It is important that IT staff protect themselves from being given the tasks that end users should perform in validation, because the work process and its GXP data are not fully known by IT personnel… Separate from the Software Application URS a Platform Requirements Specification (PRS) should be defined. (153)
In some organizations, busy end user groups push back on the demands of computer validation and ask IT to prepare the user requirements specification (URS), Test Plan, and test case/scripts for a new GXP system. Users say they don’t know computers, so it must be an IT role. The IT department should counter with the fact that they don’t know the users’ regulated work and data needs well enough to develop a suitable URS and testing strategy based on the users’ work process. An IT person will write a URS and testing strategy that is technology focused, because that is the IT person’s expertise. The likelihood is that a great piece of software technology will be selected, but the system won’t closely fit the work process. Then at Go-Live the users will complain that it is IT’s fault that they have an unworkable system for their process, when their own lack of input is the reason.
The IT role in validation is to install and qualify the Platform system components and infrastructure needed to deliver application access to all its user community. The requirements specification that IT is responsible for is the Platform Requirements Specification (PRS). Collaborating with end users, IT develops the PRS to describe software requirements based on roles and privileges for using the application, methods and geographic spread of user access, and how application data is expected to flow in the work process to communicate with other applications, devices, or databases. In addition, IT itself needs to examine the technology fit requirements of the new application with existing software and infrastructure.
To perform formal Installation Qualification (IQ) testing, test case/scripts must be executed against known requirements, and the PRS defines those requirements. Defining the PRS can also identify maintenance and support requirements such as Disaster Recovery priority, change control qualification, and data/system backup frequency. When external data centers are used, communicating security and operational requirements for a GXP system becomes a training issue for the outsourced staff.
Documenting actions taken is not the usual first priority of most IT staff, and external resources may not have a business focus on regulated applications that would inform them of relevant regulations. For GXP-critical applications, the PRS should identify where specific logs are required or when monitoring actions are to be performed. A well-defined PRS also provides the foundation for a clear and appropriate service level agreement (SLA).
Next Month: The Software Supplier’s Role in Validation
…auditors must look closely to determine whether the supplier does have a controlled Agile SDLC documented for its product or whether the supplier is just using the term Agile to mask an ad hoc, chaotic, and uncontrolled programming effort. (213) Writing software for regulated environments should be a creative discipline and not a creative art form. (216)