Published on 02/12/2025
Periodic Review of Configuration and Disaster Recovery Evidence
The pharmaceutical industry is under constant scrutiny concerning compliance with current Good Manufacturing Practice (cGMP) and the regulatory requirements set forth by bodies such as the FDA, EMA, and MHRA. Computer System Validation (CSV) is a crucial element in this framework, particularly when it comes to cloud and SaaS applications. This article provides a detailed step-by-step tutorial on the periodic review of configuration and disaster recovery (DR) evidence, emphasizing the importance of intended use risk assessment and compliance aspects such as configuration/change control, backups, and audit trails.
Understanding the Importance of Periodic Review
Periodically reviewing configuration and disaster recovery systems is not just advantageous; it is a regulatory requirement. The review process ensures that the systems remain in compliance with applicable regulations and that the integrity and availability of the data processed within them are maintained. In the context of drug development and manufacturing, maintaining accurate computerized data is of utmost importance to ensure patient safety and product efficacy.
- Regulatory Expectations: Regulatory authorities such as the FDA stipulate that organizations must ensure that computerized systems are validated, maintained, and remain in a state of control throughout their lifecycle.
- System Integrity: A well-structured periodic review process mitigates the risks associated with system downtimes, data loss, and compliance violations.
- Risk Management: An accurate intended use risk assessment is essential to determining the actual impact of any system changes on business operations.
Step 1: Defining the Scope of Review
Defining the scope of the periodic review is critical. This should encompass the systems that fall under the purview of Computer Software Assurance (CSA) and Computer System Validation (CSV), which includes cloud-based systems and applications critical to drug development processes.
- Identify Systems: List all computerized systems in use, focusing primarily on those that are critical to compliance — e.g., laboratory systems, manufacturing equipment interfaces, and document management systems.
- Documentation Review: Collect all existing documentation pertinent to each system, including validation reports, configuration management records, and disaster recovery plans.
- Stakeholder Engagement: Involve relevant stakeholders such as IT personnel, quality assurance, and compliance officers during this initial phase.
Step 2: Configuration and Change Control Assessment
Configuration management is vital to maintaining the integrity of computer systems throughout their lifecycle. This involves an in-depth review of configuration records and change control logs to ensure systems are operating within their validated state.
- Change Control Procedures: Verify that all changes made to the systems are documented correctly and have undergone required approvals. This may include software updates, hardware changes, and process adjustments.
- Audit Trail Review: Examine the audit trails generated by the software systems to confirm that changes and modifications are logged correctly. This will usually involve inspecting User IDs, timestamps, and previous states of the data.
- Compliance with Part 11/Annex 11: Ensure that all electronic signatures and the electronic record processes comply with 21 CFR Part 11 for the US and Annex 11 for the EU, which includes validation of affirmative electronic authentication and record retention.
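The change control and audit trail checks in this step can be partly automated by reconciling exported audit trail entries against the change control log. The following is an added example, not part of the original article or any vendor's tooling; the record layout, field names and sample data are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed change control log: change reference -> approval evidence.
CHANGE_RECORDS = {
    "CR-001": {"approved_by": "qa.lead", "approved_at": "2025-01-10T09:00:00"},
    "CR-002": {"approved_by": None, "approved_at": None},  # raised, never approved
}

# Constructed audit trail export (hypothetical schema).
AUDIT_TRAIL = [
    {"user_id": "jdoe", "timestamp": "2025-01-11T14:02:00", "field": "retention_days",
     "old_value": "30", "new_value": "90", "change_ref": "CR-001"},
    {"user_id": "", "timestamp": "2025-01-12T08:15:00", "field": "backup_window",
     "old_value": "01:00", "new_value": "03:00", "change_ref": "CR-001"},
    {"user_id": "asmith", "timestamp": "2025-01-09T17:30:00", "field": "sso_enabled",
     "old_value": "true", "new_value": "false", "change_ref": "CR-001"},
    {"user_id": "asmith", "timestamp": "2025-01-13T10:00:00", "field": "export_format",
     "old_value": None, "new_value": "csv", "change_ref": "CR-002"},
    {"user_id": "bwong", "timestamp": "2025-01-14T11:45:00", "field": "admin_group",
     "old_value": "qa", "new_value": "qa,it", "change_ref": None},
]

# Attributes the review expects on every entry: who, when, previous state.
REQUIRED = ("user_id", "timestamp", "old_value")


def review_entry(entry, changes):
    """Return the list of findings for one audit trail entry."""
    findings = [f"missing {k}" for k in REQUIRED if entry.get(k) in (None, "")]
    ref = entry.get("change_ref")
    record = changes.get(ref) if ref else None
    if record is None:
        findings.append("no change record")        # change made outside change control
    elif not record["approved_at"]:
        findings.append("change not approved")
    elif entry.get("timestamp") and (
        datetime.fromisoformat(entry["timestamp"])
        < datetime.fromisoformat(record["approved_at"])
    ):
        findings.append("changed before approval")  # implemented ahead of sign-off
    return findings


def review_audit_trail(trail, changes):
    """Map entry index -> findings, for entries that need reviewer follow-up."""
    return {i: f for i, e in enumerate(trail) if (f := review_entry(e, changes))}
```

A missing previous value can be legitimate when a setting is created for the first time, so such findings are items for the reviewer to triage rather than automatic deviations.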
Step 3: Data Backup and Disaster Recovery Planning
The next step in the periodic review is to assess the backup and disaster recovery strategies in place for the computerized systems. Proper backup procedures are essential to maintaining data integrity and availability in case of unforeseen events.
- Review Backup Procedures: Evaluate the frequency of data backups and the methodologies used. Ensure that backups are being performed as scheduled and verify that the data can be restored swiftly and accurately.
- Conduct DR Testing: Regularly conducting disaster recovery tests is crucial. This should involve simulating hardware failures, natural disasters, or other incidents that might interrupt access to critical systems and data.
- Documentation of Tests: Documenting the outcomes of DR tests and integrating findings into system improvements will help organizations meet compliance requirements and enhance system resilience.
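Two pieces of evidence from this step lend themselves to a scripted check: whether successful backups actually met the schedule, and whether a test restore reproduced the source data. The sketch below is an added example, not from the original article; the 24-hour interval, one-hour tolerance, job log format and file contents are assumptions constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed backup job log: (start time, status).
JOBS = [
    ("2025-03-01T02:00:00", "success"),
    ("2025-03-02T02:00:00", "success"),
    ("2025-03-03T02:00:00", "failed"),
    ("2025-03-04T02:05:00", "success"),
    ("2025-03-07T02:00:00", "success"),
]

# Constructed source data and the result of a test restore.
SOURCE = {
    "batch/0001.csv": b"lot,assay\nA1,99.2\n",
    "batch/0002.csv": b"lot,assay\nA2,98.7\n",
    "audit/trail.log": b"2025-03-01 jdoe approve A1\n",
}
RESTORED = {
    "batch/0001.csv": b"lot,assay\nA1,99.2\n",
    "audit/trail.log": b"2025-03-01 jdoe approve A1",  # truncated on restore
}


def schedule_gaps(jobs, interval=timedelta(hours=24), tolerance=timedelta(hours=1)):
    """Return (previous, next) ISO timestamps of successful backups that are
    further apart than the scheduled interval plus tolerance."""
    ok = sorted(datetime.fromisoformat(t) for t, status in jobs if status == "success")
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(ok, ok[1:]) if b - a > interval + tolerance]


def manifest(files):
    """SHA-256 digest per path, taken at backup time and again after restore."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def restore_findings(source_manifest, restored_files):
    """Compare a restore against the source manifest: missing and altered paths."""
    restored = manifest(restored_files)
    missing = sorted(set(source_manifest) - set(restored))
    altered = sorted(p for p in source_manifest
                     if p in restored and restored[p] != source_manifest[p])
    return {"missing": missing, "altered": altered}
```

Counting only successful jobs matters here: a failed run on schedule still leaves a recovery-point gap, which is what the DR evidence needs to show.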
Step 4: Validation of Reports and Spreadsheets
While electronic systems are critical, many organizations still rely on spreadsheet software for data management and reporting. Ensuring the validity and integrity of reports generated from these spreadsheets is an essential step in the periodic review process.
- Spreadsheet Controls: Implement controls over spreadsheet creation and modification. Use templates and automate calculations to minimize the risk of human error.
- Validation Processes: Validate any reports generated from spreadsheets to ensure data accuracy. This includes reconciling report outputs with source data and ensuring that all necessary calculations are performed correctly.
- Data Retention and Archive Integrity: Establish a clear data retention policy that aligns with regulatory expectations, ensuring that archived data is accessible and remains unaltered.
Step 5: Conducting the Intended Use Risk Assessment
A comprehensive intended use risk assessment is central to validating that the computerized systems are functioning within their defined purpose and regulatory compliance thresholds. This assessment should be thorough and must address potential risks associated with the functional scope of your systems.
- Identify Risks: List potential risks associated with system usage, changes in software, hardware failures, or inadequate training of system users.
- Assess Impact: Evaluate the potential impact of each identified risk on product quality, patient safety, and compliance with regulatory requirements.
- Mitigation Strategies: Develop mitigation strategies for any significant risks found, ensuring that these strategies incorporate best practices from industry standards such as ICH guidelines.
Step 6: Documentation of Findings and Action Plans
It is essential to document all findings from the periodic review process comprehensively. This documentation serves both as a reference for compliance and as a proactive measure for continuous improvement.
- Compile Findings: Gather all findings related to configuration assessments, DR testing results, report validations, and risk assessments in a centralized repository.
- Action Plans: Create action plans for any identified shortcomings or compliance gaps, specifying responsible parties, timelines for resolution, and follow-up assessments to confirm effectiveness.
- Management Review: Engage senior management to review findings and action plans, ensuring that there is accountability and prioritization of system integrity.
Conclusion
The periodic review of configuration and disaster recovery evidence is an essential component of ensuring compliance with cGMP regulations and maintaining the integrity of systems used in drug development and manufacturing. By following the steps outlined above, organizations can systematically review and enhance their Computer Software Assurance policies and ensure rigorous adherence to regulatory expectations. Regular engagement with regulatory bodies and continuous updates to policies and procedures will bolster the quality management system, ultimately delivering better outcomes for patients and stakeholders alike.