CONTENTS
List of Tables
List of Figures
Preface
1 Introduction
2 Infrastructure Lifecycle Approach
  Recommendation and Conceptualization
  Design
  Design Reviews
  Development and Integration
  Implementation
  Release for Use
  Operational Life
  Retirement
  Retaining Project and Qualification-Related Deliverables
  Chapter 2 Summary
3 Infrastructure Qualification Overview
  What is Infrastructure?
  What is Infrastructure Qualification?
  Why Qualify the Computer Infrastructure?
  Introduction to the Infrastructure Qualification Process
  All Together
4 FDA Enforcement
  Introduction
  FDA Computer Systems Enforcement
  Ganes Chemicals (483 — 1999)
  Eli Lilly & Company (483 — 2001)
Prelims 25/7/06 1:49 pm Page iii
www.pda.org/bookstore
  Pharmacia Corporation (483 — 2000 and Warning Letter — 2001)
  Novartis Pharma GmbH (483 — 2002)
  Skele Tech (483 — 2003)
  Company Unknown (483 — 20904)
  Company Unknown (Warning Letter — 2004)
  International Pharm & Biotech Labs (EIR — June 2003)
5 Regulatory Requirements
  Introduction
  Potential Regulatory Consequences
  US FDA Regulatory Requirements
  EU Regulatory Guidance
6 21 CFR Part 11
  Introduction
  LAN/WAN
  Server Hardware and Service Components
  System-level Software
7 Procedural Controls
8 Computer Infrastructure Security
  Physical Security
  Network Security
  Other Key Security Elements
  OSI Model Security Services
  Authentication
  Protection of Records and Audit Trails
  Protection of Records
  Audit Trails
9 Infrastructure Qualification Planning
  Introduction
  Qualification Project Plan
  Project Schedule
10 Qualification Testing
  Introduction
  Qualification Testing Lifecycle
  Test Plan
  Protocol
  Summary (Analysis) Report
  Commissioning
  Sample Qualification Testing/Commissioning Test Cases
  System-level Software
  Application Servers
  Service Components
  LAN/WAN
Infrastructure Qualification in the FDA Regulated Industry
  Miscellaneous Equipment
  Network Centers
11 Qualification Testing System-level Software
  Introduction
  Server and Controllers Operating Systems
  Qualification Testing Practices for Operating Systems
  Part 11 Areas of Interest
  Network Operating Systems
  Qualification Testing Practices for Operating Systems
  Qualification Testing Practices for Firmware
  Part 11 Areas of Interest
  Security, Diagnostic and Monitoring Tools
  Qualification Testing Practices for Standard Software Packages
  Part 11 Areas of Interest
  Desktop Images
  Scripts
  Qualification Testing Practices for Scripts
  Part 11 Areas of Interest
  File and Database Management
  Middleware
  Part 11 Areas of Interest
12 Qualification Testing Application Servers and Service Components
  Installation Qualification
  Operational Qualification
13 Qualification Testing LAN Devices
  Switch
  Router
  Qualification of Other LAN Devices
  Hub
  Gateways
  Repeaters
  Bridges
  Brouter
14 Qualification Testing WAN Devices
  External Router
  WAN Links
  Firewall
  VPN Switches
  Load Balancing Devices
  Intrusion Detection Devices
15 Qualification Testing WAN/LAN System
16 Qualification Testing the Storage Area Networks
  Introduction
  Qualification Strategy
  Part 11
17 Qualification Wireless Services
  WLAN Devices
  Access Point
  VPN Server
  LAN Switch
  WLAN System Qualification
18 Qualification Testing Network Centers
  Introduction
  Qualification Testing
  Installation Qualification
  Operational Qualification
19 Qualification Testing Database Manager
  Introduction
  Database Server — Single or Cluster
  Database Server Software
  Critical Database Server Issues
  Part 11 Considerations
  Qualification Testing
20 Change Management
  Introduction
  Type of Change
  Change Management Process
  Emergency Changes
  Part 11 and Infrastructure Related Change
21 Training
22 Remediation Project
  Introduction
  Infrastructure Evaluation
  Corrective Action Planning
  Interpretation
  Impact Assessment
  Training
  Suppliers Qualification Program
  Remediation
  Remediation Project Report
23 Maintaining the State of Qualification
  Introduction
  Security
  Operational Management
  Operational Network Management
  Business Continuity
  Problem Reporting
  Control of Changes
  Periodic Review
  Retirement
  On-going Verification Program
Appendix A Glossary of Terms
Appendix B Abbreviations and/or Acronyms
Appendix C Infrastructure Basics
Appendix D Compliance Policy Guides
Appendix E Documentation: Brief Description
Appendix F OSI and TCP/IP Network Models
Appendix G References
Appendix H Qualification of Computer Networks
Appendix I Words Signifying the Requirements in Specification
Appendix J Case Study: A Network Upgrade
Index
LIST OF TABLES
5.1 cGMPs Regulations Application to Computer Systems
5.2 Comparison GMPs, EU Annex 11 and Part 11
8.1 Part 11 Security Related Requirements/Controls
12.1 Category of Servers
23.1 Period/Events Computer Systems Operational Life
H1 NEED CAPTION
LIST OF FIGURES
2.1 Infrastructure Qualification Lifecycle
2.2 Conceptualization
2.3 Design Evaluation Cycle
