OBJECTIVE:
To lay down a procedure for periodic review of computer systems.
SCOPE:
This SOP is applicable for periodic review of computer systems at {Company Name} {Location}.
RESPONSIBILITY:
Information Systems (IS) Department.
ACCOUNTABILITY:
QA Head shall be accountable for implementation of this SOP.
PROCEDURE:
DEFINITION:
Periodic Review: A planned review throughout the operational life of a computerized system to verify that it remains compliant, fit for intended use, and satisfies the defined policies and procedures.
Problems identified during the review shall be documented in the Periodic Review Report for the respective system, along with recommended corrective actions.
General Considerations
Periodic review shall be performed for all validated GxP computerized systems to determine whether the system is in a validated state and identify any necessary actions to restore its validated state.
Periodic review shall assess the documentation procedures, records and performance of a computerized system to evaluate that controls are in place around the system and are functioning correctly.
The review period (frequency) for the respective systems shall be based on system impact, complexity and criticality as determined in High Level Risk Assessment (HLRA).
A periodic review schedule shall be prepared based on the frequency of periodic review.
The required corrective actions shall be defined and documented along with the Periodic Review Report.
Conducting the Review:
The relevant information shall be made available for the review including, but not limited to, the following as appropriate.
- Documentation for the system including e.g. plans, specifications, verification including testing, reports, traceability, risk management documentation, design reviews, user manuals, training materials and records.
- Operational and maintenance Standard Operating Procedures (SOPs)
- Configuration management information
- Change management information
- Incident logs
- Security and access control information
- Data backup and restore verification logs
- Any prior audits of individual system
- Validation report
The areas subject to periodic review shall include, but are not limited to, the following:
- Adequacy and Accuracy of documentation including
- Specification and Verification documentation
- Operation and maintenance documentation
- Configuration item list
- Any change of use of the system
- The level of change that system has been subject to and the nature of those changes.
- Outstanding actions required by a Validation report
- Previous audit reports, and the actions which resulted
- Any controls implemented to manage risk are still in place and functioning effectively.
- Evidence of unstable or unreliable operation
- Changes in environment, process or business requirements, legislation or accepted best practice
- Operational procedures (including access control)
- Business continuity planning
- Personnel (including qualification, training, experience and continuity)
- System security and access control
- System maintenance and incident logs
- Software and data backups
- Impact of regulatory update on validation
Output from the Review:
The review outcome shall include a documented justification of the continued acceptability for use of the systems under review. For complex or critical systems, a summary report shall be prepared covering:
- The outcome of the review
- Deviations or problems found
- Required remedial work
Actions identified in the summary report shall be completed and approved, prior to closure.
Frequency of Periodic Review:
Initial Review:
The first periodic review of a new or significantly upgraded system shall be carried out within a relatively short time period of it being handed over for operational use.
If there are any unanticipated problems with the performance or support provision for a system, these shall be identified as rapidly as possible and remedial actions instigated.
Ongoing Review:
Frequency of periodic review shall be determined based on the system impact considering Patient Safety, Product Quality and Data Integrity.
The frequency of periodic review for each system shall be based on the assigned risk priority determined during High Level Risk Assessment (HLRA).
System Risk | Frequency of Periodic Review |
Low | Once for every 5 years ± 6 Months |
Medium | Once for every 2 years ± 3 Months |
High | Once for every 1 year ± 1 Month |
Depth of Review:
The depth of review shall be determined by adopting a risk based approach. The following factors shall be considered for evaluating the depth of the review.
- GAMP5 category of the system
- Outcome of the previous review
- Level of change to the system since the previous review
A three level model as described below shall be applied for determining the depth and extent of the review considering risk priority and GAMP category of the system as per High Level Risk Assessment (HLRA).
Level 1: Basic Review
Level 1 periodic review shall be primarily performed using a defined checklist for Low and Medium risk systems as determined through HLRA.
The review shall ensure that the required plans, procedures and records are in place and have been subject to the expected level of review and approval.
Evidence from internal quality audits related to supporting processes is accepted – which may not be specific to the system being reviewed.
Level 2: Intermediate Review
The objective of a level 2 periodic review is to perform a review appropriate to the risk priority and complexity of the system (linked to the risk of the system as per HLRA).
The status of actions identified at any previous review shall be evaluated and recorded. Areas where there have been significant changes shall be examined in detail e.g. major system upgrades or changes in scope of use of the system.
The review shall evaluate the quality and content of the documentation and shall include objective evidence to support the findings and relevant evidence may be retained.
Evidence from internal quality audits related to supporting processes may be expected – wherever possible it shall be specific to the system being reviewed.
Level 3: Detailed Review through Challenge Testing
The objective of a level 3 periodic review is to perform a comprehensive review of all components of the system.
Level 3 periodic reviews shall be primarily performed for High risk customized systems as determined through HLRA.
The status of actions identified at any previous review shall be evaluated and recorded. Examples of plans, procedures and records specific to the system are obtained and are reviewed in depth by the reviewer to confirm that the content is aligned with the controlling procedures.
A challenge testing approach is adopted. The reviewer must seek and observe objective evidence to support the findings and relevant evidence may be retained.
Evidence from internal quality audits related to supporting processes may be accepted but shall be specific to the system being reviewed.
The following table provides the criteria for selecting the appropriate review level considering the risk to patient safety and product quality.
Depth of Periodic Review
Risk Priority | GAMP5 Category 1 | GAMP5 Category 3 | GAMP5 Category 4 | GAMP5 Category 5 |
Low | Level 1 | Level 1 | Level 2 | Level 2 |
Medium | Level 1 | Level 2 | Level 2 | Level 3 |
High | Level 1 | Level 2 | Level 3 | Level 3 |
Where a review identifies or indicates a suspected issue, further reviews shall be conducted to determine the extent of the problem and to identify root causes.
REFERENCES:
Not Applicable
ANNEXURES:
Not Applicable
ENCLOSURES: SOP Training Record.
DISTRIBUTION:
- Controlled Copy No. 01 : Head Quality Assurance
- Controlled Copy No. 02 : Information technology
- Master Copy : Quality Assurance Department
ABBREVIATIONS:
PD | : | Production |
IS | : | Information Systems |
No. | : | Number |
SOP | : | Standard Operating Procedure |
HLRA | : | High Level Risk Assessment |
REVISION HISTORY:
CHANGE HISTORY LOG
Revision No. | Details of Changes | Reason for Change | Effective Date |
00 | New SOP | Not Applicable | To Be Written Manual |