSV program.
Objectives
5/1/2015 www.QACVConsulting.com 3
Establish Processes to Perform a Gap Analysis
Create a gap analysis plan, including governance, prioritization, tracking and management reporting
Develop a team to conduct the gap analysis
Develop standard forms and checklists to perform the gap analysis
Objectives
5/1/2015 www.QACVConsulting.com 4
Remediation Activities
Establish a process to remediate any gaps
identified through the gap analysis process
Prioritize remediation activities
Identify metrics and key performance
indicators for monitoring and future
continuous improvement activities
CSV Requirements
5/1/2015 www.QACVConsulting.com 5
Regulations
Guidance
Policies
Procedures
Validation Records
Part 11 Scope and ApplicationGeneral Principles of
Software Validation
E-Records; E-Signatures Security Training
CSV
Change Control
System Access
Backup / Restore
Validation Plans Protocols
Risk Assessments
21 CFR Part 11
• Subpart A: General Provisions
• Subpart B: Electronic Records– Closed systems
– Open systems
– Signature manifestations
– Signature/record linking
• Subpart C: Electronic Signatures– Electronic signature components
and controls
– Controls for identification codes/passwords
5/1/2015 www.QACVConsulting.com 6
Electronic Signatures
Validation
Accurate and complete copies
of records
Records protection / retention
Authorized system access
Audit trails
Operational System Checks
Authority checks
Device checks
Personnel qualification
Develop
Maintain
Use
Policies and Procedures
System Documentation
Controls
5/1/2015 www.QACVConsulting.com 7
Electronic Signatures
E-Signature Certifications
Electronic Signature
Manifestations
– Full name of signer
– Date and time of signature
– Meaning of signature
Electronic Signature / Record
Linking
Electronic Signature
Components and Controls
– At least 2 distinct components
(e.g., user ID and password)
– Must be used only by owner
Controls for Identification Codes
and Passwords
5/1/2015 www.QACVConsulting.com 8
Annex 11
Principle
General
Risk management
Personnel
Suppliers and Service
Providers
Project Phase
Validation
Operational Phase
Data
Accuracy Checks
Data Storage
Printouts
Audit Trails
Change Management
Periodic Evaluation
Security
Incident Management
Business Continuity 5/1/2015 www.QACVConsulting.com 9
Annex 11
Principle This annex applies to all forms of computerised systems
used as part of a GMP regulated activities.
A computerised system is a set of software and hardware
components which together fulfill certain functionalities.
The application should be validated.
IT infrastructure should be qualified.
Where a computerised system replaces a manual operation,
there should be no resultant decrease in product quality,
process control or quality assurance.
There should be no increase in the overall risk of the process
5/1/2015 www.QACVConsulting.com 10
Annex 11 - General
Risk Management Applied throughout the lifecycle of the computerised
system taking into account patient safety, data integrity
and product quality.
Decisions on the extent of validation and data integrity
controls should be based on a justified and
documented.
5/1/2015 www.QACVConsulting.com 11
Annex 11 - General
Personnel All personnel should have appropriate qualifications,
level of access and defined responsibilities to carry out
their assigned duties.
Suppliers and Service Providers
Formal Agreements required to include clear statements
of responsibilities
IT departments should be considered analogous
5/1/2015 www.QACVConsulting.com 12
Annex 11 - Validation Validation should cover relevant steps of the life cycle.
Validation should be based on risk assessment.
Change control
Inventory of systems
User requirements should describe required functions.
User requirements should be traceable throughout the
life cycle.
System developed in accordance with quality system.
The supplier should be assessed appropriately.
Automated test tools and environments should have
documented assessments for adequacy.
Data migration when transfer between systems.
5/1/2015 www.QACVConsulting.com 13
Annex 11 – Operational Phase Data - checks for correct and secure entry of data.
Accuracy checks – For critical data, additional checks of
data accuracy are required.
Data storage
secured by physical and logical means.
Stored data should be checked for accessibility, readability, and
accuracy.
Access to data throughout the retention period.
Regular backups should be done.
Test of back-up data and ability to restore data should be
checked during validation and monitored periodically.
Printouts – It must be possible to obtain clear printed
copies of electronic records.5/1/2015 www.QACVConsulting.com 14
Annex 11 – Operational Phase Audit Trails
Based on risk assessment
Reason for change is required
Need to be available, convertible to a generally intelligible form, regularly reviewed.
Change and Configuration Management
Periodic Evaluation
Security
Authorisedpersonnel
Use of keys, pass cards, codes with passwords, biometrics, restricted access
Security authorisations should be recorded
5/1/2015 www.QACVConsulting.com 15
Annex 11 – Operational Phase Incident Management
Electronic Signatures
Same impact as hand-written signatures
Linked to respective record
Include date and time they were applied
Business Continuity
Archiving
5/1/2015 www.QACVConsulting.com 16
Elements of a Gap Analysis
5/1/2015 www.QACVConsulting.com 17
1. Assess current CSV processes against applicable regulatory requirements
2. Complete the assessment against regulatory requirements
3. Remediate as necessary
Elements of a Gap Analysis
5/1/2015 www.QACVConsulting.com 18
Annex 11 Data Accuracy Checks Data Storage Printouts Audit Trails Change and Configuration
Management Periodic Evaluation Security Incident Management Business Continuity Archiving
Policies
Policy A
Policy B
etc…
Procedures
SOP 100
SOP 101
etc…
Elements of a Gap Analysis
5/1/2015 www.QACVConsulting.com 19
4. Assess current validated systems against CSV policies and procedures
5. Prioritize assessment based on system criticality Patient Safety
Product Quality
Record Integrity
6. Assess any gaps based on risk assessment
Elements of a Gap Analysis
5/1/2015 www.QACVConsulting.com 20
Assess Gaps – Determine Impact
Validation status of system
Record integrity
Security
Change control program
Personnel status
Elements of a Gap Analysis
5/1/2015 www.QACVConsulting.com 21
Potential Issues
System not being used as intended
System documentation not current
Periodic reviews not completed
Training not current
Inadequate testing
Record integrity questions
Elements of a Gap Analysis
5/1/2015 www.QACVConsulting.com 22
7. Prioritize remediation based on impact assessment
8. Incorporate remediation activities into CAPA program
Elements of a Gap Analysis
5/1/2015 www.QACVConsulting.com 23
Remediation
Revision of procedures
Update system documentation
Provide additional training
Regression testing
Gap Analysis Plan
5/1/2015 www.QACVConsulting.com 24
Governance
Responsibilities
Assign project leader
Team Members
IT / Engineering
QA
Users
Incorporate Elements of Gap Analysis
Prioritization Criteria
Tracking Progress
Gap Analysis Plan
5/1/2015 www.QACVConsulting.com 25
Management Reporting
Frequency
Format, etc.
Attachments
Assessment Checklists
Impact Assessments
Summary
5/1/2015 www.QACVConsulting.com 26
Understand regulatory requirements
Elements of a gap analysis
Assess impact
Prioritize
Remediation
Questions
5/1/2015 www.QACVConsulting.com 27
Chris Wubbolt
QACV Consulting, LLC
www.QACVConsulting.com
Telephone: 610-442-2250
E-mail: [email protected]
Contact Information
5/1/2015 www.QACVConsulting.com 28