how to validate a vendor purchased application presented by: lisa morton, matt ferdock dataceutics,...

How to Validate a Vendor How to Validate a Vendor Purchased ApplicationPurchased Application

Presented by:Presented by:

Lisa Morton, Matt FerdockLisa Morton, Matt FerdockDataCeutics, Inc.DataCeutics, Inc.

Presented for:Presented for:

Oracle Clinical User Group 4th Annual Meeting, October 25 - 27, Oracle Clinical User Group 4th Annual Meeting, October 25 - 27, 19991999

October 6, 1999 . Copyright 1999, DataCeutics, Inc.

IntroductionsIntroductions DataCeutics, Inc.DataCeutics, Inc.

– Expert Consulting since Expert Consulting since 19931993

– Helping deploy & Validate Helping deploy & Validate Oracle Clinical and ClintrialOracle Clinical and Clintrial

SOPs & GuidelinesSOPs & Guidelines ValidationValidation SAS integrationSAS integration StandardsStandards Validated State MaintenanceValidated State Maintenance


Obvious FactsObvious Facts

““Since 1983, the influence of Since 1983, the influence of computerized systems on all computerized systems on all phases of drug research … has phases of drug research … has increased dramatically....”increased dramatically....”

““FDA regulations are official FDA regulations are official documents that have the force of documents that have the force of law and the courts behind them.” law and the courts behind them.” The Survive and Thrive Guide to Computer ValidationThe Survive and Thrive Guide to Computer Validation, , Interpharm Press, 1994.Interpharm Press, 1994.


Regulations & GuidancesRegulations & Guidances The following GCP regulations and The following GCP regulations and

guidelines apply:guidelines apply:– Guidance on Computerized Systems Used in Guidance on Computerized Systems Used in

Clinical TrialsClinical Trials, FDA, 5/10/99, FDA, 5/10/99– Guidance for Industry - Archiving Submissions in Guidance for Industry - Archiving Submissions in

Electronic Format - NDAsElectronic Format - NDAs– 21 CFR 1121 CFR 11 - GCPs - GCPs– Compliance Policy Guide, Enforcement Policy: 21 Compliance Policy Guide, Enforcement Policy: 21

CFR Part 11CFR Part 11 (CPG 7153.17) (CPG 7153.17)– Providing Regulatory Submissions in Electronic Providing Regulatory Submissions in Electronic

Format, Format, FDA,FDA, 1/28/991/28/99


R & G’s ContinuedR & G’s Continued GLP and GMP regulations and GLP and GMP regulations and

guidelines:guidelines:– Compliance Program Guidance Manual Compliance Program Guidance Manual

7348.8087348.808– Compliance on General Principles of Compliance on General Principles of

Process Validation,Process Validation, 5/1/87 5/1/87– Guide to Inspection of Computerized Guide to Inspection of Computerized

Systems in Drug ProcessingSystems in Drug Processing, , FDA, February, FDA, February, 1983.1983.

– 21 CFR 5821 CFR 58 - GLPs - GLPs– 21 CFR 21021 CFR 210 and and 21 CFR 21121 CFR 211 - GMPs - GMPs


What we need to considerWhat we need to consider GCP SystemsGCP Systems

– 21 CFR 1121 CFR 11– FDA InspectionsFDA Inspections– GCP Systems Validation SOPGCP Systems Validation SOP– IS SOPsIS SOPs– GCP SDLCGCP SDLC– SecuritySecurity– Audit TrailsAudit Trails– ArchivingArchiving– TrainingTraining– DocumentationDocumentation


21 CFR 11 Points21 CFR 11 Points

Demonstrate SecurityDemonstrate Security Automatic Audit TrailAutomatic Audit Trail DocumentationDocumentation Generate Copies of RecordsGenerate Copies of Records Properly Trained PersonnelProperly Trained Personnel Archive ProtectionArchive Protection


