You dont have javascript enabled! Please enable it! VAL-060 Protecting Reliability of Electronic GMP Documents Pharmaceuticals quality assurance & validation procedures GMPSOP

VAL-060 Protecting Reliability of Electronic GMP Documents

DepartmentValidation/Technical ServicesDocument noVAL-060
Prepared by: Date: Supersedes: 
Checked by: Date: Date Issued: 
Approved by: Date: Review Date:

1.0 DOCUMENT OWNER

Validation Manager

2.0 Affected Parties

All Validation, Technical Service, Operations, Quality Assurance, Engineering and Project staffs involved in computer validation projects.

3.0 Purpose

This SOP describes a process for assessing the adequacy of measures that have been implemented to assure the reliability of GxP records created, processed, used or stored electronically.

4.0 SCOPE

This SOP applies to records created, processed, used or stored by (or for) the GMP Manufacturing site, that are the output of a computerised system.  It is of particular relevance to records that have a GMP role, i.e. supporting product quality, patient safety or regulatory compliance.  The guideline may also be used for other computerised systems that are classified as business critical.

The procedure is intended for use primarily with records that have Direct Impact (see SOP VAL 045). Members of the Computer Validation Department will normally execute the procedure.

5.0 Definition

AccuracyThe attribute of record reliability indicating that the data is factually correct; free from error, defect or misrepresentation
Audit TrailData in the form of a logical path linking a sequence of events, used to trace the transactions that have affected the contents of a record.  Will usually contain all original data, the author of the changes, the time and date of the change and the reason for that change.  The audit trail is not the same as an operating system activity log; it is generated at the application level and logs actions performed to a specific electronic record.  The audit trail should also be immutably integrated with the actual record.
AuthenticityThe attribute of record reliability indicating that the data (or record) is genuinely sourced from the reputed author, device or origin.  May include the ability to uniquely trace the data to that entity.
AvailabilityThe attribute of record reliability indicating that the data is suitable or ready for timely, future, authorised use.  Availability may include the restriction of access to only intended purposes and users.
Biometric Electronic SignatureAn electronic signature that uses the automatic checking of an individual’s distinct and measurable physical characteristics (e.g. finger-print, retina pattern).
Control MeasureControl Measures are safeguards that protect the reliability of records from threats.  Control Measures may be technical or non-technical (management or operational) and perform at various levels (supportive, preventive, responsive).
DataDistinct pieces of information usually formatted in a special way (e.g. bits and bytes).
Digital SignatureA particular type of electronic signature that is created and verified using public-key encryption techniques (see “Encryption”). The digital signature is used for authenticating the identity of the signer and may be extended to verify the integrity of the message data.
DocumentA document contains data arranged in a logical context determined by the associated metadata (data about data) and characterised by formatting attributes.  A document is often more textual based, representing a formatted compilation of data elements.  While the term was originally applied in the PC world to Word Processing files, it has come to mean any file produced by an application.
Electronic RecordAny combination of text, graphics, data, audio, pictorial or other information representation in digital form that is created, modified, archived, retrieved or distributed by a computerised system.
Electronic SignatureA computer data compilation of any symbol (or series of symbols) executed, adopted, or authorised by an individual to be the legally binding equivalent of the individual’s hand-written signature.
EncryptionThe translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Encrypted data is often referred to as cipher text. There are two main types of encryption: symmetric encryption (where both the sender and recipient use a single key), and asymmetric or public-key encryption (where the sender uses a public-key, known to everyone, to encrypt the data and the recipient uses a different, private-key to decrypt it).
GMPAcronym for Good Manufacturing Practices
GxPAcronym used to encompass Good Manufacturing Practices (GMP), Good Laboratory Practices (GLP) and Good Clinical Practices (GCP).
Hybrid System / Hybrid RecordA system that produces both electronic and paper records, each of which may be used for a different purpose (e.g. electronic batch record system from which paper batch records are printed and used for manual data collection).  It can also be a system where a printout from an electronic record is authenticated by a hand-written signature.
Impact‘Impact’ describes the level of criticality of a system / record in relation to Product Quality. There are three categories of Impact – Direct, Indirect and No Impact.  The extent of Control Measures (including Validation) for a system is to be scaled according to its level of Impact.  The process for determining the level of Impact is described in SOP VAL 045.
IntegrityThe attribute of record reliability indicating that the data (or record) is complete and entire; not altered in an unauthorised, unanticipated or unintentional manner.
MalwareMalware is a generic term for malicious software; including viruses, worms, Trojan horses, logic bombs and other “uninvited” software.  A Virus is a code segment that replicates by attaching itself to existing executables.  A worm is a self-replicating program.  A Trojan horse is a program that performs a desired task, but also includes unexpected functions.
Non-Biometric Electronic SignatureAn electronic signature that is executed by the use of at least two distinct identification components such as a User-ID and password.
Paper-based RecordA record (usually text based) created using a computer system but used only in its paper form.  Examples may include such things as SOPs, validation documentation, computer system documentation, laboratory test methods, deviation reports, etc.  The actual use of the record will determine if it is actually a Hybrid record; only the author uses the original electronic document (for the sole purpose of creating a paper copy); only the paper copy is made available for general use; and the document is only authorised on paper using hand-written signatures.
Record

A record is the account of actions, activities, conditions or events, preserved on stable medium that contains the essential elements of information needed for reproducing the specific action, activity, condition or event.

In database management systems, a complete set of information.  Records are composed of fields, each of which contains one item of information.  A set of records constitutes a file. For example, a personnel file might contain records that have three fields: a name field, an address field, and a phone number field.

