Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to Validate a Vendor Purchased Application Presented by: Lisa Morton, Matt Ferdock DataCeutics, Inc. Presented for: Oracle Clinical User Group 4th.

Similar presentations


Presentation on theme: "How to Validate a Vendor Purchased Application Presented by: Lisa Morton, Matt Ferdock DataCeutics, Inc. Presented for: Oracle Clinical User Group 4th."— Presentation transcript:

1 How to Validate a Vendor Purchased Application Presented by: Lisa Morton, Matt Ferdock DataCeutics, Inc. Presented for: Oracle Clinical User Group 4th Annual Meeting, October , 1999

2 October 6, Copyright 1999, DataCeutics, Inc. Introductions n DataCeutics, Inc. –Expert Consulting since 1993 –Helping deploy & Validate Oracle Clinical and Clintrial n SOPs & Guidelines n Validation n SAS integration n Standards n Validated State Maintenance

3 October 6, Copyright 1999, DataCeutics, Inc. Obvious Facts n Since 1983, the influence of computerized systems on all phases of drug research … has increased dramatically.... n FDA regulations are official documents that have the force of law and the courts behind them. The Survive and Thrive Guide to Computer Validation, Interpharm Press, 1994.

4 October 6, Copyright 1999, DataCeutics, Inc. Regulations & Guidances n The following GCP regulations and guidelines apply: –Guidance on Computerized Systems Used in Clinical Trials, FDA, 5/10/99 –Guidance for Industry - Archiving Submissions in Electronic Format - NDAs –21 CFR 11 - GCPs –Compliance Policy Guide, Enforcement Policy: 21 CFR Part 11 (CPG ) –Providing Regulatory Submissions in Electronic Format, FDA, 1/28/99

5 October 6, Copyright 1999, DataCeutics, Inc. R & Gs Continued n GLP and GMP regulations and guidelines: –Compliance Program Guidance Manual –Compliance on General Principles of Process Validation, 5/1/87 –Guide to Inspection of Computerized Systems in Drug Processing, FDA, February, –21 CFR 58 - GLPs –21 CFR 210 and 21 CFR GMPs

6 October 6, Copyright 1999, DataCeutics, Inc. What we need to consider n GCP Systems –21 CFR 11 –FDA Inspections –GCP Systems Validation SOP –IS SOPs –GCP SDLC –Security –Audit Trails –Archiving –Training –Documentation

7 October 6, Copyright 1999, DataCeutics, Inc. 21 CFR 11 Points n Demonstrate Security n Automatic Audit Trail n Documentation n Generate Copies of Records n Properly Trained Personnel n Archive Protection

8 October 6, Copyright 1999, DataCeutics, Inc. FDA Inspection n Warning Letter –Installation Qualification (IQ) –Worse Case testing –Functional testing –Include ALL locations within the validation –21 CFR, Part 11 deviations

9 October 6, Copyright 1999, DataCeutics, Inc. 21 CFR, Part 11 Deviations n Audit Trail n Written Procedures for Electronic Signature Accountability n Documentation/Testing systems ability to discern invalid or altered records n Generation of accurate and complete copies of records in electronic form n Prevention of unauthorized use of electronic signatures

10 October 6, Copyright 1999, DataCeutics, Inc. GCP Systems Validation SOP n One needs to be written for GCP systems or n Modify existing one from GMP or GLP n Must discuss VPAs if they are handled differently

11 October 6, Copyright 1999, DataCeutics, Inc. Required Elements (?) n User requirements n Vendor Audit/Report n Validation Plan/Protocol n IQ Plan/Report n PQ Plan/Report n Functional Tests (?) n User Acceptance Tests (?) n SOP Audit/Report n Training File Audit/Report n System Documentation Audit/Report n Security Audit/Report n Back-up and Recovery Testing/Report n Final Comprehensive Validation Report

