How to keep computerized systems in the operational phase?

Maintaining computerized systems during the operational phase is critical to the proper functioning of organizations. In this article, we explore some of the best practices for doing so.

Computerized systems play a crucial role in the life sciences: they are used in daily activities such as data management, key processes, and record-keeping. The GxP assessment of these systems is therefore critical to their proper operation.

The traditional approach of Computerized Systems Validation (CSV) consists of 4 phases: 

  1. Concept phase
  2. Project phase
  3. Operational phase 
  4. Retirement phase

During the “Project” phase, a series of tests and activities are conducted to successfully develop and challenge the system, but the effectiveness of the system is manifested during the operational phase when the system must function consistently and efficiently in a production environment.

It is important to note that even though the project phase is complete, the validated state of the system must be maintained. In this article, we explore some of the best practices for maintaining computerized systems in the operational phase.

How to keep computerized systems in the operational phase?

Once a system is tested and released to a production environment, system performance is monitored and evaluated. With daily use of the system by key users, there will be new information to monitor (live data). In addition, changes and incidents may be discovered that require a change to your system. What should you consider when managing changes that have a GxP impact on your system?

Delivery or Handover

Handover is the process of transferring the computerized system from the project phase to the operational phase. This generally includes the following activities:

Confirmation of the validated status of the Computerized System

The validated status of the system must be confirmed through documentary evidence (approval of release certificates, validation reports). The availability of system usage and support processes should be confirmed (e.g. updated procedures, trained key personnel, etc.). The configuration and components of the application must be protected so that disaster recovery can be carried out, and data, application components, and configuration must be included in backup programs.

Data Migration Completion (as applicable)

The data migration has been successfully completed according to a data migration plan and its report.  

Updating configuration items

Updates to the configuration management database/configuration item list have been completed. The system inventory or configuration management database has been updated to register the new system, module, or infrastructure components.

Knowledge and responsibilities transfer

A formal transfer of documentation/records is suggested to ensure that all knowledge gained during the previous phases of CSV (concept, project) has been correctly transferred to the appropriate roles (process owner, system owner, SME). The transfer of knowledge and responsibility includes the expertise and experiences of the team involved in the project to improve efficiency in future projects and should be agreed between both parties.

Hypercare Period

Depending on the complexity of the system, a Hypercare period will be required. In this period the activities pass from the project team to the support team according to defined criteria. The Hypercare period must be defined prior to the implementation of the system in its operational use. The duration of ongoing project team support should be determined by the level of readiness of the business to operate the system; for more novel or complex systems, it will be required for longer.

Establishment and management of support services

The process for establishing and managing support services ensures that support services (internal or external) are properly documented and managed. Where external services are required, there must be a formal agreement defining the services and responsibilities of the service provider.  

Establish a service agreement: Typically, this covers Service Level Agreement (SLA) activities. These SLAs will describe the responsibilities of the supplier and the regulated company. In addition, the regulated company may require that the service provided meet the requirements of a quality agreement.

Service level agreements should require establishing: 

