GLP Regulations on Computerized Systems
In recent years there has been an enormous increase in the use of computerized systems by test facilities undertaking health and environmental safety testing. These computerized systems are involved, directly or indirectly, in various functions of the analytical laboratory, such as the capture, processing, reporting and storage of data, and increasingly as an integral part of automated equipment. Because of these different activities, computerized systems vary from a programmable analytical instrument or a personal computer to a laboratory information management system (LIMS) with multiple functions. These computerized systems play a critical role in conducting studies intended for regulatory purposes. That is why it is essential that they are developed, validated, operated and maintained in accordance with the Principles of GLP. Whatever the scale of computer involvement, the GLP Principles should be applied.
Scientific measurements (whether they concern monitoring contaminants in pharmaceutical products, clinical determinations of blood sugar, characterization of forensic evidence, or testing materials for space missions) are generally recognized as affecting decisions. In acknowledgement of their responsibility, scientists have traditionally adopted sound laboratory practices directed at assuring the quality of their data. However, until recently these practices were not consistently adopted, enforced, or audited. Because of some notorious historic examples where erroneous data have led to tragic consequences, national and international agencies have developed guidelines directed at various industries (food, agriculture, pharmaceutical, clinical, environmental, etc.), which fall in the general category of Good Laboratory Practices (GLP).
GLP is concerned with the organizational process and the conditions under which laboratory studies are planned, performed, monitored, recorded, and reported. The application of GLP to studies assures the quality and integrity of the data generated and allows this data to be used with confidence by relevant Regulatory Authorities in hazard and risk assessment. GLP regulations and guidelines have a significant impact on the daily operation of an analytical laboratory.
Computerized systems associated with the conduct of studies destined for regulatory submission should be of appropriate design, adequate capacity and suitable for their intended purposes. There should be appropriate procedures to control and maintain these systems, and the systems should be developed, validated and operated in a way that is in compliance with the GLP Principles. The following considerations will assist in the application of the GLP Principles to computerized systems:
- Appointment and efficient organization of a sufficient number of appropriately qualified and experienced staff.
- Ensuring that the facilities, equipment and data handling procedures are of an adequate standard.
- Ensuring that computerized systems are suitable for their intended purposes.
- Establishment of computing policies and procedures to ensure that systems are developed, validated, operated and maintained in accordance with the GLP Principles.
- Designation of personnel with specific responsibility for the development, validation, operation and maintenance of computerized systems, and ensuring that such personnel have the required qualifications, relevant experience and appropriate training to perform their duties in accordance with the GLP Principles.
b) The Study Director has overall responsibility for the technical conduct of the safety studies, as well as for the interpretation, analysis, documentation and reporting of the results.
- He or she is designated by and receives support from management.
- The study director serves as the single point of study control. It is important that this is a single individual and not a department or any other grouping of people.
c) Personnel who develop, validate, operate and maintain computerized systems are responsible for performing such activities in accordance with the GLP Principles and recognized technical standards.
d) Quality Assurance (QA) responsibilities for computerized systems must be defined by management and described in written policies and procedures. The quality assurance programme should include procedures and practices that will assure that established standards are met for all phases of the validation, operation and maintenance of computerized systems. It should also include procedures and practices for the introduction of purchased systems and for the process of in-house development of computerized systems. Quality Assurance personnel are required to monitor the GLP compliance of computerized systems and should be given training in any specialist techniques necessary.
The GLP Principles require that a test facility has properly qualified and experienced personnel and that there are standard training programmes including both on-the-job training and, where appropriate, external training courses. Records of all such training should be maintained.
Facilities and Equipment
All GLP Principles that apply to equipment therefore apply to both hardware and software. Sufficient facilities and equipment should be available for the proper conduct of studies in compliance with GLP. For computerized systems there will be a number of specific considerations:
- Appropriate consideration should be given to the physical location of computer hardware, peripheral components, communications equipment and electronic storage media.
- The environment should be free from humidity, dust and electromagnetic interference, and there should be no extremes of temperature or proximity to high voltage cables, unless the equipment is specifically designed to operate under such conditions.
- There should be an appropriate electrical supply for computer equipment and, wherever sudden failure can affect the results of a study, there should be appropriate back-up or uninterruptible supplies available for computerized systems.
- Adequate facilities should be provided for the secure retention of electronic storage media.
- The test facility is required to have access to the source code of the software it uses, or to ensure that it will be available to the validation committee if required.
- Appropriate controls for security and system integrity must be adequately addressed during the development, validation, operation and maintenance of any computerized system.
Maintenance and Disaster Recovery
All computerized systems should be installed and maintained in a manner that ensures the continuity of accurate performance.
- There should be documented procedures covering both routine preventive maintenance and fault repair, which clearly detail the roles and responsibilities of the personnel involved.
- Whenever maintenance activities have necessitated changes to hardware and/or software, validation of the system is required.
- A record of any problems or inconsistencies detected and any remedial action taken during the daily operation of the system must be maintained.
- There should be procedures in place describing the actions to be taken in the event of partial or total failure of a computerized system.
- All emergency plans need to be well documented and validated, should ensure continued data integrity, and should not compromise the study in any way.
- Personnel involved in the conduct of studies according to the GLP Principles should be aware of such contingency plans.
The GLP Principles define raw data as any laboratory worksheets, records, memoranda, notes, or exact copies thereof, that are the results of original observations and activities of a study. Computerized systems operating in compliance with GLP Principles may be associated with raw data in a variety of forms, for example, electronic storage media, computer or instrument printouts and microfilm/fiche copies. It is necessary that raw data be defined for each computerized system.
- Transcriptions to computers- If raw data is transferred to a computer database, neither the electronically stored data nor its paper printout can substitute for the original. System design should always provide for the retention of full audit trails to show all changes to the data without obscuring the original data.
- Direct data capture by a computer- Special rules apply in the case of automated data collection systems: the person responsible for data collection must be identified at the time of data input. Changes in automated data entries must be made in such a way that the original entry is saved, and the person responsible for making the changes must be identified. If a hard copy is retained, the magnetic copy may be deleted. If magnetic media are treated as raw data, you must retain an ability to display that data in readable form for the entire period for which that information is required to be retained (for example 30 years).
- Modification of raw data- With the exception of automated data collection systems, raw data are modified by recording the corrected information and the date of change, and indicating a reason for the change. The person making the change should be identified by a signature or initials.
- Procedures for the operation of a computerized system should also describe the alternative data capture procedures to be followed in the event of system failure. In such circumstances any manually recorded raw data subsequently entered into the computer should be clearly identified as such, and should be retained as the original record. Manual back-up procedures should serve to minimize the risk of any data loss and ensure that these alternative records are retained.
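The audit-trail requirements above (original entry retained, person and reason recorded for every change), as an added example that is not part of the original page: a minimal append-only record in Python. The class name, field names and sample values are constructed, and the SHA-256 hash chain is an added tamper-evidence technique, not something the GLP Principles prescribe.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first (original) entry


def _digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditedRecord:
    """One raw-data value plus its append-only audit trail (hypothetical class)."""

    def __init__(self, record_id, value, user, when=None):
        self.record_id = record_id
        self.trail = []
        self._append(value, user, "original entry", when)

    def _append(self, value, user, reason, when):
        if not user or not reason:
            raise ValueError("a change needs an identified user and a reason")
        body = {
            "record_id": self.record_id,
            "seq": len(self.trail),
            "value": value,
            "user": user,
            "reason": reason,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": self.trail[-1]["hash"] if self.trail else GENESIS,
        }
        self.trail.append({**body, "hash": _digest(body)})

    def amend(self, new_value, user, reason, when=None):
        # Corrections are appended; earlier entries are never overwritten.
        self._append(new_value, user, reason, when)

    @property
    def original(self):
        return self.trail[0]["value"]

    @property
    def current(self):
        return self.trail[-1]["value"]

    def verify(self):
        """Return the index of the first altered entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.trail):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev_hash"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


# Constructed sample: a balance reading corrected after a transcription error.
rec = AuditedRecord("STUDY-001/weight/17", 12.84, "jdoe",
                    datetime(2024, 1, 5, 9, 30, tzinfo=timezone.utc))
rec.amend(12.48, "asmith", "digits transposed at entry",
          datetime(2024, 1, 5, 10, 2, tzinfo=timezone.utc))
```

An unkeyed chain only exposes edits made by someone who cannot rewrite the whole trail; keeping the latest hash somewhere the writer cannot alter (outside the scope of this sketch) closes that gap.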
Documented security procedures should be in place for the protection of hardware, software and data from corruption, unauthorized modification or loss.
- Physical Security measures should be in place to restrict access to computer hardware, communications equipment, peripheral components and electronic storage media to authorized personnel only.
- Logical Security measures must be in place to prevent unauthorized access to the computerized system, applications and data. It is essential to ensure that only approved versions and validated software are in use. Logical security may include the need to enter a unique user identity with an associated password.
- Data Integrity is a primary objective of the GLP Principles. Management should ensure that personnel are aware of the importance of data security, the procedures and system features that are available to provide appropriate security and the consequences of security breaches.
- Backup copies of all software and data should be maintained to allow for recovery of the system following any failure which compromises the integrity of the system, e.g., disk corruption.
The items listed below are a guide to the minimum documentation for the development, validation, operation and maintenance of computerized systems.
- Policies- There should be written management policies covering, inter alia, the acquisition, requirements, design, validation, testing, installation, operation, maintenance, staffing, control, auditing, monitoring and retirement of computerized systems.
- Application Description- For each application there should be documentation fully describing:
  - The name of the application software or identification code and a detailed and clear description of the purpose of the application.
  - The hardware (with model numbers) on which the application software operates.
  - The operating system and other system software (e.g., tools) used in conjunction with the application.
  - The application programming language(s) and/or database tools used.
  - The major functions performed by the application.
  - An overview of the type and flow of data/database design associated with the application.
  - File structures, error and alarm messages, and algorithms associated with the application.
  - The application software components with version numbers.
  - Configuration and communication links among application modules and to equipment and other systems.
- Source Code- Some OECD Member countries require that the source code for application software should be available at, or retrievable to, the test facility.
- Standard Operating Procedures (SOPs)- Much of the documentation covering the use of computerized systems will be in the form of SOPs. These should cover but not be limited to the following:
· Procedures for the operation of computerized systems (hardware/software), and the responsibilities of personnel involved.
· Procedures for security measures used to detect and prevent unauthorized access and programme changes.
· Procedures and authorization for programme changes and the recording of changes.
· Procedures and authorization for changes to equipment (hardware/software) including testing before use if appropriate.
· Procedures for the periodic testing for correct functioning of the complete system or its component parts and the recording of these tests.
· Procedures for the maintenance of computerized systems and any associated equipment.
· Procedures for software development and acceptance testing, and the recording of all acceptance testing.
· Back-up procedures for all stored data and contingency plans in the event of a breakdown.
· Procedures for the archiving and retrieval of all documents, software and computer data.
· Procedures for the monitoring and auditing of computerized systems.
The GLP Principles for archiving data must be applied consistently to all data types.
· Electronic data are stored with the same levels of access control, indexing and expedient retrieval as other types of data. Where electronic data from more than one study are stored on a single storage medium (e.g., disk or tape), a detailed index will be required.
· No electronically stored data should be destroyed without management authorization and relevant documentation.
· Other data held in support of computerized systems, such as source code and development, validation, operation, maintenance and monitoring records, should be held for at least as long as study records associated with these systems.
Definition of Terms
Acceptance Criteria: - The documented criteria that should be met to successfully complete a test phase or to meet delivery requirements.
Acceptance Testing: - Formal testing of a computerized system in its anticipated operating environment to determine whether all acceptance criteria of the test facility have been met and whether the system is acceptable for operational use.
Archives: - An organization, or part of an organization responsible for the secure retention and maintenance of materials accumulated by an organization in the conduct of regulatory studies.
Back up: - Provisions made for the recovery of data files or software, for the restart of processing, or for the use of alternative computer equipment after a system failure or disaster.
Change Control: - Ongoing evaluation and documentation of system operations and changes to determine whether a validation process is necessary following any changes to the computerized system.
Computerized System: - A group of hardware components and associated software designed and assembled to perform a specific function or group of functions.
Computer Support Staff: - Designated personnel given responsibility for providing technical support to other staff using a computerized system.
Electronic Record: - Information recorded in electronic form that requires a computerized system to access or process it.
Electronic Signature: - The entry in the form of magnetic impulses or computer data compilation of any symbol or series of symbols, executed, adapted or authorized by a person to be equivalent to the person’s handwritten signature.
Hardware: - The physical components of a computerized system, including the computer unit itself and its peripheral components.
Metadata: - Information associated with raw data that provides context and understanding. Most commonly data that describes the structure, data elements, interrelationships and other characteristics of electronic records.
Migration: - The transfer of data from one format or system to another.
Peripheral Components: - Any interfaced instrumentation, or auxiliary or remote components such as printers, modems and terminals, etc.
Quality Assurance Programme: - An internal control system designed to ascertain that the study is in compliance with these Principles of Good Laboratory Practice.
Raw data: - All original laboratory records and documentation, or verified copies thereof, which are the result of the original observations and activities in a study. Raw data may include hand-written notes, photographs, microfiche copies, computer printouts, magnetic media, dictated observations, and recorded data from automated instruments. Examples include records of animal receipt, results of environmental monitoring, instrument calibration records, and integrator output from analytical equipment. Raw data may also be entries in a worksheet used to read and note information from an LED display of an analytical instrument.
Software (Application): - A programme acquired for or developed, adapted or tailored to the test facility requirements for the purpose of controlling processes, data collection, data manipulation, data reporting and/or archiving.
Source Code: - An original computer programme expressed in human-readable form (programming language) which must be translated into machine-readable form before it can be executed by the computer.
Validation of a Computerized System: - The demonstration that a computerized system is suitable for its intended purpose.
Standard Operating Procedures (SOPs): - Written procedures which describe how to perform certain routine laboratory tests or activities normally not specified in detail in study plans or test guidelines.
Storage media: - The different materials on which information may be recorded. Examples include paper, photographic film, magnetic media, microforms and optical devices.
Computer validation process: - The demonstration that a computerized system is suitable for its intended purpose is of fundamental importance and is referred to as the computer validation process.