SOP Custom Development - SDLC



This SOP Template (template) is being provided by Praxis Management International, LLC (Praxis) for the "fair use" by you, the User, as that term is defined under the U.S. Copyright Laws. All other use, reproduction or re-transmission in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage or retrieval system, without prior written permission from Praxis is prohibited. ©2013-2015 Praxis Management International, LLC. All rights reserved.

Praxis makes no representations or warranties concerning the suitability or use of, or reliance on, the Template. Any actual or implied representation or warranty that the Template does not infringe the intellectual property rights of any third party is specifically hereby void. Any special, indirect or consequential damages or any damages whatsoever resulting from the use or misuse of the Template, the loss of use, data, or profits, whether in an action of contract, negligence, or other tortious action arising out of or in connection with the Template shall be borne exclusively by the User.

Contents

Purpose:
SOP Scope:
Definitions:
Responsibilities
Risk Assessment Context
Procedures
    Risk Assessment Timing
    Risk Assessment and Documentation
ATTACHMENT A: System and Major Function Risk Assessment

Purpose:

This SOP defines the procedures to assess and analyze system quality risk for Information Technology systems used in regulated activities.

SOP Scope:

This SOP applies to all computer-based systems used in FDA-regulated activities.

Definitions:

- Hazard: A potential source of harm
- Criticality Level: A measure of the severity of a hazard
- Complexity Level: A measure of the probability of a hazard
- Risk: A measure of the severity (criticality) and probability (complexity) of a hazard
- Risk Assessment: A comprehensive evaluation of risks and associated impacts
- Major System Function: Sets of requirements that together define a capability or feature of the system.

Responsibilities

The Quality Manager is responsible for:
- Leading system risk assessments.
- Contributing expertise on compliance with regulations and regulatory guidelines.

The IT Director is responsible for:
- Implementing the practices for system risk assessment as specified within this SOP.
- Contributing technical expertise to each computerized system’s risk assessment.

The Business Managers are responsible for:
- Contributing business area expertise to each computerized system’s risk assessment.

Risk Assessment Context

System Risk Assessment is a component of the overall Risk Management process, as described in SOP System Risk Management. The assignment of criticality levels and complexity levels to systems and major system functions plays an important role in Risk Control.

Procedures

Risk Assessment Timing

- Each system’s risk assessment is performed as early as possible in the system’s life cycle and is based on the system’s intended use.
- Risk assessments are done during development of User Requirements Specifications and Functional Requirements Specifications.
- For purchased systems, the Risk Assessment must be completed prior to the vendor audit because the vendor assessment method is based on the system’s criticality level. See SOP Vendor Assessment for details.
- For all systems, the Risk Assessment must be completed prior to the Validation Plan.
- Each system’s Risk Assessment is reviewed prior to any changes to the computerized system. If the planned changes impact the existing Risk Assessment, the assessment is updated and approved.
- For custom modifications to either custom developed or purchased systems:
    - Review the Risk Assessment during the update of User Requirements Specifications and Functional Requirements Specifications.
    - Complete the Risk Assessment prior to the Validation Plan.
- For vendor supplied changes or patches to purchased systems:
    - Where the vendor supplied changes or patches can be selectively applied, evaluate each one to determine which will be installed.
    - Review the system’s Risk Assessment for the changes and patches that will be installed.
    - Complete the Risk Assessment prior to the Validation Plan.

Risk Assessment and Documentation

- The QA Manager, IT Director and Business Manager(s) reference the computerized system’s User Requirements Specification and Functional Requirements Specification to identify major system functions.
- Major system functions are typically grouped under a common heading in User Requirements Specifications and System Requirements Specifications.
- Major system functions are documented on the System Risk Assessment template, Appendix A.
- The IT Director identifies the system version number to which the Risk Assessment applies.
- The level of risk associated with each major system function is evaluated using the tables below, and criticality and complexity levels are assigned.
- The resulting major system function criticality levels, complexity levels, and the rationale for each level are documented on the System Risk Assessment template, Appendix A.
- For high criticality and medium criticality functions, the rationale identifies the function’s involvement in a regulated process, its potential direct or indirect impact on the product, or the GxP compliance that it provides.
- For low criticality functions, the rationale states that the function has no involvement in a regulated process, no potential for product impact, and provides no GxP compliance.
- After the criticality levels for all major system functions have been identified, the overall system criticality level is determined.
- The overall criticality level for each system is the same as the highest criticality level of the component major system functions.
- For example, a system comprised of 3 low criticality functions, 4 medium criticality functions, and 1 high criticality function would receive an overall criticality level of “High” due to the rationale that the highest criticality level of its component major system functions is “High”.
- The resulting system criticality level and the rationale for the level are documented on the System Risk Assessment template, Appendix A.
- The completed System Risk Assessment is reviewed and approved by the QA Manager, IT Director, and Business Manager(s).

