The questions that the Blue Book tells investigators to ask about computer hardware and software systems continue to be valid and are asked by inspectors and auditors today for systems operating in regulated environments. (3)

 

In February 1983, the US Food and Drug Administration (FDA) published its first guidance focused on the accuracy and trustworthiness of computerized systems in pharmaceutical manufacturing. It provides guidance to inspectors for how to examine computerized operations and gives a list of questions to be asked that (your validation package) should be able to answer.

  • Do the program and hardware match the assigned operational function? (Documented and management approved system requirements)
  • Have operational limits been identified and considered in establishing production procedures? (SOPs and Work Instructions)
  • Have test conditions simulated “worst case” production limits for hardware and software? (Range, Logic, Limits, Stress, and Negative tests)
  • Have tests been repeated enough times to assure consistent reliable results? …In general at least three separate runs should be made. (Test Plan approach & test run documents)
  • Has the software and hardware validation been thoroughly documented? (Supplier’s OQ/ Installer’s IQ/ Users’ PQ packages)
  • Are systems in place to initiate revalidation when program and/or hardware changes are made? (Change Control SOP, Forms, Disaster Recovery Plan & DR Testing)
  • How often and in what way are computerized operations being monitored? (IT infrastructure management tools, Software supplier update/bug fix process, User’s work process change)
  • What kind of input and output are being sent over a network? What is the identity and location of establishments interacting on the net? What are the security measures used to prevent unauthorized access and data corruption? What is the extent and nature of monitoring and controlling activities exercised by remote online establishments? (Logical security Policies, SOPs, WIs, Firewalls, Antivirus software)

Next Month: Auditable Formal Testing Practices

Testing without formal documentation is meaningless for audit and inspection purposes and a waste of precious resources for GXP systems. (89)