White paper on the Validation of Cloud based

TARA PV System

TARA PV was designed by a team

of pharmacovigilance professionals,
physicians and regulatory specialists
who saw the benefits in a user-driven
approach to processing and storing drug,
device and vaccine adverse events in a
secure and compliant safety database.

CONTENTS

– Introduction
– Validation Approach
– Validation Package

CONNECT WITH US
105 Great North Road,

Eaton Socon, St Neots, PE19 8EL

+44 (0) 1223 656 002

TARA PV is 21 CFR Part 11 compliant,
www.tarapv.com
adheres to GxP and ICH standards
@TARAPVMedGenesis
and, also complies with all European
@TARA_Web & Worldwide pharmacovigilance data
MedGenesis Ltd part of idash Group protection regulations
Introduction

Purpose
This white paper is intended to provide as much information as possible to assist in the
validation of the TARA (Tools for Adverse Reaction Assessment) pharmacovigilance (PV)
system, enabling you to determine how much additional effort you might require when
implementing our solution in the cloud.
Our aim is to provide a reliable, user friendly and time-effective database solution for
pharmaceutical companies, CROs, academic institutions, and associated organisations.

Our intention is to complete as much of the pre-validation and validation process as

possible in order to allow for quick out-of-the-box implementation times. All you need
to do is establish your own working procedures and associated documentation and
you are good to go.

In our secure hosted environment, we act as your IT function and take responsibility
for the functionality and quality of the software and its operational environment, giving
you peace of mind to concentrate on pharmacovigilance.
We provide verification that the system has been formally tested and installed
according to predefined Standard Operating Procedures along with the relevant test
certificates and reports.

Background
TARA PV is a secure web-based safety database for processing and storing adverse
events and device adverse experiences, and for meeting your expedited report
generation needs. TARA PV is currently being used as part of pharmacovigilance
management systems for both clinical trials and marketed products, by a range of
companies, in the UK, EU, USA, Australia, South America and India.

Quality Credentials
Established in 2009, MedGenesis Ltd (the creators of TARA PV) became part of the
idash Group Ltd in 2021. The group is an ISO 27001 accredited UK based software
development company and a Microsoft Solutions Partner - Modern Work. Committed
to providing exceptional pharmacovigilance and clinical safety software, TARA PV is our
primary database solution.

TARA PV was originally co-developed between MedGenesis and i-dash Ltd, a UK

Software Development, Secure Hosting and a Managed Services Provider business,
Verius Limited, a CRO now part of the ProductLife Group and Anglia Ruskin University.
 The idash Group employs Microsoft .NET Framework Guidelines and Best Practices,
utilising Microsoft Visual Studio tools and the source code management system GIT –
used by Microsoft engineers. As a result, TARA PV is a secure and reliable
pharmacovigilance database.

By collaborating with IT and pharmacovigilance experts, we were able to develop an

intuitive and streamlined pharmacovigilance database which has evolved into TARA PV.

The idash Group develop software following a documented software development

lifecycle and associated Standard Operating Procedures (SOPs) . We test each function
of the computer system using Computer System Assurance (CSA) validation concepts.
We also provide Installation Configuration testing (IQ - Installation Qualification),
Functional and Operational testing as part of every implementation. Our fast-paced
agile methodology can easily keep up with the relevant regulatory and industry
standards, while ensuring we are incrementally reducing risk with every iteration and
release. Our release schedule includes at least three TARA PV releases a year.

Our software development and implementation processes are reviewed on an ongoing

basis to ensure our processes and procedures are being adhered to and any
improvements are identified and actioned.

Validation Approach

Definition of Validation
To quote from the FDA’s Guidance for Industry

Software Validation means confirmation by examination and provision of objective

evidence that software specifications conform to user needs and intended uses, and that
the particular requirements implemented through the software can be consistently fulfilled.

The FDA have recently released new guidance in this area - Computer Software
Assurance (CSA) for Manufacturing, Operations and Quality Systems Software. This
guidance provides guidelines for streamlining documentation with an emphasis on
critical thinking, risk management, patient and product safety, data integrity, and
quality assurance.

In conjunction with this guidance, there is the expectation that systems are properly
installed and documented - including the controls exercised over their establishment
and operational use in the business environment.
To this end we can ensure the following;

Data Security
Your data is secure –TARA PV uses one of the highest levels of security through the use
of SSL encryption, such as that found with online banking services. Our servers are
housed in ISO 27001 accredited Datacentres, with multiple remote back-up sites.

Our Hosting facilities employ the appropriate security controls to prevent

unauthorized access to software, computer rooms and backup media storage rooms.

