For the availability of computerised systems critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g., a manual or alternative system).
The time required to bring the alternative arrangements into use should be based on risk appropriate for a particular system and the business process it supports.
These arrangements should be adequately documented and tested.
Hence it is very essential how practically we can prepare robust business continuity plan for GxP Computerised system considering a variety of factors namely Procedures, Planning, Recovery, Management, On-going operations, Risks and Resilience.
It is very often understood that disaster recovery plan is same as business continuity plan.
But the fact is that the disaster recovery plan is only a part of business continuity plan. The extensive Business Continuity plan include: data back-up, storage and restoration and further verification of restoration of data are all considered.
The robust Business continuity plan should address mainly the following elements:
- Event detection,
- Business process impact evaluation,
- Repair operations,
- Business continuity deployment,
- Recovery and restoration operations,
- Return to normal operations and business continuity process closure.
Let us understand these elements one-by-one:
Under this element, the event should be detected and recorded as per site procedures, e.g., quality event management, incident or deviation management procedure etc.
Under this head, we need to evaluate the event cause like:
The event may be related to loss of data for example due to connectivity failure or system unavailability
The event may be related to security of the data for example due to possible cyber- attack,
The event may be related to change in local area environment for example increase in temperature
The event may be related to natural disaster for example fire or earth quake etc.
We have to consider each such event that can be resolved and evaluate maximum tolerable non-availability of the system and same should be recorded in our business continuity plan.
Business process impact evaluation
Under this element we have to study a business process impact evaluation considering the identification of functionalities or workflows potentially affected by the system unavailability as well as the business functions and their dependencies impacted (e.g., number of entities, users, geographical area impacted).
We can make use of Quality Risk management process for Business process impact evaluation.
Under this element, in parallel with the deployment of business continuity process, repair operations should be initiated in order to restore normal usage conditions of the system.
These operations should be managed in accordance with a change control procedure and should be associated with testing activities and data review, before approval and release of the repaired system for production usage.
It needs to be considered that while evaluation of these requirements, many companies received FDA 483 observations and warning letters also. Such observations can be referred in FDA database.
Business continuity deployment
Under this element, we have to consider activation of the predefined manual or automated operating process.
Either we can have manual operations with manual controls for record keeping and data integrity or we can make use of alternate systems, you can make use of disaster recovery plan.
For example, in case of server breakdown we can move to alternate server or you can make use of restoration of the back-up data so as to ensure smooth business operations.
Recovery and restoration operations
As per this element, we have to set a clear process for prioritizing system recovery before returning a GxP computerised system to normal activity.
The process may include,
✓ Method of recovery
✓ Sequence of system functionalities or workflows to be restored in priority order
✓ Reconciliation of activities performed outside the system for example e.g., entry of data managed during interim manual or automated process discussed during previous element.
Return to normal operations and business continuity process closure
As per this element, we have to authorize the termination of the business continuity process, by Verification of business continuity activities performed and Communication to system users and stake holders about return to normal usage.
We have looked into how to make robust business continuity plan for GxP Computerised systems.