Risk- Based Validation of Computer Systems

Standard Operating Procedure

Risk-Based Validation of Computer Systems

This is an example of a Standard Operating Procedure. It is a proposal and starting point only. The type and extent of documentation depends on the process environment. The proposed documentation should be adapted accordingly and should be based on individual risk assessments. There is no guarantee that this document will pass a regulatory inspection.

Publication from www.labcompliance.com Global on-line resource for validation and compliance

Copyright by Labcompliance. This document may only be saved and viewed or printed for personal use. Users may not transmit or duplicate this document in whole or in part, in any medium. Additional copies and licenses for department, site or corporate use can be ordered from www.labcompliance.com/solutions. While every effort has been made to ensure the accuracy of information contained in this document, Labcompliance accepts no responsibility for errors or omissions. No liability can be accepted in any way. Labcompliance offers books, master plans, complete Quality Packages with validation procedures, scripts and examples, SOPs, publications, training and presentation material, user club membership with more than 300 downloads and audio/web seminars. For more information and ordering, visit www.labcompliance.com/solutions STANDARD OPERATING PROCEDURE Page 2 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems Company Name:

Controls:

Superseded Document N/A, new

Reason for Revision N/A

Effective Date Jan 1, 2004

Signatures: Author I indicate that I have authored or updated this SOP according to applicable business requirements and our company procedure: Preparing and Updating Standard Operating Procedures. Name: ______Signature: ______Date: ______

Approver I indicate that I have reviewed this SOP, and find it meets all applicable business requirements and that it reflects the procedure described. I approve it for use. Name: ______Signature: ______Date: ______

Reviewer I indicate that I have reviewed this SOP and find that it meets all applicable quality requirements and company standards. I approve it for use. Name: ______Signature: ______Date: ______

www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 3 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems

1. PURPOSE

Software and computer systems should be validated for compliance and business reasons. The extent of validation depends on the risk the system can have on product quality and safety and on the complexity. This SOP gives guidelines on what the extent of validation should be for risk categories as defined by the SOP in Reference 4.2.

2. SCOPE

Risk-based validation of software and computer systems and other computer related GxP requirements such as limited access, system audits and change control.

3. GLOSSARY/DEFINITIONS

Item Explanation GAMP Good Automated Manufacturing Practice (Forum). The GAMP Forum exists to promote the understanding of the regulation and use of computer and control systems within the pharmaceutical manufacturing industry. GAMP Standard software package. All applications problems are solved Category 3 with standard functions. However, typically not all available functions are exercised by the user’s application. GAMP Configurable software package. Provides standard interfaces and Category 4 functions that enable configuration of user specific applications. GAMP Custom software package. Developed to meet specific needs of Category 5 an application. Custom software may be a complete system or add on to a standard package. Custom software may be developed and supported in-house or by an external supplier. Standard Function that comes with software GAMP Category 3. Function Critical Requirement that the user determines to be critical for the Requirement effective use of the system.

www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 4 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems Note: For other definitions, see www.labcompliance.com/glossary.

4. REFERENCE DOCUMENTS

4.1. GAMP 4 Guide: “Validation of Automated Systems”, ISPE, Brussels, 2001 (order from www.ispe.org).

4.2. SOP S-134 “Risk Assessment for Systems Used in GxP Environments”. Available through www.labcompliance.com/solutions/sops

4.3. “Risk Management Master Plan”. Available through www.labcompliance.com/books/risk.

5. RESPONSIBILITIES

5.1. System Owner

5.1.1. Owns the process to define and document extent of validation for a specific system.

5.1.2. Drafts documentation.

5.2. Operation’s Manager

5.2.1. Reviews and approves documentation.

5.3. Quality Assurance

5.3.1. Advises on regulations and guidelines related to GxP and 21 CFR Part 11.

5.3.2. Reviews documentation for compliance with internal policies and guidelines.

5.3.3. Approves documentation.

6. FREQUENCY OF USE

www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 5 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems 6.1. Initially whenever equipment is qualified and software and computer systems are validated.