  • The scope of services/support for computerized systems  
  • Descriptions of services as appropriate, some of which may include: 
    • Software updates, enhancements, and bug fixes: Define how the vendor will notify you about updates required to the software, so you can anticipate their impact on daily processes and, if applicable, perform an impact assessment before the change becomes effective. Software vendors also regularly release updates and patches to address security bugs and vulnerabilities; the way these changes are monitored should also be documented.
    • IT infrastructure services: If your system is on a qualified server provided by an audited vendor, ensure that you receive the necessary information about server infrastructure validation. 
    • IT Security: Cyber threats are becoming more common, and it’s essential that the service provider has a plan to deal with them. This also includes regular training for employees, monitoring suspicious activity, and implementing security protocols. Regular security audits can help you identify and address security vulnerabilities in your systems. This includes checking for unauthorized access, monitoring suspicious activity, and ensuring all security protocols are up to date. 
    • Backup and recovery: These steps will be discussed later, but it is important to note that this activity can be performed by external service providers and service levels must be documented. The supplier’s assessment shall be carried out in accordance with risk management.  
    • Information security and data privacy controls: Vendors must ensure that the system is secure. Access controls, password policies, authentication factors, and role-based access are key controls to keep information secure. Encrypting information is an effective way to protect sensitive data and confidential information.
    • Data archiving and record retention: Service providers must have records retention policies based on legal and business aspects to ensure that information is not kept longer than required, which would cause storage costs or increase the risk of information leakage. When the information is no longer required, it must be securely deleted.
    • System maintenance, administration and repair: Maintenance activities shall be carried out regularly in accordance with the supplier’s internal plans and procedures. The way in which the system is administered by the service provider is different from our internal management of the system: certain functions that are not part of the day-to-day productive use of the system need to be carried out by the provider, and these activities must be documented. Providers should provide regular system status reports so that informed system decisions can be made. Defective parts of a computerized system must be replaced in accordance with procedures and authorized by the expert of the hardware or equipment to be replaced.
    • Expectations of the maintenance of different environments: During the productive use of the system, it is important that the changes the supplier makes in the environments are documented so that they can be traced, together with the tested results and the related incidents investigated, so that they can be used again when required. It is important to remember that each environment has a different purpose and therefore must be treated separately (what was done in one environment does not imply that it has been done in others in the same way).
    • Routine testing and calibrations: Routine testing and calibrations help ensure that the system operates properly and that the information generated in the system is accurate. When suppliers are in charge of calibration tests it is important to verify their accreditation, certificates, and qualification and define the frequency of the tests. 
    • Training: Employees play a crucial role in maintaining computerized systems. When we acquire a system, it is important that the provider trains key users on its use and helps implement best practices for system maintenance. The training of new users, as well as training derived from major changes in the system, can be agreed with the provider.
    • System support tools: For example, a service desk for handling problems detected in daily operation helps resolve problems quickly, so you can agree your level of service with the provider after the validation of the system.
  • Roles and responsibilities of the service provider and regulated company 
  • Reporting, prioritization, and response times for support in requests and errors

Responsibilities can be passed on to alternative suppliers. Termination of the contract must be carried out in a way that reduces the impact on the service of the system.

System Monitoring

System monitoring is used to monitor and report system failures, availability, performance, and security issues. Feedback obtained through monitoring processes can be used to anticipate and respond to system incidents and improve environmental controls. Monitoring activities should be based on business risks, patient safety, product quality, and data integrity, as well as external threats.

By visualizing the performance of your system, you can detect any problems early and mitigate issues before they occur; problems can be addressed through incident and problem management. Monitoring can be done with tools such as performance monitors, log files, and error reports.

Incident and Problem Management

An incident relates to the effect of an unplanned disruption to a service or reduction in service quality, typically linked to a gap in SLA, user observation, or feedback from monitoring tools.

Problems relate to the root cause of one or more incidents. They can be reported in response to a single incident or multiple related incidents.

The way in which each of the processes is carried out must be established in procedures. Incident management helps categorize incidents and direct them to the most appropriate path for timely resolution, while problem management involves analyzing root causes and preventing incidents from occurring in the future.

Corrective and Preventive Actions (CAPA)

CAPA stands for Corrective and Preventive Action, which is a systematic approach to identifying and addressing quality issues through correction and prevention. Correction is a reactive measure that addresses an immediate problem, while corrective action involves investigating the root cause of the problem and implementing measures to prevent it from recurring. Preventive action aims to anticipate and address potential problems before they occur and is a proactive measure to reduce or eliminate the likelihood of problems in the future.

Once an incident or problem is detected, CAPA can be used to implement actions to address the problem. This can include fixing bugs, patching security vulnerabilities, and improving processes. CAPA also helps us prevent recurrences, which may include changes in policies and procedures, employee training, etc.

Effective CAPAs investigate and resolve problems, identify causes, take corrective actions, and prevent root cause recurrence. The CAPA process should be established in local procedures, with actions derived on the basis of risk and impact on patient safety, product quality, and data integrity.

Operational changes and configuration management 

Change management is an essential part of maintaining computerized systems. Implementing a process to manage changes to your systems can help ensure they run smoothly and minimize the risk of disruption.  Change management includes changes to configuration items (e.g. business processes, application software, application configuration, data, IT infrastructure, services, etc.). 

