For the availability of computerised systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g., a manual or alternative system).
The time required to bring the alternative arrangements into use should be based on risk appropriate for a particular system and the business process it supports.
These arrangements should be adequately documented and tested.
Hence it is essential to understand how, in practice, we can prepare robust business continuity plans for GxP computerized systems, considering a variety of factors, namely procedures, planning, recovery, management, ongoing operations, risks and resilience.
Disaster recovery plans are very often assumed to be the same as business continuity plans.
In fact, the disaster recovery plan is only a part of the business continuity plan. The extensive business continuity plan includes data back-up, storage and restoration, and further verification of the restoration of data.
A robust business continuity plan should mainly address the following elements:
- Event detection,
- Business process impact evaluation,
- Repair operations,
- Business continuity deployment,
- Recovery and restoration operations,
- Return to normal operations and business continuity process closure.
Let us understand these elements one-by-one:
Event detection
Under this element, the event should be detected and recorded as per site procedures, e.g., a quality event management, incident or deviation management procedure.
Under this head, we need to evaluate the cause of the event, for example:
- The event may be related to loss of data, for example due to connectivity failure or system unavailability,
- The event may be related to security of the data, for example due to a possible cyber-attack,
- The event may be related to a change in the local area environment, for example an increase in temperature,
- The event may be related to a natural disaster, for example fire or earthquake.
We have to consider each such event that can be resolved and evaluate the maximum tolerable non-availability of the system, which should be recorded in our business continuity plan.
Business process impact evaluation
Under this element, we have to carry out a business process impact evaluation that identifies the functionalities or workflows potentially affected by the system unavailability, as well as the business functions impacted and their dependencies (e.g., number of entities, users, geographical area impacted).
We can make use of the quality risk management process for the business process impact evaluation.
Repair operations
Under this element, in parallel with the deployment of the business continuity process, repair operations should be initiated in order to restore the normal usage conditions of the system.
These operations should be managed in accordance with a change control procedure and should be associated with testing activities and data review, before approval and release of the repaired system for production usage.
It should be noted that, in the evaluation of these requirements, many companies have received FDA 483 observations and also warning letters. Such observations can be looked up in the FDA database.
Business continuity deployment
Under this element, we have to consider activation of the predefined manual or automated operating process.
Either we can have manual operations with manual controls for record keeping and data integrity, or we can make use of alternate systems; we can also make use of disaster recovery plans.
For example, in case of a server breakdown we can move to an alternate server or restore the back-up data so as to ensure smooth business operations.
Recovery and restoration operations
As per this element, we have to set a clear process for prioritizing system recovery before returning a GxP computerized system to normal activity.
The process may include:
- Method of recovery
- Sequence of system functionalities or workflows to be restored in priority order
- Reconciliation of activities performed outside the system, e.g., entry of data managed during the interim manual or automated process discussed under the previous element.
Return to normal operations and business continuity process closure
As per this element, we have to authorize the termination of the business continuity process through verification of the business continuity activities performed and communication to system users and stakeholders about the return to normal usage.
We have looked into how to make a robust business continuity plan for GxP computerized systems.