barqa edinburgh final
Copyright © CTG, Inc.
IT Infrastructure Quality & Control
David K. Stephenson
Life Sciences S.M.E.
CTG UK Ltd
20/10/2010
Agenda
Why Qualify IT Infrastructure
Risk Assessment
Regulatory, Business Expectations And IT Governance
Ongoing Compliance
Conclusions
Why Qualify IT Infrastructure?
Why Qualify Infrastructure?
Is it because:
Everyone in my industry is doing it
Fear of an upcoming regulatory inspection
We want to get control over our Infrastructure
There is probably a little of all these in our reasoning, but we must also consider the question:
“How can we consider a system to be validated if we are not confident that we have control of the infrastructure on which it runs?”
GAMP GPG IT Infrastructure Control & Compliance
Regulatory Issue
21 CFR 11 only mentions systems, never applications. This means that the whole of the computerised system is encompassed by the regulation, and this includes:
Network components
Applicable infrastructure support functions such as backup etc
Desktop
Utilities and tools necessary to operate the application
GXP Application (currently the main focus of validation and inspection activity)
The operation of the whole system is now impacted; however, not all IS departments may appreciate the situation.
Regulatory Issue (Cont)
No direct mention of networks or network infrastructure in regulations or guidance.
Similarly, industry guidelines such as the Good Automated Manufacturing Practice guidelines, concentrate on the application.
Emphasis is changing: network infrastructure, and the IT departments that operate it on behalf of the users, are now under regulatory scrutiny, and this can open a black hole in many organisations.
“Networks used in a GMP environment should be validated.” George Smith, FDA, September 2003
Qualification v Validation
Infrastructure is treated differently to applications:
A validated application is static; the IT infrastructure is dynamic (CSV methodology is too slow)
IT infrastructure contains a large number of identical platforms; validation occurs for one specific application
Most IT infrastructure components do not have a direct GxP impact
Focus for IT infrastructure is controlled operation rather than fitness for use
10 Aspects Of Qualification
Qualification Planning & Execution
Procedures
Qualification Documentation
Security (Logical & Physical)
Acceptance Testing
Training of Support Personnel
Network Recovery
Support Documentation
Change Control
Periodic Review
“Top Ten” Deficiencies
Security (Logical & Physical)
Testing and Qualification
Change Control/Management
Operating Procedures
Hardware, Equipment Records, and Maintenance
Training Education, and Experience
Development Methodology
Qualification Methodology and Planning
Quality Assurance and Auditing
Electronic Records, Electronic Signatures
Risk Assessment
Risk Assessment
Risk Assessment can be considered to comprise two phases:
Risk Analysis
Provides clarity of the boundaries of the infrastructure being analysed and reviews the history of the threats (hazards) and vulnerabilities in light of the potential impact on the company
Risk Evaluation
Determines whether the identified risk is acceptable to the company, taking into account all of the identified factors
Risk Assessment Method (GAMP 5)
“Aims to establish controls such that the combination of severity, probability of occurrence and detectability of failures is reduced to an acceptable level”
There is a two-stage approach for each identified hazard:
A Risk Class is produced, by plotting the severity of impact on patient safety, product quality and data integrity against the likelihood of failure
A Risk Priority is determined by plotting the Risk class against the likelihood of detection before harm occurs
The Risk Priority is then used to focus attention and resources to where they are best utilised
Risk Assessment Method cont
Risk Assessment cont
Once a Risk Priority has been assigned to a particular action or piece of equipment, it should be evaluated to ensure it is acceptable to the company
If not, some level of remediation will be required, and the risk assessment should be re-evaluated following this work
The results of the Risk Assessment, including any assumptions should be documented
Risk Assessment cont
Example Of An Infrastructure Risk Assessment
Hazard | Risk Scenario | Impact | Likelihood of Occurrence | Detectability | Risk Priority | Controls
Loss of physical connection | Loss of function | High | Medium | High | Medium | Network Diagrams/Records
Component Failure | Performance degradation or network disruption | High | Low | High | Low | Configuration management
Network Diagrams not maintained (Management Processes) | Loss of time in network recovery following a disaster | High | Med | Med | High | Document control; Configuration management; Periodic review
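The two-stage method from the Risk Assessment Method slide (Risk Class from severity against likelihood, then Risk Priority from Risk Class against detectability), applied to the three rows of the example table above. This is an added example, not part of the original deck. The two lookup matrices are the ones widely reproduced from GAMP 5 Appendix M3 and are an assumption here; the acceptance threshold (only Low priority accepted without remediation) is a hypothetical company policy. With these matrices the code reproduces the Risk Priority column of the table.

```python
"""Two-stage GAMP 5 style risk assessment: Risk Class, then Risk Priority.

Added example, not from the slides. The two lookup matrices are the ones
widely reproduced from GAMP 5 Appendix M3 and are an assumption here; the
only check offered is that they reproduce the slide's example table.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")

# Stage 1: severity of impact (outer key) x likelihood of occurrence (inner key)
# -> Risk Class 1 (highest) to 3 (lowest).
RISK_CLASS = {
    "High":   {"High": 1, "Medium": 1, "Low": 2},
    "Medium": {"High": 1, "Medium": 2, "Low": 3},
    "Low":    {"High": 2, "Medium": 3, "Low": 3},
}

# Stage 2: Risk Class (outer key) x likelihood of detection before harm occurs
# (inner key) -> Risk Priority. Poor detectability raises the priority.
RISK_PRIORITY = {
    1: {"Low": "High",   "Medium": "High",   "High": "Medium"},
    2: {"Low": "High",   "Medium": "Medium", "High": "Low"},
    3: {"Low": "Medium", "Medium": "Low",    "High": "Low"},
}


@dataclass(frozen=True)
class Hazard:
    name: str
    scenario: str
    impact: str          # severity of impact on patient safety, product quality, data integrity
    likelihood: str      # likelihood of occurrence
    detectability: str   # likelihood of detection before harm occurs
    controls: tuple      # existing or proposed controls


def normalise(level: str) -> str:
    """Map the slide's abbreviations ('Med') onto the canonical level names."""
    aliases = {"low": "Low", "med": "Medium", "medium": "Medium", "high": "High"}
    key = level.strip().lower()
    if key not in aliases:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return aliases[key]


def risk_class(impact: str, likelihood: str) -> int:
    return RISK_CLASS[normalise(impact)][normalise(likelihood)]


def risk_priority(impact: str, likelihood: str, detectability: str) -> str:
    return RISK_PRIORITY[risk_class(impact, likelihood)][normalise(detectability)]


def assess(hazards, acceptable=("Low",)):
    """Score each hazard and flag those whose priority the company does not accept.

    'acceptable' is the (hypothetical) company acceptance threshold. Rows come
    back with the highest priority first, the order in which to spend effort.
    """
    order = {"High": 0, "Medium": 1, "Low": 2}
    rows = []
    for h in hazards:
        priority = risk_priority(h.impact, h.likelihood, h.detectability)
        rows.append({
            "hazard": h.name,
            "class": risk_class(h.impact, h.likelihood),
            "priority": priority,
            "remediate": priority not in acceptable,
            "controls": h.controls,
        })
    rows.sort(key=lambda r: order[r["priority"]])  # stable sort keeps table order within a level
    return rows


# Constructed input: the three rows of the slide's example table.
SLIDE_TABLE = [
    Hazard("Loss of physical connection", "Loss of function",
           "High", "Medium", "High", ("Network Diagrams/Records",)),
    Hazard("Component Failure", "Performance degradation or network disruption",
           "High", "Low", "High", ("Configuration management",)),
    Hazard("Network Diagrams not maintained",
           "Loss of time in network recovery following a disaster",
           "High", "Med", "Med",
           ("Document control", "Configuration management", "Periodic review")),
]

if __name__ == "__main__":
    for row in assess(SLIDE_TABLE):
        flag = "REMEDIATE" if row["remediate"] else "accept"
        print(f"{row['priority']:6} (class {row['class']})  {row['hazard']}: {flag}")
```

The matrices are data, not code, so when a company adopts its own severity or detectability scales only the two dictionaries change; the re-evaluation after remediation that the next slide calls for is simply a second `assess` run with the updated likelihood or detectability for the hazard.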
Risk Due To Infrastructure
Most standard network components now have some form of error detection mechanism (e.g. collision detection at the Ethernet level, datagram checksums on TCP/IP, etc.).
While the correct function of any infrastructure will be largely undetectable to human eyes, these built-in detection mechanisms will make it extremely unlikely that an error will be propagated by the infrastructure without its detection.
In the event of a significant infrastructure failure, the applications that utilise the infrastructure will typically either report the fault or completely fail, so the failure would not go undetected.
This therefore represents a low system vulnerability.
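The built-in detection the slide relies on is cheap but not exhaustive, which is why the application-level reporting mentioned above still matters. As an added example that is not from the slides, here is the RFC 1071 Internet checksum used by IPv4, TCP and UDP, run over a constructed IPv4 header: a single flipped bit is always caught, but swapping two 16-bit words is not, because a one's-complement sum does not depend on word order. The header bytes and addresses are constructed, not captured.

```python
"""RFC 1071 Internet checksum, as used by IPv4, TCP and UDP, and its limits.

Added example, not from the slides. The IPv4 header below is constructed,
not captured from a network.
"""
import struct


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of the 16-bit big-endian words, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # RFC 1071: pad an odd-length buffer with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: bytes, dst: bytes, payload_len: int,
                      ttl: int = 64, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0, src, dst)
    csum = internet_checksum(hdr)  # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def header_is_valid(hdr: bytes) -> bool:
    """A correct header, checksum field included, sums to 0xFFFF, so its complement is 0."""
    return internet_checksum(hdr) == 0


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Corrupt one bit (a typical line error); always caught by the checksum."""
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (7 - bit_index % 8)
    return bytes(b)


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Swap the i-th and j-th 16-bit words. Addition is commutative, so the
    one's-complement sum is unchanged and the checksum cannot see this."""
    b = bytearray(data)
    b[2 * i:2 * i + 2], b[2 * j:2 * j + 2] = b[2 * j:2 * j + 2], b[2 * i:2 * i + 2]
    return bytes(b)


# Constructed sample: a UDP datagram header from 10.0.0.1 to 10.0.0.2 carrying 8 payload bytes.
SRC = bytes([10, 0, 0, 1])
DST = bytes([10, 0, 0, 2])
HEADER = build_ipv4_header(SRC, DST, payload_len=8)

if __name__ == "__main__":
    print("intact header valid:", header_is_valid(HEADER))
    print("one bit flipped in TTL valid:", header_is_valid(flip_bit(HEADER, 70)))
    # words 7 and 9 are the low halves of the source and destination addresses
    print("source/destination halves swapped valid:", header_is_valid(swap_words(HEADER, 7, 9)))
```

Ethernet's CRC-32 is stronger than this 16-bit sum, but it is checked hop by hop and stripped at each switch, so end-to-end integrity of GxP data still rests on checks above the transport layer (application acknowledgements, record hashes, audit trails).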
Regulatory, Business Expectations & IT Governance
Regulatory Expectations
You should understand and be compliant with the multi-national regulations applicable to your operation and your job function
In addition to your professional technical, managerial, and business skills, once aware and trained (including self study) in GxP and validation methodology, it is expected that you comply with the applicable regulations at all times, including where you are responsible for “sign-off” of validation tasks
As with any quality driven process, you are also expected to help identify the training you need to fulfil designated tasks in the regulated environment
Regulatory Expectations cont
“The validated status of GxP applications that are dependent upon an underlying IT Infrastructure is compromised if that IT Infrastructure is not maintained in a demonstrable state of control and regulatory compliance”
“The Infrastructure should be brought into initial compliance with the company’s established standards through a planned qualification process building upon acknowledged IT practices”
Business Expectations
Cost Effective Solution
Pragmatic Qualification
Control Over Processes
Control Over Procedures
Control Over people
Increased Control Of Data
Confidentiality
Integrity
Availability
Confidence In Regulatory Inspections
Adherence To Best Practice
IT Governance CoBIT cont
CoBIT supports IT Governance by providing a framework, which can ensure that:
The IT strategy is aligned with the business
IT acts as an enabler for the business and maximises its benefits
IT resources are utilised both responsibly and effectively
IT risks are managed and mitigated appropriately
IT Governance IT Infrastructure Library
ITIL is a Best Practice Framework
Integrated into OGC and BSI guidance
ITIL Philosophy – Scalable, process-driven approach
Key Objective 1
Align IT services with the Current and Future needs of the business and its Customers
Key Objective 2
To improve Quality of the services delivered
Key Objective 3
Reduce long term Cost of service provision
How It All Fits Together
(Diagram slide; only the labels are recoverable.)
Drivers: PERFORMANCE (Business Goals); CONFORMANCE (FDA Reg’s, MHRA, SOX etc.)
IT Governance
Best Practice Standards: ISO 9001:2000; ISO 27001; ISO 20000
Processes and Procedures: QA Procedures
COBIT; Security Principles; ITIL
Common Areas
A framework of best practice
Infrastructure In Control
Control Over Processes
Control Over Procedures
Control Over People
Support of Regulatory Compliance
Clear policy development and implementation of good practice for IT control within an organisation
Aligns IT services with the current and future needs of the business and its Customers
Pragmatic Infrastructure Qualification
Methodology
We must define the infrastructure clearly, taking into consideration the scope of the formal infrastructure qualification. This can have many approaches:
Partition the infrastructure into Regulated and non-Regulated critical components.
Qualify only the Regulated components and use good IT practices to commission and maintain the non-Regulated components
Take a blanket approach and qualify all components
Apply a Risk Based Assessment
We can categorise infrastructure into component types based on the service or function they provide within the infrastructure (components of the same type should require the same qualification activities)
Types Of Qualification
Green field site, where we are creating the infrastructure from new and will adopt prospective qualification
A working site, where the infrastructure is already in situ and we need to adopt retrospective qualification
A combination of the two
Prospective
Produce a URS to tender
Receive FDS
Produce a Qualification Plan (including Risk assessment and supplier assessments)
Produce IQ Protocols
Produce OQ Protocols
Produce a Requirements Traceability Matrix
Produce Standard Operating Procedures
Execute IQ & OQ
Produce IQ Reports
Produce OQ Reports
Produce a Qualification Summary Report
Possible PIR
Prospective Qualification Deliverables
(Diagram slide; traceability links the deliverables below, and only the labels are recoverable.)
URS, FDS
Qualification Plan, Risk Assessment, Supplier Assessment
IQ Protocols, each with an IQ Report
OQ Protocols, each with an OQ Report
Qualification Summary Report
Typical Component Qualification Activities (Prospective)
(Diagram slide; labels grouped by the phase shown.)
Initial Qualification: User Requirements Specification; System Specification; Qualification Plan; Installation/Operational Qualification; Qualification Report
Subsequent Qualification (Fast Track): Configuration Specification; Reduced IQ/OQ & Report
Ongoing Compliance: Change Control/Periodic Review
Retrospective
Carry out a Site Survey
Produce a Gap Analysis
Produce a Remediation Plan (Including Qualification Plan)
Produce IQ/OQ Protocols
Produce an As-Built Specification for the whole Network Infrastructure
Produce a Requirements Traceability Matrix
Produce Standard Operating Procedures
Produce IQ/OQ Reports for the executed Protocols
Produce a Qualification Summary Report
Retrospective Qualification Deliverables
(Diagram slide; traceability links the deliverables below, and only the labels are recoverable.)
Site Survey, Gap Analysis
Remediation Plan, Qualification Plan
IQ Protocols, each with an IQ Report
OQ Protocols, each with an OQ Report
Qualification Summary Report
Typical Component Qualification Activities (Retrospective)
(Diagram slide; labels grouped by the phase shown.)
Initial Qualification: As-Built Specification; Experience Report; Qualification Plan; Installation/Operational Qualification; Qualification Report
Subsequent Qualification (Fast Track): Configuration Specification; Reduced IQ/OQ & Report
Ongoing Compliance: Change Control/Periodic Review
Benefits of Infrastructure Qualification
Control over processes
Increased Integrity of data
Confidence in Regulatory Inspections
Transparent view of the infrastructure and how it functions
Ease of management and upgrades
Procedures available to all IT staff
Adherence to best practice
Reduction in duplication of duties
Ongoing Compliance
Periodic Review And Critical Processes
All critical activities should be included in a Periodic Review Strategy
Initial Qualification Activities
On-going maintenance and support activities
Periodic Reviews can be conducted internally, but FDA inspection observations have set an expectation that the independent Quality group should play an appropriate oversight role
Periodic Review And Critical Processes cont
Policies should define appropriate roles for IT and Quality
Processes and Procedures should be interlinked, with defined roles
e.g. Disaster Recovery relies on Configuration Management, which is related to Change Control
There should be a consistent set of processes
Documentation: A Warning!
As with everything else in the Regulatory world, documentation is key
Infrastructure Qualification can simply be considered as documented Good IT Practice
Most organisations know the right things to do
Most organisations are doing them
Not all organisations have documented them
SOPs
General Management
Data Centre Management
Platform Management
Server Management
Network Management
Client Management
Security Management
Data Management
Quality Management
Continuity Management
Conclusions
Conclusions
We can achieve and maintain a pragmatic qualification of IT Infrastructure, which meets both Regulatory and Business requirements, by:
Adopting a Risk Based Approach to Qualification
Adopting and implementing a best practice framework (CoBIT, ITIL)
Introducing a systematic approach to the initial qualification of components, based on their use and criticality
Introducing an ongoing approach to the qualification of components, based on the previous testing of their type
Introducing an ongoing compliance program
Review
Why Qualify IT Infrastructure
Risk Assessment
Regulatory, Business Expectations And IT Governance
Ongoing Compliance
Conclusions
Thank You!
Questions/Comments
+44(0)7891 343814
+44(0)118 931 0249