Barqa Edinburgh Final

Post on 22-Jan-2015

1. IT Infrastructure Quality & Control
David K. Stephenson, Life Sciences S.M.E., CTG UK Ltd
Copyright CTG, Inc. 20/10/2010

2. Agenda
- Why Qualify IT Infrastructure
- Risk Assessment
- Regulatory, Business Expectations and IT Governance
- Ongoing Compliance
- Conclusions

3. Why Qualify IT Infrastructure? (section title)

4. Why Qualify Infrastructure?
Is it because:
- Everyone in my industry is doing it
- Fear of an upcoming regulatory inspection
- We want to get control over our Infrastructure
There is probably a little of all these in our reasoning, but we must also consider the question: how can we consider a system to be validated if we are not confident that we have control of the infrastructure on which it runs?
(GAMP GPG: IT Infrastructure Control & Compliance)

5. Regulatory Issue
- 21 CFR 11 only mentions systems, never applications. This means that the whole of the computerised system is encompassed by the regulation, and this includes:
  - Network components
  - Applicable infrastructure support functions such as backup etc.
  - Desktop
  - Utilities and tools necessary to operate the application
  - GxP Application (currently the main focus of validation and inspection activity)
- The operation of the whole system is now impacted; however, not all IS departments may appreciate the situation.

6. Regulatory Issue (cont.)
- No direct mention of networks or network infrastructure in regulations or guidance.
- Similarly, industry guidelines such as the Good Automated Manufacturing Practice guidelines concentrate on the application.
- Emphasis is changing: Network Infrastructure, and the IT departments that operate it on behalf of the users, are now under regulatory scrutiny, and this can open a black hole in many organisations.
"Networks used in a GMP environment should be Validated." George Smith, FDA, September 2003

7. Qualification v Validation
Infrastructure is treated differently to applications:
- A validated application is static; the IT infrastructure is dynamic (CSV methodology is too slow)
- IT infrastructure contains a large number of identical platforms; validation occurs for one specific application
- Most IT infrastructure components do not have a direct GxP impact
- Focus for IT infrastructure is controlled operation rather than fitness for use

8. 10 Aspects Of Qualification
- Qualification Planning & Execution
- Procedures
- Qualification Documentation
- Security (Logical & Physical)
- Acceptance Testing
- Training of Support Personnel
- Network Recovery
- Support Documentation
- Change Control
- Periodic Review

9. Top Ten Deficiencies
- Security (Logical & Physical)
- Testing and Qualification
- Change Control/Management
- Operating Procedures
- Hardware, Equipment Records, and Maintenance
- Training, Education, and Experience
- Development Methodology
- Qualification Methodology and Planning
- Quality Assurance and Auditing
- Electronic Records, Electronic Signatures

10. Risk Assessment (section title)

11. Risk Assessment
Risk Assessment can be considered to comprise two phases:
- Risk Analysis: provides clarity of the boundaries of the infrastructure being analysed and reviews the history of the threats (hazards) and vulnerabilities in light of the potential impact on the company
- Risk Evaluation: determines whether the identified risk is acceptable to the company, taking into account all of the identified factors

12. Risk Assessment Method (GAMP 5)
- Aims to establish controls such that the combination of severity, probability of occurrence and detectability of failures is reduced to an acceptable level
- There is a two-stage approach for the identification of each hazard:
  - A Risk Class is produced by plotting the severity of impact on patient safety, product quality and data integrity against the likelihood of failure
  - A Risk Priority is determined by plotting the Risk Class against the likelihood of detection before harm occurs
- The Risk Priority is then used to focus attention and resources where they are best utilised

13. Risk Assessment Method (cont.)
[Diagram slide: no text extracted]

14. Risk Assessment (cont.)
- Once a Risk Priority has been assigned to a particular action or piece of equipment, it should be evaluated to ensure it is acceptable to the company
- If not, some level of remediation will be required, and the risk assessment should be re-evaluated following this work
- The results of the Risk Assessment, including any assumptions, should be documented

15. Risk Assessment (cont.): Example Of An Infrastructure Risk Assessment

| Risk Hazard | Risk Scenario | Impact | Likelihood of Occurrence | Detectability | Risk Priority | Controls |
| Loss of physical connection | Loss of function | High | Medium | High | Medium | Network Diagrams/Records; Management Processes |
| Component Failure | Performance degradation or network disruption | High | Low | High | Low | Configuration management |
| Network Diagrams not maintained | Loss of time in network recovery following a disaster | High | Med | Med | High | Document control; Configuration management; Periodic review |

16. Risk Due To Infrastructure
- Most standard network components now have some form of error detection mechanism (e.g. Collision Detection at the Ethernet level, datagram checksums on TCP/IP, etc.).
- While the correct function of any infrastructure will be largely undetectable to human eyes, these built-in detection mechanisms make it extremely unlikely that an error will be propagated by the infrastructure without its detection.
- In the event of a significant infrastructure failure, the applications that utilise the infrastructure will typically either report the fault or completely fail, so the failure would not go undetected.
- This therefore represents a low system vulnerability.

17. Regulatory, Business Expectations & IT Governance (section title)

18. Regulatory Expectations
- You should understand and be compliant with the multi-national regulations applicable to your operation and your job function, in addition to your professional technical, managerial, and business skills.
- Once aware and trained (including self study) in GxP and validation methodology, it is expected that you comply with the applicable regulations at all times, including where you are responsible for sign-off of validation tasks
- As with any quality driven process, you are also expected to help identify the training you need to fulfil designated tasks in the regulated environment

19. Regulatory Expectations (cont.)
- The validated status of GxP applications that are dependent upon an underlying IT Infrastructure is compromised if that IT Infrastructure is not maintained in a demonstrable state of control and regulatory compliance
- The Infrastructure should be brought into initial compliance with the company's established standards through a planned qualification process building upon acknowledged IT practices

20. Business Expectations
- Cost Effective Solution
- Pragmatic Qualification
- Control Over Processes
- Control Over Procedures
- Control Over People
- Increased Control Of Data: Confidentiality, Integrity, Availability
- Confidence In Regulatory Inspections
- Adherence To Best Practice

21. IT Governance: CoBIT (cont.)
CoBIT supports IT Governance by providing a framework which can ensure that:
- The IT strategy is aligned with the business
- IT acts as an enabler for the business and maximises its benefits
- IT resources are utilised both responsibly and effectively
- IT risks are managed and mitigated appropriately

22. IT Governance: IT Infrastructure Library
- ITIL is a Best Practice Framework, integrated into OGC and BSI guidance
- ITIL Philosophy: scalable, process-driven approach
- Key Objective 1: align IT services with the current and future needs of the business and its customers
- Key Objective 2: improve the quality of the services delivered
- Key Objective 3: reduce the long-term cost of service provision

23. How It All Fits Together
[Diagram slide] Drivers: Conformance (FDA Regs, MHRA, SOX etc.) and Performance (Business Goals); IT Governance: COBIT; Best Practice Standards: ISO 9001:2000, ISO 27001, ISO 20000; Processes and Procedures: QA Principles, Security, ITIL Procedures

24. Common Areas
- A framework of best practice
- Infrastructure in control: control over processes, control over procedures, control over people
- Support of regulatory compliance
- Clear policy development and implementation of good practice for IT control within an organisation
- Aligns IT services with the current and future needs of the business and its customers

25. Pragmatic Infrastructure Qualification (section title)

26. Methodology
- We must define the infrastructure clearly, taking into consideration the scope of the formal infrastructure qualification. This can have many approaches:
  - Partition the infrastructure into Regulated and non-Regulated critical components; qualify only the Regulated components and use good IT practices to commission and maintain the non-Regulated components
  - Take a blanket approach and qualify all components
  - Apply a Risk Based Assessment
- We can categorise infrastructure into component types based on the service or function they provide within the infrastructure (components of the same type should require the same qualification activities)

27. Types Of Qualification
- Green field site, where we are creating the infrastructure from new and will adopt prospective qualification
- A working site, where the infrastructure is already in situ and we need to adopt retrospective qualification
- A combination of the two

28. Prospective
- Produce a URS to tender
- Receive FDS
- Produce a Qualification Plan (including Risk assessment and supplier assessments)
- Produce IQ Protocols, Produce OQ Protocols
- Produce a Requirements Traceability Matrix
- Produce Standard Operating Procedures
- Execute IQ & OQ
- Produce IQ Reports, Produce OQ Reports
- Produce a Qualification Summary Report
- Possible PIR

29. Prospective Qualification Deliverables
[Diagram slide: traceability from URS and FDS, with the Qualification Plan (Risk Assessment, Supplier Assessment), through IQ Protocol / IQ Report and OQ Protocol / OQ Report per component, to the Qualification Summary Report]

30. Typical Component Qualification Activities (Prospective)
[Diagram slide] Initial Qualification: User Requirements Specification, System Specification, Qualification Plan, Installation/Operational Qualification, Qualification Report. Subsequent Qualification (Fast Track): Configuration Specification, Reduced IQ/OQ & Report. Ongoing Compliance: Change Control / Periodic Review.

31. Retrospective
- Carry out a Site Survey
- Produce a Gap Analysis
- Produce a Remediation Plan (including Qualification Plan)
- Produce IQ/OQ Protocols
- Produce an As-Built Specification for the whole Network Infrastructure
- Produce a Requirements Traceability Matrix
- Produce Standard Operating Procedures
- Produce IQ/OQ Reports for the executed Protocols
- Produce a Qualification Summary Report

32. Retrospective Qualification Deliverables
[Diagram slide: traceability from Site Survey and Gap Analysis, through Remediation Plan and Qualification Plan, IQ Protocol / IQ Report and OQ Protocol / OQ Report per component, to the Qualification Summary Report]

33. Typical Component Qualification Activities (Retrospective)
[Diagram slide] Initial Qualification: Experience Report, As-Built Specification, Qualification Plan, Installation/Operational Qualification, Qualification Report. Subsequent Qualification (Fast Track): Configuration Specification, Reduced IQ/OQ & Report. Ongoing Compliance: Change Control / Periodic Review.

34. Benefits of Infrastructure Qualification
- Control over processes
- Increased integrity of data
- Confidence in regulatory inspections
- Transparent view of the infrastructure and how it functions
- Ease of management and upgrades
- Procedures available to all IT staff
- Adherence to best practice
- Reduction in duplication of duties

35. Ongoing Compliance (section title)

36. Periodic Review And Critical Processes
- All critical activities should be included in a Periodic Review Strategy:
  - Initial Qualification Activities
  - On-going maintenance and support activities
- Periodic Reviews can be conducted internally, but FDA inspection observations have set an expectation that the independent Quality group should play an appropriate oversight role

37. Periodic Review And Critical Processes (cont.)
- Policies should define appropriate roles for IT and Quality
- Processes and Procedures should be interlinked, with defined roles, e.g. Disaster Recovery relies on Configuration Management, which is related to Change Control
- There should be a consistent set of processes

38. Documentation: A Warning!
- As with everything else in the Regulatory world, documentation is key
- Infrastructure Qualification can simply be considered as documented Good IT Practice
- Most organisations know the right things to do
- Most organisations are doing them
- Not all organisations have documented them

39. SOPs
- General Management
- Data Centre Management
- Platform Management
- Server Management
- Network Management
- Client...
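As an added worked example (not part of the presentation), the two-stage GAMP 5 scoring from slides 12 to 14 applied to the three hazards of the slide 15 table, followed by the re-evaluation after remediation that slide 14 asks for. The two scoring matrices are my reading of the GAMP 5 guide and the "acceptable" threshold is an assumption; neither appears on the slides.

```python
# Added example: GAMP 5 two-stage risk prioritisation (slides 12-15).
# The two matrices are my reading of the GAMP 5 method, not taken from the slides.

# Stage 1: Risk Class from severity of impact vs probability of occurrence.
RISK_CLASS = {  # (severity, probability) -> class 1 (highest) .. 3 (lowest)
    ("High", "High"): 1, ("High", "Medium"): 1, ("High", "Low"): 2,
    ("Medium", "High"): 1, ("Medium", "Medium"): 2, ("Medium", "Low"): 3,
    ("Low", "High"): 2, ("Low", "Medium"): 3, ("Low", "Low"): 3,
}

# Stage 2: Risk Priority from Risk Class vs likelihood of detection before harm.
RISK_PRIORITY = {  # (class, detectability) -> priority
    (1, "Low"): "High", (1, "Medium"): "High", (1, "High"): "Medium",
    (2, "Low"): "High", (2, "Medium"): "Medium", (2, "High"): "Low",
    (3, "Low"): "Medium", (3, "Medium"): "Low", (3, "High"): "Low",
}

def normalise(level: str) -> str:
    """Accept the slide's abbreviation "Med" as well as the full words."""
    table = {"med": "Medium", "medium": "Medium", "high": "High", "low": "Low"}
    return table[level.strip().lower()]

def risk_priority(severity, probability, detectability):
    """Return (risk_class, risk_priority) for one hazard."""
    risk_class = RISK_CLASS[(normalise(severity), normalise(probability))]
    return risk_class, RISK_PRIORITY[(risk_class, normalise(detectability))]

# Constructed from the slide 15 table: (hazard, impact, likelihood, detectability).
HAZARDS = [
    ("Loss of physical connection", "High", "Medium", "High"),
    ("Component failure", "High", "Low", "High"),
    ("Network diagrams not maintained", "High", "Med", "Med"),
]

def assess(hazards, acceptable=("Low", "Medium")):
    """Return {hazard: (class, priority, needs_remediation)}; threshold is an assumption."""
    out = {}
    for name, sev, prob, det in hazards:
        cls, pri = risk_priority(sev, prob, det)
        out[name] = (cls, pri, pri not in acceptable)
    return out

def reassess_with_control(hazard, new_detectability):
    """Slide 14: re-evaluate after a control that improves detection (e.g. periodic review)."""
    name, sev, prob, _ = hazard
    return risk_priority(sev, prob, new_detectability)[1]

if __name__ == "__main__":
    for name, (cls, pri, fix) in assess(HAZARDS).items():
        print(f"{name}: class {cls}, priority {pri}, remediate={fix}")
    print("after periodic review:", reassess_with_control(HAZARDS[2], "High"))
```

Run as written, the three hazards reproduce the Medium / Low / High priorities on slide 15, and raising the detectability of the unmaintained-diagrams hazard to High drops its priority from High to Medium.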