System Risk Assessment Criticality Level Identification

Criticality Level: High Criticality
    Definition:
        Direct control of: Manufacturing; Labeling; Distribution; Product Testing; Product Release
        Direct impact on: Product Quality; Product Efficacy; Patient Safety; Personnel Safety
    Examples:
        - Manufacturing controls
        - Automated product inspection
        - Label management & automation
        - Distribution tracking to enable recalls
        - Laboratory test results
        - Adverse event tracking
        - Clinical trial results
        - Patient medical records
        - Product quality status management

Criticality Level: Medium Criticality
    Definition:
        Indirect involvement in: Manufacturing; Labeling; Distribution; Product Testing; Product Release
        Indirect impact on: Product Quality; Product Efficacy; Patient Safety; Personnel Safety
        Provides GxP compliance for regulations not already identified as “High Criticality”
    Examples:
        - Calibration tracking
        - Validation tracking
        - Document management
        - Training tracking
        - Corrective/Preventive action tracking
        - System access tracking
        - Electronic submissions to regulatory agencies
        - Product work order management
        - Deviation tracking
        - Audit tracking

Criticality Level: Low Criticality
    Definition:
        Any function not already identified as “High Criticality” or “Medium Criticality”
    Examples:
        - Manufacturing cost reports
        - Turnaround time reports

System Risk Assessment Complexity Level Identification

Complexity Level: High Complexity
    Definition:
        Custom developed functions within either purchased or custom systems
    Examples:
        - Custom accounting report developed in COBOL
        - Custom code developed to send e-mail notification from an off-the-shelf training management system

Complexity Level: Medium Complexity
    Definition:
        Configured functions within off-the-shelf purchased systems
    Examples:
        - Report configured with an off-the-shelf query tool
        - Calculation configured in a laboratory system
        - Calculation configured in an off-the-shelf spreadsheet tool
        - Product release algorithm configured in an off-the-shelf inventory control system

Complexity Level: Low Complexity
    Definition:
        Standard, non-configured functions within off-the-shelf purchased systems
    Examples:
        - Standard test result report within an off-the-shelf laboratory system
        - Standard data entry screen in a medical records system

References:

- Eudralex Volume 4, Annex 15: Qualification and Validation, European Commission, July 2001
- General Principles of Software Validation; Final Guidance for Industry and FDA Staff, FDA, January 11, 2002
- Glossary of Computerized System and Software Development Terminology, FDA, April 30, 2003
- Good Practices for Computerised Systems in Regulated “GxP” Environments, PIC/S, September, 2007
- Guidance for Industry, FDA Reviewers and Compliance on Off-The-Shelf Software Use in Medical Devices, FDA, September 9, 1999
- Guidance for Industry: Computerized Systems Used in Clinical Investigations, FDA, May, 2007
- Guidance for Industry: Part 11, Electronic Records; Electronic Signatures – Scope and Application, FDA, August 2003
- Guidance for Industry: Q9 Quality Risk Management, FDA, June, 2006
- 21 CFR Part 820, Quality System Regulation, FDA, April 1, 2007

ATTACHMENT A: System and Major Function Risk Assessment

System Name _______________________________________
System Version _______________________________________
System Criticality Level: [ ] High   [ ] Medium   [ ] Low
System Criticality Rationale ___________________________________________

Major System Function Criticality and Complexity Analysis

Major System Function | Criticality Level | Rationale for Criticality Level | Complexity Level | Rationale for Complexity Level

Risk Assessment Approvals:

                    Signature and Date
Quality Manager     ___________________________________ _________
Business Manager    ___________________________________ _________
IT Director         ___________________________________ _________