Fit-for-Purpose Program: Solving Problems with the Validation of Legacy Systems Joseph Schenk QA Edge, Inc. (302) 230-5000 x11 Joseph.Schenk@QAedge.com www.QAedge.com Copyright QA Edge, Inc. 2005

Legacy System Problems #1: Some companies have legacy systems that have not been properly validated. Though most of these systems have been operating OK, they would not pass an internal or external audit 18 November 2018

Legacy System Problems #2: Some companies have tried to apply prospective system validation standards to retrospectively validate legacy systems and have met with failures, delays and generally wasted expense. Some have asked: “What is the value of … Doing a User Requirements Specification (URS) when we already have the system? Doing an Installation Qualification when the system has already been installed? Doing complete system testing when the system has been operating OK in production 18 November 2018

Legacy System Problems #3: Many companies have had large exercises conducting “Assessments” using checklists tools that really did not generate actionable information which was commensurate with the investment to do the assessment. Many of the assessments just identified documentation GAPs After considerable investment, companies just validated what they already knew: There is not much in the way of existing validation documentation for some regulated systems. 18 November 2018

Legacy System Problems #4: FDA has been clear that they want regulated systems validated. However, regulations and guidance for computer system compliance and validation are complicated, confusing, and changing. FDA has, however, opened the door to apply a risk-based approach. Still, companies are asking: “How much validation is enough?” 18 November 2018

QA Edge Solution We have developed a rapid methodology to assess and create a computer compliance baseline known as “Fit for Purpose.”tm The process is simple, repeatable and rapidly gives a defense that the system is a high quality system and, if need be, is on the road to full compliance … Important: It provides documented justification to continue to use the system in production. 18 November 2018

Fit for Purposetm Methodology Step 1: Proceduralize the FFP Process Create or modify the company procedures/SOP to distinguish the Fit-for-Purpose process for legacy systems from the of system-lifecycle validation process of new systems. 18 November 2018

Fit for Purposetm Methodology Step 2: System Inventory Create a system inventory list of suspected regulated systems which includes the following information: System name System purpose Architecture description (Application SW; version) Contact info (System Custodian; IT Support; Business Owner) Date of install Business criticality (critical, high, medium, low) 18 November 2018

Fit for Purposetm Methodology For each system: Step 3: Convene the Team Assemble the key players (e.g. system custodian, validation lead, IT support). The system custodian is someone who knows the system and its history (e.g. sys admin, key user). 18 November 2018

Fit for Purposetm Methodology For each system: Step 4: Risk Assessment Determine risk and applicability of computer validation and Part 11 Is the system performing a regulated process? Does the system create electronic records? Could the system be considered incidental to creation of the records? Does the system affect product quality and patient safety? Is the system employing electronic authorization? 18 November 2018

Fit for Purposetm Methodology For each system that is not regulated or could be deemed incidental to creation of the records: Step 5: Screen-out Systems Document the conclusion, update the system inventory, STOP analysis for this system and move to the next system. 18 November 2018

Fit for Purposetm Methodology For each regulated system: Step 6: Assess System History Study the system’s support and maintenance history, lifecycle of regulated records, and all available validation documentation. Question: Is the system a FFP candidate? 18 November 2018

Fit for Purposetm Methodology Step 7: Build Schedule Based on criticality and priority, develop the schedule and budget to complete the Fit for Purpose analysis for all of the qualified regulated systems. 18 November 2018

Fit for Purposetm Methodology For each qualified regulated system: Step 8: System Description Using the Fit-for-Purpose template, write a System Description which includes the following content: System purpose Risk statement (impacts/defenses: product quality & safety) System functions Technical configuration System history Record lifecycle System interfaces 18 November 2018

Fit for Purposetm Methodology Step 9: Record Integrity Testing Limited testing focused on record integrity: Using the Fit for Purpose templates and ready-made scripts, write the Test Plan with scripts covering: Typical workflow Safety Security Audit Trail Protection of records E-Signatures (if applicable) Verify Installation conforms to specifications Setup the test environment and execute the scripts 18 November 2018

