Configuration Management is critical to the success of any regulated facility, especially those utilising IT/IS; however, its criticality is often overlooked. It also seems to be reinvented from project to project and site to site.

Save time and money with configuration management

Managed configurations are extremely worthwhile and, when done properly, save a hell of a lot of time on future (often unplanned) work. Configuration Management is a core component of PRINCE2 and ITIL (IT Infrastructure Library) – these methodologies have been proven to consistently work.

This article will give a brief insight into some of the fundamentals of configuration management and exemplify how something that seems so small can have such a large effect – moving a computer.

The jargon explained

From a terminology point of view, bear these in mind; as with all IT-related articles, this one contains jargon:

  • CM = Configuration Management
  • CI = Configuration Item
  • CMDB = Configuration Management Database

Find the right balance

Firstly we will look at the reasons why this is either not deployed, not deployed properly, or so cut down that it doesn’t work. A starting point is something most people struggle with at the best of times; sometimes we just can’t get the vision right, largely due to a lack of experience and/or knowledge. Couple this with personality clashes and workplace culture, and implementing configuration management is going to get difficult. Can you see where this is going? Sponsorship from superiors is often difficult to obtain due to departmental/supplier barriers and boundaries. Mix this with people, processes and technology, and usually the whole thing never gets mentioned again.

The reality is that there is already a lot of data; yes, it’s there, but to varying degrees of accuracy. Maintained? Some. But more often than not there is a LOT of informal data and local knowledge that is, well, just there! In a multi-site organisation this data is often just inconsistent.

We have chosen the ITIL CM approach because it is, in our opinion, the best, and we’ll use it to portray the concept in the hope that more people will take this on board. The ITIL CM process contains 5 core components:

Planning: Self-explanatory, but for those who aren’t sure: “Failing to plan is planning to fail”. Job done.

Identification: This is deciding what exactly is going to be controlled by the CM process, and then…

Control: Link to change management (very important); the control component yields a question: “Are you allowed to change it, and how is the change to the configuration controlled?”

Status Accounting: This is about what has changed and why!

Verification and Audit: Is this what we said we’d have? Have we done it correctly?

More changes than you think

The CMDB holds the details of each CI in an organisation, especially those items used to support the manufacturing operations of a GMP environment. Let’s say, for example, we’re going to move 5 servers from a control room in Building A to a computer room or data centre in Building B. Sounds simple: they’re just computers, put them on a trolley, move them to Building B, and then as long as there is power and a network socket it’s a case of plug and play. Bob’s your uncle. Now can we go to the pub?

But wait, let’s look deeper: what has actually changed about those computers? Their room number has changed; they are connected to different network outlets. Do they need UPS power, and are they still connected to the UPS? Were they connected to the UPS anyway? How do we tell? Do we need to know, or does it just have to look like it is working? Will there be enough power in the new room, and is there sufficient cooling – will the change in environmental conditions affect the service level agreement? Are there sufficient LAN / SAN outlets? There is a lot of change going on here.
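The questions above can be answered from the desk when the CMDB holds the right attributes. The sketch below is an added example, not part of the original article: the CI fields, names and figures are constructed for illustration, and it assumes heat load equals electrical load.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ServerCI:
    name: str
    room: str
    network_outlet: str
    power_watts: Optional[int]   # None: never recorded in the CMDB
    on_ups: Optional[bool]       # None: nobody documented it
    san_ports: int

@dataclass
class RoomCI:
    name: str
    spare_power_watts: int
    spare_cooling_watts: int
    free_lan_outlets: int
    free_san_outlets: int
    has_ups: bool

def assess_move(servers, target):
    """Return (cmdb_updates, findings) for moving `servers` into `target`."""
    updates, findings, load = [], [], 0
    for s in servers:
        # These attributes change for every moved CI and need a change record.
        updates.append((s.name, "room", s.room, target.name))
        updates.append((s.name, "network_outlet", s.network_outlet, "UNASSIGNED"))
        if s.power_watts is None:
            findings.append(f"{s.name}: power draw not recorded, capacity check incomplete")
        else:
            load += s.power_watts
        if s.on_ups is None:
            findings.append(f"{s.name}: UPS status unknown")
        elif s.on_ups and not target.has_ups:
            findings.append(f"{s.name}: on UPS today, none in {target.name}")
    # Assumption: heat load equals electrical load, so one figure checks both.
    if load > target.spare_power_watts:
        findings.append(f"power: need {load} W, spare {target.spare_power_watts} W")
    if load > target.spare_cooling_watts:
        findings.append(f"cooling: need {load} W, spare {target.spare_cooling_watts} W")
    if len(servers) > target.free_lan_outlets:
        findings.append(f"LAN: need {len(servers)}, free {target.free_lan_outlets}")
    san = sum(s.san_ports for s in servers)
    if san > target.free_san_outlets:
        findings.append(f"SAN: need {san}, free {target.free_san_outlets}")
    return updates, findings

# Constructed sample data: five servers in Building A, one room in Building B.
SERVERS = [
    ServerCI("srv-01", "A-CTRL", "A-017", 450, True, 2),
    ServerCI("srv-02", "A-CTRL", "A-018", 450, True, 2),
    ServerCI("srv-03", "A-CTRL", "A-019", 600, None, 0),
    ServerCI("srv-04", "A-CTRL", "A-020", None, False, 0),
    ServerCI("srv-05", "A-CTRL", "A-021", 500, True, 2),
]
TARGET = RoomCI("B-DC1", spare_power_watts=2500, spare_cooling_watts=1800,
                free_lan_outlets=8, free_san_outlets=4, has_ups=True)

if __name__ == "__main__":
    updates, findings = assess_move(SERVERS, TARGET)
    print(f"{len(updates)} CMDB attribute changes")
    for f in findings:
        print("FINDING:", f)
```

The unknown UPS status and the unrecorded power draw surface as findings in their own right: gaps in the CMDB are reported rather than silently treated as "fine".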

Standardise your approach

In addition to all this, there are a lot of views of the situation: the cost view, the service view, and the system view (logically, are the specifications suitable; physically, is there room and capacity). Parts of these views cross over as well; they overlap in areas of common concern, and it is these components whose configurations must be managed (not leaving out others, but merely highlighting the importance of configuration management). These should be controlled.

The first thing is to make sure you’ve got the right team; each and every business has a different way of working – prototype the process until it is correct. Standardise naming conventions for everything: services, locations, cabinets, devices and so forth. Identify any gaps and where the knowledge lies – this is usually a combination of formal knowledge and informal knowledge (what people know that they haven’t documented). Make sure that ownership is clear and unambiguous and most importantly make sure that visible sponsorship and support is present.

Can you afford not to use configuration management?

This all sounds like a lot of work, but in the long run this is a completely valuable exercise and demonstrates control for numerous purposes. For example, every time a new IT project comes up, does someone have to survey the datacentre for capacity for power, network, rack space and air conditioning? These are all jobs that can be done from the desk when an efficient, up-to-date CMDB is set up and active. In addition, a good system will give everyone confidence in their planning of anything from a small upgrade to a massive MES project implementation.

Without CM, change management is of limited effectiveness; it’s change management that we rely on so heavily in this industry to demonstrate our control in making changes to validated systems and qualified platforms. Without CM, an end-to-end view has to be created for each task, rather than being able to plan confidently in bulk. Service reporting will always be risky and therefore not trusted, even though it is required. Finally, and crucially, without CM the impact of faults and changes cannot be predicted with confidence.

Can you afford not to do configuration management?

Premier Infrastructure

If you would like to learn more about configuration management feel free to contact Premier Infrastructure anytime.


  • http://www.coolpac.com Andrew

    It seems that you are saying configuration management is the same as change management. The example you used I would have said was one of change management. So is there a difference between the two?

    In one company that I worked at we put some IT systems under configuration management (a lesser version of change management). This entailed identifying the system and allowing IT staff to alter settings in software, but each alteration had to be documented in a specific log. This enabled IT staff to make changes quickly where necessary, i.e. roll out patches and security updates.

  • Mark Richardson

    Configuration Management isn’t a lesser version of Management. All changes should be carried out under approved change management processes/procedures; released under release management procedures.
    When implementing changes in a regulated industry, especially IT changes there is always or nearly always at least two components, firstly the change to the system, secondly the change to the specifications for that system. By deploying an efficient change management system, the CI would have a corresponding component on the computer system, this would be documented in the CMDB as well, therefore, when the requirement for change originates and is approved, the change will happen to both the CI in the CMDB and the system. This provides a structured approach and helps to ensure that the system and the documentation are aligned at all times.

    In summary, both Change and Config Management are different, in regulated environments the config management will be changed in accordance with approved change control procedures, otherwise as you have mentioned logbooks can be updated to roll out quick-changes as long as this method is proceduralised in an approved SOP or Work Instruction.

    I hope this clarifies.

Similar articles:

Changes to equipment and documentation are an integral part of the whole GMP process in any regulated facility. In this article we will discuss how equipment is designed in a GMP facility and how good documentation practices are an essential part of quality assurance and GMP.

The content of this article has been taken from module 7 of our eLearning module on Good Manufacturing Practices (cGMP) within the life sciences.

Equipment

All equipment is designed, constructed and located to suit its intended use and to facilitate easy maintenance and cleaning.

Equipment is installed in such a way as to prevent any risk of error or of contamination, and cleaned according to detailed and written procedures and stored only in a clean and dry condition.

Production equipment should be designed in such a way as not to present any hazard to the products.

The parts of the production equipment that come into contact with the product must not be reactive, additive or absorptive to such an extent that it will affect the quality of the product and thus present any hazard.

Any defective equipment should, if possible, be removed from production and quality control areas, or at least be clearly labelled as defective. When not in use, equipment should be covered to ensure it remains clean.

Balances

Balances and measuring equipment of an appropriate range and precision should be available for production and quality control operations.

All measuring devices are required to be calibrated and checked at defined intervals by appropriate methods, and adequate records of such tests should be maintained.

Utilities

Fixed piping should be clearly labelled to indicate the contents and where applicable, the direction of flow.

Water pipes used in production (e.g. Purified Water, Water for Injection) are sanitised according to written procedures that detail the action limits for microbiological contamination and the measures to be taken.

Electrical circuits should be identified, and a record maintained of the load on each circuit to prevent inadvertent overload.

Documentation

Good Documentation Practices are an essential part of quality assurance and GMP.

It is important for a manufacturer to get the documentation right in order to get the product right.

GMP Documentation e.g. Site Master File, Specifications, Batch Manufacturing Formulae, Batch Manufacturing Records, Processing, Labelling, Packaging, Testing Instructions, Standard Operating Procedures, Protocols, Technical Agreements, Records, Certificates of Analysis, Reports etc. should contain the following attributes of a good document:

They should be:

  • Attributable
  • Legible
  • Contemporaneous
  • Original
  • Accurate
  • Complete
  • Durable
  • Corroborated
  • Version Based
  • Accessible
  • And Authorized

Change Control

Changes to GMP documentation, equipment, processes, systems, instrumentation, test methods, etc. are required to be controlled under a formal change control program.

This program must consist of Quality oversight to review the proposed changes, evaluate the potential impact of the change, determine any potential risk to product quality, and to establish the required level of supplemental validation/documentation required for the change.

In many instances, changes will also require submission to the Health Authority for approval of the change.

For example, changes impacting the submission documentation are subject to post approval change guidances according to the Health Authority regulations.

Change Control is a critical aspect of the GMP systems.

If you want to learn more about cGMP or if you want to evaluate our eLearning module for your company you can find more information here.


Similar articles:

The enduring assets of a laboratory’s work are the records that document those activities. When laboratory records are used to support a regulatory function, they are considered to be legal documents.

For records to be considered reliable and trustworthy they must comply with the following criteria:

  • Legible and Understandable – they must be able to be read and understood for the lifetime of the record, without having to refer to the originator for clarification. The information may be needed in five, ten or twenty years’ time, perhaps after the originator is no longer available
  • Attributable – who made the record or created the data and when?
  • Contemporaneous – the record must be made at the time the activity was performed
  • Original – the information must not be written on a post-it, piece of scrap paper, sleeve of a lab coat etc. and then transcribed.
  • Accurate – no errors or editing without documented amendments
  • Complete – All the information and data associated with the analysis is included
  • Consistent – All elements in the sequence of analysis must be date & time stamped and must be in the expected order
  • Indelible – Records are made on to controlled documents, such as laboratory notebooks or controlled worksheets, or saved to electronic media
  • Available – over the entire lifetime of the record for review, audit and inspection

1. Legible and Understandable

A record that cannot be read or understood has no value and might as well not exist. All records should be composed so they conform to grammatical convention which should be consistent throughout.

It is best to avoid buzzwords, clichés and slang as these are prone to change with time and are often not understood outside a particular locality. It is always good practice to have any record reviewed by a second person as this can often highlight any ambiguities.

2. Attributable

The identity of the person creating a record should be documented. For paper records this is normally done by the individual signing and dating the record with their signature.

As the record you are signing may be a legal document, you should clearly understand the implication of your signature. A signature should be unique to a specific individual, and the practice of signing someone else’s name or initials is fraud, and is taken very seriously.

3. Contemporaneous

All records must be made at the time an activity takes place. Delaying writing up, for example until the end of the day, will inevitably affect the accuracy of that record as details can be forgotten or misremembered.

4. Original

All records must be original; information must be recorded directly onto the document. This avoids the potential of introducing errors in transcribing information between documents.

If information from an instrument is printed out, by the instrument, that printout is the original record and should be signed, dated and attached to the record.

5. Accurate

The record must reflect what actually happened. Any changes should be made without obscuring or obliterating the original information; the use of whiteout or correction fluid is prohibited.

Any changes made to a record should be signed by the person making the change and dated to show when it was made and a written explanation should also be provided. Remember, the record may be needed after you have left the company and cannot be contacted for clarification.

6. Complete

The record must contain all information associated with the analysis of the sample, including system suitability tests, injection sequences, processing methods, sample preparation procedures and results. This must also include any reinjections or repeat analysis performed on the sample.

Remember the position of the regulatory authorities for something that needs to be done is – ‘if it isn’t documented it’s a rumour’. However, failing to disclose reanalysis or reinjection of samples will undermine confidence in the reliability of the records.

7. Consistent

Consistency in this context refers to the sequence of the component events, which the analytical method comprises, being performed in a logical order.

For example it is not possible to commence the HPLC run before the samples have been prepared, therefore the balance printout for the sample weights should be date/time stamped at least one or two hours prior to the sample injection time, to allow time to prepare the samples. Therefore all date/time stamps should be in the expected sequence.

In order to avoid confusion in this respect, it is worth ensuring all instruments that produce date/time stamped printouts are time synchronised. This is best done by reference to a standard reference time, such as a national online time server.
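The sequence check described in this section can be automated when the date/time stamps are collected in one place. The following is an added example, not part of the original article: the step names, sample IDs, records and the one-hour minimum preparation time are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed step names, in the order the analytical method requires them.
STEPS = ["weighed", "prepared", "injected"]

def check_consistency(records, min_prep=timedelta(hours=1)):
    """Return (sample, problem) findings for out-of-sequence time stamps.

    records: (sample_id, step, ISO 8601 time stamp), one per step per sample.
    min_prep: shortest credible time between weighing and injection (assumed).
    """
    by_sample = defaultdict(dict)
    for sample, step, stamp in records:
        by_sample[sample][step] = datetime.fromisoformat(stamp)

    findings = []
    for sample, seen in sorted(by_sample.items()):
        missing = [s for s in STEPS if s not in seen]
        if missing:
            findings.append((sample, "missing step: " + ", ".join(missing)))
            continue
        # Each step must be stamped no earlier than the one before it.
        for earlier, later in zip(STEPS, STEPS[1:]):
            if seen[later] < seen[earlier]:
                findings.append((sample, f"{later} stamped before {earlier}"))
        gap = seen["injected"] - seen["weighed"]
        if timedelta(0) <= gap < min_prep:
            findings.append((sample, f"only {gap} between weighing and injection"))
    return findings

# Constructed records: balance printouts, prep log entries, HPLC injection times.
RECORDS = [
    ("S-001", "weighed",  "2024-03-05T09:02:00"),
    ("S-001", "prepared", "2024-03-05T10:15:00"),
    ("S-001", "injected", "2024-03-05T11:30:00"),
    ("S-002", "weighed",  "2024-03-05T09:05:00"),
    ("S-002", "prepared", "2024-03-05T09:20:00"),
    ("S-002", "injected", "2024-03-05T09:40:00"),
    ("S-003", "weighed",  "2024-03-05T13:10:00"),
    ("S-003", "prepared", "2024-03-05T12:55:00"),
    ("S-003", "injected", "2024-03-05T14:30:00"),
    ("S-004", "weighed",  "2024-03-05T15:00:00"),
    ("S-004", "injected", "2024-03-05T16:45:00"),
]

if __name__ == "__main__":
    for sample, problem in check_consistency(RECORDS):
        print(sample, "-", problem)
```

A finding such as the one for S-003 does not by itself show that a record was altered; an instrument clock that is not time synchronised produces the same pattern, which is why the clocks are checked first.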

8. Indelible

Indelible means the record must be legible for the lifetime of the record and once it has been made it cannot be removed.

Handwritten entries of information should be made in ink and not pencil, which can be erased.

If printouts are made on thermal paper, which darkens with time, a photocopy should be made; this should be certified as an accurate copy of the original print and attached.

If printouts are attached to a page they should be:

  • Secured to the page with acid free glue and industrial strength Sellotape
  • Signed and dated across the attachment and the page
  • Annotated with a reference to the document

9. Available

All records should be available for inspection, audit and review for the lifetime of the document. If a document is requested during a regulatory audit, it should be produced within thirty minutes.

Therefore, the laboratory should establish an easy to reference archive system. Records should be archived so as to preserve their integrity, such as:

  • Secure facility with restricted access
  • Effective fire suppression
  • Protection from dampness or humidity
  • Controlled access to Document

Check Out Our Laboratory Data Integrity eLearning Module

If you are looking for a way to train your staff on the importance of data integrity in a regulated environment, check out our eLearning Course.
