barqa edinburgh final


Upload: david-stephenson

Post on 22-Jan-2015


Page 1: Barqa Edinburgh Final

Copyright © CTG, Inc.

IT Infrastructure Quality & Control

David. K . Stephenson

Life Sciences S.M.E.

CTG UK Ltd

Copyright © CTG, Inc. IT Infrastructure Quality & Control, 20/10/2010

Agenda

Why Qualify IT Infrastructure

Risk Assessment

Regulatory, Business Expectations And IT Governance

Ongoing Compliance

Conclusions


Why Qualify IT Infrastructure?


Why Qualify Infrastructure?

Is it because:

Everyone in my industry is doing it

Fear of an upcoming regulatory inspection

We want to get control over our Infrastructure

There is probably a little of all these in our reasoning, but we must also consider the question:

“How can we consider a system to be validated if we are not confident that we have control of the infrastructure on which it runs?”

GAMP GPG IT Infrastructure Control & Compliance


Regulatory Issue

21 CFR 11 only mentions systems, never applications. This means that the whole of the computerised system is encompassed by the regulation, and this includes:

Network components

Applicable infrastructure support functions such as backup, etc.

Desktop

Utilities and tools necessary to operate the application

GXP Application (currently the main focus of validation and inspection activity)

The operation of the whole system is now impacted; however, not all IS departments may appreciate the situation.


Regulatory Issue (Cont)

No direct mention of networks or network infrastructure in regulations or guidance.

Similarly, industry guidelines, such as the Good Automated Manufacturing Practice guidelines, concentrate on the application.

The emphasis is changing: network infrastructure, and the IT departments that operate it on behalf of the users, are now under regulatory scrutiny, and this can open a black hole in many organisations.

“Networks used in a GMP environment should be Validated.” George Smith, FDA, September 2003


Qualification v Validation

Infrastructure is treated differently to applications:

A validated application is static; the IT infrastructure is dynamic (CSV methodology is too slow)

IT infrastructure contains a large number of identical platforms; validation occurs for one specific application

Most IT infrastructure components do not have a direct GxP impact

Focus for IT infrastructure is controlled operation rather than fitness for use


10 Aspects Of Qualification

Qualification Planning & Execution

Procedures

Qualification Documentation

Security (Logical & Physical)

Acceptance Testing

Training of Support Personnel

Network Recovery

Support Documentation

Change Control

Periodic Review


“Top Ten” Deficiencies

Security (Logical & Physical)

Testing and Qualification

Change Control/Management

Operating Procedures

Hardware, Equipment Records, and Maintenance

Training, Education, and Experience

Development Methodology

Qualification Methodology and Planning

Quality Assurance and Auditing

Electronic Records, Electronic Signatures


Risk Assessment


Risk Assessment

Risk Assessment can be considered to comprise two phases:

Risk Analysis

Provides clarity of the boundaries of the infrastructure being analysed and reviews the history of the threats (hazards) and vulnerabilities in light of the potential impact on the company

Risk Evaluation

Determines whether the identified risk is acceptable to the company, taking into account all of the identified factors


Risk Assessment Method (GAMP 5)

“Aims to establish controls such that the combination of severity, probability of occurrence and detectability of failures is reduced to an acceptable level”

There is a two-stage approach for the identification of each hazard:

A Risk Class is produced, by plotting the severity of impact on patient safety, product quality and data integrity against the likelihood of failure

A Risk Priority is determined by plotting the Risk Class against the likelihood of detection before harm occurs

The Risk Priority is then used to focus attention and resources to where they are best utilised


Risk Assessment Method cont


Risk Assessment cont

Once a Risk Priority has been assigned to a particular action or piece of equipment, it should be evaluated to ensure it is acceptable to the company

If not, some level of remediation will be required, and the risk assessment should be re-evaluated following this work

The results of the Risk Assessment, including any assumptions, should be documented


Risk Assessment cont

Example Of An Infrastructure Risk Assessment

Hazard | Risk Scenario | Impact | Likelihood of Occurrence | Detectability | Risk Priority | Controls

Loss of physical connection | Loss of function | High | Medium | High | Medium | Network Diagrams/Records

Component Failure | Performance degradation or network disruption | High | Low | High | Low | Configuration management

Management Processes / Network Diagrams not maintained | Loss of time in network recovery following a disaster | High | Med | Med | High | Document control; Configuration management; Periodic review


Risk Due To Infrastructure

Most standard network components now have some form of error detection mechanism (e.g. Collision Detection at the Ethernet level, datagram checksums on TCP/IP, etc.).