ReliabilityThe quality a record has when it can be used, for its intended purpose, with confidence and without impairment.  Within this SOP, reliability is considered to comprise four separate attributes: accuracy, authenticity, availability and integrity.
ThreatAny circumstance or event with the potential to compromise the reliability of a record. Threats operate through specific vulnerabilities either intentionally or accidentally.  Common threat-sources are human, computer and the environment (i.e. operational).
Volatile DataVolatile data is transient data that is electronically gathered but not stored on electronic media for future retrieval.
VulnerabilityA flaw or weakness in system procedures, design, implementation, or controls that could result in a compromise to a record’s reliability.

Related Documents

Form 710Record Reliability Controls
VAL 040Computerised Systems Validation
VAL 045Impact Assessment for Computerised Systems

6.0 EHS Statement

While this procedure is concerned with the maintenance of records in support of GMP compliance, the method could be useful for managing critical EHS documentation.  The procedure involves clerical activities that do not introduce additional EHS risks.

7.0 Procedure

1.            Principle

“Good documentation constitutes an essential part of the quality assurance system” – Code of GMP).  Documentation is used to:

a. Identify the components and operations to be used (e.g. specifications, procedures)

b. Record the actions, activities, or events that occur (e.g. records, alarm logs)

c. Capture the outcome of operations, testing or assessments (e.g. certificate of analysis)

d. Respond to deviations or complaints (e.g. investigation reports, distribution records)

e. Demonstrate authorisation by appropriate persons (e.g. batch release).

It is clear that documents that support GMP compliance must be reliable.

Figure 1:

The elements of Reliability

This SOP considers reliability to comprise four separate attributes:

·       Accuracy: data is factually correct; free from error, defect or misrepresentation

·       Authenticity: data is genuinely sourced from the reputed author, device or origin. May include the ability to uniquely trace the data to that entity.

·       Availability: data is suitable or ready for timely, future, authorised use. May include restriction of access to intended purposes / users.

·       Integrity: data is complete and entire; not altered in an unauthorised, unanticipated or unintentional manner.

A compromise to any of these attributes reduces the reliability of a record.

There are very many potential threats to the reliability of data.  These can be split into various categories (e.g. Human-related; Computer-related and Operation-related).  Table 1 provides some examples of how reliability attributes are vulnerable to potential threats.

A wide range of Control Measures can be deployed against the various threats to data reliability.  Controls perform in various means – supportive (enabling other control measures to be implemented), preventive (providing initial defence against threats) and responsive (detecting and recovering from a failure of other controls).  Control measures must address all three general threat sources (human, computer and operation) and may be classified as either technical or non-technical (management and operational):

a. Management controls focus on the development of policies, guidelines and standards to be carried out through operational procedures (e.g. access authorisations, responsibility definitions, continuity support plans and system performance auditing).

b. Technical controls are safeguards that are incorporated into computer hardware, software or firmware (e.g. access control mechanisms, identification and authentication mechanisms, encryption methods, intrusion detection software).

c. Operational controls are procedures and systems implemented alongside technical controls to address computer system deficiencies that might result in loss of reliability (e.g. virus protection software, data backup, physical security measures and environmental controls).

Table 1: Examples of Threats to Record Reliability

 Attribute Threatened
 AccuracyAuthenticityAvailabilityIntegrity

Human – related

(accidental or deliberate)

    
Data-entry errorY  Y
Data-change errorY  Y
Program-change errorYYYY
Fraudulent entry / changeY  Y
Unauthorised access YYY
Unauthorised changeYY Y
Undetectable changeYY Y
Deletion of file / directory  YY
Wrong access rights Y  
Computer – related    
Hardware undersized  Y 
Hardware loss – Disk crash  YY
Input-sensor failureY  Y
Software fails or stopsY YY
Wrong version of software YY 
Multiple versions of software YY 
Software lost or deleted  Y 
Software failureY YY
– Incorrect user identification Y  
– Link to incorrect record Y  
– Calculation errorY   
– Incomplete operationY YY
– Above-capacity access  Y 
Printer error / failure  Y 
Transmission errorY YY
Virus attack  YY
Operation – related    
Lightning  Y 
Power surge / failure  Y 
Fire / Smoke / Water  Y 
Theft of hardware / software  Y 

A fundamental principle for implementing control measures is the use of multiple, overlapping methods to address the human, computer and operational related aspects of a system.  This principle recognises that a system cannot be secured unless all interconnecting elements are secured adequately.

Figure 2: Control Measures protect Record Reliability

Control measures prevent the reliability of records being compromised by threats.  However, if the measures provide inadequate coverage, a vulnerability exists which can be exploited by a threat, thereby putting data at risk (Figure 2).  Effective control strategies include both technical and non-technical measures.  The use of diverse, overlapping controls ensures a single-point failure will not leave the system unprotected.

A control strategy is designed by choosing from a combination of Technical, Management, and Operational controls.  This involves trade-offs in cost, complexity and effectiveness.  For instance, reliability might be improved by implementing user passwords, or by issuing a user procedure.  The Technical control (a security software add-on) might be more complex and expensive than the Management control, however it is likely to be more effective because the enforcement is automated.

Given the variety in computer-system construction, features and functionality it is not feasible to tightly prescribe which control measures to select. Such an approach would likely result in either under-specifying or over-specifying requirements or inhibit the development of appropriate new methods to increase assurance.  Rather, the selection process should be a matter of judgement and risk appraisal, based primarily on the mode of usage (which presents the threat-opportunity) and the GMP Impact (which relates to the level of assurance required for a document).