FDA InspectionFDA Inspection

Warning LetterWarning Letter– Installation Installation

Qualification (IQ)Qualification (IQ)– Worse Case testingWorse Case testing– Functional testingFunctional testing– Include ALL locations Include ALL locations

within the validationwithin the validation– 21 CFR, Part 11 21 CFR, Part 11

deviationsdeviations


21 CFR, Part 11 Deviations21 CFR, Part 11 Deviations Audit TrailAudit Trail Written Procedures for Electronic Written Procedures for Electronic

Signature AccountabilitySignature Accountability Documentation/Testing system’s ability Documentation/Testing system’s ability

to “discern invalid or altered records”to “discern invalid or altered records” Generation of “accurate and complete Generation of “accurate and complete

copies of records in electronic form”copies of records in electronic form” Prevention of unauthorized use of Prevention of unauthorized use of

electronic signatureselectronic signatures


GCP Systems Validation GCP Systems Validation SOPSOP

One needs to be One needs to be written for GCP written for GCP systems orsystems or

Modify existing Modify existing one from GMP or one from GMP or GLPGLP

Must discuss VPAs Must discuss VPAs if they are if they are handled handled differentlydifferently


Required Elements (?)Required Elements (?) User requirementsUser requirements Vendor Vendor

Audit/ReportAudit/Report Validation Validation

Plan/ProtocolPlan/Protocol IQ Plan/ReportIQ Plan/Report PQ Plan/ReportPQ Plan/Report Functional Tests (?)Functional Tests (?) User Acceptance User Acceptance

Tests (?)Tests (?) SOP Audit/ReportSOP Audit/Report

Training File Training File Audit/ReportAudit/Report

System System Documentation Documentation Audit/ReportAudit/Report

Security Audit/ReportSecurity Audit/Report Back-up and Back-up and

Recovery Recovery Testing/ReportTesting/Report

Final Comprehensive Final Comprehensive Validation ReportValidation Report


IS SOPsIS SOPs Backup & RestoreBackup & Restore Disaster RecoveryDisaster Recovery HW/SW Change HW/SW Change

ManagementManagement Operational Operational

ProceduresProcedures Physical Security Physical Security

for IS Systemsfor IS Systems Helpdesk/Service Helpdesk/Service

LevelLevel Compliance SOPCompliance SOP

Logical Security for Logical Security for IS SystemsIS Systems

Account Account MaintenanceMaintenance

SDLC/ERPSDLC/ERP Vendor Vendor

AssessmentAssessment IQ/OQ/PQ SW/HWIQ/OQ/PQ SW/HW Archiving SW/HWArchiving SW/HW TrainingTraining GCP Sys. ValidationGCP Sys. Validation


GCP SDLCGCP SDLC

Must Consider CFRs Must Consider CFRs and Quality and Quality StandardsStandards

User and System User and System RequirementsRequirements

Vendor Assessment Vendor Assessment instead of traditional instead of traditional development life development life cyclecycle


User RequirementsUser Requirements

We have a Data Management groupWe have a Data Management group We need a SystemWe need a System Let’s buy A, B, C, or DLet’s buy A, B, C, or D What are the User Requirements?What are the User Requirements?

– What do we want the system to do?What do we want the system to do?– What DON”T we want the system to What DON”T we want the system to

do?do?


Vendor AssessmentVendor Assessment

Develop Questionnaire with Develop Questionnaire with Regulations and User Requirements Regulations and User Requirements in mindin mind

Audit for compliance Audit for compliance beforebefore buying buying IF the app falls short, prepare a gap IF the app falls short, prepare a gap

analysisanalysis Attain vendor certification that Attain vendor certification that

system will be updated or write system will be updated or write customized codecustomized code


Vendor Audit Vendor Audit QuestionnaireQuestionnaire

1. Does the system generate record in 1. Does the system generate record in human readable and electronic form?human readable and electronic form?

2. Does the system protect records for 2. Does the system protect records for accurate and ready retrieval later.accurate and ready retrieval later.

