The Arkivum Traceability Matrix

Jump to each section by clicking on the below:

  • Extraction of regulatory requirements
  • Mapping to product features & capabilities
  • Impact assessment
  • Evidence

Mapping GxP Regulations and guidelines to solution requirements

Here at Arkivum, we provide a ‘validation pack’ for our solution which helps our customers accelerate their own validation and give them confidence that we ‘built it right’ and we ‘built the right thing’ (otherwise known as verification and validation). Clients qualify us as a supplier, including the processes and procedures we follow in our QMS such as staff training, risk management, software development lifecycle, releases, running the production environment, BCDR and more. This gives clients the confidence that they can build on the validation pack that we provide when they do their own final validation of our solution in their environment.

Part of that validation pack is a Traceability Matrix that maps product requirements to executed tests. These confirm that the product works as specified. That’s standard stuff for a validation pack. But we use the Traceability Matrix to do a lot more than that. We also map GxP regulations and guidelines to product requirements so there is traceability from what the regulators require to what’s delivered by our product. We also do an impact assessment of the risk to data integrity if a given feature doesn’t work as specified. This allows both Arkivum and our customers to take a risk-based approach and focus verification and validation attention to areas of the system that matter most.

Extraction of Regulatory Requirements

Here’s an example of what we do using ICH E6(R3). First, we extract out the relevant requirements. We give each one an ID and document from where in the guideline it comes from and what it says. There’s a few examples below from the very first part of ICH E6(R3) which covers general requirements for data integrity, retention of essential records, and access to these for the authorities and others. I’ve show three example requirements. The full list that we’ve extracted has nearly 50 requirements from ICH E6(R3) that cover a wide range of areas, including what needs to be retained, the need for Data Integrity, user management, audit trails, access and more.

We follow this process of requirements extraction for a whole host of other regulations and guidelines too, not just ICH E6 (R3) guidelines for clinical data (GCP), but also OECD No. 15,17 and 22 for GLP, and Annex 11 for GMP. There are other general regulations that we extract requirements from as well, including 21 CFR Part 11, the GAMP5 guidelines for computerised systems, the GAMP guidelines for Records and Data Integrity. And most importantly, we also take each of the nine ALCOA+ principles as requirements because they are pervasive in all GxP areas.

Mapping to product features and capabilities

We then link the regulatory requirements to our product requirements. An example is below. This example shows a very small number of product requirements for the Arkivum solution (each one also has its own ID) and how they can be mapped to the requirements of the various regulations and guidelines.

For example, ICH E6(R3) requires the retention of essential records, which is very broad in scope, hence there is a product requirement to be able to ingest and archive a very wide range of file types. This data must be protected against corruption and loss, which is a requirement of ICH E6(R3) and is of course part of meeting the ALCOA+ principles. And that data must remain readable and usable, which is why the Arkivum system can produce long-term preservation versions of files that ingested into the system and retains these along with the originals.

Click here to expand table.

There are many product capabilities and requirements that we could show as further examples, but hopefully the three above give an idea of the mapping process. As well as ICH E6 (R3), you can also see in the extract above how each product requirement is mapped to other corresponding regulations and guidelines that it supports, including the ALCOA+ principles, Annex 11, OECD No15 and more. There’s plenty more regulations and guidelines to the right that are not shown in the small extract above.

Impact Assessment

And finally, there’s the impact assessment that we do. We do this for GxP Data Integrity, i.e. each of the ALCOA+ principles. We do it for Confidentiality and Privacy too, for example under GDPR. ALCOA+, by definition, includes Availability and Integrity of data. Add to that Confidentiality, and you get the CIA triad of information security. Good information security underpins support for Data Privacy. This approach of considering Data Integrity, Confidentiality and Privacy all helps to ensure that the system, along with a whole host of other security measures that Arkivum employs, together can protect against cyber-attacks such as ransomware or other forms of hacking.

An example of the impact assessment that we do is shown below. Again this is a tiny extract from the Traceability Matrix. As you can see in the example, there is the requirement to ensure all records (files, metadata and audit trails) are replicated across multiple storage locations and there is the need to make files immutable. Both are Critical from a GxP Data Integrity standpoint. These features prevent data tampering, data corruption and data loss, which is obviously important when archiving data for the long-term!

On the other hand, the system’s ability to generate additional pre-viewing copies of data to help with easy viewing of files when navigating the archive is less critical from a GxP Data Integrity perspective. This is because the original data is always retained and remains unchanged in the Arkivum system, which means its Data Integrity is not directly affected. In another of the examples shown, the storage of data in pre-agreed locations is absolutely essential from a Confidentiality and Privacy perspective, for example when meeting GDPR requirements, but this is not quite so critical from a Data Integrity perspective, although still important because data still needs to be under proper control including where it is physically located.

Evidence

The validation pack contains the test scripts and documented set of executed tests that show that the system does indeed correctly implement the requirements as specified in the Traceability Matrix. This builds upon nightly automated testing that covers literally thousands of detailed tests of all aspects of the system. At Arkivum, we make heavy use of automated testing and in preference to manual tests whenever possible. Well specified and fully automated testing is faster, more efficient and less error prone - but that’s for another eBook.

Keeping Reading: Monitoring & Oversight

Arkivum Website | Contact Us | Privacy Policy

Arkivum Limited is registered in England and Wales, company number 7530353 Registered Office: Arkivum, 85 Great Portland Street, First Floor, London W1W 7LT. United Kingdom.