Here are USDM's Top 10 standard operating procedures (SOPs) required for commercialization and for implementing and validating your first GxP-regulated IT systems.
Before you can validate your IT systems, you must analyze, optimize, and document your processes. At USDM, we have often seen start-ups and pre-commercial, early-stage life science companies that are unaware of this requirement: they do not know what they do not know. Regulatory agencies require that your IT systems be validated to ensure that they do what they are supposed to do, consistently, and that you have the evidence to prove each system functions for your intended use.
New pre-commercial companies often lack clearly defined processes in place for validation. Below we guide you to better prepare for validation by advising on the pre-work required in establishing your SOPs.
When beginning your validation efforts, we recommend that the following SOPs be in place.
1. Computer Systems Validation (CSV)
The CSV SOP identifies the activities and documentation required to provide evidence that a system is fit for its intended use, and that risks to product quality, patient safety, and data integrity are managed effectively. It articulates the process for the course of developmental changes through which a system passes from its conception to the termination of its use; e.g., the phases and activities associated with the requirements analysis, design and specification, coding (implementation), testing, deployment (installation), maintenance and retirement (System Development Life Cycle). It should also outline the process for the confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses, and that the requirements implemented through software can be consistently fulfilled.
- Risk Management: Defines a systematic process for the assessment, control, communication, and review of risks to product quality, patient safety, and data integrity across the lifecycle.
- Deviation Management: Defines the procedures for reporting, managing, and resolving incidents.
- Periodic Review: Establishes the procedure for conducting regular reviews of validated computerized systems, including system documentation, system operation and maintenance SOPs, change control information, access information, and audit trails.
Also, there should be references to the following SOPs (typically owned by the quality team):
- Supplier Management: Assess the quality and reliability of suppliers and service providers.
- Good Documentation Practice: Establishes the process to measure that, collectively and individually, all documentation, whether paper or electronic, is secure, attributable, legible, traceable, permanent, contemporaneously recorded, original, and accurate.
- Training: Ensures all users are competent and qualified to perform their jobs.
2. Change Control
The formal system by which qualified representatives of appropriate disciplines review proposed or actual changes that might affect the validated status of facilities, systems, equipment, or processes. This SOP should define the methodology to be followed for any in-scope changes for GxP-regulated computer and automated systems. The intent is to determine the need for action to ensure and document that the system is maintained in a validated state.
3. Network Security Policy
Describes the network access and security policy in place for access to the IT-controlled computer systems.
4. Electronic Records and Electronic Signatures Policy
This policy needs to be in place before implementing a GxP system that utilizes electronic records and electronic signatures. It defines the framework for achieving 21 CFR Part 11 (Part 11) compliance as it applies to electronic records and electronic signatures used for GxP purposes as the equivalent of, and in place of, handwritten signatures.
There are some necessary procedures for ensuring a compliant IT department, which must include the following:
5. Physical Security Procedure
This procedure defines the physical access control methods used to protect company assets from insider and outsider threats. This includes outlining how access to physical IT assets, such as servers and PCs, is controlled.
6. System Administration, Maintenance, and Control Procedure
Describes the process and procedures to be used to assure that the system is maintained under control in its qualified state within the company.
7. Business Continuity & Disaster Recovery
This SOP describes the process to be followed for classification of systems for disaster recovery and the process for recovery after a disaster or system breakdown to ensure continuity of support for computerized systems supporting critical processes (e.g., a manual or alternative system).
8. Backup and Restore
Regular back-ups of all relevant data must be performed. Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.
9. Incident/Problem Management
All IT incidents or problems, not only system failures and data errors, should be reported by the business and assessed by IT. The root cause of a critical incident should be identified and should form the basis of corrective and preventive actions (CAPAs).
10. System Use and Operation SOP
List the necessary workflows, support SOPs, Work Instructions, end-user SOPs, etc. essential for the operation of the system according to its intended use. It also defines how to gain access to the system.
And one more important consideration: Early on, it is prudent to establish a Record Retention and Archiving procedure that defines the security controls that will be in place, and validated where appropriate, to ensure the integrity of the record throughout the retention period.
The absence of these documents can cause the system to be in a non-controlled state and may allow for data integrity issues, which can result in regulatory authority audit findings.
USDM can help by assessing the quality of your SOPs, advising on any updates or changes needed, and even creating your SOPs from our pre-packaged IT Compliance Program Accelerators, which can help you rapidly implement your IT Compliance Program.
About the Authors
Elena Mirón has been working in the life science industry for more than six years. She has extensive experience in compliance validation strategy, change management, and quality management. As a CSV and Quality Specialist at USDM, she has led many CSV projects for both on-prem and cloud-based solutions and is a subject matter expert in data integrity and regulatory compliance.
Erin Northington leads USDM’s Emerging Life Science division, which focuses on helping startup biotech, pharma, medical device and, most recently, medical cannabis and cannabinoid companies to rapidly establish their regulatory compliance strategies and technologies and accelerate their digital transformation. Erin has over two decades of experience in Life Sciences, GxP applications, business relationship management, and IT roadmaps and strategy.