Presentation is loading. Please wait.

Presentation is loading. Please wait.

Infrastructure Qualification (What Is a Network?)

Published byMarilynn Evans Modified over 6 years ago

Similar presentations

Presentation on theme: "Infrastructure Qualification (What Is a Network?)"— Presentation transcript:

1 Infrastructure Qualification (What Is a Network?)
David Stephenson Senior Consultant ABB Life Sciences Computer Systems Validation Sept 2003 London, UK Infrastructure Qualification (What Is a Network?)

2 Aim of the Talk To raise awareness for the issues related to the qualification of networked systems including: Understanding what a network is and how it impacts GxP systems The difference between Validation and Qualification Why application validation includes the network Qualifying IT infrastructure Regulatory expectations MY TALK TODAY, ENDEAVOURS TO RAISE AWARENESS FOR THE ISSUES RELATED TO THE QUALIFICATION OF NETWORKED SYSTEMS, AND COVERS THE FOLLOWING :

3 What Is a Network? (Definition)
A system (transmission channels and supporting hardware & software) that connects several remotely located computers via telecommunications (OSI). Two or more connected computers that can share resources such as data, printers, Internet connection, applications, or a combination of these. IN ORDER TO UNDERSTAND BETTER WHAT WE ARE DEALING WITH, WE MUST FIRSTLY UNDERSTAND WHAT A NETWORK IS, I HAVE TWO DEFINITIONS, THE FIRST BEING THE OSI DEFINITION, AND THE SECOND, ONE THAT WAS PUT FORWARD DURING A GAMP SIG MEETING

4 What Can Networks Do? Reliably transmit data and enable communication between locations on the network Provide multi-user multi-site access to centrally managed applications and data Restrict access to applications and data to authorised individuals Provide Reliable and accurate storage of original data Provide synchronised date and time stamps for records and audit trails at multiple locations NOW THAT WE KNOW WHAT A NETWORK IS , WE MUST UNDERSTAND WHAT IT IS CAPABLE OF, IE WHAT CAN IT DO?

5 What Types of Networked Systems?
Site network infrastructure PLC, DCS and SCADA systems Laboratory Information Management Systems (LIMS) Chromatography Data Systems (CDS) Manufacturing Execution Systems (MES) Enterprise Resource Planning Systems (ERP) Clinical Trials Data Management Systems (CTDMS) Electronic Document Management Systems (EDMS) Global network infrastructure The Internet FOLLOWING ON FROM THE DEFINITION AND EXPLANATION OF A NETWORKS FUNCTIONALITY, IT IS PERTINENT TO EXPAND AND EXPLAIN THAT THERE ARE MANY DIFFERENT TYPES OF NETWORK, EACH WITH ITS OWN REQUIREMENTS

6 Validation Vs Qualification
Validation is defined as…. “Establishing documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its pre-determined specifications and quality attributes.” (FDA Guidelines on General Principles of Process Validation, May 1987) Qualification is defined as…. “The process to demonstrate the ability to fulfil specified requirements” GAMP 4.0 (Good Automated Manufacturing Practice) FOLLOWING ON, WE NOW COME TO THE POINT OF CONTENTION, VALIDATION OR QUALIFICATION? THESE ARE DEFINED AS:

7 Validation Vs Qualification (The Difference?)
Relies on the use of a unique set of requirements Relies on the use of recognised standards, which can be utilised by other qualifications Designed to ensure product consistency, produces reproducible results and demonstrates that the functions meet the requirements A snapshot of the installed system, with a current configuration derived from current requirements Relies on industry best practice (SDLC, GAMP etc) Relies on individual company best practice (Server builds etc) Requires buy in & acceptance by the users (unique to system) Does not rely on user buy in, (a commodity) THE DIFFERENCES BETWEEN THE TWO ARE:

8 Why Qualify a Network? Some Questions:
Does the network convey instructions for the control of GxP critical operations? Does the network convey GxP critical data? Could the network effect GxP data quality If the answer is Yes to any of these questions, then we must qualify the network IN OUR CASE, WE ARE TAKING THE QUALIFICATION ROUTE, AND THE FIRST QUESTION MUST BE “DO WE REQUIRE QUALIFICATION”?