While the correct function of any infrastructure will be largely undetectable to human eyes, these built-in detection mechanisms will make it extremely unlikely that an error will be propagated by the infrastructure without its detection.

In the event of a significant infrastructure failure, the applications that utilise the infrastructure will typically either report the fault or completely fail, so the failure would not go undetected.

This therefore represents a low system vulnerability.


Regulatory, Business Expectations & IT Governance


Regulatory Expectations

You should understand and be compliant with the multi-national regulations applicable to your operation and your job function

In addition to your professional technical, managerial, and business skills, once aware and trained (including self-study) in GxP and validation methodology, it is expected that you comply with the applicable regulations at all times, including where you are responsible for “sign-off” of validation tasks

As with any quality driven process, you are also expected to help identify the training you need to fulfil designated tasks in the regulated environment


Regulatory Expectations cont

“The validated status of GxP applications that are dependent upon an underlying IT Infrastructure is compromised if that IT Infrastructure is not maintained in a demonstrable state of control and regulatory compliance”

“The Infrastructure should be brought into initial compliance with the company’s established standards through a planned qualification process building upon acknowledged IT practices”


Business Expectations

Cost Effective Solution

Pragmatic Qualification

Control Over Processes

Control Over Procedures

Control Over People

Increased Control Of Data

Confidentiality

Integrity

Availability

Confidence In Regulatory Inspections

Adherence To Best Practice


IT Governance CoBIT cont

CoBIT supports IT Governance by providing a framework, which can ensure that:

The IT strategy is aligned with the business

IT acts as an enabler for the business and maximises its benefits

IT resources are utilised both responsibly and effectively

IT risks are managed and mitigated appropriately


IT Governance IT Infrastructure Library

ITIL is a Best Practice Framework

Integrated into OGC and BSI guidance

ITIL Philosophy – Scalable, process-driven approach

Key Objective 1

Align IT services with the Current and Future needs of the business and its Customers

Key Objective 2

To improve Quality of the services delivered

Key Objective 3

Reduce long term Cost of service provision


How It All Fits Together

[Figure: Drivers: PERFORMANCE (Business Goals) and CONFORMANCE (FDA Reg’s, MHRA, SOX etc.); IT Governance: COBIT; Best Practice Standards: ISO 9001:2000, ISO 27001, ISO 20000; Processes and Procedures: QA Procedures, Security Principles, ITIL]


Common Areas

A framework of best practice

Infrastructure In Control

Control Over Processes

Control Over Procedures

Control Over People

Support of Regulatory Compliance

Clear policy development and implementation of good practice for IT control within an organisation

Aligns IT services with the current and future needs of the business and its Customers


Pragmatic Infrastructure Qualification


Methodology

We must define the infrastructure clearly, taking into consideration the scope of the formal infrastructure qualification. This can have many approaches:

Partition the infrastructure into Regulated and non-Regulated critical components.

