1 / 29

Infrastructure Qualification (What Is a Network?)

Infrastructure Qualification (What Is a Network?). David Stephenson Senior Consultant ABB Life Sciences Computer Systems Validation 22-23 Sept 2003 London, UK . Aim of the Talk. To raise awareness for the issues related to the qualification of networked systems including:

scarlett
Télécharger la présentation

Infrastructure Qualification (What Is a Network?)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Infrastructure Qualification (What Is a Network?) David StephensonSenior ConsultantABB Life Sciences Computer Systems Validation22-23 Sept 2003London, UK

  2. Aim of the Talk • To raise awareness for the issues related to the qualification of networked systems including: • Understanding what a network is and how it impacts GxP systems • The difference between Validation and Qualification • Why application validation includes the network • Qualifying IT infrastructure • Regulatory expectations

  3. What Is a Network? (Definition) • A system (transmission channels and supporting hardware & software) that connects several remotely located computers via telecommunications (OSI). • Two or more connected computers that can share resources such as data, printers, Internet connection, applications, or a combination of these.

  4. What Can Networks Do? • Reliably transmit data and enable communication between locations on the network • Provide multi-user multi-site access to centrally managed applications and data • Restrict access to applications and data to authorised individuals • Provide Reliable and accurate storage of original data • Provide synchronised date and time stamps for records and audit trails at multiple locations

  5. What Types of Networked Systems? • Site network infrastructure • PLC, DCS and SCADA systems • Laboratory Information Management Systems (LIMS) • Chromatography Data Systems (CDS) • Manufacturing Execution Systems (MES) • Enterprise Resource Planning Systems (ERP) • Clinical Trials Data Management Systems (CTDMS) • Electronic Document Management Systems (EDMS) • Global network infrastructure • The Internet

  6. Validation Vs Qualification Validation is defined as…. “Establishing documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its pre-determined specifications and quality attributes.” (FDA Guidelines on General Principles of Process Validation, May 1987) Qualification is defined as…. “The process to demonstrate the ability to fulfil specified requirements” GAMP 4.0 (Good Automated Manufacturing Practice)

  7. Validation Vs Qualification (The Difference?)

  8. Why Qualify a Network? • Some Questions: • Does the network convey instructions for the control of GxP critical operations? • Does the network convey GxP critical data? • Could the network effect GxP data quality • If the answer is Yes to any of these questions, then we must qualify the network

  9. Drivers for Qualification • The IT infrastructure is essential to business continuity • Network downtime is time lost to productive activities • Application downtime is time lost to productive activities • Irretrievable loss of data can be extremely costly • Development data • Pre-clinical science data • Clinical data • Manufacturing data • Regulatory non-compliance can be extremely costly(up to and including withdrawal of marketing licence)

  10. Infrastructure Qualification, The Real World • Roles and responsibilities are unclear or inappropriate • IT department operates outside the company QM organisation • The level and formality of documentation is variable • No network management SOP’s in place • Service level agreements between IT and other departments not in place or inadequate • Service delivery procedures not in place, or inadequate • No independent auditing program in place • GxP data and applications are spread over a large number of servers • No awareness training of IT team in regulatory requirements (GxP or 21 CFR Part 11)

  11. Infrastructure Qualification, Planning • Sources of information • The GAMP Guide for the Validation of Automated Systems Version 4.0 (ISPE, Dec 2001) • FDA Guidance for Industry: 21 CFR Part 11 Electronic Records;Electronic Signatures-Scope and Application (Aug 2003) • FDA General Principals of Software Validation; Final Guidance for Industry and FDA Staff (Jan 2002)- Medical Devices • FDA Guidance Computerized Systems Used in Clinical Trials (April 1999) • GAMP IT Infrastructure S.I.G. Best Practice Guide (planned early 2004)

  12. Infrastructure Qualification, Implementation • The stages of implementation are: • Gap Analysis • Identify needs • Plan qualification activities • Document the infrastructure • Develop a testing strategy • Qualify the network

  13. Gap Analysis • Identify the criticality of IT infrastructure components and procedures to data quality, accuracy and integrity • GxP critical • LAN, WAN and hardware supporting GxP Applications • Hardware supporting GxP Meta data: report formats, database table formats • Hardware supporting GxP data storage • Software versions, service packs and configuration • Security and access • Support functions: data backup and restore, audit trails, maintenance, training records etc.

