After a successful Project Phase a Validated system is available. The Operation Phase of Validation will ensure that the validated state of the system is maintained during the life cycle of the system. ISPE published a separate Good Practice Guide on this subject.
Major activities and information flows are shown in the diagram below. The diagram divides the processes into the groups Handover, Service Management and Performance Monitoring, Incident Management and CAPA, Change Management, Audits and Review, Continuity Management, Security and System Administration and Records Management.
In the Handover step the responsibility of the system is transferred from the project team to the system owner.
Deliverables for this step are:
- System Handover protocol
- Establishing and Managing Support Services
- Performance Monitoring
Establishing and Managing Support Services
The process for establishing and managing support services (internal or external) is managed through the use of Service level Agreements (SLA).
Provides trends and data for:
- reduce application
- system down time
- change management
- risk & impact assessment
- periodic review
- evaluation of system performance
- Incident Management
The primary objective for incident management is to address unplanned issues before serious harm occurs. The process must be designed to return the system or service to the users as quickly as possible.
Corrective Actions and Preventive Actions
In case of discrepancies, Investigate, understand & correct the issues to prevent recurrence. Meanwhile recognize potential discrepancies to prevent occurrence by looking at the performance monitoring.
- Change Management
- Configuration Management
- Repair Activity
Key requirement is that all changes should be reviewed, impact & risk assessed, authorized, documented, tested and approved before implementation. Each change has to follow the V-model.
Change management controls life cycle of changes end enables beneficial changes made without compromising regulated processes with minimum disruption to services.
Hardware & software configuration must be documented throughout system life.
Activities to repair or replace failed or defective component are implemented following a defined, approved & verified procedure.
A Periodic Review is essential to ensure the validated state of an automation system. In general a periodic review is scheduled every two years.
Subjects for review are:
- Documentation (complete, correct, up to date)
- Change of use
- Level and nature of changes
- Outstanding actions
- Previous reviews, reports, audits
- Prove of unstable or unreliable operation
- Changes in circumstances
- Regulations, environment, product, business, best practices, personnel
- Procedures, incident logs
- Software and data backups
A Periodic Review may be part of an internal audit. The results of the Periodic Review can be used for external audits.
- Backup and Restore
- Business Continuity Planning
- Disaster Recovery Planning
Backup and Restore
Processes and procedures must be available and used to ensure that copies of software are made on a regular base and maintained in a safe and secure environment. Restore procedures should be available. Restores must be tested and tests result must be available. To test a system restore an extra system may be required, to avoid damaging a system with a corrupt backup.
Business Continuity Planning
A Business Continuity Plan (BCP) must be in place to describe continuation of the business when the system is out of use. A documented rehearsal session must be performed.
Disaster Recovery Planning
To restore business processes a Disaster Recovery Plan must be in place.
- Security Management
- Systems administration
Security Management ensures confidentiality, integrity and availability of organization's regulated systems. It Includes:
- Establishing & maintaining security roles & responsibilities, policies, standards & procedures
- Performing security monitoring & periodic testing
- Implementing corrective actions for identified security weakness or incidents
A standard administration procedure must be in place ensuring routine management and support of systems. Key requirements for the support process is that appropriate resources are available and that all system administration tasks are Identified and documented.
- Archive and Retrieval
Policies for retention of regulated recors should be in lace, based on clear understanding of the regulatory requirements and company regulations..
Archive and RetrievalProcedure must be in place for taking records off line to a different location. Key requirements are: Taking records off line to a different location Key requirements GxP records secured against willful or accidental damage during retention period Initially and periodically checked Content and meaning preserved
- GxP records secured against willful or accidental damage during retention period
- Initially and periodically checked (documented)
- Content and meaning is preserved
- Reasonable access by regulators possible