Information Systems Department – Compliance Overhaul
Problem Definition
A sterile manufacturing facility sought consulting help so that its Information Systems (IS) department could support the validation / compliance department. The consulting assistance was needed for the following reasons:
- The IS department had historically been providing help desk, email and other basic functionality such as file and print services to the facility employees. Most computerized systems were stand-alone systems, with each system owner responsible for the maintenance and administration of their system. This was changing fast, as more and more systems started utilizing the network infrastructure. The IS department had no procedures / processes for the following, which greatly hindered the compliance effort for any GxP system implementation:
  - Validation methodology for computerized / IT systems.
  - Change control SOP for computerized systems (a facility change control SOP existed, but that did not tackle IT based systems effectively).
  - Security procedures (granting, revoking, modifying access).
  - Hardware / software procurement; hardware / software standards.
  - Data management, data backup, archival, recovery and disaster recovery.
  - Installation best practices.
  - Problem reporting.
- The IS department had internal operating procedures, but they were not up to the facilities’ SOP standards.
- The IS team were also given the responsibility of development work on an as-needed basis on GxP systems / software within the facilities. The IS team had no formalized software development methodology.
- The network infrastructure was not qualified.
- IT applications, including their enterprise backup system, maintenance management system, etc. needed to be deployed and validated.
- The IS staff were not trained on GxPs.
ValiMation’s Role
ValiMation was hired to ensure that the IS department could support compliance / validation efforts. Some of the activities performed by ValiMation are described below:
Validation Methodology Establishment
ValiMation revised the facility’s validation methodology to better incorporate software / IT based systems. Specific emphasis was given to IS’s role in the entire validation lifecycle, starting from the inception of a project. The validation methodology included incorporating risk assessments and the latest industry views on scientific approaches to validation.
Change Control and Configuration Management
The facility change control methodology was updated to incorporate IT / software systems.
Data Management Policy
ValiMation developed a data management policy. The objective of this policy was to outline the standards and requirements for the following:
- Data backup and archival.
- Data retention (e.g. data retention time).
- Data destruction.
- System retirement and its effect on existing data (e.g. fossilization of systems, data migration).
- Documentation retention for systems.
Security Policies
ValiMation developed security policies and procedures whose objectives were the following:
- To define how personnel access to IS resources is granted, revoked and modified.
- To define user name and password requirements (e.g. formats, password history, minimum lengths).
- To manage the clocks in the facility (including network and workstation clocks).
- To ensure only authorized personnel enter the areas / buildings containing critical IS infrastructure.
- To ensure the tracking of personnel entering and exiting these areas (e.g. by the use of card readers, cameras, etc.).
- To periodically inspect, maintain and test the security devices as well as the perimeter of the facility, network and other infrastructure.
- To install access control procedures that address personal identification and clearance, key controls, visitor logs, escorts for outside service vendors, remote locks, and lock change schedules (including upon changes in employees) with respect to controlled IS resources and infrastructure.
- To construct physical and logical barriers that prevent access to controlled IS infrastructure (e.g. servers, network, network devices, network power supply).
- To evaluate potential crime impacts on the facility and IS infrastructure.
- To periodically audit the internal security procedures of the IS.
- To maintain and periodically audit security logs and security records.
Hardware / Software Procurement Procedure
ValiMation developed a hardware / software procurement procedure that included the following:
- Standards establishment for hardware / software
- Vendor assessment process
- Guidance in choosing the right hardware / software for the requirements.
Software Development Methodology
ValiMation developed an in-house software development methodology. In addition, ValiMation assisted in the development of coding standards for specific programming platforms.
System Installation Best Practices
ValiMation developed best practice processes for the installation of servers, workstations, network hardware and cables.
Training
The IS staff were trained on all SOPs developed for this project. In addition, GMP and 21 CFR Part 11 training was provided to the personnel.
Network Infrastructure Qualification
The network was qualified utilizing a service based approach with the validation methodology developed by ValiMation as a basis. This has been described earlier in the document.
IT Systems Validation
IT applications were deployed in the facility and were validated by ValiMation, using the principles laid down by the validation methodology SOP developed by ValiMation. The effort also included vendor audits of the software vendors. Some of the applications validated were:
- Microwest Software’s Advanced Maintenance Management System.
- Blue Mountain’s Calibration Management System.
- Veritas’ Netbackup Enterprise Backup System.
- Agilent’s Chemstation / Chemstore infrastructure with multiple Analytical Instruments.
- Particle Measuring Systems’ PharmNet software.
- Etc.
ValiMation's Impact - Our Unique Value Proposition
- Developing processes and procedures that enabled IS personnel to work within a compliant (GxP) environment.
- Qualifying the network using our service based model.
- Validating IT systems using a risk based / scientific approach.
- Training IS personnel on compliance.
- We bridged Technology and Compliance.