Essential Steps for Conducting Effective Periodic Reviews in CSV

Follow this link to read the full article: https://zamann-pharma.com/2024/06/03/essential-steps-for-conducting-effective-periodic-reviews-in-csv/

Periodic reviews are conducted throughout the operational life of computerized system to verify that it remains in a validated state, complies with current regulatory requirements, is fit for intended use, and satisfies company policies and procedures. The review should confirm that operational controls are in place and are being effectively applied. ?

So we have established that the periodic review is an independent audit of a computerized system to determine if the system has maintained its validation status and, as said before, it is also a planned and formal activity. The first requirement for conducting a review is a standard operating procedure (SOP) covering the whole process. As a periodic review is a subset of an audit, the audit SOP should be relatively simple to adopt for a computerized system or you can use an existing audit SOP with a subsection for periodic reviews.?

Computerised systems should be periodically evaluated to confirm that they remain in validtate and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security and validation status reports.

Lets understand the Essential Steps for Conducting Effective Periodic Reviews in CSV in below blog.

Objectives of a Periodic Review

There should be two main goals for a periodic review of a computerized system:

• To provide independent assurance to the process owner and senior management that controls are in place around the system being reviewed and are functioning correctly. The system is validated and controls are working adequately to maintain the validation status.
• To identify those controls that are not working and to help the process owner and senior management improve them and thus eliminate the identified weaknesses. The impact of a finding may be applicable to a single computerized laboratory system or all systems in a laboratory.

Find any controls that aren’t working properly and help improve them. This is really important because it helps fix weaknesses. Sometimes, a problem with one system can affect all the systems in a lab. So, it’s crucial for managers to understand this and work on fixing issues.

Teams Responsibility for the Periodic Review

Management Commitment: Senior management is responsible for ensuring the availability of resources necessary for the execution of periodic reviews and for fostering a culture that prioritizes compliance and quality assurance.

The Process Owner needs to make sure that the system gets regularly checked, and if any problems are found, they should fix them properly.

Quality Assurance (QA): The Quality Unit is in charge of planning, doing, and keeping records of the regular checks. They are also responsible for the approval of the review process and its outcomes.

System Owners: System owners are directly responsible for coordinating the periodic review of their respective systems. This includes ensuring that the review team has access to necessary documentation and system data.

Review Team: Composed of individuals with appropriate technical and quality assurance knowledge, the review team conducts the review, which may include system validation status assessment, change control review, incident and deviation review, and a reevaluation of risk assessments.

IT and Security Departments: These departments are responsible for ensuring that the system's technical integrity and security measures are maintained and reviewed periodically for effectiveness.

?Steps for Periodic Review Process:

?The following diagram provides an overview to performing a Periodic Review of a Computer System.

1. Determine the frequency to Carry out the Periodic Review

Typically the Periodic Review is performed every one or two years, but different frequencies can be defined based on the GAMP5 category of the system and / or the time elapsed since the end of its initial validation

The frequency of periodic reviews should be determined through a documented risk assessment that takes into account its potential impact on patient safety, product quality, data integrity, and system complexity.

It's imperative to document the periodic review frequency, which can be done in validation reports, system inventories, or configuration management databases. Additionally, clear responsibilities should be established for managing the timing, scheduling, and resource allocation for these reviews.

Adjustments to the review frequency may be warranted based on current and historical data, such as:

• Increasing the frequency of reviews in response to significant incidents that indicate ineffective operational controls.
• Decreasing the frequency of reviews for systems with a high level of maturity or stability, characterized by minimal changes or incidents.

Supplier assessments, including monitoring activities, should be performed to verify the completion of these reviews. The participants in supplier periodic reviews may vary within the supplier organization, encompassing roles such as product owners, DevOps, support personnel, infrastructure managers, information security specialists, data privacy experts, and quality unit representatives.

Regulated companies should ensure that periodic reviews of suppliers are conducted to confirm compliance with Service Level Agreements (SLAs) and quality agreements, as well as to validate that supplier assessment and monitoring activities adhere to predetermined schedules.

2. Scheduling the Periodic Review

• Define Review Frequency: Establish the frequency of the periodic review based on product complexity, risk assessment, and regulatory requirements. This could be annually, biannually, etc.
• Identify Review Scope: Determine what processes, systems, and documentation will be included in the review. This may involve critical areas such as production, quality control, and CSV (Computer System Validation).
• Allocate Resources: Assign responsibilities to qualified personnel for conducting the review. Ensure that they have the necessary training and access to relevant documentation and systems.
• Set Review Dates: Schedule the review dates well in advance to ensure availability of necessary resources and to allow for preparatory work.

3. Conducting the Periodic Review

• Collect Data: Gather all relevant data, including system performance records, change control records, previous review reports, audit findings, and CAPA (Corrective and Preventive Actions) records.
• Evaluate Compliance: Assess compliance with applicable regulations, guidelines, and internal SOPs (Standard Operating Procedures). This involves a thorough review of the documentation, systems, and processes.
• Risk Assessment: Perform a risk assessment to identify any new risks or changes in the risk profile of the system or process since the last review.
• Identify Deviations: Document any deviations or non-compliances found during the review. This includes gaps in documentation, procedural errors, or system deficiencies.

