Operation Plan after system construction

After building (constructing) a system (e.g. MES, WMS, LIMS, etc.), the operation plan is very important. Here I will try to explain how to operate it by imitating the regulations of the pharmaceutical industry. (In particular, the pharmaceutical industry has the most stringent regulations, so it is best to imitate that industry.)

1. Data

A. Computerized systems that exchange data electronically with other systems must contain appropriate built-in functions to verify safety data input and processing to enable hazard initiation.

  1. Grant system access only to authorized individuals.
  2. During data transfer (system replacement, update) and data transmission (interface between systems), it is necessary to review whether the exchanged data is safely transmitted and whether there is no change in meaning.

2. Accuracy Checks

A. If important data is entered directly, the accuracy of the data must be additionally checked. This verification can be performed by another operator or by a validated electronic method. Risks and potential impacts due to data entered into the system by mistake or incorrectly must be confirmed through risk management.

  1. CPP data is selected through an importance assessment for all facilities where GMP data is generated.
  2. When entering data, detailed information such as the person entering the information and the time of entry must be recorded.
  3. After data entry, the data is reviewed by an intermediate reviewer or by an electronic method (e-signature).
  4. Validate the interface between recording systems when entering electronically.

3. Data Storage

A. Data must be protected against damage using physical and electronic means. Accessibility, readability, and accuracy of stored data must be checked. The data must be accessible during the data retention period.

  1. You must prepare for data damage either physically (UPS, external hard drive backup) or electronically (redundancy, backup system).
  2. Stored data must be confirmed in a form that can be read immediately when necessary during the storage period.
  3. In the case of non-permanent originals such as thermal paper, keep the approved true copy.
  1. Specify backup target selection, cycle, and performing department.
  2. The inspection cycle is selected through risk assessment.
  3. Check the backup history of backup files and perform recovery tests using backup data on a regular basis. (Comparison of data size, number, data identity before and after backup, etc.)
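
The recovery test in the last item (comparing number, size and identity of data before and after backup) can be automated. The following is an added example, not part of the original post; the directory layout, file names and the choice of SHA-256 as the identity check are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each relative file path under root to (size in bytes, SHA-256 hex)."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            data = path.read_bytes()  # fine for a sample; stream large files
            rel = path.relative_to(root).as_posix()
            manifest[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest


def compare_backup(source_root, restored_root):
    """Return a list of findings; an empty list means the restore matches."""
    src, dst = build_manifest(source_root), build_manifest(restored_root)
    findings = []
    if len(src) != len(dst):
        findings.append(f"file count differs: {len(src)} vs {len(dst)}")
    for rel in sorted(set(src) | set(dst)):
        if rel not in dst:
            findings.append(f"missing in restore: {rel}")
        elif rel not in src:
            findings.append(f"unexpected in restore: {rel}")
        elif src[rel][0] != dst[rel][0]:
            findings.append(f"size differs: {rel}")
        elif src[rel][1] != dst[rel][1]:
            findings.append(f"content differs: {rel}")
    return findings


def demo():
    """Constructed sample: two batch files, one altered in the restored copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        live.mkdir()
        (live / "batch_001.csv").write_bytes(b"pH,7.1\n")
        (live / "batch_002.csv").write_bytes(b"pH,6.9\n")
        shutil.copytree(live, restored)
        clean = compare_backup(live, restored)
        # Same size, different content: only the hash comparison catches this.
        (restored / "batch_002.csv").write_bytes(b"pH,7.9\n")
        return clean, compare_backup(live, restored)
```

A count or size comparison alone would pass the altered file in the sample, which is why the identity check is done with a content hash.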

4. Printouts

A. Data stored electronically must be able to be printed clearly.

  1. It must be possible to save it on a mobile device or print it out.

B. In the case of records related to the shipment of a manufacturing unit, it must be possible to create a printout that can confirm whether the data has changed since the time of initial entry.

  1. The accuracy of critical data (records related to shipment of manufacturing units) as described above must be confirmed, and storage and output of the Audit Trail must be possible.

5. Audit Trails

  1. Review of inspection records is regularly conducted by a department unrelated to the work in question.
  2. Determine the review cycle and review level based on the risk assessment.
  3. In the case of an old system that does not generate inspection records, there must be an alternative that can be tracked, such as data creation, change, and deletion, and a report verifying that the alternative is equally effective as the inspection record must be prepared.
  1. For changes and deletions, the actor, values before and after the action, and time of occurrence must be recorded.
  2. Modification or deletion of inspection records should not be possible.
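
One way to make changes to the audit trail itself detectable is to chain each entry to the previous one with a hash. The following is an added example, not part of the original post; the field names, actor IDs and sample values are constructed. It gives tamper evidence only and complements, rather than replaces, access controls or write-once storage that prevent modification in the first place.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(entry):
    """Hash every field except the entry's own hash, in a canonical form."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(trail, actor, action, field, before, after, when=None):
    """Append one change record; each entry commits to the previous one."""
    entry = {
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "actor": actor,
        "action": action,  # "create", "change" or "delete"
        "field": field,
        "before": before,
        "after": after,
        "prev": trail[-1]["hash"] if trail else GENESIS,
    }
    entry["hash"] = _digest(entry)
    trail.append(entry)
    return entry


def verify_trail(trail):
    """Return the index of the first bad entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return i
        prev = entry["hash"]
    return None


def demo():
    """Constructed sample: three entries, then an in-place edit and a deletion."""
    trail = []
    append_entry(trail, "op_kim", "create", "batch42.weight_kg", None, "12.50")
    append_entry(trail, "op_kim", "change", "batch42.weight_kg", "12.50", "12.05")
    append_entry(trail, "qa_lee", "delete", "batch42.note", "retest", None)
    intact = verify_trail(trail)
    edited = [dict(e) for e in trail]
    edited[1]["after"] = "12.50"      # rewrite history in place
    removed = trail[:1] + trail[2:]   # drop the middle entry
    return intact, verify_trail(edited), verify_trail(removed)
```

Removing entries from the end of the trail is not caught by the chain alone; the hash of the latest entry has to be recorded somewhere the system administrator cannot rewrite, for example in the periodic review report.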

6. Change and Configuration Management

A. Changes to computerized systems, including system configuration, must be made only under management according to established procedures.

  1. Access rights must be granted so that only authorized people can make changes.
  2. Changes must be made after review and approval in accordance with the change management procedure.
  3. Validation must be verified after changes.

7. Periodic evaluation

A. Computerized systems should be evaluated regularly to ensure that they are effective and in compliance with pharmaceutical manufacturing and quality control standards. Reports on the current system’s functional scope, deviation records, incidents, problems, improvement history, performance, reliability, security, and validation status should be appropriately included in the evaluation. (but I’m not sure about the period)

  1. It must be regularly checked whether GMP and related regulations are met.
  2. If necessary, re-perform change management procedures for system improvement and replacement.

8. Security

A. Provide physical and logical controls or separate controls to allow access to computerized systems only to authorized personnel. Suitable methods to prevent unauthorized access include keys, access cards, personal passwords, biometric authentication, and restricting access to computer equipment and data storage areas.

  1. A person responsible for the system must be designated.
  2. Access to computerized systems should be permitted only to authorized personnel.
  3. Granting access rights: the authority of the system administrator should not be granted to those directly interested in quality data.

B. The degree of security management depends on the criticality of the computerized system.

  1. A security strategy must be prepared according to importance.

C. Creation, change and deletion of access rights must be recorded.

D. Data or document management systems should be designed to record the identity of personnel entering, changing, verifying, or deleting data, including date and time.

  1. The computer system clock must be synchronized with the standard clock.
  2. The identity of the operator must be recorded when entering, changing, or deleting data.

9. Incident Management

A. All incidents, not just system failures and data errors, must be reported and evaluated. Identify the root cause of critical incidents and lay the foundation for corrective and preventive actions.

10. Electronic Signature

A. Electronic records may be signed in electronic form.

  1. Electronic signatures have the same effect as handwritten signatures within a company.
  2. An electronic signature is permanently linked to the record associated with that electronic signature.
  3. The date and time the electronic signature was applied must also be included.

B. Electronic signature general information

  1. Application of management for electronic signatures is limited to systems that perform electronic signatures (e.g. MES, LIMS and WMS etc.).
  2. Electronic signatures have the same effect as handwritten signatures.
  3. Electronic signatures use at least two separate identification components (e.g. ID and Password).
  4. Electronic signatures must be used only by the owner of the signature.
  5. Electronic signatures must automatically record the date and time the signer signed.
  6. Electronic signatures must include the meaning or reason for signing (e.g. execution, review, approval, etc.) as well as the date and time of application.
  7. Records of electronic signatures must not be arbitrarily changed and cannot be deleted.
  8. An electronic signature signed on an electronic record must be permanently associated with that electronic record.

C. User ID and Password General information

  1. Each ID and password combination must maintain uniqueness.
  2. User ID must be at least 4 characters long.
  3. Passwords should avoid using consecutive English letters or Arabic numerals in patterns that are easily stolen or exposed.
  4. ID and password must be periodically checked and retrieved or revised.
  5. The validity period of the password is specified, and when the period expires, the password loses its validity.
  6. The password replacement cycle does not exceed 6 months.
  7. The password must be able to set the number of digits and complexity.
  8. Measures must be in place to limit access and attempts to access unauthorized IDs and passwords.
  9. System and program access must set an automatic log-off time when not in use, and access by unauthorized persons must be prevented in case of temporary absence.
  10. Among quality-related automated devices, all PCs that generate GMP electronic data are assigned an ID and password so that only limited people can access them to prevent tampering, such as arbitrary modification of data.
  11. When using devices that generate IDs and passwords, they must be inspected periodically and control procedures must be established to prevent theft and loss.
  12. The Admin (administrator account) ID and password are managed by the system owner.
  13. Do not perform anything that may cause problems with data integrity, such as deleting or modifying data, under any circumstances other than the authority granted to the system owner.
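
Several of the ID and password rules above can be enforced in code when an account is created or a password is changed. The following is an added example, not part of the original post. The 4-character ID minimum and the 6-month limit come from the list; the 182-day approximation of 6 months, the minimum password length, the three-of-four character class rule and the run length of 3 are assumptions standing in for the configurable values.

```python
import re
from datetime import date, timedelta

MIN_ID_LEN = 4                          # from the list: ID at least 4 characters
MAX_PASSWORD_AGE = timedelta(days=182)  # assumption: 6 months taken as 182 days
MIN_PASSWORD_LEN = 10                   # assumption: length is configurable
MAX_RUN = 3                             # assumption: reject runs like "abc", "321"


def has_sequential_run(password, run=MAX_RUN):
    """True if `run` consecutive letters or digits ascend or descend by one."""
    text = password.lower()
    for i in range(len(text) - run + 1):
        window = text[i:i + run]
        if window.isascii() and (window.isalpha() or window.isdigit()):
            steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
            if steps in ({1}, {-1}):
                return True
    return False


def check_credentials(user_id, password, last_changed, existing_ids, today):
    """Return the list of policy violations for one account (empty = compliant)."""
    problems = []
    if len(user_id) < MIN_ID_LEN:
        problems.append("user ID shorter than 4 characters")
    if user_id.lower() in {u.lower() for u in existing_ids}:
        problems.append("user ID not unique")
    if len(password) < MIN_PASSWORD_LEN:
        problems.append("password too short")
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("password lacks complexity")
    if has_sequential_run(password):
        problems.append("password contains a sequential run")
    if today - last_changed > MAX_PASSWORD_AGE:
        problems.append("password expired")
    return problems
```

The check runs on the candidate password at change time only; the stored value should be a salted hash, so the expiry test on `last_changed` is the only part that can be repeated later.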

11. Batch release

A. Even when a computerized system is used to record batch release and certification, only authorized personnel must approve batch release. The system must clearly identify and record the identity of the person shipping or approving the manufacturing unit. In this case, an electronic signature must be used.

12. Business Continuity

A. Computerized systems that support critical processes must provide alternative methods (e.g., manual or alternative systems) to continue supporting the process in the event of a breakdown.

  1. Manual or alternative system procedures should be documented.

B. The time it takes until an alternative method can actually be utilized is determined based on risk and must be appropriate for the specific system and task to which the method is applied. These alternatives should be appropriately documented and tested.

  1. Select backup methods and procedures for recovery through risk assessment and set the implementation cycle.
  2. Example system recovery procedure (e.g. Software version rollback, backup of version before changes, etc.)
  3. Perform recovery verification for backups.

13. Archiving

A. The accessibility, readability, and completeness of stored data must be checked. If changes are made to a system (e.g. computer equipment or programs), data must be recoverable from that system and tested.

  1. The system must be designed to enable data recovery, and if recovery is difficult, there must be an alternative.
  2. Validate system recovery devices.
  3. Retained (archived) data must be immediately accessible upon the auditor’s request, must be stored in a readable form, including metadata, and must be recoverable.