9 Drivers for Qualification
The IT infrastructure is essential to business continuity Network downtime is time lost to productive activities Application downtime is time lost to productive activities Irretrievable loss of data can be extremely costly Development data Pre-clinical science data Clinical data Manufacturing data Regulatory non-compliance can be extremely costly (up to and including withdrawal of marketing licence) SOME OF THE REASONS/DRIVERS FOR QUAIFYING THE NETWORKS ARE :

10 Infrastructure Qualification, The Real World
Roles and responsibilities are unclear or inappropriate IT department operates outside the company QM organisation The level and formality of documentation is variable No network management SOP’s in place Service level agreements between IT and other departments not in place or inadequate Service delivery procedures not in place, or inadequate No independent auditing program in place GxP data and applications are spread over a large number of servers No awareness training of IT team in regulatory requirements (GxP or 21 CFR Part 11) IF WE NOW TAKE A SNAPSHOT OF THE REAL WORLD WITH RESPECT TO NETWORKS AND THEIR COMPLIANCE, WE MAY FIND EXAMPLES OF THE FOLOWING:

11 Infrastructure Qualification, Planning
Sources of information The GAMP Guide for the Validation of Automated Systems Version 4.0 (ISPE, Dec 2001) FDA Guidance for Industry: 21 CFR Part 11 Electronic Records;Electronic Signatures-Scope and Application (Aug 2003) FDA General Principals of Software Validation; Final Guidance for Industry and FDA Staff (Jan 2002)- Medical Devices FDA Guidance Computerized Systems Used in Clinical Trials (April 1999) GAMP IT Infrastructure S.I.G. Best Practice Guide (planned early 2004) THEREFORE IN ORDER TO MOVE FORWARD, WE MUST PLAN, AND ASSISTANCE IN THIS CAN BE GAINED FROM VARIOUS SOURCES

12 Infrastructure Qualification, Implementation
The stages of implementation are: Gap Analysis Identify needs Plan qualification activities Document the infrastructure Develop a testing strategy Qualify the network THE STEPS THAT CAN BE FOLLOWED TO QUALIFY A NETWORK ARE THUS:

13 Gap Analysis Identify the criticality of IT infrastructure components and procedures to data quality, accuracy and integrity GxP critical LAN, WAN and hardware supporting GxP Applications Hardware supporting GxP Meta data: report formats, database table formats Hardware supporting GxP data storage Software versions, service packs and configuration Security and access Support functions: data backup and restore, audit trails, maintenance, training records etc. THE GAP ANALYSIS LOOKS AT THE AREAS OF COMPLIANCE THAT ARE DEFFICIENT, AND ALLOWS THIS INFORMATION TO BE FED FORWARD INTO THE REMEDIATION OF THE NETWORK

14 Identify IT Infrastructure Needs….
New or modified network New or modified hardware platform New or modified procedures Existing qualified network Existing qualified hardware platform Existing approved procedures THE GAP ANALYSIS IS BEST SERVED IF WE CAN IDENTIFY CRITERIA SUCH AS THE FOLLOWING

15 Plan Qualification Activities
Review the current Design and determine GxP critical issues and the sources of risk as the basis for your qualification strategy Focus on critical areas Assess risks and mitigation Plan testing dependent on degree of risk Target scarce resources Reduce time Reduce cost THE NEXT STEP IS TO PLAN THE QUALIFICATION ACTIVITIES

16 Divide Qualification Activities: An Example
Project Validation Master Plan IT Qualification Master Plan Application Validation Plan Server Qualification Plan Network Qualification Plan Desktop Build Qualification Plan THESE ACTIVITIES CAN BE BROKEN DOWN INTO DIFFERENT AREAS OF TECHNOLOGY Validation Report Qualification Report