Not all configuration changes should be handled by the same management process, so it is important to create a procedure that helps us identify, define and establish a baseline of configuration items to manage the activities necessary to evaluate and implement the different types of changes.  

Periodic reviews

By performing periodic reviews, we can detect whether the points discussed above, and with them the validated state of the system, have been affected. Impacts on data integrity, regulatory requirements, and suitability for intended use should be assessed; if there is an impact, a revalidation of our system may be necessary.

Periodic reviews should be performed according to a predefined process at an interval appropriate to the impact and operational history of the system.  

Backup and recovery

It is important to define the steps and eventualities to carry out the backup and restoration (Backup and Recovery) of the system. Regular backup of your data can help you recover quickly in case of a system failure or data corruption.  Restoration procedures should also be documented and tested to ensure that there is no data loss during the process. 

Business continuity management

You must have a Business Continuity Plan (BCP), which should define the alternative processes to be followed during a disruption. These can be manual processes or alternative computerized systems, and they must be able to bring the business to a level of operation during a failure or keep it operational during a disaster.

Disasters such as natural disasters, power outages, or cyberattacks can cause significant damage to computer systems. As a subset of the Business Continuity Plan, there should be a disaster recovery plan in place to help you recover quickly from such incidents. This plan should be rehearsed so that it can help us minimize the effects of a disaster.

Security management

Regularly review and update your policies

Reviewing and updating your policies regularly can help ensure they are up-to-date and effective. This includes security policies, data management, and system maintenance. 

Perform regular backups and restore

If your system is hosted on your servers, data loss can be a major problem for computerized systems. Regular backup of your data can help you recover quickly in case of a system failure or data corruption.  If your system is on a qualified server provided by an audited vendor, ensure that you receive the necessary information about server infrastructure validation.  Restoration procedures should also be documented and tested to ensure that there is no data loss during the process.  

Conduct regular security audits

Regular security audits can help you identify and address security vulnerabilities in your systems. This includes checking for unauthorized access, monitoring suspicious activity, and ensuring all security protocols are up to date. It is important that you create a procedure for account management and security before the system is in use.

Have a plan for dealing with cyber threats

Cyber threats are becoming more common, and it is essential to have a plan for dealing with them. This includes regular training for employees, monitoring suspicious activity, and implementing security protocols. 

Conclusion

The maintenance of computerized systems during the operational phase is crucial for the proper functioning of organizations. By following the best practices described below, you can ensure that your systems are operating at optimal performance and are safe from potential threats.  

  • Regularly review and update your policies. 
  • Perform regular backups and restore. 
  • Conduct regular security audits 
  • Have a plan for dealing with cyber threats 
Delivery or Handover
  • Confirmation of the validated status of the Computerized System 
  • Data Migration Completion (as applicable) 
  • Updating configuration items 
  • Knowledge and responsibilities transfer 
  • Hypercare Period 
Establishment and management of support services
  • Establish a service agreement 
    • Software updates, enhancements, and bug fixes 
    • IT infrastructure services 
    • IT Security 
    • Backup and recovery 
    • Information security and data privacy controls 
    • System maintenance, administration and repair 
    • Expectations of the maintenance of different environments 
    • Routine testing and calibrations
    • Training 
System monitoring
  • Incident and Problem Management 
  • Corrective and Preventive Actions (CAPA)
Operational changes and configuration management
  • Change Management 
  • Configuration Management 
Periodic reviews
  • Periodic reviews
Backup and recovery
  • Plans for Backup and Recovery 
Business continuity management
  • Business Continuity Plan (BCPs) 
  • Disaster Recovery Plan
Security management
  • Regularly review and update your policies. 
  • Perform regular backups and restore. 
  • Conduct regular security audits 
  • Have a plan for dealing with cyber threats 

Running periodic reviews and performing regional maintenance, safety audits, and employee training, along with having a disaster recovery plan and investing in monitoring and management tools, are the essential steps to take to keep your computerized system under control and compliant.  
