How to Validate a Vendor Purchased Application Presented by: Lisa Morton, Matt Ferdock DataCeutics, Inc. Presented for: Oracle Clinical User Group 4th Annual Meeting, October 25 - 27, 1999

. Copyright 1999, DataCeutics, Inc. Introductions DataCeutics, Inc. Expert Consulting since 1993 Helping deploy & Validate Oracle Clinical and Clintrial SOPs & Guidelines Validation SAS integration Standards Validated State Maintenance October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. Obvious Facts “Since 1983, the influence of computerized systems on all phases of drug research … has increased dramatically....” “FDA regulations are official documents that have the force of law and the courts behind them.” The Survive and Thrive Guide to Computer Validation, Interpharm Press, 1994. October 6, 1999 . Copyright 1999, DataCeutics, Inc.

Regulations & Guidances The following GCP regulations and guidelines apply: Guidance on Computerized Systems Used in Clinical Trials, FDA, 5/10/99 Guidance for Industry - Archiving Submissions in Electronic Format - NDAs 21 CFR 11 - GCPs Compliance Policy Guide, Enforcement Policy: 21 CFR Part 11 (CPG 7153.17) Providing Regulatory Submissions in Electronic Format, FDA, 1/28/99 October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. R & G’s Continued GLP and GMP regulations and guidelines: Compliance Program Guidance Manual 7348.808 Compliance on General Principles of Process Validation, 5/1/87 Guide to Inspection of Computerized Systems in Drug Processing, FDA, February, 1983. 21 CFR 58 - GLPs 21 CFR 210 and 21 CFR 211 - GMPs October 6, 1999 . Copyright 1999, DataCeutics, Inc.

What we need to consider GCP Systems 21 CFR 11 FDA Inspections GCP Systems Validation SOP IS SOPs GCP SDLC Security Audit Trails Archiving Training Documentation October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. 21 CFR 11 Points Demonstrate Security Automatic Audit Trail Documentation Generate Copies of Records Properly Trained Personnel Archive Protection October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. FDA Inspection Warning Letter Installation Qualification (IQ) Worse Case testing Functional testing Include ALL locations within the validation 21 CFR, Part 11 deviations October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. 21 CFR, Part 11 Deviations Audit Trail Written Procedures for Electronic Signature Accountability Documentation/Testing system’s ability to “discern invalid or altered records” Generation of “accurate and complete copies of records in electronic form” Prevention of unauthorized use of electronic signatures October 6, 1999 . Copyright 1999, DataCeutics, Inc.

GCP Systems Validation SOP One needs to be written for GCP systems or Modify existing one from GMP or GLP Must discuss VPAs if they are handled differently October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. Required Elements (?) User requirements Vendor Audit/Report Validation Plan/Protocol IQ Plan/Report PQ Plan/Report Functional Tests (?) User Acceptance Tests (?) SOP Audit/Report Training File Audit/Report System Documentation Audit/Report Security Audit/Report Back-up and Recovery Testing/Report Final Comprehensive Validation Report Regardless of whether the system has been purchased or developed in-house, the Systems Validation SOP needs to describe the process used to ensure that the computer system maintain the integrity, correctness and completeness of the data that it manages. This includes performing an IQ/OQ/PQ, having the appropriate SOPs (system and process), maintaining and documenting adequate security, back up and recovery procedures, performing User Acceptance Testing and Functional Testing, verifying that the system maintains an appropriate Audit Trail, that there is appropriate system documentation, that the users have been trained on the use of the system and that archiving procedures exist and are followed. October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. IS SOPs Backup & Restore Disaster Recovery HW/SW Change Management Operational Procedures Physical Security for IS Systems Helpdesk/Service Level Compliance SOP Logical Security for IS Systems Account Maintenance SDLC/ERP Vendor Assessment IQ/OQ/PQ SW/HW Archiving SW/HW Training GCP Sys. Validation October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. GCP SDLC Must Consider CFRs and Quality Standards User and System Requirements Vendor Assessment instead of traditional development life cycle *SDLC -User Requirements Doc - traditionally used to assist IS in developing system based on the user’s needs, can be used as “wish list” for ideal system when evaluating systems for purchase. -specification doc -coding and testing cycle -user testing and bug identification -user testing and acceptance -user validation and traceability matrix October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. User Requirements We have a Data Management group We need a System Let’s buy A, B, C, or D What are the User Requirements? What do we want the system to do? What DON”T we want the system to do? October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. Vendor Assessment Develop Questionnaire with Regulations and User Requirements in mind Audit for compliance before buying IF the app falls short, prepare a gap analysis Attain vendor certification that system will be updated or write customized code 1. Does the system generate record in human readable and electronic form? 2. Does the system protect records for accurate and ready retrieval later. 3. Is system access limited to authorized persons only? 4. Is the audit trail secure, computer generated, time stamped and independent? 5. Are there built in system checks to enforce the sequencing of steps, as appropriate? 6. Does the system distinguish between levels of access for different users? 7. Does the system have the capability to perform data validation checks at data input? 8. Is the vendor’s staff qualified to develop the application software? 9. Does the software enable the use of SOPs to ensure the security and integrity of the data and processes? 10. How does the vendor control access to system documentation? 11. How does the vendor demonstrate system maintenance and change control? 12. Is there an audit trail on system documentation? 13. Does the system meet the user requirements? 14. Can the system be validated to ensure the accuracy, reliability, consistent intended performance and the ability to discern invalid/altered records? October 6, 1999 . Copyright 1999, DataCeutics, Inc.

Vendor Audit Questionnaire 1. Does the system generate record in human readable and electronic form? 2. Does the system protect records for accurate and ready retrieval later. 3. Is system access limited to authorized persons only? 4. Is the audit trail secure, computer generated, time stamped and independent? October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. Questionnaire cont. 5. Are there built in system checks to enforce the sequencing of steps, as appropriate? 6. Does the system distinguish between levels of access for different users? 7. Does the system have the capability to perform data validation checks at data input? 8. Is the vendor’s staff qualified to develop the application software? October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. Questionnaire cont. 9. Does the software enable the use of SOPs to ensure the security and integrity of the data and processes? 10. How does the vendor control access to system documentation? 11. How does the vendor demonstrate system maintenance and change control? 12. Is there an audit trail on system documentation? October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. Questionnaire cont. 13. Does the system meet the user requirements? 14. Can the system be validated to ensure the accuracy, reliability, consistent intended performance and the ability to discern invalid/altered records? October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. Security - Physical Access to Plant restricted (By Whom and How) Computer Room must be locked with access restricted to authorized personnel Can un-authorized personnel gain access via unconventional methods (thru ceiling panels or under a raised floor)? October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. Security - Logical Secure workstations Data security No unauthorized copies Network access Passwords NEVER WRITE DOWN Expiration time Not obvious Not recycled Use on screen saver October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. Audit Trail Does the system have one? Is the Audit Trail adequate? Independence Automatic / Electronic Does not obscure original record Contains necessary items (who, when, what and why) October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. Archiving Records need to be protected Easily accessible Records cannot be changed October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. Training Has the staff been trained? SOPs Application Software Are there Training Files and are they up-to-date? Is there an SOP on Training? October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. System Documentation Has the manufacturer supplied documentation for the user? for the system administrator? Is the documentation complete and adequate? October 6, 1999 . Copyright 1999, DataCeutics, Inc.

. Copyright 1999, DataCeutics, Inc. Conclusions Validation is no longer a “business decision” “How much” is enough Level of risk Vendor Audit is important for a successful validation 21 CFR, Part 11 Compliance is CRITICAL October 6, 1999 . Copyright 1999, DataCeutics, Inc.