This procedure provides such a risk-based approach to selecting control measures; using a gap-assessment approach, rather than designing measures for a ‘naked’ system.  The SOP presents an inventory of industry-standard control measures and suggests where each might be considered appropriate for selection.  The System Owner is presented with an assessment of the residual risk associated with an existing or proposed system after auditing the actual measures implemented.

2. Assessment Procedure

The process of assessing the Control Measures supporting specific records is illustrated in Figure 3.  The outcomes of this assessment are to be documented on Form 710.  The steps involved in this process are described below:

Figure 3: Flowchart for Risk-Assessment Procedure

2.1. Identify the Record

Identify the record to be assessed and the host computer system(s) where the record is generated, processed or stored.  Briefly describe the Record’s role and use.  Note these and the computerised system Inventory number on Form 710.

Computer systems will typically support a number of records and care should be taken to identify the precise record being considered (especially as each may have different control measures, modes of use and / or GMP significance).  Often records may be saved as multiple, independent files generated from a standard template or computer program (e.g. on a per batch basis).  In this case the analysis may be performed on the standard template or report and this should be noted.  Where reports are generated from a consolidated database, the database and the report function should be considered together.

2.2. Assess the GMP Impact

Assess the GMP significance of the record being analysed.  The record will be assigned one of three possible levels of Impact – Direct, Indirect or No-Impact – reflecting the role of the record in supporting product quality, patient safety or GMP compliance. SOP VAL 045 describes the process for determining the level of Impact and includes suggested ratings for various common record types.

Note that the host computer system will also be rated according to SOP VAL 045, however, the record itself may have a different rating.  A record might have a lower level of Impact than its associated computer system (but should never have a higher level of Impact).

In general the stringency and extent of control measures should increase with the level of Impact.

2.3. Determine the Mode of Use

Determine the actual mode in which the record is used; paper copy, electronic copy or both.  The usage method presents different threat opportunities and consequently requires different control measures.

Computer systems often generate or process records only in order to produce a paper-copy.  In such cases the computer system is incidental and there are no copies of the record stored (or used) in an electronic format after the paper-copy is produced.  An obvious example of this situation is a word-processed document that is printed, then authorised, distributed and only used in its hard copy format.  In this case, only the author uses the original electronic document.  For such record types it is appropriate to require less Technical (i.e. computer-based) control measures.

On the other hand, a record might be fully used and maintained in an electronic format.  In such cases, a printed copy would typically be considered uncontrolled, temporary and potentially out-of-date.  The Technical control measures for such a record type become more significant and extensive.

On some occasions a combination of the paper-copy and the electronic-copy of a record might be used.  This situation (called a Hybrid) requires special attention because of the difficulty of keeping both copies aligned throughout their lives.  Hybrid records require the Technical control measures applicable to electronic records (e.g. audit-trail, encryption, un-editable format) plus Management measures to ensure alignment of the paper and electronic copies.  Hybrid systems require procedures to document their control (and justify their existence).  In some cases, the paper copy may not be a ‘complete’ record if not accompanied by other data stored electronically (e.g. any audit trail).  Often, records that are considered paper-only copies may, in fact, be Hybrid because the electronic record continues to be stored and even used for reference or further processing.  The actual pattern of use will determine when a record is a Hybrid.

(To assist understanding the mode of use, a simple flow diagram of the process involved in creating the record is suggested.  This should also identify when any electronic files are printed or deleted).

2.4. Determine Mode of Approval

The record may be subjected to review, confirmation or approval in order to demonstrate its validity.  Determine how this is signified; handwritten signature on a paper copy, ‘electronic signature’ to an electronic copy, both forms (or none).  Record this on Form 710.

The mode of approval will likely be affected by the mode of use that has been selected (Section 2.3) but may not fully align.  Electronic signatures will require additional measures to ensure authenticity.  As noted above, Hybrid signatures require even further management procedures to ensure that the alignment of paper and electronic copies is maintained.

Section 3.1 includes guidance on when records may require approval to satisfy GMP requirements.

2.5. Audit the Control Measures

Form 710 presents a list of industry-standard control measures.  A more detailed explanation of each of these measures is included in Appendix 1.  (Appendix 1 also references relevant sections of regulatory guidelines where these measures are indicated).  The following steps are to be repeated for each of these control measures:

2.5.1. Identify Control Measures Present

Consider if the control measure (as described in Appendix 1) has been implemented for this record and system.

2.5.2. Assess the Attributes Protected

If a control measure has been implemented mark a ‘Y’ (Yes) in the column corresponding to the reliability-attribute that is protected by this measure.

Conversely mark ‘N’ (No) where the attribute is not protected.

Some control measures can support more than one reliability-attribute, in such cases mark all columns affected.  Some control measures cannot be implemented for the type of record that is generated (e.g. electronic backups of paper records) – in this case mark the cell as ‘N/R’ (Not Required).

To assist this assessment, certain cells on Form 710 have been shaded where it is considered unlikely that a control measure will provide any benefit.  Shaded cells may be left blank where the answer would otherwise be ‘No’ or ‘N/R’.

2.5.3. Compare against Minimum Reference Standard

Each control measure on Form 710 has been assigned a Minimum Reference Standard, suggesting the lowest level of Impact at which it might be considered appropriate.  This determination was based on the nature of the measure (how complex, costly and common it is to implement) and any specific GMP requirements.  Appendix 1 includes references to cGMP and PIC/S documents suggesting each measure.  The most basic and fundamental measures have been labelled “No-Impact”, while the more rigorous as “Direct” Impact.

Compare the Minimum Reference Standard label for each control measure with the GMP Impact rating for the record, determined in Step 2.2 (above).  Control measures that are labelled “Direct”, “Indirect” or “No-Impact” should be considered for records with Direct Impact.  Records with No-Impact may be adequately protected by “No-Impact” measures alone.

