IT Systems Validation & Change Control
Presentation Objectives: Define Computer Systems Validation & Change Control. Where are we currently and what are the challenges? Raise Inter-departmental Awareness of the challenges. Highlight the time and effort required.
Some Background History (What's been happening?)
Common themes in all regulations. Theme One: All regulations expect management to stay in control of the regulated work process, the computerized system, and the regulated electronic data. Management tools to address these themes: Policies, Directives, SOPs, Work Instructions, Guidelines, Training, Compliance Monitoring, Business Priorities, Resource Allocation (time, people, money, equipment, facilities), and Sanctions.
Common themes in all regulations. Theme Two: All regulations expect hardware and software systems to perform as intended in a reliable manner on an ongoing basis until retired from the regulated work process. IT Department tools to address these themes: Installation Qualification, Configuration Management, Periodic Testing, Environmental Monitoring, Disaster Recovery, Backup, Archive, Escrow, Firewalls, Supplier Management, Security Practices.
Common themes in all regulations. Theme Three: All regulations expect data to be trustworthy and to have its integrity protected for the relevant retention period. Various privacy directives also require secure, restricted access for defined protected health information (PHI). IT Department tools to address these themes: Audit Trails, Automated Checks for Data, Logic, and Sequence of Events, Password Control, E-signatures, Encrypted Communications, Data Backup and Archive.
Common themes in all regulations. Theme Four: All regulations expect that audits and inspections will find documented evidence of work process, system, and data quality, e.g., documented evidence of Management Control, System Reliability, and Data Integrity. IT, Quality & Business Department tools to address these themes: Internal Audits of GxP Systems, Work Processes, and CSV Packages to check for approved Plans, Policies, SOPs, WIs, Guidelines, Logs, Reports, Test Documents, and Ongoing Training and Support Records.
The Common Themes
Auditable Quality: The business departments have their part to play. User Requirement Specifications: Clear, precise descriptions of requirements. No one-liners. Business management awareness of changes. Performance Qualification: Requester and business manager signoff.
How is this practical? The cost of any request for change increases as you near “Go-Live” date (from Boehm, Barry W. Software Engineering Economics. Englewood Cliffs, NJ: Prentice-Hall, 1981). [Figure: Cost/Effort to Correct a Problem, by Development Phase: Requirements, Design, Code, Development Testing, Acceptance Testing, Operation]
The regulation that best fits. GxP – Good “X” Practice: Good Distribution Practice (GDP), Good Logistics Practice (GLP), Good Information Systems Practice (GIST), Good Information Technology Practice (GITP). The purpose of the GxP regulations is to ensure that pharmaceutical product manufactured and distributed to the end patient is safe, effective and fit for purpose. Is there a potential for the manufacture or distribution of the product to have a life-threatening effect on the patient?
The importance of Computer Systems to the business processes. In the last 20 years, the number of previously manual GxP and business processes that are now computer controlled has increased dramatically.
What does this mean? “PROVE to our Principals and OURSELVES that the computer systems meet their intended use via documented evidence and supporting processes.”
If we ignore the challenge? Fail assessments and audits by externals (KPMG, NSAI, IMB, All Principals). Lose Existing or Potential Business (DTP, Principals). Lose Reputation. Over-reliance on a few very key individuals. Non-compliant computer systems. The business potentially will not have another option if ERP is replaced in the future.
The Wrong Approach: The “IT Validation Guy”
The Correct Approach: Participation and commitment by all departments (IT, Quality, Business). Standard Policy across company. Continual Education.
Where Are We In Relation To This #1: Computer Systems Validated 2005/2006. Validated Systems have been audited by current and prospective Principals multiple times. Validation has been audited by IMB, KPMG and NSAI. Critical Computer Software changes are Change Controlled.
Where Are We In Relation To This #2: Ballina Validation plan generated and scheduled. Dublin Validation plan generated and scheduled. Change control processes being rolled out.
The Validation Exercise: A retrospective validation of all existing GxP-related computer systems (IT / Quality Department activity). Change Control of future requests for system changes using Quality Documents and Quality Forms (IT / Business / Quality Department activity).
Identifying Risks: The key part of the whole validation exercise. The most time-consuming & useful part for the company. GxP Risk Assessment Conclusion Based On: Function of the System; Risks if the System Were to Malfunction; Whether the System Is Supported By Secondary Systems or Processes.
Maintaining The Validated State: The Business Environment Changes. You Cannot Assume That Just Because the System Was Validated Last Year That It Is Still In a Validated State… (A continual process.) Remember, Validation Includes Both System and Process!!!
Maintaining our Validated State. Some Scenarios: Employee Turnover. Despite the SOPs, Do You Still Have User IDs in the Computer Systems For Former Employees? Processes Change With Time and Business Partners. Are the Supporting SOPs Being Updated, Trained On and Followed? Is business management aware of the number of changes requested to the system? Will all the changes requested add value? Changes without business notification or approval. Are IT changes occurring without the knowledge or approval of the business?
Maintaining our Validated State. This Can All Be Addressed By a Change Management Plan: Establish a Workflow for Changes Made in All Stages of the System’s Life Cycle. This Should Address the Who, What, Where, When and Why. ALL IT CHANGES MUST BE RECORDED.
Change Control Boards (CCBs): A formal group of people responsible for approving or rejecting changes to a system. CCBs provide guidelines for preparing change requests, evaluate change requests, and manage the implementation of approved changes. Includes members from across the business spectrum. A CCB can say “NO” to a change request before it reaches the IT Department.
Control Board Function: CCBs may only meet occasionally, so it may take too long for changes to occur!!?? Some organizations have policies in place for time-sensitive changes (jump the process!!). The ultimate decision on whether a required IT functional change is necessary. Agreement and signoff approval on Requests For Change.
What are the advantages of a change control board? A form of IT Governance. What is IT being asked to do and for what purpose? Empowers management in the change cycle. A greater spread of information. Allows monitoring of IT performance. Allows prioritising of issues for the IT department. Reduces the need for heroics by certain IT individuals. Allows business to risk assess changes to IT functions in relation to their business processes.
Proposal: A User Requirement Specification needs to detail the change request where deemed necessary in relation to GxP. Signoff of the User Requirement Specification by department manager and quality department prior to the change being made. Restart IT Steering Meetings under the guise of a Change Control Board.
If we ignore the challenge? Fail assessments and audits by externals (KPMG, NSAI, IMB, All Principals). Lose Existing or Potential Business (DTP, Principals). Lose Reputation. Over-reliance on a few very key individuals. Non-compliant computer systems.

SDLC Control
