Transcript Document
From Initial Risk Assessment Through Successful Audits DCM 15.2 Kevin Stay – Senior Engineer Varian Medical Systems 1 From Initial Risk Assessment Through Successful Audits General Risk Assessment Guidelines Business Applications & Systems General Software Infrastructure & Facilities Building a Validation Package – The ‘V’ Model Specifications Qualifications Documentation 2 Risk Assessment Business Applications & Systems General Software Infrastructure & Facilities 3 Risk Assessment – Business Apps & Systems Generation of Quality Records? Information to Make Quality Decisions? Usage of eSignatures? Generate Information Validated Downstream? Automated Source Code or Designs? Supplier Evaluation or Acceptable Supplier History? Environmental or Manufacturing Controls? Device Labeling Activities? 4 Risk Assessment – General Software Probability Number of Users: User Profile: Ease of Use: Software Build: Platform: Deployment: Select Few vs. Widespread Experts vs. Lay Persons Simple vs. Complex COTS vs. Customized/Internal Robust/Standard vs. Custom Simple/Local vs. WAN/Web 5 Risk Assessment – General Software Severity 5 – May Result in Defective Product 4 – Significant Regulations Non-Compliance 3 – Minor Regulations Non-Compliance 2 – Cost of Quality Impact 2 – Lead to Delays, Inefficiencies 1 – Minor Inconvenience 6 Risk Assessment – General Software Detectability 4 – A fault will NOT be detectable 3 – Fault detectable by customers/field service 2 – Fault detected by admin/power user 1 – Fault detected by normal usage and users 7 Risk Assessment – General Software Final Risk Calculation Probability X Severity X Detectability = Risk Index RI >= 36: Full Detailed Validation + Audit Trail 35 >= RI >= 21: Detailed Validation 20 >= RI >= 3: Reduced Validation/Qualification RI <= 2: No Validation/Qualification 8 Risk Assessment – Infrastructure & Facilities Probability Number of Admins: Admins/SMEs: Admin Activities: Configuration Checks: Reliability: Deploy Complexity: Few vs. Widespread Experienced vs. Newer Proactive vs. Reactive Built In vs. N/A Embedded HA vs. Limited Simple/Local vs. Complex 9 Building a Validation Package Validation Plan & Project Management Integration Specifications Business/User, Functional, and Technical (aka Detailed Design Spec) Requirements Qualifications Installation, Operation, and Performance Specifications and Executions 10 Validation Plan Describes Full Documentation Set Layered Approach Physical Space & Security Electrical & HVAC Hosting Servers, Storage, DC Network Application Servers & Core Services Applications 11 Validation Plan – The “V” Model Business Requirements--------------------------Performance Qualification \ / User Requirements-----------------------Operation Qualification \ / Technical Requirements----Installation Qualification Trace Matrix 12 Validation – Project Management Integration Requirements – Plan & Business Requirements Design – Functional & Technical Requirements (RFP) Build – Installation Qualification* Test – Operation Qualification* Deployment Stabilization – Performance Qualification* *(Specification & Instances) 13 Validation – User Requirements A. Annual Availability & Scheduled Maintenance B. Peak Sustained Load C. Maximum Response Times D. Accessibility E. Lifespan 14 Validation – Functional Requirements A-1. Electrical Redundancy for Required Uptime A-2. Cooling Redundancy for Required Uptime B-1. Sufficient Electricity for Designated Load B-2. Sufficient Cooling Capacity for Load B-3. Sufficient Air Flow for Designated Cooling B-4. Modular to Support Initial and Maximum Load 15 Validation – Technical Requirements A-1-i. Dual UPS to Dual 3 Phase PDU per Rack A-1-ii. Dual Generator Dual Homed to Both UPS A-2-i. N + N Air Handlers A-2-ii. ATS to Generators B-1-i. 6 Phases each 20A per Rack B-2-i. Cooling Capacity > 40kVA per Air Handler B-2-ii. Initial 20 Racks @ 10kVA Each 16 Validation – Installation Qualification Detailed Step – by – Step Instructions Expected Results and Exceptions Screen Capture of Expected Results Per Step Date and Initials Verification of Post Installation Configuration/State 1:1 Correspondence with Technical Requirements 17 Validation – Operation Qualification Detailed Step – by – Step Instructions Scripted Verification of Expected Functionality Screen Capture of Expected Results Per Step Date and Initials Configuration Management & Change Control Standard Operating Procedures 1:1 Correspondence with Functional Requirements 18 Validation – Performance Qualification Monitoring & Alerting Per Step Date and Initials 1:1 Correspondence with Business Requirements 19 Documentation Proper Document of Record Handling Signatures – Approval and Execution Trace Matrix Configuration Management & Change Control Monitoring & Alerting 20 Documentation – Proper Record Handling Creation Process Approval Process Revision Process Validated e-Signature Process Validated Access Controls & Security 21 Documentation – Signatures Document Creator/Editor 1st Block for Approver Signatures per Specification End Block for Instance Execution Signature(s) Per Step Date and Initials for Instances 22 Documentation – Trace Matrix Links Entries Between Documents Up and Down Links BRS – FRS – TRS IQ – OQ – PQ Side to Side Links BRS – PQ, FRS – OQ, TRS – IQ 23 Documentation – Configuration Management Validation Package is NOT a CMS IQ Includes Onboarding to Config. Mgmt. System OQ Includes SOPs for Config. Mgmt. System PQ Includes Reporting from Config. Mgmt. System 24 Documentation – Change Control Routine Changes - Request, Approval, SOP, Disposition Fit/Form/Function Changes - Request, Approval, Change, OQ, Disposition - Revision to BRS*, FRS*, TRS, IQ (Re-Sign 1st and Last Blocks and Initials) 25 Documentation – Monitoring & Alerting Validation Package is NOT a Monitoring System Global System vs. Specialized Systems PQ Includes Onboarding to Monitoring System PQ Includes Required Alert Levels & Recipients - PQ Revision For Changes Automated and Ad-Hoc Reporting 26 Bottom Up Datacenter Validation Physical Requirements Including Security Electrical & Cooling Requirements Networking Requirements Storage Requirements Compute Requirements Basic Services Requirements Standardized Servers Requirements 27 This All Sounds Like a LOT of Work! Education – Methodology and Layered Approach Integration With Project Management Document Management System Assumed Configuration Management System Assumed Change Control System Assumed Monitoring & Alerting System Assumed 28