CONTENTS
List of Tables
List of Figures
Preface
1 Introduction
2 Infrastructure Lifecycle Approach Recommendation and Conceptualization Design
Design Reviews
Development and Integration Implementation
Release for Use Operational Life Retirement
Retaining Project and Qualification-Related Deliverables Chapter 2 Summary
3 Infrastructure Qualification Overview
What is Infrastructure?
What is Infrastructure Qualification?
Why Qualify the Computer Infrastructure?
Introduction to the Infrastructure Qualification Process All Together
4 FDA Enforcement
Introduction
FDA Computer Systems Enforcement
Ganes Chemicals (483 — 1999)
Eli Lilly & Company (483 — 2001)
Prelims 25/7/06 1:49 pm Page iii
Pharmacia Corporation (483 — 2000 and Warning Letter — 2001)
Novartis Pharma GmbH (483 — 2002)
Skele Tech (483 — 2003)
Company Unknown (483 — 20904)
Company Unknown (Warning Letter — 2004)
International Pharm & Biotech Labs (EIR — June 2003)
5 Regulatory Requirements
Introduction
Potential Regulatory Consequences
US FDA Regulatory Requirements
EU Regulatory Guidance
6 21 CFR Part 11
Introduction
LAN/WAN
Server Hardware and Service Components System-level Software
7 Procedural Controls
8 Computer Infrastructure Security Physical Security
Network Security
Other Key Security Elements OSI Model Security Services Authentication
Protection of Records and Audit Trails Protection of Records Audit Trails
9 Infrastructure Qualification Planning
Introduction
Qualification Project Plan Project Schedule
10 Qualification Testing
Introduction
Qualification Testing Lifecycle Test Plan
Protocol
Summary (Analysis) Report Commissioning
Sample Qualification Testing/Commissioning Test Cases System-level Software
Application Servers Service Components LAN/WAN
Infrastructure Qualification in the FDA Regulated Industry iv
Miscellaneous Equipment Network Centers
11 Qualification Testing System-level Software
Introduction
Server and Controllers Operating Systems
Qualification Testing Practices for Operating Systems Part 11 Areas of Interest
Network Operating Systems
Qualification Testing Practices for Operating Systems Qualification Testing Practices for Firmware
Part 11 Areas of Interest Security, Diagnostic and Monitoring Tools
Qualification Testing Practices for Standard Software Packages Part 11 Areas of Interest
Desktop Images Scripts
Qualification Testing Practices for Scripts Part 11 Areas of Interest
File and Database Management Middleware
Part 11 Areas of Interest
12 Qualification Testing Application Servers and Service Components
Installation Qualification
Operational Qualification
13 Qualification Testing LAN Devices
Switch
Router
Qualification of Other LAN Devices
Hub
Gateways
Repeaters
Bridges
Brouter
14 Qualification Testing WAN Devices
External Router
WAN Links Firewall VPN Switches
Load Balancing Devices
Intrusion Detection Devices
15 Qualification Testing WAN/LAN System
16 Qualification Testing the Storage Area Networks
Introduction
Qualification Strategy Part 11
17 Qualification Wireless Services WLAN Devices
Access Point VPN Server LAN Switch WLAN System Qualification
18 Qualification Testing Network Centers
Introduction
Qualification Testing
Installation Qualification
Operational Qualification
19 Qualification Testing Database Manager
Introduction
Database Server — Single or Cluster Database Server Software
Critical Database Server Issues Part 11 Considerations Qualification Testing
20 Change Management
Introduction
Type of Change
Change Management Process Emergency Changes
Part 11 and Infrastructure Related Change
21 Training
22 Remediation Project
Introduction
Infrastructure Evaluation Corrective Action Planning
Interpretation Impact Assessment Training
Suppliers Qualification Program Remediation
Remediation Project Report
23 Maintaining the State of Qualification
Introduction
Security
Operational Management
Operational Network Management Business Continuity
Problem Reporting Control of Changes Periodic Review Retirement
On-going Verification Program
Appendix A Glossary of Terms
Appendix B Abbreviations and/or Acronyms
Appendix C Infrastructure Basics
Appendix D Compliance Policy Guides
Appendix E Documentation: Brief Description
Appendix F OSI and TCP/IP Network Models
Appendix G References
Appendix H Qualification of Computer Networks
Appendix I Words Signifying the Requirements in Specification
Appendix J Case Study: A Network Upgrade
Index
LIST OF TABLES
5.1 cGMPs Regulations Application to Computer Systems
5.2 Comparison GMPs, EU Annex 11 and Part 11
8.1 Part 11 Security Related Requirements/Controls
12.1 Category of Servers
23.1 Period/Events Computer Systems Operational Life
H1 NEED CAPTION
LIST OF FIGURES
2.1 Infrastructure Qualification Lifecycle
2.2 Conceptualization
2.3 Design Evaluation Cycle
2.4 Design
2.5 Design Reviews
2.6 Development and Integration
2.7 Implementation
2.8 Release for Use
2.9 Operational Life
3.1 A Computer System and the Operating Environment