Qualify only the Regulated components and use good IT practices to commission and maintain the non-Regulated components

Take a blanket approach and qualify all components

Apply a Risk Based Assessment

We can categorise infrastructure into component types based on the service or function they provide within the infrastructure (components of the same type should require the same qualification activities)


Types Of Qualification

Green field site, where we are creating the infrastructure from new and will adopt prospective qualification

A working site, where the infrastructure is already in situ and we need to adopt retrospective qualification

A combination of the two


Prospective

• Produce a URS to tender

• Receive FDS

• Produce a Qualification Plan (including Risk assessment and supplier assessments)

• Produce IQ Protocols

• Produce OQ Protocols

• Produce a Requirements Traceability Matrix

• Produce Standard Operating Procedures

• Execute IQ & OQ

• Produce IQ Reports

• Produce OQ Reports

• Produce a Qualification Summary Report

• Possible PIR


Prospective Qualification Deliverables

[Figure: deliverables linked by TRACEABILITY: URS, FDS, Qualification Plan, Risk Assessment, Supplier Assessment, IQ Protocols, OQ Protocols, IQ Reports, OQ Reports, Qualification Summary Report]


Typical Component Qualification Activities (Prospective)

[Figure: phases shown: Initial Qualification, Subsequent Qualification (Fast Track), Ongoing Compliance. Activities shown: User Requirements Specification, System Specification, Qualification Plan, Installation/Operational Qualification, Qualification Report, Configuration Specification, Reduced IQ/OQ & Report, Change Control/Periodic Review]


Retrospective

Carry out a Site Survey

Produce a Gap Analysis

Produce a Remediation Plan (Including Qualification Plan)

Produce IQ/OQ Protocols

Produce an As-Built Specification for the whole Network Infrastructure

Produce a Requirements Traceability Matrix

Produce Standard Operating Procedures

Produce IQ/OQ Reports for the executed Protocols

Produce a Qualification Summary Report


Retrospective Qualification Deliverables

[Figure: deliverables linked by TRACEABILITY: Site Survey, Gap Analysis, Remediation Plan, Qualification Plan, IQ Protocols, OQ Protocols, IQ Reports, OQ Reports, Qualification Summary Report]


Typical Component Qualification Activities (Retrospective)

[Figure: phases shown: Initial Qualification, Subsequent Qualification (Fast Track), Ongoing Compliance. Activities shown: As-Built Specification, Qualification Plan, Installation/Operational Qualification, Qualification Report, Configuration Specification, Reduced IQ/OQ & Report, Change Control/Periodic Review, Experience Report]


Benefits of Infrastructure Qualification

Control over processes

Increased Integrity of data

Confidence in Regulatory Inspections

Transparent view of the infrastructure and how it functions

Ease of management and upgrades

Procedures available to all IT staff

Adherence to best practice

Reduction in duplication of duties


Ongoing Compliance


Periodic Review And Critical Processes

All critical activities should be included in a Periodic Review Strategy

Initial Qualification Activities

On-going maintenance and support activities

Periodic Reviews can be conducted internally, but FDA inspection observations have set an expectation that the independent Quality group should play an appropriate oversight role


Periodic Review And Critical Processes cont

Policies should define appropriate roles for IT and Quality

Processes and Procedures should be interlinked, with defined roles

i.e. Disaster Recovery relies on Configuration Management, which is related to Change Control

There should be a consistent set of processes


Documentation: A Warning!

As with everything else in the Regulatory world, documentation is key

Infrastructure Qualification can simply be considered as documented Good IT Practice

Most organisations know the right things to do

Most organisations are doing them

Not all organisations have documented them


SOPs

General Management

Data Centre Management

Platform Management

Server Management

Network Management

Client Management

Security Management

Data Management

Quality Management

Continuity Management


Conclusions


Conclusions

We can achieve and maintain a pragmatic qualification of IT Infrastructure, which meets both Regulatory and Business requirements, by:

Adopting a Risk Based Approach to Qualification

Adopting and implementing a best practice framework (CoBIT, ITIL)

Introducing a systematic approach to the initial qualification of components, based on their use and criticality

Introducing an ongoing approach to the qualification of components, based on the previous testing of their type

Introducing an ongoing compliance program


Review

Why Qualify IT Infrastructure

Risk Assessment

Regulatory, Business Expectations And IT Governance

Ongoing Compliance

Conclusions


Thank You!

Questions/Comments


+44(0)7891 343814

+44(0)118 931 0249