DI Considerations when Purchasing Computerized Systems
Electronic records and electronic signatures generated by computerized systems have rapidly gained significance due to their growing role in GxP decision-making and record keeping in the Biotechnology and Pharmaceutical industry. According to the FDA, Data Integrity is the degree to which data are complete, consistent, and accurate throughout the data lifecycle.
Working with diverse clients, Brevitas assessed their systems and practices to come up with some common themes regarding Data Integrity. In this blog we have provided a snapshot of the salient points that system owners should keep in mind when purchasing computerized systems to meet their business and regulatory needs.
- In today’s technological landscape, the degree of software sophistication varies across systems. Therefore, prudent choice dictates selecting a system that incorporates data integrity elements to reduce reliance on excessive procedural controls.
- At the very least, features such as secured storage and retrieval of electronic records, segregation of duties (user roles), user authentication, sound password management, and audit trails are now standard solutions in the majority of systems operating in the GxP space.
System’s Intended Use
- Businesses need to consider which parts of their processes and systems generate GxP versus non-GxP records. This will help reduce the cost of GxP compliance and focus resources where they are needed most.
- Once a GxP system has been identified, the need for and extent of software configurability play a critical role in choosing the appropriate technological solution. Newer technologies offer greater automation of tasks/steps and better software configurability (simplifying and securing setups), leading to improved data control and data reliance compared to manual or semi-automated systems. Therefore, moving from manually controlled systems to more automated systems is beneficial in the long run, as it offers a cost-effective means to meet the compliance challenges.
- Prior to sourcing a technology, it is highly recommended that the system owner undertake a formal vendor qualification. Vendor qualification ensures supplier competency in providing a system and control software that comply with current GxP regulations. It also ensures suppliers have adequate Quality Systems of their own to support manufacturing/distribution of the product/solution being marketed.
- For commercial off-the-shelf solutions, simple documentation such as a questionnaire that includes GxP compatibility questions and vendor submittals can help establish system capability. For complex customizable systems, a software demonstration should be mandatory along with documentation. Agreements between the system owner and the vendor are typically captured in Quality Technical Agreements and/or Service Level Agreements (SLA).
System Owner Responsibility
- Greater automation and software sophistication geared towards better data integrity reduce but do not eliminate procedural controls. However, procedures written for automated systems are less extensive than those for systems that require manual intervention to ensure data integrity. System owners need to ensure procedural controls (such as SOPs) exist that fix responsibilities for various users, as well as create sound management principles for the use of control software.
- Assigning hierarchical user roles (access security), a good password policy, regular backup of GxP critical data, IT management of the secondary storage location, and periodic review of user access and audit trails are some key procedural controls that ensure compliance and business continuity.
- Procedures must exist that allow computer system validation to be performed prior to system deployment. Often, a formal risk-based assessment precedes validation and helps classify systems based on their level of configurability and relative importance in the GxP process.
- SLAs with vendors are integral to GxP compliance and business continuity, especially for systems where the customer’s IT capabilities are limited. These agreements typically include system software changes (bug fixes, improvements, etc.) and disaster recovery service.
Change and Contingency Management
- Software changes (upgrades) need to be carefully managed prior to implementation. Unexpected changes can impact system performance, leading to loss of the validated state and, eventually, loss of GxP compliance. System owners must have procedures for conducting impact assessments of software upgrades prior to their implementation.
- Contingency plans such as disaster recovery need to be in place to ensure system failure does not lead to permanent loss of GxP data.
- Software upgrades and contingency plans are typically included in the Service Level Agreement (SLA), especially where the supplier’s procedures and expertise in software upgrade, backup and recovery are essential.
Although the stakes are high for failure in providing adequate Data Integrity assurance for GxP processes, thanks to technological advancement, availability of quality suppliers, and choice of systems, the industry has responded well to take on this challenge and help businesses achieve their compliance objectives.