Fit for Purposetm Methodology Step 10: Quick Compliance Fixes Implement low-cost rapid stop gap measures (pick “low hanging fruit”) to improve the level of compliance e.g. Production control SOPs covering system admin, security, backups, IT support, change control 18 November 2018

Fit for Purposetm Methodology Step 11: FFP Report Has this system achieved full compliance? If Yes: Write a validation report If No: Write a “Fit-for-Purpose” report which includes: Declaration why this system is “Fit for Purpose” Test summary List of validation documents with status List acceptable problems with action plan for compliance improvements – (i.e. updates from vendors, centralized record management solutions). 18 November 2018

Fit for Purposetm Methodology Step 11 (continued): The Fit for Purpose Report develops a roadmap which puts the system on a path to achieve full compliance in a timeframe which is appropriate for risk and business needs. 18 November 2018

Fit for Purposetm Methodology Step 12: Change Control Place the system under the normal change control process. Begin to execute the action plan as changes and compliance needs warrant. 18 November 2018

Fit for Purposetm Methodology Determine if there are any more systems that should be added to the inventory. Repeat process for these systems if necessary. 18 November 2018

Fit for Purposetm Methodology Keys to Success: Monitor progress Expect an increase in speed Ensure consistency Build and share knowledgebase in order to leverage System Description, Test Script, and procedural assets that can be used for similar systems. Close the loop to ensure that change control is in place and that the path to full compliance for the high risk systems is implemented 18 November 2018

Benefits The Fit for Purposetm methodology is more than a document assessment but less than a full validation. The process is simple, repeatable and rapidly gives a defense that the system is a High Quality System and, if need be, is on the road to full compliance. Jump starts a computer compliance program Process is more efficient and costs less Provides quick justification for continued use of the system in production 18 November 2018

Take the Next Step Services from QA Edge: We can help ready your organization for completing the Fit for Purpose for many systems: (Step 1) Assess Corporate Computer Validation policies and procedures Identify gaps and issue recommendations for modification (Step 2) Create system inventory (Step 3) Assemble the key players Conduct internal readiness training (1-day) (Step 4) Analyze risk and applicability of computer validation (Step 5) Document risk and regulatory determination (Step 6) Assess system history and existing system documentation (Step 7) Develop the schedule and cost estimate 18 November 2018

Take the Next Step Services from QA Edge: We can execute the Fit for Purpose methodology for an individual system: (Step 8) Write the System Description (Step 9) Write and execute the Test Plan for Record Integrity Testing (Step 10) Perform rapid compliance gap closure (e.g. procedural controls) (Step 11) Write the “Fit for Purpose” Report 18 November 2018

Take the Next Step Services from QA Edge: For individual systems that have completed the Fit for Purpose process: (Step 12) Change Control and execution of the compliance action plan 18 November 2018

Quotes From Clients “The “Fit-for-Purpose” validation documentation plan developed for our company by QA Edge has proven to be worth its weight in gold. It has allowed us to assemble the various pieces of our validation documentation into the format expected by our many pharmaceutical client companies. Recent audits by pharmaceutical clients of the validation documentation processed under the Fit-for-Purpose scenario have yielded excellent results.” Director QA/RA CRO, St. Louis, MO 18 November 2018

Quotes From Clients “We know the FDA is coming. The Fit-for-Purpose approach has given us a common sense path to a defensible position for our legacy systems. The QA Edge consultants were professional, knowledgeable and great to work with. Thanks QA Edge!” Director IT Biotech firm in Phase III San Diego, CA 18 November 2018

Please Call for More Details Joseph Schenk President & CEO QA Edge, Inc. 3515 Silverside Road – Suite 205 Wilmington, DE 19810 (302) 230-5000 x11 Joseph.Schenk@QAedge.com www.QAedge.com Thank You Very Much! 18 November 2018