4. Reporting and Addressing Deviations

• Prepare Review Report: Compile a detailed review report that includes findings, risk assessments, and recommendations for addressing any identified deviations or areas for improvement.
• Implement CAPA: For deviations identified, develop and implement CAPA plans. Ensure that actions are prioritized based on the risk assessment.
• Verify CAPA Effectiveness: After CAPA implementation, verify the effectiveness of corrective and preventive actions taken. This may involve follow-up reviews or audits.
• Update Documentation: Revise SOPs, training records, and other relevant documentation based on the review findings and CAPA implementations.
• Management Review: Present the review findings and CAPA status to management. Ensure that management is informed of the review outcomes and any actions required at the management level.
• Schedule Next Review: Based on the review findings and the established frequency, schedule the next periodic review.

What documents should be checked during a Periodic Review?

To support a periodic review, the collection of a comprehensive set of documents and records is important. This ensures adherence to regulatory standards and maintains the validated status of computer systems. Below is an explaination on each type of document or record necessary for a robust periodic review:

Audit Trails: The review should confirm that audit trails for GxP records are active and comprehensive, providing an unalterable record of all actions that could affect the quality of the product or data integrity.

Information Security Controls: It's vital to verify the adequacy of security measures such as patch management, antivirus solutions, and vulnerability monitoring to protect against unauthorized access and data breaches.

Action Closure: Any pending tasks from previous validation efforts, routine reviews, audits, or CAPAs should be resolved. This ensures that issues are addressed promptly and do not recur.

Operational SOPs: Confirm that all necessary SOPs are current, readily accessible, and properly implemented to guide operations in compliance with regulatory requirements.

System Inventory: Maintaining an accurate and updated system inventory and configuration management database is crucial for effective system management and compliance.

Incident and Problem Management: Analyzing trends in incidents and problems can help identify systemic issues or areas for improvement in system design or validation processes.

Support and Maintenance: Ensure that SLAs and maintenance contracts are in place and that routine support activities are conducted as scheduled to prevent disruptions.

Training: Review training records to ensure that all users, including new ones, are properly trained on the systems they use.

Backup and Restoration: Verify the regular execution of backups, the resolution of any failures, and the periodic testing of restoration processes to ensure data integrity and availability.

Record Archiving: Test the archiving system's capability to recover and read records over their intended retention period, ensuring compliance with regulatory requirements.

Change Management: Validate changes to the system thoroughly, keeping documentation current across the system's lifecycle. This includes rigorously applying change management processes and authorizing changes appropriately.

User-Access Management: Review the alignment of user roles with their organizational responsibilities, segregation of duties to prevent conflicts of interest, management of accounts with elevated privileges, and the provision of comprehensive training prior to granting system access.

Continuity and Disaster Recovery: Confirm the implementation of Business Continuity and Disaster Recovery plans, including the periodic testing and rehearsal of these plans to ensure readiness in case of an emergency.

?

What are the tools and techniques that can help you perform a periodic review faster and easier?

It's important to tailor these tools and techniques to the specific needs and regulatory context of your organization. Implementing these approaches can significantly reduce the burden of periodic reviews while maintaining high compliance standards.

1. Automated Monitoring Tools

These tools can automatically track and report on system performance, audit trails, and user activities. By automating surveillance, organizations can quickly identify potential compliance issues or deviations from expected performance parameters.

2. Document Management Systems (DMS)

A robust DMS can streamline the management of validation documentation, change control records, and system use logs. These systems often feature version control, access control, and audit trails, which are essential for an efficient periodic review process.

3. Electronic Training Management Systems

Ensuring that all system users and maintenance personnel are adequately trained is a critical component of periodic reviews. An electronic training management system can help manage training records and ensure compliance with regulatory training requirements.

4. Change Control and Configuration Management Tools

These tools facilitate the management of system changes, ensuring that each change is documented, reviewed, and approved before implementation. Effective change control supports compliance and system reliability.

5. Risk Management Software

Risk management tools can assist in identifying, assessing, and mitigating risks associated with computer systems. They can be particularly useful in prioritizing review efforts based on the criticality and risk profile of different system components.

6. Data Analytics and Reporting Tools

Advanced analytics tools can process vast amounts of data to identify trends, anomalies, or areas requiring attention. These insights can guide periodic review efforts, focusing resources on areas with the greatest impact on compliance and system performance.

7. Technique Enhancements

Utilizing standardized checklists based on regulatory requirements and industry best practices can ensure comprehensive reviews. Regular training updates for personnel involved in the periodic review process can enhance efficiency and compliance.Encouraging cross-functional teams to participate in the review process can bring diverse perspectives and expertise, leading to more thorough reviews.