2.5.4. Comment on any Variations

Assess and document on Form 710 the outcome of the comparison (step 2.4.3) for each control measure.  Table 2 illustrates some suggested comments for various conditions of implementation:

Table 2: Sample Comments on Control Measures
Outcome of Control Measure AssessmentSuggested Assessment
The control measure has been implemented effectively“Adequate”
The control measure has been implemented, but its effectiveness is restricted by certain factors or circumstances“Limited by …”
The control measure has not been implemented and the Impact rating of the record is less than the Reference Standard for the measure.“Appropriate omission”
The control measure has not been implemented and the Impact rating of the record is not less than the Reference Standard for the measure.

“Potential Vulnerability”

OR

“Not Required because .. (usage mode, presence of other controls, other factors)

The comment field may also be used to document any additional information relevant to the Control Measure (e.g. names of SOPs, implemented features).

Note that control measures corresponding to Impact ratings greater than that of the record might be implemented for reasons other than GMP compliance (e.g. to comply with IT security standards or to protect other business risks).  The presence of these measures should be documented.

2.6. Assess the Total Control Strategy

After assessing all of the control measures separately, the adequacy of the total control strategy should be assessed.  The following factors are relevant to this consideration:

a. Are all reliability-attributes covered by the strategy?

b. Do a variety of control measure types protect each reliability-attribute?

c. Have any limitations to the effectiveness of specific controls been identified?

d. Have any potential vulnerabilities been identified?

Consider the assessment for each separate reliability attribute (i.e. accuracy, authenticity, availability and integrity) by referring to the corresponding columns.  Condense the evaluation into an overall assessment of record reliability.  Record each assessment on
Form 710 along with a justification.

Completion of this process may highlight particular vulnerabilities.  The control measures associated with these vulnerabilities will help to identify some suggested improvements to protect the record.  Document these improvements on Form 710 under Management, Technical and Operation categories.  The list of improvements may overlap and is not intended to exclude solutions using measures that are not identified; rather it is a reference and starting point for future remedial work.

If the System Owner is not comfortable with the residual risk associated with the assessed record the suggested (or other) control measure improvements should be implemented to mitigate this risk.

2.7.  Authorise and Store the Assessment

The completed assessment form will be signed by the author and reviewed by a Technical Expert and the Computer Systems Validation Manager (or Validation Manager).  The System Owner will authorise the assessment indicating that they are satisfied with the assessed status of the record and will take responsibility for any necessary remedial work.

The completed form should be updated after the implementation of any risk mitigation activity.  The reason for, and nature of, the change is to be recorded in the version table at the bottom of Form 710  (along with the associated Manufacturing Change Request).  Conversely, any change that reduces the level of protection is also to be documented on an updated form.

3. Further Considerations

3.1. Electronic Signatures

Regulators advise that:

“the use of a computerised system does not reduce the requirements that would be expected for a manual system of data control and security” (PIC/S 011 – Section 19.1).

When paper records are used, critical GMP actions and decisions are traced to individuals through a hand-written signature.  This approach applies readily when a computer-system produces a record as a paper-copy.  ‘Electronic signatures’ are the analogous authentication process for fully computerised, ‘paperless’, systems.  A wide variety of technical solutions are available for implementing ‘electronic signatures’ (e.g. biometric, non-biometric).  The key requirement of any ‘electronic signature’ is that it should serve the same purpose, have the same meaning and same legal significance as a hand-written signature.  Assurance of the authenticity of any electronic signature will require a range of procedures and control measures to ensure security, integrity, confidentiality and non-transferability (i.e. unable to be cut-and-pasted).  The electronic signature should also form an integral part of the completed record.  These measures can be drawn from those used for protecting the reliability of electronic records in general (as per Appendix 1).  Whatever measures are selected must be validated.

As noted already, electronic records do not necessarily imply a requirement for ‘electronic signatures’.  Hand-written authorisation of the paper-copy is suitable where the electronic record is not subject to further update or electronic use.  If both paper and electronic versions are to be used (i.e. a Hybrid record) additional control measures are required.  The electronic record and hand-written signature should be linked together in a completely unambiguous manner (eg including specific document or file name references on the signed print-out). Procedures are required to ensure that changes to the electronic record are reflected in the paper version or vice versa.

The need for a personal identification will be determined by the GxP regulations (as a minimum).  Two types of requirement for identification exist.  The first is where a ‘signature’, ‘initials’, ‘authorisation’, ‘approval’ or ‘review’ is required.  Examples of these can be found in Table 3.  The use of an electronic signature in these cases gives added assurance to the reliability of the record.  The author must perform such ‘signings’ specifically and intentionally on each occasion (rather than being an incidental product of operating the system).

 

Table 3 – Examples of Activities / Records requiring Approval / Authorisation

Description
Analytical testing methods
Batch Processing Records
Batch Quality Records
Certificate of conformance
Changes that have product / process impact
Changes to computer system or program
Contract manufacturers
Critical data entry and/or modification
Design of facilities, systems and equipment
Disposition of rejected materials / products
Distribution Records
Incorporation of earlier batches into subsequent batches
In-process control testing methods
Manufacturing Deviations
Manufacturing Formulae
Material & Product Specifications
Procedures (e.g. for cleaning, clothing, environmental control & monitoring, sampling, inspection & testing, equipment operations, packaging materials, intermediate, bulk & finished product, reprocessing of rejected products, quality control)
Processing & Packaging Instructions
Processing method
Providers of contract analysis
Re-introduction of products from an unusual event
Release of Finished Product
Release of materials & components for use
Repairs and modifications to sterilizing equipment
Return to use for sterile equipment
Sampling methods
Sterilisation records
Suppliers of material
Training programs
Validation (protocols, progress and use of concurrent strategy)

Another class of identification is inferred when particular actions are restricted to authorised persons (perhaps without the need for specifically recording that person).  In these cases there is no ‘signing’ and, although electronic-signature technology may be used for this purpose, it may be acceptable to use other system security controls to prove authenticity of the person.  Table 4 illustrates examples from the code of GMP where persons require authorisation and/or identification.