2.4 Design
2.5 Design Reviews
2.6 Development and Integration
2.7 Implementation
2.8 Release for Use
2.9 Operational Life
3.1 A Computer System and the Operating Environment
3.2 Application/Infrastructure Development and Installation Correlation
8.1 Security Issues to Consider
8.2 Security Services Provided by OSI Layers
8.3 SSL 3.0 Protocol
9.1 Systems Development Distribution
11.1 OSI and the TCP/IP Reference Models
17.1 NEED CAPTION
22.1 Complete Part 11 Remediation Project
F1 The Seven Layers of OSI
F2 Comparison between OSI and TCP/IP Models
H1 System Block Diagram
J1 Previous “Hub and Spoke” Technology
J2 New “Ring” Technology
J3 Project Plan Table of Contents
J4 Sample Installation Checklist
PREFACE
The need to validate computerised systems supporting the development, manufacture, and supply of medicinal products is well understood. The validation of applications has been the primary focus and quite rightly too with the impact these systems can have on the quality, safety and efficacy of drug products. Now however with modern IT solutions there is a growing dependency on robust and secure infrastructure [1,2]. Deficiencies in the IT infrastructure (e.g. virus protection, personal identity authentication, password management, and electronic records management) will compromise the validated status of computerised systems. It is important therefore that IT infrastructure is developed and maintained to support the regulatory compliance of the applications they support. Desktop configuration, networks design and management, and the use of internet/intranet/extranets are just some of the topics that need to be addressed.
It is important to appreciate that IT infrastructure has its own special character. It is more organic than computer applications in the sense that it grows and evolves to meet the changing needs of the multitude of applications being supported. It cannot be thought of as a discrete element like an individual computer application. This is often reflected by the organisation of the IT department responsible for IT infrastructure. A different approach and procedures are required.
Regulatory authorities have made numerous citations for what they consider non-compliant IT infrastructure [2]. Regulatory expectations for IT infrastructure however are not explicitly defined although some regulatory guidance does exist [3]. ISPE/GAMP has been working on the topic of IT infrastructure for many years to clarify requirements and has developed some guidance material [4]. PDA has also developed some guidance material [5]. The definition of requirements to date however largely presents principles rather than a working manual for compliance.
The management and controls for IT infrastructure must always be cognisant of the relative risk posed to patients. IT infrastructure will normally be considered as having an indirect impact on patient safety. Consequently IT infrastructure does not normally require the same validation approach adopted for computerised systems with a direct impact on patient safety. This is not to undermine the key role infrastructure plays to assuring the reliable operation and record integrity required by applications. However care must be taken not to inadvertently over-engineer solutions on the basis of perceived regulatory compliance. Whatever is done needs to be done on the basis of tangible benefits.
This book presents some of the latest thinking on how to tackle what can often be quite daunting questions on how to assure IT infrastructure for regulatory compliance. Orlando Lopez gives clear direction on how to approach IT Infrastructure based on personal experience and industry discussions. The principles behind the guidance given in this book are consistent with the latest edition of the GAMP4 Guide [6]. Lopez takes these principles into practice with a working level of detail that will be welcomed by practitioners. Inexperienced and experienced practitioners alike will find valuable insights into how best to address IT Infrastructure.
References
[1] Wingate, G.A.S. (2000) Validating Corporate Computer Systems: Good IT Practice for Pharmaceutical Manufacturers, Interpharm Press.
[2] Wingate, G.A.S. (2004) Computer Systems Validation: Quality Assurance, Risk Management and Regulatory Compliance for Pharmaceutical and Healthcare Companies, Interpharm Press.
[3] Pharmaceutical Inspection Co-operation Scheme (2005) Good Practices for Computerised Systems in Regulated GxP Environments, Pharmaceutical Inspection Convention, PI 011-1, Geneva.
[4] GAMP Forum (2004) GAMP Good Practice Guide for IT Infrastructure Control and Compliance, published by International Society for Pharmaceutical Engineering (www.ispe.org).
[5] Crosson, J.E., Campbell, M.W., Noonan, T. (2000) Network Management in an FDA-Regulated Environment, PDA Journal of Pharmaceutical Science and Technology.
[6] GAMP Forum (2001) GAMP Guide for Validation of Automated Systems (known as GAMP4), published by International Society for Pharmaceutical Engineering (www.ispe.org).