  14. Identify IT Infrastructure Needs…. • New or modified network • New or modified hardware platform • New or modified procedures • Existing qualified network • Existing qualified hardware platform • Existing approved procedures

  15. Plan Qualification Activities • Review the current Design and determine GxP critical issues and the sources of risk as the basis for your qualification strategy • Focus on critical areas • Assess risks and mitigation • Plan testing dependent on degree of risk • Target scarce resources • Reduce time • Reduce cost

  16. Project Validation Master Plan Application Validation Plan Network Qualification Plan IT Qualification Master Plan Desktop Build Qualification Plan Validation Report Qualification Report Divide Qualification Activities: An Example Server Qualification Plan

  17. Develop Qualification Plan • GxP critical components must be qualified (IQ/OQ) against pre-defined criteria • Non-GxP components should be managed according to industry good practice • Qualify each software component based on GAMP category • Ensure mechanisms are in place for maintaining the qualified state

  18. Document the Existing Network Infrastructure • Document IT infrastructure roles and responsibilities • Document equipment and component configurations • Create an As-Built specification (requirements, functionality & design) • Document current IT infrastructure high-level requirements e.g : • Number of users/departments supported • Locations served • Capacity • Availability • Helpdesk provision • Business continuity provision • Disaster recovery plans

  19. Document the Existing Network Infrastructure • Document services provided • Service Level Agreements (or equivalent) between groups • Document procedures for operational tasks e.g : • Backup and Restore • User access management • Document outsourced tasks • SLAs with third parties e.g. PC maintenance, Archiving etc • Document network topology • Approved Network topology diagrams of varying detail(Global, Regional, Site, LAN) • Logical diagrams illustrating resilience & switching capabilities

  20. Document the Existing Network Infrastructure • Document equipment on network (Asset listings) • Desktop PCs • Servers • Storage devices • Peripherals (printers, tape drives etc.) Document everything a technically competent person would need to know to rebuild and operate the Network infrastructure

  21. Classification Level one Risk probability Level two Low Med High Risk Impact Level three High Medium Low Develop Testing Strategy • Plan qualification testing according to risk classification • Priority on high risk areas (Level one)

  22. Finalise the Qualification • Summarise the completion of the qualification in a Qualification report • Refer to the qualification report in the Application Qualification Report • Maintain the qualified state of the IT infrastructure

  23. Why Application Validation Includes the Network • Transmission of data to users and peers • Backup & recovery of data • Connection methodology (remote access & logons) • Security

  24. References to Networked Systems • FDA Guide to Inspection of Computerised Systems in Drug Processing (Feb, 1983) • Refers to need to know • Outputs sent to other parts of the network • Inputs (instructions, programs) received • Identity and locations of establishments which interact with the firm • Extent and nature of monitoring and controlling activities exercised by on-net establishments • Security measures to prevent unauthorised access and possible drug process sabotage

  25. References to Networks • FDA Guidance for Industry, FDA Reviewers and Compliance on Off-the-Shelf software use in Medical Devices (Sept. 1999) • Requirements analysis for LANs • Speed • LAN Architecture • Network Operating Systems • Data Integrity • Network Management and Security

  26. Warning Letters and 483 Inspection Observations • The client/server system was never validated to ensure data could be correctly passed between the hardware and software environment in which the system operated • There was no validation data to demonstrate that an authorised user of the corporate network have access to the analytical data on the laboratory network • The firm did not monitor or keep track of changes to the hardware, application or operating system software changes

  27. Regulatory Expectations for Networked Systems • Warning letters (Pharmacia 2001) referring to a bespoke networked application and an off-the-shelf networked application • No revision control system • Failure to update and maintain structural and functional diagrams and design descriptions • Failure to update and maintain diagrams with text descriptions identifying interfaces to other network programs • Inadequate standard operation procedures to ensure that records are included with validation documentation, maintained and updated when changes are made • The (WAN) was not included in the validation efforts and therefore lacked adequate documentation controls

  28. Contact Details at ABB Life Sciences Group David K Stephenson Senior Consultant ABB Ltd Belasis Hall Technology Park Billingham Cleveland, TS23 4YS Tel: +44 (0)1642 372133 Fax: +44 (0)1642 372166 Mob: +44 (0)7715 700240 e-mail: David.Stephenson@gb.abb.com

More Related