Table 4 – Examples of Persons requiring Authorisation / Identification

Description of PersonTo be AuthorisedTo be Recorded
Person accessing packaging materialsYes 
Person accessing production premisesYes 
Person accessing quarantined goodsYes 
Person amending dataYesYes
Person carrying out in-process controls Yes
Person checking critical data Yes
Person checking different steps of production Yes
Person conducting internal auditsYes 
Person conducting validation, calibrations, maintenance, cleaning or repair operations on major or critical equipment. Yes
Person dealing with reject materialsYes 
Person deputizing for responsible peopleYes 
Person dispensing starting materialsYes 
Person entering dataYesYes
Person investigating eventsYesYes
Person issuing packaging materialsYes 
Person performing analytical tests Yes
Person performing different steps of production / packaging. Yes
Person responsible for each stage of production / packaging Yes
Person responsible to execute recallsYes 
Person responsible to handle complaints and deciding responseYes 
Person releasing batchYesYes
Person taking samplesYes 
Person verifying analytical tests Yes

In summary, cGMP (and company procedures) identify where ‘signatures’ are required.  The way that a system is implemented or operated determines whether the ‘signature’ is to be electronic or hand-written.  This is at the discretion of the company.  If an electronic ‘signature’ is used it must be supported with appropriate control measures to ensure that it is a reliable component of the completed record.  The measures identified in Appendix 1 should be considered for this role.

3.2. Approach for data that is not a Record

This procedure is only concerned with data that is output as a record.  The following guidance, based on the principles in this SOP, may be useful when dealing with other data types.

3.2.1. Volatile Data and Temporary Files

Computer systems often handle and process data without saving it permanently.  Two main ways of doing this are volatile data and temporary files.

Temporary files are records that are created by a system to support its operation.  These may provide the ability to undo previous steps or recover from an error or power-loss.  Such files are transient and only available for the system to use.  Usually there is only one such file for each system in use and they are deleted at specific milestones, (e.g. saving a file; restarting a system).  Most of the control measures available for records may be applied to temporary files.  If the computer system manages these files in a secure fashion and continues to delete, (rather than accumulate) them, they are considered outside the scope of this procedure.

Volatile data is kept within a system’s run-time memory and will be lost with a power-down.  Consequently, volatile data is not a record.  Control measures available for such transient data are more limited than for records and include:

a. Infrastructure protection – physical access restrictions and environmental controls

b. Security management – access controls, passwords

c. Validation – in-use testing, system qualification

d. Software controls – data-validity checking, error handling, data transfer protocols

e. Policies, procedures, training – user training, defined responsibilities, procedures.

In many systems a selection of these measures will provide sufficient assurance of reliability.

One example of volatile data is transient, user-entered, input data that is used in control-equipment.  In this case the stringency of controls should reflect the degree of discretion that a user is permitted, (e.g. freedom to enter any value, versus restriction to a choice or range of values) and the fault-tolerance of the system itself (including any GMP impact of a user-entered value).  Where the system is open to external-access, (i.e. off-site via Internet or similar) the maximum level of controls should be considered.

Another example is intermediate, in-operation data that is gathered and processed to generate a result.  The result may be used to produce records (which may have GxP impact).  The captured raw data may not need to be stored for the final record to be considered reliable.  For instance a check-weigher, that measures millions of tablet weights for each batch, is used to generate a curve showing that the batch weight distribution falls within specified norms.  When the check-weigher performance has been validated, the individual data points do not need to be recorded for each use.

Some systems generate, process and then transmit volatile data to other systems for storage (and perhaps further processing).  Again, there is no need for the initial system to produce its own record and the relevant control measures for this system relate to the accuracy, authenticity and integrity of the transmitted data.  (The control measures of the receiving system may be eligible for review under this procedure).

Methods to capture and store volatile data (as a record) should be considered when:

a. The effort required to re-establish lost data is substantial

b. The actual value of data is critical as evidence, (i.e. for traceability or reprocessing)

c. The identity of the user performing a data entry activity needs to be recorded.

3.2.2. Programs

Software programs and configuration files may be thought of as ‘data’ that prescribe the way a system will perform its functions.  This procedure does not consider software as a record.

Software is usually the output of a development environment, where programmers work with data in a human-readable form, which is converted to a machine-readable form within the target computer system.  Changes to software require the ability to access this data and possibly also to interrupt the operating run-time environment before they can be made.  The restriction of this access is a key means of ensuring software authenticity.

Validation and Change Control are the other main means of ensuring the reliability of software, particularly its accuracy.  The practices associated with this approach are already described in SOP VAL 040.  Other control measures, however, may be appropriate to support other aspects of software reliability, (e.g. authenticity, availability and integrity):

a. Infrastructure protection – physical access restrictions and “malware” protection

b. Security management – external-access checks, centralised storage and user access profiles

c. Backup and restore – back-up procedure, checking of outcome and redundant copies

d. Disaster recovery – response capability

e. Audit trail – author identification and author authentication

f. Software controls – error handling, automated generation (development aids) and independent checking (validation)

g. Policies, procedures, training – developer selection & training, activity history, reviews and audits, defined responsibilities and operational procedures.

