Technology
This chapter will cover:
- Technology requirements
- Technology procurement good practice
- Practical considerations for technology
Today, almost all data and documents are created, processed, managed, and retained in computer systems and other electronic systems such as laboratory equipment.
Technology offers opportunities to improve operational efficiency, work more collaboratively in real time, and enhance data integrity. However, technology also presents challenges, not least among them the difficulties of archiving clinical data, documents, systems, and equipment for long periods such as the twenty-five-year period mandated by regulation EU 536/2014.
To ensure the integrity of (and trust in) data and documents, the systems and equipment on which data and documents are created, processed, managed, and retained must be proven to be fit-for-purpose. Accordingly, these systems and equipment are also subject to scrutiny by inspectors.
When assessing technology options, organisations should consider the following.
Reasons for Purchase.
Ensure that all computer systems and equipment have been purchased for the right reasons e.g. the purpose has been clearly defined and understood prior to procurement. A common finding by inspectors is that technology acquisition is poorly or inappropriately sequenced.
To avoid this, organisations should consider the role and purpose of [new] technologies as well as the purpose and value of the documentation inputs and outputs. Having user and functional requirements and design qualification prior to implementation is essential: a schematic of the inter-relationship of systems can be helpful.
Medical devices such as smart watches used for research purposes may present myriad challenges with data storage and transfer and with ethical considerations associated with excess and unwarranted data collection e.g. GPS or health data unrelated to the purpose of the study.
Validation.
Provide documentary evidence of validation, qualification, or calibration to prove to inspectors that systems and equipment have been appropriately tested for operation, controls, security, and functionality and are fit-for-purpose.
ISPE GAMP5® provides guidance on validation requirements, but regulators recommend that organisations adopt a risk-based approach to validation based on the criticality of the data and documents created, processed, managed, and retained within the system.
Back-up.
Establish robust backup, disaster recovery, and business continuity plans so that in the event of a failure or disaster, data and documents are kept secure, able to be recovered with minimum interruption, and appropriately preserved.
Retention Challenges.
Recognise the challenges of retaining digital data and documents for the long term. Regulations do not differentiate between digital and other types of data or documents.
However, to read digital content, it is essential to have access to the enabling format, software, operating system, hardware, manual, and licence.
The focus should not be just on content but also on elements such as metadata (audit trails, permissions, digital signatures, MS Excel formulas, etc.), which can be critical to proving integrity and trustworthiness, and characteristics and behaviours such as hyperlinks and bookmarks.
Scalability Limitations.
Be aware of scalability limitations; care often needs to be taken with laboratory equipment that may have limited storage capacity, especially where the default is for old data to be overwritten (and lost) in the event of capacity overload.
These (among others) are the kinds of questions regarding technology that may arise during an inspection. Being prepared in advance will not only facilitate an organisation’s ability to respond positively and confidently but also provide reassurance to inspectors that the organisation has a thoroughly cohesive, integrated, and well-thought-through IT strategy.
We’ve provided a schematic around the technology procurement process; if you are responsible for purchasing a new technology, we would suggest following this process to ensure that it fits its purpose and fulfils what it is intended to be used for.
Practical Considerations for Technology.
- Cover all stages of the data and document life cycle, including creation, processing, workflow, management, storage, archiving, and destruction.
- Cover all stages of the system life cycle, including testing, validation, installation, upgrade, retirement, and decommissioning.
- Detail physical and logical arrangements, data flows, interfaces, hardware and software prerequisites, and security measures.
- Have a fully traceable Design Qualification (DQ), User and Functional Requirements Specification (UFRS), Installation Qualification (IQ), Operation Qualification (OQ), Performance Qualification (PQ) and Maintenance Qualification (MQ) including a fully managed and documented change control programme.
- Have evidence of testing against a quality management system.
Computer systems should include:
- Automated, non-modifiable audit trails in “intelligible form” even for elements as simple as tracking timestamps for logins and user access.
- …and disallow audit trail deactivation.
- Checks for data security, accuracy, integrity, accessibility, readability, and (where necessary) usability.
- Security and access permissions based on role and/or function.
- Defined procedures for change and configuration management.
- Reporting functionality e.g. KPIs, metrics, reports.
- Documentary evidence of periodic evaluation.
- Back-up/restoration procedures including record integrity/accuracy checks.