Often when organizations are looking to implement regulated electronic systems for the first time, they overlook the need for IT Standard Operating Procedures (SOPs). Organizations that fail to create the appropriate IT SOPs in time can fall victim to costly delays later on in their implementation projects.
Identifying which SOPs are required at the beginning of the project and listing them in the validation plan gives you the opportunity to finish them by the time you finish your first validation project. In this blog, I will attempt to provide an overview of the absolutely essential SOPs that you will need to have in place to meet the procedural control requirements of 21 CFR Part 11 Electronic Records.
1. System Maintenance SOP
The system maintenance SOP should describe the controls that you have in place to ensure that appropriate maintenance on your system is carried out in a controlled way, and on a regular basis. Typically you should look to include a maintenance schedule, with links to your Change Control SOP. Your System Maintenance SOP should describe the system monitoring procedures that you have in place, as well as a clear definition of your process for decommissioning systems. Make sure you outline your approach to ensure the integrity of any data contained within the systems.
2. Physical Security SOP
Physical security focuses on controls that you have in place to secure access to your premises. These controls could include things like management of key cards and codes, and the management of your building alarm system and intrusion control. Physical security should also reference the environmental controls in place to protect your data installations, such as fire detection and suppression, temperature and humidity controls, and so on.
3. Logical Security SOP
Logical security is a key area of focus for 21 CFR Part 11 environments. This SOP should detail how access to the systems is managed, and include links to any policies that relate to passwords, such as password format or ageing, and technical controls to improve security, such as password-protected screen savers. Other logical security mechanisms that allow you to ensure data traceability and custody should also be described in the Logical Security SOP. Finally, systems such as VPNs, firewalls and virus protection applications should also be managed through this procedure.
4. Incident and Problem Management SOP
This SOP should provide you with a process for managing any incidents or problems that are experienced with regulated computerized systems. Typically you will need to describe how incidents or problems are recorded, analyzed and resolved. If you are using a bug management system, it would be governed by this SOP. You should also look at covering the communication mechanisms that need to be in place.
5. System Change Control SOP
This is one of the most important activities when managing regulated systems and also one of the areas that can present the most problems. The system change control procedure should be used when changing any component of a computerized system. The change control procedure will typically use a form to document the change. This form is also an important communication tool. The process should first require that the change rationale and steps be documented. An impact assessment must then be done to determine what else in the system could be impacted. Any revalidation should also be documented, including any test scripts to be executed and evidence to produce. It’s important to define a rollback path. Finally, the review and approval process, both pre- and post-execution, should be clearly defined.
6. Configuration Management SOP
Configuration management should govern how the configuration of regulated systems is managed and documented. This SOP is often used in conjunction with change control. Configuration changes typically require verification rather than revalidation. The configuration management procedure should discuss how configuration should be documented and how documentation should be versioned and maintained. It is also important to define a standard process for review and approval of configuration changes.
7. Disaster Recovery SOP
Ensuring that data is properly protected and that we are able to recover from a disaster in a timely and controlled manner is imperative when dealing with regulated content and systems. The Disaster Recovery SOP should clearly define what is considered a disaster and provide an overview of what should be contained within the disaster recovery plan. The plan will typically be a separate document and describe the different systems that fall under the plan, how to bring systems up, communication procedures, escalation and prioritization of recovery, supplier and customer contact information and the disaster recovery team composition. This SOP should also have provisions for periodic testing of the disaster recovery plan and how this should be documented.
8. Electronic Signature Policy SOP
21 CFR Part 11 electronic signatures require that individuals sign a non-repudiation form attesting to the fact that their electronic signature is a legally binding equivalent of their handwritten signature. This means that they will need to be trained on what an electronic signature is and when it can be applied. This is typically defined in the electronic signature policy. The policy will also govern the non-repudiation form and the process of provisioning electronic signatures.
9. Backup and Restoration SOP
The final SOP, and possibly the most important one, is Backup and Restoration. The procedure should outline the schema and methods that you use to properly protect your data and systems. You should look to define how backup jobs are created, maintained and verified. A restoration request process will also be defined and should be tested periodically to ensure that you can still restore your data. Finally, long-term archiving of data should also be addressed in this SOP.
Now, the above may seem like an exhaustive and painstaking list to complete; however, each of these SOPs is fundamental in ensuring compliance with 21 CFR Part 11, so it’s important that they are in place. The processes that these SOPs govern are, however, fairly standard from one organization to the next, and therefore you may consider acquiring standard templates as a starting point…