As with volatile input-data, where the system is open to external-access a very high level of control should be considered.

Note that the software development environment, (i.e. source-code tool) does not have the same level of GMP significance or impact as the system that is controlled by the code.  Consequently the tools do not necessarily require the same level of assurance, or control measures, as the developed process.  (For instance, software that operates an automatic audit trail function does not require its development environment to have the same functionality – a manual system of change control could be adequate).

Examples of software files that are considered to be outside the scope of this procedure include:

o    Vision system models,

o    Autoclave-cycle configurations,

o    HPLC recipes,

o    Exacta Filter-test configurations.

4. Appendix 1 – Checklist / Explanation of Control Measures

Control CategoryControl MeasureControl TypeComments and Description of Control MeasureReliability-Attribute SupportedSuggested Min. Level for InclusionPIC/S Ref.s
Infrastructure ProtectionPhysical securityOperational

Is physical access to system and operating software limited?

·  Measures include system-based hardware features (such as keys) or environment-based controls (such as site / room security / physical restraints or attachments).

Authenticity, AvailabilityIndirect19.3, 19.7, 23.15
 Environmental controlsOperational

Is a suitable environment for system operation maintained?

·  Measures include controls over humidity, temperature, and electrical supply; monitoring and alarms for fire, smoke and power failure.

AvailabilityIndirect23.12,
 “Malware” protectionTechnical

Is the system protected against “Malware” (i.e. viruses, Trojan-horses and worms) that can cause interference with system operation and damage to stored data?

·  Measures include firewalls, scanning software, hardware configuration and operating system patches.

Accuracy, Authenticity, Availability, IntegrityIndirect 
Security ManagementAccess controlTechnical

Does the software restrict access to the system and confirm presence of an authentic user?

·  Measures may range according to level of Impact from ‘group-access’ (No Impact), through to ‘individuated-access’ and ‘automated-log out’ (Direct Impact).  Physical measures (e.g. keys) are part of Infrastructure Protection

AuthenticityNo-Impact19.3, 21.2, 21.8
 Password managementManagement

Are there procedures for the management of password effectiveness and confidentiality?

·  Measures include enforced password changing; guidelines for formatting; periodic checking; controls over temporary ids; and management of lost or compromised passwords.  Includes passwords supporting ‘electronic-signatures’.

AuthenticityIndirect19.3, 21.2, 23.15
 Authorisation processManagement

Is there a formal process for granting access privileges to personnel?

·  Process should include confirming the identity / status / privilege of new user.

AuthenticityIndirect19.1, 19.2, 23.15
 External-access checksTechnical

If the system is ‘open’ to access from outside, does it have measures to confirm that access and inputs come only from authorised clients in the correct format?

·  Measures include encryption, digitally signed mail or data packets and should include a mechanism to identify, quarantine, notify and sentence external inputs where security conditions are not met; tracking of all external access; logging and monitoring for each element of the processing stage. Requirements could be reduced for ‘read-only’ access.

Accuracy, Authenticity, IntegrityIndirect21.5, 21.12
 Centralised storageOperational

Is data stored in a network server location rather than on satellite PC hard discs?

(This assists in managing security and restricts private, uncontrolled versions that compromise authenticity).

Authenticity, AvailabilityIndirect 
 User function profilesTechnical

Are user functions segregated and assigned to distinct groups, such as privileged functions (e.g. system administration) versus standard functions (e.g. data entry)?

·  Critical systems should also include limitations to ensure that no single user may perform the entire range of operations (i.e. independent review and approval).

AuthenticityDirect19.3, 21.8, 23.15
 User access profilesTechnical

Is the ability to Write, Update, or Delete records (and storage directories) limited to specific groups of users?

·  May include multiple layers of access segregation. (May overlap application-based Function Profiles).

AuthenticityDirect19.2, 21.10, 23.15
 Unique accountsOperational

Do users have distinct profiles including individual identifiers and passwords?

·  This measure should include the protection of account identifiers / passwords. Identities of non-current users should be maintained but not re-used.  All identities (but not passwords) should be kept in a Register of Users (that includes definitions of the user’s privileges).

AuthenticityDirect20.4, 21.8, 21.9
 Breach responseTechnical

Is there pro-active monitoring for attempted breaches and an automated response to attempted unauthorised access (e.g. lock out, notification)?

·  A log of response measures enacted may be recorded.

·  Measures should escalate for critical functions (e.g. batch release) and features (e.g. “electronic-signatures”)

AuthenticityDirect19.3, 21.9, 21.10
Backup & RestoreBack-up procedureOperational

Is the computer system subjected to a back-up procedure?

·  Backing-up is a standard expectation for all computer systems.  The back-up method for systems should be defined and documented (including the storage location).  Frequency of back-up should reflect data criticality; life-cycle milestones (i.e. system changes) and the effort involved to recreate the data.  Media used for critical data back-up should be documented and justified for reliability.

AvailabilityNo-Impact19.5, 19.6, 21.2, 21.10
 Checking of outcomeOperational

Is the success of backup activity verified on a regular basis?

·  The degree of checking should vary with record impact.

·  A log of testing and specific test results should be available to support critical data.

Accuracy, Availability, IntegrityNo-Impact 19.3, 19.5, 19.6, 23.15
 Redundant copiesOperational

Are multiple tapes used in the back-up cycle?

This provides additional assurance (i.e. if latest copy fails).

AvailabilityIndirect 
 Remote storageOperational

Is the storage media kept in a separate physical location (i.e. off-site)?

Storage conditions should be suitable for this function.