17 Develop Qualification Plan
GxP critical components must be qualified (IQ/OQ) against pre-defined criteria Non-GxP components should be managed according to industry good practice Qualify each software component based on GAMP category Ensure mechanisms are in place for maintaining the qualified state THE QUALIFICATION PLAN ITSELF SHOULD COVER THE FOLLOWING

18 Document the Existing Network Infrastructure
Document IT infrastructure roles and responsibilities Document equipment and component configurations Create an As-Built specification (requirements, functionality & design) Document current IT infrastructure high-level requirements e.g : Number of users/departments supported Locations served Capacity Availability Helpdesk provision Business continuity provision Disaster recovery plans ONE OF THE MAIN AREAS OF QUALIFICATION IS THE DOCUMENTATION OF THE NETWORK INFRASTRUCTURE, THE TYPES OF INFORMATION REQUIRED ARE:

19 Document the Existing Network Infrastructure
Document services provided Service Level Agreements (or equivalent) between groups Document procedures for operational tasks e.g : Backup and Restore User access management Document outsourced tasks SLAs with third parties e.g. PC maintenance, Archiving etc Document network topology Approved Network topology diagrams of varying detail (Global, Regional, Site, LAN) Logical diagrams illustrating resilience & switching capabilities FOLLOWING ON

20 Document the Existing Network Infrastructure
Document equipment on network (Asset listings) Desktop PCs Servers Storage devices Peripherals (printers, tape drives etc.) Document everything a technically competent person would need to know to rebuild and operate the Network infrastructure AND FINALLY THIS ALL COMES DOWN TO THE INFORMATION REQUIRED SO A TECHNICALLY COMPETENT PERSON COULD REBUILD AND OPERATE THE NETWORK INFRASTRUCTURE

21 Develop Testing Strategy
Plan qualification testing according to risk classification Priority on high risk areas (Level one) High Medium Low Med Risk probability Risk Impact Level one Level two Level three Classification THE TESTING STRATEGY SHOULD BE CREATED AROUND A RISK BASED ASSESSMENT, TAKING INTO ACCOUNT THE HIGH RISK AREAS

22 Finalise the Qualification
Summarise the completion of the qualification in a Qualification report Refer to the qualification report in the Application Qualification Report Maintain the qualified state of the IT infrastructure FINALLY, ALL OF THE WORK SHOULD BE BROUGHT TOGETHER IN A QUALIFICATION REPORT

23 Why Application Validation Includes the Network
Transmission of data to users and peers Backup & recovery of data Connection methodology (remote access & logons) Security WHEN VALIDATING AN APPLICATION, THE NETWORK SHOULD BE INCLUDED, THE REASONING FOR THIS, IS THAT THE APPLICATION USES THE NETWORK FOR THE FOLLOWING

24 References to Networked Systems
FDA Guide to Inspection of Computerised Systems in Drug Processing (Feb, 1983) Refers to need to know Outputs sent to other parts of the network Inputs (instructions, programs) received Identity and locations of establishments which interact with the firm Extent and nature of monitoring and controlling activities exercised by on-net establishments Security measures to prevent unauthorised access and possible drug process sabotage ON THE REGULATORY SIDE OF THINGS, THE FDA REFERS TO A NEED TO KNOW:

25 References to Networks
FDA Guidance for Industry, FDA Reviewers and Compliance on Off-the-Shelf software use in Medical Devices (Sept. 1999) Requirements analysis for LANs Speed LAN Architecture Network Operating Systems Data Integrity Network Management and Security THERE ARE ALSO REQUIREMENTS WITHIN

26 Warning Letters and 483 Inspection Observations
The client/server system was never validated to ensure data could be correctly passed between the hardware and software environment in which the system operated There was no validation data to demonstrate that an authorised user of the corporate network have access to the analytical data on the laboratory network The firm did not monitor or keep track of changes to the hardware, application or operating system software changes THERE HAVE BEEN A NUMBER OF WARNING LETTERS SURROUNDING NETWORKS, THESE ARE JUST A FEW:

