Qualifying Network Infrastructure - A Risk-Based Approach

Feb 15, 2004

A risk-based approach to the validation and qualification of computerized systems used in regulated environments must focus on systems and components that have a potentially high impact (in other words, represent a high risk) on product quality and consumer safety. This is generally the case for systems and system components that form the computer network infrastructure. Hence, the role of network monitoring hardware and software for the qualification of networks, and maintaining the qualification status of the network infrastructure will be increasingly important.

Risk and Pharmaceutical cGMPs In August 2002, FDA announced an initiative to merge scientific risk management and an integrated quality systems approach.1 This risk-based approach will help industry, suppliers, and regulatory agencies focus resources on critical issues for public health and consumer safety, while adopting innovations made in pharmaceutical engineering.

Practical guidelines for conducting risk assessments have been published in appendix M3 of the GAMP4 guide.2 However, it is important to note that assessing risk is very different from risk management. The goal of risk assessment is the analysis of risks viewed from a specific angle, such as risk for the consumer or commercial risk to a business. Risk assessments result in a risk register and the classification of particular risks. The classification typically assigns a risk severity based on its impact and its probability.

The task of risk management is to define how identified risks can be controlled, minimized, or compensated. Risk management typically asks the following questions:

1. What risks exist, how do they affect us, and how can we manage them?

  • Risk Triggers: What is the trigger for us to change the risk severity classification? What is the trigger for us to address the risk as a real problem?
  • Risk Mitigation: What are we doing now to avoid or reduce the risk?

2. What will we do if the risk (the potential problem) becomes a real problem?

  • Risk Contingency Plan: What actions will we take if the risk is triggered?

3. The risky situation occurred! how do we deal with it?

  • What actions do (did) we take? What is the impact of the risky situation so far?

For more information, refer to the recently published guidebook on the development of risk management master plans.3

Risk and Electronic Records In December 2002, the ISPE submitted a whitepaper to FDA on a risk-based approach to computer system validation.4 The paper was based on the concepts emphasized by FDA's new cGMP initiative. This whitepaper appears to have contributed to the new guidance on 21 CFR Part 11.5, 6 The paper concluded that internal system information not identified by any predicate rule was likely to be of low impact. Therefore, it is acceptable not to have additional Part 11 controls for these records provided that adequate procedures are in place and the required paper records are kept.

The authors of the whitepaper opposed the existing interpretation that software be considered GxP electronic records subject to Part 11, mainly because industry had already developed, in collaboration with FDA, "approaches for dealing with hardware and software in the GxP environment based on validation of systems, configuration management, change control, and adequate procedures and plans for maintaining the validated state. These approaches have been widely adopted and very successful in meeting GxP requirements. Considering software as GxP electronic records has little practical benefit, as well as discouraging firms from adopting innovative technological solutions."

The publication of the Part 11 guidance and FDA's statements about enforcement discretion for certain requirements led some to conclude that it was acceptable to revert back to paper records, (for instance, by defining the printed analysis report with the analysis chromatogram as the raw data and subsequently deleting the electronic record from the computer's hard disk). However, whether an electronic record is subject to Part 11 requirements depends on the predicate rules and whether the established business practices of the firm rely on the electronic version record to perform FDA-regulated activities.

In other words, it is not acceptable to delete the electronic record and just keep the paper record for the FDA auditor. FDA clearly states that it may take business practices into account in order to determine whether an electronic record is used instead of the paper record. It is therefore recommended to determine and document in advance whether the electronic record or the paper record will be used to perform regulated activities. Networked or chromatography data systems, laboratory information management systems (LIMS), and enterprise resource planning (ERP) systems manage critical decision-support data and continue to be a focus of GxP enforcement. The trustworthiness and reliability of the data managed by these systems is highly dependent on efficient technical controls that ensure access security, data integrity, and traceability.

lorem ipsum