3. Is system access limited to 3. Is system access limited to authorized persons only?authorized persons only?

4. Is the audit trail secure, computer 4. Is the audit trail secure, computer generated, time stamped and generated, time stamped and independent? independent?


Questionnaire cont.Questionnaire cont. 5. Are there built in system checks to 5. Are there built in system checks to

enforce the sequencing of steps, as enforce the sequencing of steps, as appropriate?appropriate?

6. Does the system distinguish between 6. Does the system distinguish between levels of access for different users?levels of access for different users?

7. Does the system have the capability 7. Does the system have the capability to perform data validation checks at to perform data validation checks at data input?data input?

8. Is the vendor’s staff qualified to 8. Is the vendor’s staff qualified to develop the application software?develop the application software?


Questionnaire cont.Questionnaire cont. 9. Does the software enable the use of 9. Does the software enable the use of

SOPs to ensure the security and SOPs to ensure the security and integrity of the data and processes?integrity of the data and processes?

10. How does the vendor control access 10. How does the vendor control access to system documentation?to system documentation?

11. How does the vendor demonstrate 11. How does the vendor demonstrate system maintenance and change system maintenance and change control?control?

12. Is there an audit trail on system 12. Is there an audit trail on system documentation?documentation?


Questionnaire cont.Questionnaire cont.

13. Does the system meet the user 13. Does the system meet the user requirements?requirements?

14. Can the system be validated to 14. Can the system be validated to ensure the accuracy, reliability, ensure the accuracy, reliability, consistent intended performance and consistent intended performance and the ability to discern invalid/altered the ability to discern invalid/altered records?records?


Security - PhysicalSecurity - Physical Access to Plant Access to Plant

restricted (By Whom restricted (By Whom and How)and How)

Computer Room must Computer Room must be be lockedlocked with access with access restricted to authorized restricted to authorized personnelpersonnel

Can un-authorized Can un-authorized personnel gain access personnel gain access via unconventional via unconventional methods (thru ceiling methods (thru ceiling panels or under a raised panels or under a raised floor)?floor)?


Security - LogicalSecurity - Logical Secure workstationsSecure workstations Data securityData security

– No unauthorized copiesNo unauthorized copies– Network accessNetwork access

PasswordsPasswords– NEVER WRITE DOWNNEVER WRITE DOWN– Expiration timeExpiration time– Not obviousNot obvious– Not recycledNot recycled– Use on screen saverUse on screen saver


Audit TrailAudit Trail

Does the system have one?Does the system have one? Is the Audit Trail adequate?Is the Audit Trail adequate?

– IndependenceIndependence– Automatic / ElectronicAutomatic / Electronic– Does not obscure original recordDoes not obscure original record– Contains necessary items (who, Contains necessary items (who,

when, what and why)when, what and why)


ArchivingArchiving

Records need to Records need to be protectedbe protected

Easily accessible Easily accessible Records cannot Records cannot

be changedbe changed


TrainingTraining

Has the staff been trained?Has the staff been trained?– SOPsSOPs– Application SoftwareApplication Software

Are there Training Files and are Are there Training Files and are they up-to-date?they up-to-date?

Is there an SOP on Training?Is there an SOP on Training?


System DocumentationSystem Documentation

Has the manufacturer supplied Has the manufacturer supplied documentationdocumentation– for the user?for the user?– for the system administrator?for the system administrator?

Is the documentation complete Is the documentation complete and adequate?and adequate?


ConclusionsConclusions

Validation is no longer a Validation is no longer a “business decision”“business decision”

““How much” is enoughHow much” is enough Level of riskLevel of risk Vendor Audit is important Vendor Audit is important

for a successful for a successful validationvalidation

21 CFR, Part 11 21 CFR, Part 11 Compliance is CRITICALCompliance is CRITICAL

how to validate a vendor purchased application presented by: lisa morton, matt ferdock dataceutics,...

Documents

system n

points n

introductions n dataceutics

n gcp systems

n fda regulations

gcp sdlc n

mind n audit

copies of records n