27 Regulatory Expectations for Networked Systems
Warning letters (Pharmacia 2001) referring to a bespoke networked application and an off-the-shelf networked application No revision control system Failure to update and maintain structural and functional diagrams and design descriptions Failure to update and maintain diagrams with text descriptions identifying interfaces to other network programs Inadequate standard operation procedures to ensure that records are included with validation documentation, maintained and updated when changes are made The (WAN) was not included in the validation efforts and therefore lacked adequate documentation controls THE FINAL ONE I WOULD LIKE TO LOOK AT IS:

28 Contact Details at ABB Life Sciences Group
David K Stephenson Senior Consultant ABB Ltd Belasis Hall Technology Park Billingham Cleveland, TS23 4YS Tel: +44 (0) Fax: +44 (0) Mob: +44 (0) THAT CONCLUDES MY TALK FOR TODAY, I WILL NOW TAKE ANY QUESTINS, AND IF YOU WOULD LIKE TO CONTACT ME IN THE FUTURE MY DETAILS ARE:

29

Download ppt "Infrastructure Qualification (What Is a Network?)"

Similar presentations

How to Validate a Vendor Purchased Application

How to Validate a Vendor Purchased Application
PRINCIPLES OF A CALIBRATION MANAGEMENT SYSTEM

PRINCIPLES OF A CALIBRATION MANAGEMENT SYSTEM
Radiopharmaceutical Production

Radiopharmaceutical Production
The New GMP Annex 11 and Chapter 4 Deadline for coming into operation: 30 June 2011.

The New GMP Annex 11 and Chapter 4 Deadline for coming into operation: 30 June 2011.
Audit of IT Systems SARQA / DKG Scandinavian Conference, October 2002, Copenhagen Sue Gregory.

Audit of IT Systems SARQA / DKG Scandinavian Conference, October 2002, Copenhagen Sue Gregory.
ITIL: Service Transition

ITIL: Service Transition
GLOBRIN Business Continuity Workshop TECHNOLOGY & INFORMATION 13 th November 2013 Graham Jack.

GLOBRIN Business Continuity Workshop TECHNOLOGY & INFORMATION 13 th November 2013 Graham Jack.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Session 6: Data Integrity and Inspection of e-Clinical Computerized Systems May 15, 2011 | Beijing, China Kim Nitahara Principal Consultant and CEO META.

Session 6: Data Integrity and Inspection of e-Clinical Computerized Systems May 15, 2011 | Beijing, China Kim Nitahara Principal Consultant and CEO META.
Computer Systems & Software

Computer Systems & Software
Welcome ISO9001:2000 Foundation Workshop.

Welcome ISO9001:2000 Foundation Workshop.
Www.methoda.com MethodGXP The Solution for the Confusion.

MethodGXP The Solution for the Confusion.
Introduction to ISO 15189 New and modified requirements.

Introduction to ISO New and modified requirements.
Term 2, 2011 Week 3. CONTENTS The physical design of a network Network diagrams People who develop and support networks Developing a network Supporting.

Term 2, 2011 Week 3. CONTENTS The physical design of a network Network diagrams People who develop and support networks Developing a network Supporting.
Evolving IT Framework Standards (Compliance and IT)

Evolving IT Framework Standards (Compliance and IT)
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
FDA Docket No. 2004N-0133 Themes for Renewal of 21 CFR Part 11 Rule & Guidance by Dr. Teri Stokes, GXP International www.GXPInternational.com.

FDA Docket No. 2004N-0133 Themes for Renewal of 21 CFR Part 11 Rule & Guidance by Dr. Teri Stokes, GXP International
David N. Wozei Systems Administrator, IT Auditor.

David N. Wozei Systems Administrator, IT Auditor.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Certification and Accreditation CS-7493-01 Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.

Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.

Similar presentations

Ads by Google