6.2. After system updates or other changes and the change indicates that the extent of qualification or validation may need to be changed.

6.3. Whenever system reviews indicate that the extent of qualification or validation may need to be changed.

7. PROCEDURE

8.1. System owner defines validation steps for life cycle phases and tasks using Tables 8.1.1 to 8.1.9 as guidelines.

8.1.1. Planning

Validation Steps – Planning

System GAMP 3 GAMP 4 GAMP 5

H D Deta Det et iled aile ail valid d ed atio vali va n dati lid plan on ati with plan on all with pl activ all an ities, acti wi deliv vitie th erab s, all les, deli ac own vera tiv ers, bles iti and , es time own , tabl ers, de es. and liv time er tabl ab es. le s, o w ne rs, an d ti m et ab le www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 7 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems s.

M Hi High Hig gh - h- - level leve le plan l ve with plan l key with pl activ key an ities. acti wi vitie th s. ke y ac tiv iti es .

L N High Hig o - h- sp level leve ec plan l ifi with plan c key with pl activ key an ities. acti . vitie s.

8.1.2. Setting Specifications

Validation Steps – Setting Specifications

H D Doc Doc oc ume ume u nt all nt m requ all en irem requ t ents irem all . ents re . qu Uniq ire uely Uni m num quel en ber y ts. all num requ ber U irem all ni ents requ qu . irem el ents y Defi . nu ne m critic Defi be al ne r vs. criti all non- cal re critic vs. qu al. non- ire criti m cal. en ts.

D efi ne cri tic al vs . no n- cri tic al. www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 9 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems M D Doc Doc oc ume ume u nt all nt m requ all en irem requ t ents irem all . ents re . qu Uniq ire uely Uni m num quel en ber y ts. all num requ ber irem all ents requ . irem ents Defi . ne critic Defi al ne vs. criti non- cal critic vs. al non- criti cal.

L Hi Defi Defi gh ne ne - and and le doc doc ve ume ume l nt all nt sy non- all st stan non- e dard stan m requ dard de irem requ sc ents irem rip . ents tio . ns .

8.1.3. Vendor Assessment

Validation Steps – Vendor Assessment

www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 10 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems System GAMP 3 GAMP 4 GAMP 5

H R Ven Ven ev dor dor ie audi audi w t. t. of ve nd or do cu m en tat io n.

M D Revi Ven oc ew dor u of audi m ven t. en dor t doc ex ume pe ntati rie on. nc e wi th ve nd or an d sy st e m.

L N Non Non on e. e. e.

8.1.4. Installation

Validation Steps – Installation

H V Verif Veri eri y fy fy corr corr co ect ect rr soft soft ec war war t e e so insta inst ft llatio allat w n. ion. ar e Doc Doc in ume ume st nt nt all syst syst ati em em on and and . all all com com D pon pon oc ents ents u and and m confi conf en gura igur t tions atio sy . ns. st e Doc Doc m ume ume an nt nt d soft soft all war war co e e m versi vers po ons. ions ne . nt s an d co nfi gu rat www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 12 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems io ns .

D oc u m en t so ft w ar e ve rsi on s.

M D Doc Doc oc ume ume u nt nt m syst syst en em em t and and sy all all st com com e pon pon m ents ents an and and d confi conf all gura igur co tions atio m . ns. po ne Doc Doc nt ume ume s nt nt an soft soft d war war co e e nfi versi vers gu ons. ions rat . io ns .

D oc u m www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 13 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems en t so ft w ar e ve rsi on s.

L D Doc Doc oc ume ume u nt nt m syst syst en em em t and and sy all all st com com e pon pon m ents ents an and and d confi conf all gura igur co tions atio m . ns. po ne Doc Doc nt ume ume s nt nt an soft soft d war war co e e nfi versi vers gu ons. ions rat . io ns .

D oc u m en t so ft w ar e ve www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 14 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems rsi on s.