3.2 Application/Infrastructure Development and Installation Correlation
8.1 Security Issues to Consider
8.2 Security Services Provided by OSI Layers
8.3 SSL 3.0 Protocol
9.1 Systems Development Distribution
11.1 OSI and the TCP/IP Reference Models
17.1 NEED CAPTION
22.1 Complete Part 11 Remediation Project
F1 The Seven Layers of OSI
F2 Comparison between OSI and TCP/IP Models
H1 System Block Diagram
J1 Previous “Hub and Spoke” Technology
J2 New “Ring” Technology
J3 Project Plan Table of Contents
J4 Sample Installation Checklist
PREFACE
The need to validate computerised systems supporting the development, manufacture, and supply of medicinal products is well understood. The validation of applications has been the primary focus, and quite rightly too, given the impact these systems can have on the quality, safety and efficacy of drug products. Now, however, with modern IT solutions there is a growing dependency on robust and secure infrastructure [1,2]. Deficiencies in the IT infrastructure (e.g. virus protection, personal identity authentication, password management, and electronic records management) will compromise the validated status of computerised systems. It is important therefore that IT infrastructure is developed and maintained to support the regulatory compliance of the applications it supports. Desktop configuration, network design and management, and the use of internet/intranet/extranets are just some of the topics that need to be addressed.
It is important to appreciate that IT infrastructure has its own special character. It is more organic than computer applications in the sense that it grows and evolves to meet the changing needs of the multitude of applications being supported. It cannot be thought of as a discrete element like an individual computer application. This is often reflected by the organisation of the IT department responsible for IT infrastructure. A different approach and different procedures are required.
Regulatory authorities have made numerous citations for what they consider non-compliant IT infrastructure [2]. Regulatory expectations for IT infrastructure however are not explicitly defined although some regulatory guidance does exist [3]. ISPE/GAMP has been working on the topic of IT infrastructure for many years to clarify requirements and has developed some guidance material [4]. PDA has also developed some guidance material [5]. The definition of requirements to date however largely presents principles rather than a working manual for compliance.
The management and controls for IT infrastructure must always be cognisant of the relative risk posed to patients. IT infrastructure will normally be considered as having an indirect impact on patient safety. Consequently, IT infrastructure does not normally require the same validation approach adopted for computerised systems with a direct impact on patient safety. This is not to undermine the key role infrastructure plays in assuring the reliable operation and record integrity required by applications. However, care must be taken not to inadvertently over-engineer solutions on the basis of perceived regulatory compliance. Whatever is done needs to be done on the basis of tangible benefits.
This book presents some of the latest thinking on how to tackle what can often be quite daunting questions on how to assure IT infrastructure for regulatory compliance. Orlando Lopez gives clear direction on how to approach IT Infrastructure based on personal experience and industry discussions. The principles behind the guidance given in this book are consistent with the latest edition of the GAMP4 Guide [6]. Lopez takes these principles into practice with a working level of detail that will be welcomed by practitioners. Inexperienced and experienced practitioners alike will find valuable insights into how best to address IT Infrastructure.
References
[1] Wingate, G.A.S. (2000) Validating Corporate Computer Systems: Good IT Practice for Pharmaceutical Manufacturers, Interpharm Press.
[2] Wingate, G.A.S. (2004) Computer Systems Validation: Quality Assurance, Risk Management and Regulatory Compliance for Pharmaceutical and Healthcare Companies, Interpharm Press.
[3] Pharmaceutical Inspection Co-operation Scheme (2005) Good Practices for Computerised Systems in Regulated GxP Environments, Pharmaceutical Inspection Convention, PI 011-1, Geneva.
[4] GAMP Forum (2004) GAMP Good Practice Guide for IT Infrastructure Control and Compliance, published by International Society for Pharmaceutical Engineering (www.ispe.org).
[5] Crosson, J.E., Campbell, M.W., Noonan, T. (2000) Network Management in an FDA-Regulated Environment, PDA Journal of Pharmaceutical Science and Technology.
[6] GAMP Forum (2001) GAMP Guide for Validation of Automated Systems (known as GAMP4), published by International Society for Pharmaceutical Engineering (www.ispe.org).