Chapter 1
Introduction
Regulatory authorities acknowledge the use of computer systems*
performing operations covered by the medicinesā manufacturing practices regulation, and the applicable controls that must be in place to ensure that such computer systems are trustworthy. The essentials of complying with these regulations are outlined in Chapter 14.
To demonstrate that a computer system is trustworthy, the Development Period needs to follow a documented system life cycle (SLC) (Chapters 6 and 7) and, during the operational life period the system needs to be subjected to the Current Good Manufacturing Practice (CGMP) controls associated with the Operational Life (Chapter 12).
This book complements the basic features referenced above. A computer system performing operations covered by the medicinesā manufacturing practices regulation and the applicable controls must be developed following software engineering and operational current practices. The output of these two key processes will provide a trustworthy system.
Chapter 2 contains a high-level description of the validation process applicable to computer systems to achieve and maintain proper performance, correct operation, system integrity and product quality by computer systems in a manufacturing environment.
The key required expectation of regulatory authorities and competent authorities covering medicine manufacturing practices are discussed in Chapter 3. This chapter considers expectations by regulatory authorities from the US, Australia, Brazil, Canada, China, United Kingdom, and Japan. In addition, it covers expectations by worldwide healthcare-related entities such as the Pharmaceutical Inspection Cooperation/Scheme (PIC/S), the World Health Organization (WHO) and the International Conference on Harmonization (ICH).
Chapters 4 and 5 cover common factors and e-compliance practices followed in computer systems validation (CSV). In case of new technologies, these common practices can be used during implementation and operation.
A typical SLC is described in Chapter 6. The SLC comprises the framework and activities to develop a system and operate a computer system.
Chapter 7 discusses the SLC documentation and its relationship with CSV and e-compliance.
The management of requirements is discussed in Chapter 8. This is an important element in the CSV. The success or failure of a project is based on the correct definition and the attributes of requirements. Key issues in the implementation and maintenance of the requirements are discussed as well.
The concept of risk based validation was introduced in the regulated industry back in the early 2000s. The extent of the software validation effort should be commensurate with the associated risk. This practice is introduced in Chapter 9.
For complex systems, the validation plan should be developed after establishing the validation approach. The approach should be based on a risk assessment. validation plans are discussed in Chapter 10.
The integration of project management, SLC and production CSV processes managing the validation of a computer system is discussed in Chapter 11. The focus is on production systems.
After the deployment of computer systems, the validation activities are not over. Chapter 12 gives details of the procedural control during the Operational Life.
Since I wrote the first revision of this book in 2004, one big shift in the information technology (IT) sector is the use of service providers (including Software as a Service [SaaS], Infrastructure as a Service [IaaS] and/or Platform as a Service [PaaS]) by regulated entities. This shift reduces the regulated entity IT budget. The IT Department should be considered a service provider. Suppliers and service providers are discussed in Chapter 13. A key instrument to establish the roles and responsibilities of the suppliers and service providers is the service level agreement (SLA). This tool is discussed in Chapter 22.
A key chapter in this book is Chapter 14, Trustworthy Computer Systems. Trustworthy computer systems consist of computer infrastructure, applications, and procedures that:
ā Are reasonably suited to performing their intended functions
ā ā Provide a reasonably reliable level of availability, reliability and correct operation
ā ā Are reasonably secure from intrusion and misuse
ā Adhere to generally accepted security principles
The above key items are summarized in the quality-related attributes at the end of the development and during the operational processes of computer systems.
In computer systems, electronic recordsā integrity is a critical element of an organizationās quality program, and recently oversights have been brought to the forefront by regulatory agencies citing violations and inadequacies in findings from inspections, audits, and warning letters. Based on ISO/IEC 17025, the integrity requirements for electronic records are reviewed in Chapter 15. In addition, Chapter 16 compliments Chapter 15 by providing cryptographic-based technologies supporting the integrity of electronic records.
CGMP applications in the manufacturing operating environment must run in qualified infrastructure. The infrastructure is basically a transport means that is used to move information from one location to another. This information may establish the quality of a product. Chapter 17 provides the concepts for the qualification of infrastructure.
As a result of not following good configuration management practices, new expectations from the regulatory agency/competent authority, outdated technologies, and so on, computer systems fall out of CGMP compliance. For reasons explained before, systems need from time to time be remediated. Chapter 18 is dedicated to remediation related activities.
Chapter 19 suggests an organization structure supporting CSV programs.
Chapter 20 recommends an approach to the correlation between the system life cycle (SLC) and e-records life cycle using the EU Annex 11 SLC.
One of the most important services in e-records integrity and e-signatures ā digital date and time stamps ā is described in Chapter 21.
Access Management, Big Data, Clouds Environments, Internet of Things (IoT), SLAs, and Wireless are areas in e-compliance that are, at present, under regulated user and regulatory agencies attention. Chapter 22 reviews these technologies and critical processes.
Based on the earlier revision of the ISO 12207 (1995), Chapter 23 guides the reader on how to put together all the elements discussed in this book.
As stated in the first edition of this book (2004), quality is built into a computer system during its conceptualization, development, and operational life periods. The validation of computer systems cannot be tested into the system. The validation of computer systems is an ongoing process that it is integrated into the entire SLC. The intention of this book is to provide the key processes to build quality into computer systems performing operations covered by medicine manufacturing practices regulation.
The recommendations of the controls, as described in this book, are purely from the standpoint and opinion of the author, and should serve as a suggestion only. They are not intended to serve as the regulatorsā official implementation process.
Notes
* System: A group of related objects designed to perform or control a set of specified actions.
Chapter 2
What Is a Computer Systems Validation (CSV)?
In the context of the regulated users* and Regulatory Authorities, computer systems used in the manufacturing of regulated products should be developed and operated to assure proper performance, correct operation, system integrity, and product quality.
Computer systems provide an effective method to perform routine and repetitive tasks. Although generally more reliable than manual equivalents, such systems demand adequate controls for equipment setup and programming/configuration.
All regulatory authorities call for manufacturersā to implement quality systems to ensure the correctness and appropriateness of the computer systems functionality based on the intended use, changes, interfaces, data inputs/outputs, and data processing, as applicable. This āensures accurate results and reduces the risk of failure of the system.āā” The validation process is ensured by following āappropriate development methodology using a quality system approach.āĀ¶
Specifically to ensure accurate functionality and the protection of e-records, certain controls must be in place* :
ā Access to the system by authorized personnel only
ā Use of passwords
ā Creation of backup copies
ā Independent checking of critical e-records
ā Safe storage of e-records for the required time
ā The systematic use of an accurate, secure, audit trail (where appropriate)
The controls referenced above are specified, implemented, tested, and maintained during the SLC.
The SLC is based upon good engineering practices that have been in existence for many years. In addition, it is expected that documented evidence will be produced and maintained during the SLC.
The deliverables that are natural byproducts of the SLC are very closely aligned with the ādocumented evidenceā that is required in the CSV to ensure a high degree of assurance that the computer system will consistently meet its predetermined specifications and quality attributesā .
CORE PRINCIPLE
The computer systems validation process incorporates āplanning, verification, testing, traceability, configuration management, and many other aspects of good software engineering that together help to support a final conclusion that software is validated.ā
ā PIC/S CSV PI 011-3,
September 2007
PI 011-3ā” defines CSV as the
āformal assessment and reporting of quality and performance measu...