AvailabilityDirect19.6
 Automated processTechnicalIs backup implemented on a regular basis using an automated (rather than a manual) process?AvailabilityDirect 
 High-availability systemTechnical

Is the IT hardware designed to provide backup and ‘failover’ (i.e. automatic fault-based switching) capabilities?

·  Approaches include the use of RAID or SAN technology.

AvailabilityDirect 
Disaster RecoveryResponse capabilityOperational

Have appropriate response capabilities been established?

·  Measures should be known and may vary with criticality.  No-Impact systems should have an identified support resource capable of a restart.  Direct Impact systems (e.g. to support a product recall) should have alternative arrangements / systems identified (perhaps including hot stand-by and 24×7 support).

AvailabilityNo-Impact 
 Agreed plan / goalManagement

Have plans for recovery of service been documented, including a defined allowable outage time?

·  Plan should be agreed with the Business System Owner.  Recovery time should reflect the criticality of record availability for GMP.  Plan should align with the Response Capability.

AvailabilityIndirect19.6
 Tested processManagement

Is the recovery plan tested regularly and formally (i.e. this is documented)?

·  Frequency of testing the Disaster Recovery plan should reflect record and system criticality.

Accuracy, Authenticity, Availability, IntegrityIndirect19.3, 19.6
Validation & Change ControlSpecificationManagement

Have requirements for the system or change been described and documented (e.g. in a User Specification)?

·  Level of detail should be appropriate to the GMP impact.

· Stored documentation should be updated as required

Accuracy, IntegrityNo-Impact21.9, 23.12, 23.13
 Authorisation processManagement

Does an authorization process control the implementation of changes?

·  Includes the review and approval of requirements; go-live / implementation.  Includes QA involvement where GMP impact exists.

Authenticity, IntegrityNo-Impact 
 Implementation TestingManagement

Was the system operation subjected to a test program?

·  Includes Validation testing where there is GMP impact.

·  Consider security features, audit trails, data verification in addition to the system functionality.

Accuracy, IntegrityNo-Impact20.1, 21.10
 In-use TestingManagement

Is the system performance challenged on a regular basis?

·  Includes revalidation, calibration and batch-wise, set-up challenges.  Results of these tests should be recorded.

·  Critical components may require specific focus (e.g. counters, scanners, printers)

Accuracy, IntegrityIndirect 
Audit TrailAuthor IdentificationTechnical

Is the identity of a user making data-entry recorded with the data?

·  At the simplest level this may be a manual text entry.

AuthenticityIndirect20.1, 21.6, 21.9
 Author AuthenticationTechnicalIs the identity of a user making data-entry verified and confirmed (e.g. using password)?AuthenticityDirect21.2, 21.5
 Sequence RecoveryTechnical

Does the record permit the recovery of the sequence of critical operations and data-entry?

·  Where the data-entry sequence is important the system may also constrain the order process steps are executed

Accuracy, AuthenticityDirect 
 Approval-Content LinkTechnical

Is it possible to confirm the actual contents of the record at the time that it is approved?

·  Electronic records may achieve this with a time / date stamp, and/or a freeze on changes.  Hybrid records may require additional measures (e.g. reference to record name, record size, record time / date, and a record checksum or other unique data on a signed print-out).

Authenticity, IntegrityDirect20.3, 21.6
 Retain previous dataTechnical

Are changes to data transparent?

·  This means original data is retained along with updates.  Comments should be included to explain context / reason for change.

·  Applies to data additions, modifications and deletions

Accuracy, IntegrityDirect20.1, 20.2
 Automatic creationTechnical

Is an audit trail record generated automatically by the system, including a time/date stamp?

·  Manual generation may be suitable for simple user-identification records, where GMP impact is Indirect.

·   The system may require a consistent time / date clock

Accuracy, AuthenticityDirect20.1, 21.6,  21.8, 21.10
 Secure trail storageTechnical

Is the audit trail record kept in a secure format?

·  Preferably this means that the audit trail is integral with the actual record; is included in the same Backup and Security Management processes.

Authenticity, Availability, IntegrityDirect20.1, 21.2, 21.6, 21.10
 Alteration ApprovalManagement

Are changes to data-entries reviewed and approved?

·  Any critical data-entry that is altered should be authorised

Accuracy, Authenticity, IntegrityDirect 
Electronic SignaturesSignature CaptureTechnicalAre “electronic signatures” applied where key decisions / actions are undertaken electronically?AuthenticityDirect21.5, 21.13
 Signature ResponsibilityManagement

Are users aware of the meaning, responsibility and accountability implied when they ‘sign’

·  This should be specifically covered by training and procedures. System prompts may reinforce this.

Accuracy, AuthenticityDirect21.9, 22.3, 22.6
 Signature ContentTechnical

Does the “electronic signature” provide complete and unique identification

·  Should include user name, time and date, meaning (Requirements are similar to those for audit trails)

AuthenticityDirect21.9
 Signature AuthorisationTechnical

Does the system limit the ability of users to execute a critical  “electronic signature”?

·  For instance the system should only permit Authorised Persons to release batches – no User should have this authority who is not qualified or intended to exercise it.

·  Maintenance of the signatories requires procedures and reviews (as noted for Authorisation Process)

AuthenticityDirect21.7
 Non Transferable IdentityTechnical

Is the “electronic signature” secured?

·  e.g. passwords or keys are confidential; combinations / biometric data are unique; signatures cannot be copied or transferred; ‘default’ signatures (within a session) are confirmed by at least one identifier component..

·  Requires the support of systems and processes to detect and respond to attempted unauthorised “signature” usage

Authenticity, IntegrityDirect19.3, 21.3, 21.9,  23.15
Record RetentionDisposal ApprovalManagement

Is approval given before disposing of retained records?

