Standard Operating Procedures (SOPs) are documents that ensure essential tasks and processes are performed consistently, correctly, and in conformance with company-approved procedures.
In this blog, USDM highlights the Top 10 IT SOPs that are required for commercialization and to implement and validate your first GxP-regulated IT systems.
Regulatory agencies require your IT systems to be validated to ensure they perform consistently and that you have the evidence to prove they are functioning according to their intended use. Before you can validate your IT systems, you must analyze, optimize, and document your processes. What exactly does that mean and where do you start? Sometimes you don’t know what you don’t know when it comes to implementation and validation.
If you find you are struggling to define and document your processes for validation, let these best practices from USDM guide you in establishing your SOPs.
1. Computer System Validation (CSV)
The CSV SOP identifies the activities and documentation required to provide evidence that a system is fit for its intended use, and that risks to product quality, patient safety, and data integrity are managed effectively. It defines all phases through which a system passes—from its first use through its last—including requirements analysis, design and specifications, coding (implementation), testing, deployment (installation), maintenance, and retirement. It should also provide objective evidence that software specifications conform to user needs and intended uses and that requirements for risk management, deviation management, and periodic review are met.
Also, there should be references to supplier management, good documentation practice, and training SOPs, which are typically owned by the quality team.
2. Change Control
This SOP defines the methodology for in-scope changes within GxP-regulated computer and automated systems. Qualified representatives define the review process for proposed or actual changes that might affect the validated status of facilities, systems, equipment, or processes. The intent is to determine the need for action and document that the system is maintained in a validated state. Non-GxP changes do not need to be tested or managed via Change Control.
3. Network Security
As life sciences companies do more to leverage digitalization, evolving technologies, and third-party providers, cybersecurity vulnerabilities are introduced. Understanding these threats and knowing how to deal with them is critical to protecting intellectual property, data, and patient privacy, and to ensuring continuous regulatory compliance. Having one or more SOPs that describe network access, user accounts and passwords, and security policies for your computer systems is imperative.
4. Physical Security
This SOP defines the physical access control methods used to protect company assets from insider and outsider threats, including access to servers and PCs. This SOP typically involves IT, HR, Facilities, and Legal, and addresses access management for any physical sites an organization may have.
5. Electronic Records and Electronic Signatures
Your patients, investigators, and employees are global and your processes should allow them to complete agreements quickly, easily, and securely while adhering to regulatory standards. This SOP must be in place before implementing a GxP system that uses electronic records and electronic signatures. It defines the framework required to achieve 21 CFR Part 11 compliance as it applies to the use of electronic records and electronic signatures. All employees of an organization should be trained on this SOP and sign an acknowledgment that their training is complete.
6. System Administration, Maintenance, and Control
No matter where your company is in its cloud journey, reducing compliance risk, expanding your compliance knowledge, and achieving continuous compliance are a must. Your SOP for system administration, maintenance, and control describes the processes and procedures used to ensure a system is continuously compliant.
7. Business Continuity and Disaster Recovery
This SOP describes the process for classifying systems for disaster recovery and for ensuring continuity of systems that support critical processes.
8. Backup and Restore
Every organization should have a plan to ensure operations and business continuity are not severely impacted by a disaster or significant event. The integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. This SOP must document your plan for regularly backing up all relevant data.
9. Incident and Problem Management
This SOP explains how to report all IT incidents or problems—not just system failures and data errors—so they can be assessed by IT. The root cause of a critical incident should be identified and form the basis of corrective and preventive actions (CAPAs).
10. System Use and Operation
This SOP lists the necessary workflows, support SOPs, work instructions, and end-user SOPs essential for system operation according to its intended use. It also defines how to gain access to the system.
One more important consideration
Early on, it is prudent to establish a Record Retention and Archiving procedure to define security controls that will ensure the integrity of records throughout the retention period and how they are validated.
How USDM Can Help
Without the procedures contained in these documents, your system could be in a non-compliant state and invite data integrity issues that often result in regulatory authority audit findings.
USDM offers two solutions:
- Pre-packaged SOPs: Includes templates for select IT or Quality processes based on common regulatory requirements and industry best practices.
- Customized SOPs: Includes the pre-packaged SOPs, plus customized SOP development to meet your specific needs and intended use cases.
The pre-packaged solution includes:
- IT SOP templates and related forms for change control, security administration, record retention, and more.
- Validation SOP templates and related forms for CSV, Part 11 assessment, risk assessment, and more.
- Computer Software Assurance (CSA) templates and related forms for system life cycle, IT change control for regulated systems, and more.
- Supporting Process SOP templates for vendor and supplier management, data integrity, document management, and more.
Contact USDM to learn more.
About the Authors
Elena Mirón has been working in the life sciences industry for more than six years. She has extensive experience in compliance validation strategy, change management, and quality management. As a CSV and Quality Specialist at USDM, she has led several CSV projects for on-prem and cloud-based solutions and is a subject matter expert in data integrity and regulatory compliance.
Erin Northington leads USDM’s Emerging Life Sciences division, which focuses on helping start-up biotech, pharma, medical device, and medical cannabis and cannabinoid companies establish their regulatory compliance strategies and technologies and accelerate their digital transformation. Erin has more than two decades of experience in the life sciences industry, including GxP applications, business relationship management, and IT roadmaps and strategy.