Should any changes be made to the hosted environment, these are all completed via
strict Change Control Procedures which form the key element of idash’s ISO-accredited
Quality Management System.

Customers are provided with their own dedicated database(s) on a chosen URL.

Compliance
TARA PV is 21 CFR Part 11 compliant, adheres to GxP and ICH standards and is
compliant with European & Worldwide regulations including GDPR.

We follow a clearly defined and documented software development lifecycle to ensure

quality and prevent software defects.

1. Any change to any record is captured in the audit trail and these entries are time stamped
with additional information including the digital identity of the person making the change and
why the record was changed.
2. Our system has security controls to prevent unauthorized modification, ensuring role-based
access and preventing users from directly updating the database.
3. Our software employs digital signatures for any transaction into the system.
4. All system requirements are clearly defined and approved before any design or coding
effort starts.
5. Test plans, test procedures and test cases are developed as early in the development
lifecycle as possible.
6. Coding Standards are well documented and code reviews are carried out to ensure that
these standards are followed.
7. A multi-level testing methodology is followed, including peer review, verification test,
system test, regression test and exploratory testing. In addition, performance testing and
disaster recovery testing is carried out to ensure that service level requirements are met.
8. Change management processes ensure that proper change control documentation,
approval and testing procedures are followed for any changes
9. Software developers, designers, quality managers and project managers are trained to
perform the technical aspects of their jobs and the company has training policies to ensure
they continue to have the right skills on an ongoing basis to do their job.
Validation Package
Validating a computer system is the process of establishing and maintaining
confidence, by examination and provision of objective evidence, that software is fit for
its intended use, and that it remains in a state of control throughout its lifecycle
(“validated state”).
As such it is important to know what to expect from our validation package and how it
can reduce your time and effort by providing you with objective evidence;

– Configuration Specification
This documents a high-level overview of the software components, hardware
architecture and information on how the system must be configured to meet user and
functional requirements.

– Functional Requirements Specification

The functional requirements specification (FRS) documents the operations and
activities that a system must be able to perform, based on how it was developed. This
includes descriptions of operations performed by individual modules, descriptions of
the system’s workflows, descriptions of system reports, as well as access to the system.
It is important to understand that the functional requirements are intended for general
business use and that not all provided requirements may need to be tested based on
your user requirements.

– User Requirements
The User Requirement specification (URS) describes the business need for what you
require from the system. This specification includes requirements around, workflows,
data needs, life cycle maintenance, and user access based on internal processes and
procedures.

– Risk Analysis & Traceability Matrix

This document links all requirements to their respective test cases and identifies
potential business and compliance risks associated with the system. It can help to
define the criticality of certain risks and the probability of occurrence. This document
ensures that all the requirements that have been defined in the specifications have
been tracked and tested throughout the validation process.

– Installation Qualification
The installation qualification (IQ) document verifies that the proper installation and
configuration of the system has been followed. It verifies the specifications identified in
the Configuration Specification.
– Operational Qualification/System Testing
The system test, verification test and regression test scripts provide documented
evidence that the requirements identified in the Functional Requirements Specification
(FRS) have been tested. It is a collection of test cases that are used to verify the proper
functioning of the system. Each test case includes an instruction, an expected result,
and an actual result with an indication of pass or fail.

- Performance Qualification/User Acceptance Testing

The Performance Qualification (PQ) / User Acceptance Testing (UAT) activities are the
responsibility of the customer, ensuring that the system complies with their internal
Standard Operating Procedures (SOPs), Work Instructions (WIs) and processes.

– Validation Summary/System Release Report

This document provides an overview of the entire validation/testing process once it
has been executed. This report will include a description of the project, a record of the
test cases performed, any deviations that occurred during the testing process, and
how those deviations were resolved. It may also describe how the system will be
released for use.

As well as supplying the above documentation around the system in its installed and
configured format, we can also supply the following additional documents in template
form;

– Validation Plan
– User Acceptance Test Plan
– User Acceptance Test Scripts
– Validation report

Many of our customers accept our validation approach and documentation set as is.
However, you may decide to repeat some or all tests from our System, verification and
Regression Test scripts, modifying them where you think fit to meet any of your own
specific requirements, or you may wish to develop your own test plan. We are happy to
support you whatever scenario you adopt.

CONNECT WITH US
105 Great North Road,

Eaton Socon, St Neots, PE19 8EL

+44 (0) 1223 656 002

www.tarapv.com

@TARAPVMedGenesis

@TARA_Web

MedGenesis Ltd part of idash Group