Regulatory Compliance for IT Professionals

THE REGULATORS REQUIREMENTS: WHAT YOU NEED TO KNOW
Computerised systems operating in the pharmaceutical, biotechnology and medical device industries, as well as Contract Research Organisations supporting them, are subject to specific EU and FDA regulations governing computerised systems. The relevant sections of the regulations will be highlighted and explained.

• What are the regulations applicable to computerised systems and network infrastructure: Good Manufacturing Practice (GMP), Good Laboratory Practice (GLP), Good Clinical Practice (GCP)
• What are the Electronic Records and Electronic Signatures regulations (21 CFR 11) and what is their impact on the IT department?

COMPUTER VALIDATION - WHAT IS REQUIRED?
All regulations and guidelines place the responsibility for computer validation on the end user management. Quality Assurance and Information Science departments must help the end user community to ensure that systems are developed, validated, operated and maintained in a compliant manner.

• The key terms defined and explained
• Roles and responsibilities defined and explained: End User, Quality Assurance and IT
• System Development Life Cycle (SDLC) planning and why is documented evidence important?
• Role of IT in the SDLC and the importance of regulatory compliance
• Aids to help validation and qualification: GAMP Guide and PDA technical reports
• Understanding:
  
  • How the FDA carry out inspections
  • Some typical questions you may be asked
  • The results of inspections: FDA Warning Letters and 483 Observations

HOW DO THE REGULATIONS IMPACT ON AN IT DEPARTMENT?
The FDA's rule of enforcement on 21 CFR 11 now includes the IT Department. This law that brings IT departments under the new legislation: RAPID ADJUSTMENT TO THE NEW RULE IS NOW ESSENTIAL.

• Are your computer room facilities to standard and the environment monitored?
• Do you have procedures and documented evidence of activities ?
• Do your personnel have current training records, position descriptions and CVs?
• Do you have security and access control policie
• Understanding what the regulators want?
• What minimum written procedures are required by the regulations
• Do you have them and do you follow them?
• What is the impact of GXP regulations on IT operations, especially on change control and configuration management?
• Do you generate of electronic records during normal operations
• Are these managed correctly?

QUALIFYING A NETWORK AND IT INFRASTRUCTURE
All networked applications run on a network. Is this adequately designed, installed correctly and qualified to show how it works? The operational network must be under change control to ensure that the applications that run on it remain validated.

• How to define the scope and boundaries of the network to be qualified
• Documentation of components and the overall topology
• Managing the cabling contractors to ensure adequate records of activities
• Initial qualification of the network and how to proceed
• Change control and the impact of change on the networks validated applications.
• Advantages and disadvantages of Common/Standard Operating Environments for the Desktop

REGULATORY COMPLIANCE ISSUES THAT MUST BE CONSIDERED WHEN OUTSOURCING YOUR IT OPERATIONS?
Most pharmaceutical companies now outsource at least some of their IT work. These outsourcing organisations now fall under new legislation and it is your responsibility to ensure they are compliant with regulations.

• Does the outsourcing organisation understand the regulations especially 21 CFR 11? What to do if they don't. Training and education in the context of outsourcing
• How to audit the outsourcing organisation for compliance with regulations before you sign the contract
• Case studies of auditing outsourcing
• Inputs required in the service level agreement for compliance
• When outsourcing can generate open systems

AUDITING IT OPERATIONS
One of the most important aspects of ensuring quality is through an audit and IT departments are no different. Auditing is good way to ensure ongoing quality - knowing when and how to audit effectively is vitally important.

• How to define the scope and boundaries of the audit: people, procedures, infrastructure and/or applications
• How to planing the audit: should you use a checklist?
• How to execute the audit: objective facts, not subjective views
• How to report non-compliance and design, and implement corrective actions