Upload
doanhuong
View
320
Download
2
Embed Size (px)
Citation preview
GAMP 5A Risk Based Approach toA Risk-Based Approach toCompliant GxPCompliant GxP Computerized SystemsStephen Shields8 October 2013ASQ O S ti M ti P t 2ASQ – Orange Section Meeting – Part 2
Disclaimer
• This presentation is made at the request of ASQ.
• The presenter is a full-time employee and stockholder of Allergan, Inc.
• The information provided and opinions expressed during this presentationThe information provided and opinions expressed during this presentation are those of the presenter and are not the position of and may not be attributed to Allergan, Inc.
Agenda
Operation Phase• Hanover• Service and Performance MonitoringService and Performance Monitoring• Incident Management and CAPA• Change Management• Periodic Review• Continuity Management• Security and System Administration• Record Management
Retirement Phase• Withdrawal• Decommissioning• Disposition
Operation Phase The approach and required activities should be selected and scaled
according to the nature, risk, and complexity of the system in question. The regulated company should ensure that appropriate operational
d d l h b i l t d dprocesses, procedures, and plans have been implemented, and are supported by appropriate training.
Compliance and fitness for intended use must be maintained throughout the systems operational lifesystems operational life.
The integrity of the system and its data should be maintained at all times and verified as part of periodic review.
Opportunities for process and system improvements should be sought Opportunities for process and system improvements should be sought based on periodic review and evaluation, operational and performance data, and root-cause analysis of failures (Incident Management and CAPA).
Change management should provide a dependable mechanism for prompt implementation of technically sound improvements following the approach to specification, design, and verification.
Operation Phase – Information Flows
Operation Phase - ProcessesProcess Group ProcessHandover Handover Process
Service Management and Performance Establishing and Managing Support ServicesMonitoring Performance Monitoring
Incident Management and CAPA Incident ManagementCAPA
Change Management Change ManagementConfiguration ManagementConfiguration ManagementRepair Activity
Audits and Review Periodic ReviewInternal Quality Audits
Continuity Management Backup and Restorey g pBusiness Continuity PlanningDisaster Recovery Planning
Security and System Administration Security ManagementSystems Administration
Records Management RetentionArchive and Retrieval
Training Training Management
Handover Handover is the process for transfer of responsibility of a
computerized system from a project team or a service group to a new service group.
Typical conditions for handover to business• Fit for Intended Use• Compliant• Trained Users• Operation Security & Roles Established• SOPs Effective (operational & support)• Unique Configuration Elements Established• Issues Closed/Resolved• Rollback Strategy
Handover Process
Service Management & Performance Monitoring
Maintaining a system in a state of compliance is often dependent upon services provided by organizationsdependent upon services provided by organizations outside the direct control of the system owner.
• A Service Level Agreement (SLA) establishes responsibilities between the IT Service Provider and the Customer.
• A Operating Level Agreement (OLA) defines the goods or Services to be provided to the IT Service Provider by another part of the same Organization and the responsibilities of both parties
• An Underpinning Contract (UC) defines targets and responsibilities of a Third Party to meet d S i L l T t i SLAagreed Service Level Targets in an SLA.
Where appropriate, performance of the system should be monitored to capture problems in a timely manner. It also may be possible to anticipate failure through the use of monitoring tools and techniques.
Support Services Process
Incident Management and CAPA
Incident Management process should address:
• Categorize incidents
CAPA process should address:
• Investigation understanding• Categorize incidents• Triage to the most appropriate
resource or complimentary process
• Investigation, understanding and correcting discrepancies based on root-cause analysis
• Preventing recurrence of p• Document• Review• Prioritization
gdiscrepancies
• Preventing occurrences of a possible/predicted di i
• Progress towards resolution• Escalation• Closure
discrepancies• Effectiveness
Change Management
Critical activity fundamental to maintaining the compliant status of systems and processes
• Software (including middleware) configuration hardware• Software (including middleware), configuration, hardware, infrastructure, or use of the system
• Reviewed to assess impact and risk of implementing the change• Suitably evaluated, authorized, documented, tested, and approvedSuitably evaluated, authorized, documented, tested, and approved
before implementation, and subsequently closed• Scaled based on the nature, risk, and complexity of the change• Continuous process and system improvements based on periodic p y p p
review and evaluation, operational and performance data, and root-cause analysis of failures.
• Emergency changes performed change management process or repair SOPSOPs
Periodic Review
Verify system remain compliant with regulatory requirements, fit for intended use, and meet company policies and procedurespolicies and procedures.
• Interval appropriate to the impact and operation history of the system• Pre-defined process• Documented with corrective actions tracked to satisfactory completion• Documented with corrective actions tracked to satisfactory completion
Continuity Management Backup and Restoration
• software, records, and data are made, maintained, and retained for a defined period within safe and secure areas
• Restore procedures should be established, tested, and the results of that testing documented
Business Continuity Planningy g• Plans established and exercised to ensure the timely and effective
resumption of these critical business processes and systems
Disaster Recovery Planning Disaster Recovery Planning• Details the precautions taken to minimize the effects of a disaster,
allowing the organization to either maintain or quickly resume critical functions (focus on disaster prevention).( p )
Security and System Administration
Adequately protected against willful or accidental loss, damage, or unauthorized change
• Procedures for managing secure access including adding and• Procedures for managing secure access, including adding and removing privileges for authorized users, malware management, password management, and physical security measures
• Role-based securityy• Apply to all users, including administrators, super-users, users, and
support staff (including supplier support staff)• Procedures for administrative support for systems
Record Management
Records must be maintained and accessible throughout their retention period
• Establish policies for retention of regulated records• Retain data on-line or archive• Establish procedures for archival and retrieval
Retirement Phase
Systematic process of permanently removing a system from use
• Withdrawal system decommissioning system disposal and migration• Withdrawal, system decommissioning, system disposal, and migration of required data
• Withdraw the system from active operations, i.e., users are deactivated, interfaces disabled. No data should be added to the system from this ypoint forward. Special access should be retained for data reporting, results analysis and support.
• Decommission the system• Determine disposition of data, documentation, software, and hardware
(permanently destroyed, re-tasked, archived, migrated).
Questions?
Stephen ShieldsWWQA DirectorWWQA DirectorComputerized System Compliance and Quality
All IAllergan, [email protected]