8.1.5. Functional Testing

Validation Steps – Functional Testing

H Te Test Test st critic criti cri al cal tic stan stan al dard dard fu func func nc tions tion tio . s. ns . Test Test all all Li non- non- nk stan stan te dard dard st func func s tions tion to . s. re qu Link Link ire tests test m to s to en requ requ ts. irem irem ents ents . .

www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 15 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems M Te Test Test st all criti cri critic cal tic al stan al stan dard fu dard func nc and tion tio non- s. ns stan . dard Test func all tions non- . stan dard Link func tests tion to s. requ irem Link ents test . s to requ irem ents .

L N Test Test o critic criti te al cal sti non- non- ng stan stan . dard dard func func tions tion . s.

8.1.6. Ongoing Maintenance and Performance Control

Validation Steps – Ongoing Control

H R Reg Reg eg ular ular ul virus viru ar chec s vir k. che us ck. ch Reg ec ular www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 16 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems k. regr Reg essi ular R on regr eg testi essi ul ng. on ar testi re ng. gr es si on te sti ng .

M R Reg Reg eg ular ular ul virus viru ar chec s vir k. che us ck. ch Reg ec ular Reg k. regr ular essi regr on essi testi on ng. testi ng.

L R Reg Reg eg ular ular ul virus viru ar chec s vir k. che us ck. ch ec k.

8.1.7. Security Controls

Validation Steps – Security Controls

www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 17 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems High Risk R Reg Reg eg ular ular ul revi revi ar ew ew re of of vi user user e acce acc w ss ess of lists. lists. us er Reg Reg ac ular ular ce chec che ss k of ck lis acce of ts. ss acc cont ess R rols. cont eg rols. ul ar ch ec k of ac ce ss co ntr ol s.

Medium Risk R Reg Reg eg ular ular ul revi revi ar ew ew re of of vi user user e acce acc w ss ess of lists. lists. us er ac ce ss lis ts.

Low Risk R Reg Reg eg ular ular ul revi revi www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 18 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems ar ew ew re of of vi user user e acce acc w ss ess of lists. lists. us er ac ce ss lis ts.

8.1.8. Change Control

Validation Steps – Change Control

H All All All ch cha cha an nge nge ge s s s appr appr ap ove ove pr d by d by ov syst syst ed em em by own own sy er er st and and e QA. QA. m o w ne r an d Q A.

M All All All ch cha cha an nge nge ge s s s appr appr ap ove ove pr d by d by www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 19 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems ov syst syst ed em em by own own sy er. er. st e m o w ne r.

L All All All ch cha cha an nge nge ge s s s doc doc do ume ume cu nted nted m by by en user user te . . d by us er.

8.1.9. Audits

Validation Steps – Audits

H R Reg Reg eg ular ular ul audi audi ar t of t of www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 20 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems au syst syst dit em em of and and sy subs sub st yste syst e ms. ems m . an Reg d ular Reg su revi ular bs ew revi ys of ew te the of m audi the s. t audi plan t R . plan eg . ul ar re vi e w of th e au dit pl an .

M “F “For “For or caus cau ca e” se” us audi audi e” ts in ts in au case cas dit of e of s prob prob in lems lem ca . s. se of pr ob le m s.

L N “For “For on caus cau www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE STANDARD OPERATING PROCEDURE Page 21 of 21 Document Number: S-252 Version Beta Risk-Based Validation of Computer Systems e. e” se” audi audi ts in ts in case cas of e of prob prob lems lem . s.

8.2. Review and Approval

8.2.1. The documents as developed in sections 8.1.1 to 8.1.9 are reviewed and approved by the operation’s manager for compliance with business practices.

8.2.2. The documents as developed in sections 8.1.1 to 8.1.9 are reviewed and approved by the QA management for compliance with regulations and internal standards and guidelines.

8.3. Regular Review and Updates

8.3.1. Definition of validation steps is an ongoing process. The system owner reviews Tables 8.1.1 to 8.1.9 every year and updates the tables, if necessary.

8.3.2. Updates from 8.3.1 are reviewed and approved following sections 8.2.1 and 8.2.2.

www.labcompliance.com (Replace with your company’s name) FOR INTERNAL USE