12 October 6, Copyright 1999, DataCeutics, Inc. IS SOPs n Backup & Restore n Disaster Recovery n HW/SW Change Management n Operational Procedures n Physical Security for IS Systems n Helpdesk/Service Level n Compliance SOP n Logical Security for IS Systems n Account Maintenance n SDLC/ERP n Vendor Assessment n IQ/OQ/PQ SW/HW n Archiving SW/HW n Training n GCP Sys. Validation

13 October 6, Copyright 1999, DataCeutics, Inc. GCP SDLC n Must Consider CFRs and Quality Standards n User and System Requirements n Vendor Assessment instead of traditional development life cycle

14 October 6, Copyright 1999, DataCeutics, Inc. User Requirements n We have a Data Management group n We need a System n Lets buy A, B, C, or D n What are the User Requirements? –What do we want the system to do? –What DONT we want the system to do?

15 October 6, Copyright 1999, DataCeutics, Inc. Vendor Assessment n Develop Questionnaire with Regulations and User Requirements in mind n Audit for compliance before buying n IF the app falls short, prepare a gap analysis n Attain vendor certification that system will be updated or write customized code

16 October 6, Copyright 1999, DataCeutics, Inc. Vendor Audit Questionnaire n 1. Does the system generate record in human readable and electronic form? n 2. Does the system protect records for accurate and ready retrieval later. n 3. Is system access limited to authorized persons only? n 4. Is the audit trail secure, computer generated, time stamped and independent?

17 October 6, Copyright 1999, DataCeutics, Inc. Questionnaire cont. n 5. Are there built in system checks to enforce the sequencing of steps, as appropriate? n 6. Does the system distinguish between levels of access for different users? n 7. Does the system have the capability to perform data validation checks at data input? n 8. Is the vendors staff qualified to develop the application software?

18 October 6, Copyright 1999, DataCeutics, Inc. Questionnaire cont. n 9. Does the software enable the use of SOPs to ensure the security and integrity of the data and processes? n 10. How does the vendor control access to system documentation? n 11. How does the vendor demonstrate system maintenance and change control? n 12. Is there an audit trail on system documentation?

19 October 6, Copyright 1999, DataCeutics, Inc. Questionnaire cont. n 13. Does the system meet the user requirements? n 14. Can the system be validated to ensure the accuracy, reliability, consistent intended performance and the ability to discern invalid/altered records?

20 October 6, Copyright 1999, DataCeutics, Inc. Security - Physical n Access to Plant restricted (By Whom and How) n Computer Room must be locked with access restricted to authorized personnel n Can un-authorized personnel gain access via unconventional methods (thru ceiling panels or under a raised floor)?

21 October 6, Copyright 1999, DataCeutics, Inc. Security - Logical n Secure workstations n Data security –No unauthorized copies –Network access n Passwords –NEVER WRITE DOWN –Expiration time –Not obvious –Not recycled –Use on screen saver

22 October 6, Copyright 1999, DataCeutics, Inc. Audit Trail n Does the system have one? n Is the Audit Trail adequate? –Independence –Automatic / Electronic –Does not obscure original record –Contains necessary items (who, when, what and why)

23 October 6, Copyright 1999, DataCeutics, Inc. Archiving n Records need to be protected n Easily accessible n Records cannot be changed

24 October 6, Copyright 1999, DataCeutics, Inc. Training n Has the staff been trained? –SOPs –Application Software n Are there Training Files and are they up-to-date? n Is there an SOP on Training?

25 October 6, Copyright 1999, DataCeutics, Inc. System Documentation n Has the manufacturer supplied documentation –for the user? –for the system administrator? n Is the documentation complete and adequate?

26 October 6, Copyright 1999, DataCeutics, Inc. Conclusions n Validation is no longer a business decision n How much is enough n Level of risk n Vendor Audit is important for a successful validation n 21 CFR, Part 11 Compliance is CRITICAL


Download ppt "How to Validate a Vendor Purchased Application Presented by: Lisa Morton, Matt Ferdock DataCeutics, Inc. Presented for: Oracle Clinical User Group 4th."

Similar presentations


Ads by Google