Often when organizations are looking to implement regulated electronic systems for the first time, they overlook the need for IT Standard Operating Procedures (SOPs). Organizations that fail to create the appropriate IT SOPs in time can fall victim to costly delays later on in their implementation projects.
Identifying the required SOPs at the beginning of the project and listing them in the validation plan allows you to finish them by the time you finish your first validation project. In this blog, I will attempt to provide an overview of the essential SOPs that you will need to have in place to meet the procedural control requirements of 21 CFR Part 11 Electronic Records.
1. System Maintenance SOP
The System Maintenance SOP should describe the controls that you have in place to ensure that appropriate maintenance on your system is carried out regularly and in a controlled way. Typically you should include a maintenance schedule, with links to your Change Control SOP. Your System Maintenance SOP should describe the system monitoring procedures that you have in place, as well as a clear definition of your process for decommissioning systems. Make sure you outline your approach to ensuring the integrity of any data contained within the systems.
2. Physical Security SOP
Physical security focuses on the controls that you have in place to secure access to your premises. These controls could include the management of key cards and codes, the management of your building alarm system, intrusion control and more. The Physical Security SOP should also reference the environmental controls in place to protect your data installations, such as fire detection and suppression, and temperature and humidity controls.
3. Logical Security SOP
Logical security is a key area of focus for 21 CFR Part 11 environments. This SOP should detail how access to the systems is managed and include links to any policies that relate to passwords, such as password format or ageing, as well as technical controls to improve security, such as password-protected screen savers. Other logical security mechanisms that allow you to ensure data traceability and custody should also be described in the Logical Security SOP. Finally, systems such as VPNs, firewalls and virus protection applications should also be managed through this procedure.
4. Incident and Problem Management SOP
This SOP should provide you with a process for managing any incidents or problems experienced with regulated computerized systems. Typically you will need to describe how incidents or problems are recorded, analyzed and resolved. If you are using a bug management system, it would be governed by this SOP. You should also cover the communication mechanisms that need to be in place.
5. System Change Control SOP
This SOP covers one of the most important activities when managing regulated systems, and also one of the areas that can present the most problems. The system change control procedure is used when changing any component of a computerized system. The procedure will typically use a form to document the change, and this form is also an important communication tool. The process should first require that the change rationale and steps be documented. An impact assessment must then be done to determine what else in the system could be impacted. Any revalidation should also be documented, including any test scripts to be executed and evidence to produce. It’s important to define a rollback path. Finally, the review and approval process, both pre- and post-execution, should be clearly defined.
6. Configuration Management SOP
The Configuration Management SOP should govern how the configuration of regulated systems is managed and documented. This SOP is often used in conjunction with change control. Configuration changes typically require verification rather than revalidation. The configuration management procedure should discuss how configuration should be documented and how documentation should be versioned and maintained. It is also important to define a standard process for review and approval of configuration changes.
7. Disaster Recovery SOP
Ensuring that data is properly protected and that we can recover from a disaster in a timely and controlled manner is imperative when dealing with regulated content and systems. The Disaster Recovery SOP should clearly define what is considered a disaster and provide an overview of what should be contained within the disaster recovery plan. The plan will typically be a separate document and describe the different systems that fall under the plan, how to bring systems up, communication procedures, escalation and prioritization of recovery, supplier and customer contact information and the disaster recovery team composition. This SOP should also have provisions for periodic testing of the disaster recovery plan and how this should be documented.
8. Electronic Signature Policy SOP
21 CFR Part 11 electronic signatures require that individuals sign a non-repudiation form attesting to the fact that their electronic signature is a legally binding equivalent of their handwritten signature. This means that they will need training on what an electronic signature is and when it can be applied, as defined in the electronic signature policy. The policy will also govern the non-repudiation form and the process of provisioning electronic signatures.
9. Backup and Restoration SOP
The final SOP, and possibly the most important one, is Backup and Restoration. The procedure should outline the schema and methods that you use to protect your data and systems properly. You should look to define how backup jobs are created, maintained and verified. A restoration request process should also be defined and tested periodically to ensure that you can still restore your data. Finally, long-term archiving of data should also be addressed in this SOP.
The above may seem like an exhaustive and painstaking list to complete. However, each of these SOPs is fundamental in ensuring compliance with 21 CFR Part 11, so they must be in place. The processes that these SOPs govern are, however, reasonably standard from one organization to the next, and therefore you may consider acquiring standard templates as a starting point…
Acting as a standardized set of detailed instructions that define procedures around how to complete research-related activities, SOPs may differ slightly depending on your industry. SOP requirements could also depend on the type of activity your organization is undertaking, or what regulations govern your business processes. Montrium offers an SOP writing and review service to assure compliance with your current GxP requirements.
To keep all of your SOPs and training managed in one place, Quality Connect, an electronic quality management system, comes with an SOP Management module designed to manage all controlled documents that form part of your quality system. Easy access, centralized distribution, and intuitive workflows ensure that quality and compliance are at the heart of your operations.