Ideally the appropriate authority is identified in a procedure.

AvailabilityNo-Impact 
 Defined storage periodManagement

Is the storage period for this record, defined and followed?

Regulations identify storage periods for critical records. Internal site requirements may however exceed these periods and should be defined to support disposal approval.

AvailabilityIndirect21.1, 21.2, 21.10
 Periodic testingOperational

Is the storage media tested, periodically throughout retention time, to ensure accessibility, durability and accuracy?

A media refresh should accompany this activity (i.e. another copy is made prior to expiry of the media).

Accuracy, AvailabilityIndirect21.1, 21.2, 21.10
 Transient copy removalOperational

Where data is transmitted to other systems, or printed, does the system ensure that transient copies are deleted?

This is to restrict the possibility of duplicate but conflicting ‘master’ files, or hybrid records.

AuthenticityIndirect 
 Un-editable formatTechnical

Are records protected from change by retaining in a format that resists change (e.g. PDF, Encryption)?

·  As a minimum, data should only be editable via its native application (i.e. not available in a simple text format).  If changes precede the format conversion an audit trail may be required to be attached.  Conversion should only occur after all processing is complete.

Authenticity, IntegrityIndirect 
 Human readable formTechnical

Is data readily available to regulators in legible form (e.g. print-out or PDF copy)?

This requires an operational print-program for each stored format.  Where data is encrypted auditors may want to be given decrypting ability or to witness decryption on site.

Copy should include audit trails and “electronic signatures”

AvailabilityIndirect19.4, 21.1, 21.10
Software ControlsData-validity checkingTechnical

Are checks performed to ensure entered data is compatible with the application?

Examples of invalid data include values:

–   With an unrecognisable data type (e.g. non-numeric);

–   Outside acceptable ranges for the proper functioning of the system, and

–   that contain a ‘read-error’ (i.e. corrupt or unrecognisable).

Accuracy, IntegrityNo-Impact23.15
 Error handlingTechnical

Does the system include functionality to identify error conditions and respond appropriately?

·  May include alarms and user prompts to notify of failure.

Accuracy, Availability, IntegrityNo-Impact 
 Data transfer protocolsTechnical

Where data is transmitted to other systems, are measures used to ensure accurate and complete transmittal?

·  Various approaches may be adopted depending on criticality (e.g. standard protocols for No-Impact records; receipt-confirmation, checksum and perhaps encryption for Direct Impact).  The system may even keep copies of data, until the receiving system confirms it as processed, so that loss or corruption at a later stage can be addressed. Measures should be validated.

Accuracy, IntegrityNo-Impact19.3, 20.5, 21.12
 Confirmation promptingTechnical

Is the operator requested to confirm data entry or activity prior to final committal?

·  Should be used for important entries or activities.

AccuracyIndirect 
 Automated generationTechnical

Is the data sourced from automated systems (e.g. barcode readers, scales) rather than manually entered?

This approach reduces potential for operator error but requires validation.

Accuracy, AuthenticityDirect20.2
 Independent checkingTechnical

Is the value of data entry verified?

·  Should be applied to critical data.  May use independent checking with a second operator (e.g. redundant data-entry) or electronic means.

·  Automated data-entry (e.g. bar-codes) may be considered to be verified by Validation, Calibration, etc.

·  Real-time systems may also utilise watchdog timers (or other indirect checks) to ensure consistent performance of critical parameters.

AccuracyDirect20.2, 21.2
Policies, Procedures, TrainingSelection & TrainingManagement

Do key personnel have the appropriate training, skills and knowledge for their roles?

This includes operators, developers and administrators of systems.

As appropriate, training should be documented and effectiveness assessed

Accuracy, Authenticity, IntegrityNo-Impact19.3, 20.1, 21.9, 22.1, 22.2, 22.5, 22.6, 22.7, 23.12
 Activity HistoryOperational

Are logs used to record activities, faults and responses?

· Examples include logs of backups, changes, configuration modifications, security breaches, system faults, and back-up faults. Critical systems may include monitoring tools that generate event or error logs to aid in troubleshooting or maintenance (note these are not the same as ‘audit trails’).

Accuracy, Availability, IntegrityNo-Impact 
 Reviews and AuditsManagement

Is evidence supporting the reliable management of records subjected to review and internal audit (beyond this procedure)?

· Relevant evidence may include logs (users, backups, faults), Validation and Change records, Procedures, Audit trail content.

Accuracy, Authenticity, Availability, IntegrityIndirect 
 Defined ResponsibilitiesManagement

Are personnel (including external agencies) given guidance regarding the nature and scope of their responsibilities in relation to maintaining record reliability?

Should include System Owners, Administrators, Users, Maintainers and Developers.

AuthenticityIndirect17.3, 19.1, 19.2, 21.9, 22.3
 Operational proceduresOperational

Are operational procedures documented?

· Subjects for documenting include when a change request is needed, what content to enter in an audit trail, the meaning associated with approval activities, etc.

Authenticity, IntegrityIndirect19.2, 20.1, 23.15
 Alignment proceduresManagement

Are there documented procedures for ensuring that electronic and paper copies remain aligned (i.e. changes are kept up to date in both)?

·  Where electronic records are used, it should be clear that paper copies are ‘uncontrolled’.

· Where Hybrid records are used a range of activities are required.  These may include retrieval and control of obsolete paper copies; fresh approval of new paper copies; references updated with new version information; re-entry of hand-marked changes into electronic record / audit trail; and reprinting of the audit-trail with the paper copy.  Procedures for Hybrid records should also include justification for their use.

Authenticity, IntegrityDirect21.6