Laboratory

automation and
information
management
ELSEVIER Laboratory Automation and Information Management 31 (1995) 11-24

Quality assurance of computer systems

What is needed to comply with IS0 9000, GMP, GLP, and GCP?
Siri H. Segalstad
QA/ QC R&D, NYCOMED Imaging AS, P.O. Box 4220 Torshou, N-0401 Oslo, Norway

Received 1 July 1994; accepted 30 September 1994

Abstract

This paper will interpret the application of the different quality standards like Good Manufacturing Practice (GMP), Good
Laboratory Practice (GLP), Good Clinical Practice (GCP) and IS0 9000-3 guidelines to computer systems. The IS0 9000-3
contains requirements for developing software, whereas the GxPs have more detailed requirements for use. IS0 9000-3 can
be used profitably as a tool for the GxPs. The standards often have vague demands which need to be interpreted. The
wordings of the standards are compared to current interpreted requirements. Tables for comparison of the wording of the
standards are also included.

Keywords: Quality assurance; Computer systems; Compliance with standards; GMP; GLP; GCP; IS0 9000-3

1. Introduction The pharmaceutical industry has to follow Good

Laboratory Practice (GLP), Good Manufacturing
Quality seems to be the key word for industry in Practice (GMP), and Good Clinical Practice (GCP)
the 1990s. IS0 9000 and other standards are on (here called GxP to cover all three). These are fairly
everybody’s lips, almost no matter what kind of detailed demands to ensure that quality is built into
industry we are talking about. In order to be certified the products which are developed and produced.
for a quality standard by a certification body, the Almost every country has had its own set of GMP,
company has to prove that its organization is a GLP, and GCP. Work has been initiated to coordi-
quality organization supporting quality products. nate them to fewer sets. The EC (EU) set is to be
They need to have standard procedures for the work followed for pharmaceutical products sold in the
they do, as well as proving that they follow these European Union (EU). This will replace or is replac-
procedures. ing the GxPs for the member countries. The US set
IS0 9000 series, EN 45000 series, or other qual- is enforced by FDA, and is to be followed for
ity system certification will only show that there products sold in the US. In addition there is the
exists a quality organization doing whatever it is Pharmaceutical Industry Convention GxPs.
supposed to do. However, it does not say anything US Environmental Protection Agency (EPA) de-
about the level of quality. Nor does it say anything veloped Good Automated Laboratory Practice
about the time it takes for the company to deliver (GALP) [I] for the environmental and agricultural
their services or products. industries. GALP has thorough and detailed descrip-

0925-5281/95/$09.50 0 1995 Elsevier Science B.V. All rights reserved

SSDI 0925-5281(94)00022-O
12 S.H. Segalstad/Laboratory Automation and Information Management 31 (1995) 11-24

tions for an automated laboratory. This standard organization must have control of its computer sys-
explains how to handle computerized and automated tems as well as control of autoclaves, machinery,
systems to a greater detail than the GxPs, but the analytical methods, etc.
quality systems described in all the standards are Neither the IS0 9000 series nor most of the GxPs
approximately the same. have very detailed descriptions for computer sys-
In principle both the GxP and the IS0 9000 tems. The PIC GMP [2] has a chapter about com-
standards deal with quality, and may not seem very puter systems. The IS0 9001 has a guideline IS0
different. They all describe virtually the same quality 9000-3 [3] covering the life cycle of a computer
systems, but their scopes are dissimilar, see Table 1. system with emphasis on the development stages.
The main difference is the legal aspects of the two UK Department of Health has made an Advisory
systems: Leaflet [4] covering applications of GLP principles
- The GxPs are ethically motivated to ensure the to computer systems. The Japanese Inspection au-
patient’s safety. They are legal invariability regula- thorities and OECD [5] have made equivalent docu-
tions, and they are enforced by official authorities in ments. EEC guidance for GCP [6] has a few lines
the society. Sanctions and penalties are applied if the about computer systems.
regulations are not followed. NOTE: All tables contain only the requirements
- The IS0 9001 is motivated by commercial and in the computer section of PIC GMP; UK guide to
marketing reasons. They are not legally binding, but Inspectors regarding computer systems GLP; EEC
give guidance to international standards. The stan- GCP; and the guideline IS0 9000-3. For full re-
dards are contractual agreements enacted between quirements refer to GMP / GLP / GCP demands and
the vendor and the purchaser, and are privately suggestions for handling ‘equipment’.
enforced. Sanctions may be done by international When inspected by the authorities, computer sys-
civil laws. tems are regarded as ‘equipment’, which is well
A quality organization must document that they described in the GxPs. But it is not always easy to
have control over everything which can affect the ‘translate’ the demands for equipment handling into
quality of what it produces. This means that the demands for computer systems. Lepore of FDA has

Table 1
Definitions
GMP (PIG) GLP (UK) GCP IS0 9000-3

Principle The introduction of com- Purpose To check that procedures 1 Scope and field of application
puterized systems into systems of exist to ensure that computer sys- This part of IS0 9000 sets out
manufacturing, including storage, tems are suitably designed, con- guidelines to facilitate the applica-
distribution and quality control does trolled, operated and maintained in tion of IS0 9001 to organizations
not alter the need to observe the order to properly accommodate the developing, supplying and maintain-
relevant principles given elsewhere functions and activities to which ing software. It is intended to pro-
in the Guide. Where a computerized they are dedicated. The scope of vide guidance where a contract be-
system replaces a manual operation, these requirements encompasses any tween two parties requires the
there should be no resultant decrease kind of computer system which, in a demonstration of a supplier’s capa-
in product quality or quality assur- particular laboratory, is used to cap- bility to develop, supply and main-
ance. Consideration should be given ture and/or manipulate raw data in tain software products.
to the risk of losing aspects of the a toxicity or safety study conducted
previous system by reducing the in accordance with the principles of
4.1.1.1 The supplier’s management
involvement of operators. GLP for submission to a regulatory
shall define and document its policy
authority.
and objectives for, and commitment
to, quality. The supplier shall ensure
that this policy is understood, imple-
mented and maintained at all levels
in the organization.
 S.H. Segalstad/Laboratoty Automation and Information Management 31 (1995) 11-24 13

written an article discussing computer systems and explains how a system should be treated from the
GLP [7]. It may also be worthwhile to choose com- very beginning of the planning stages to the retire-
pliance to the strictest rule set of the GxPs for each ment (Table 2).
issue. Even though IS0 9000-3 covers only the No matter where the program is made it must
production of a computer software the guideline have built-in quality. It is definitely not enough to
contains a lot of good ideas for documentation and validate it after installation.
ways to work which can be applied also to the use PIC GMP states that “validation should be con-
and changes through the rest of the life cycle of the sidered as a part of the complete life cycle of a
system. computer system”, and continues that this cycle
FDA has conducted several GLP inspections tar- includes the stages of planning, specification, pro-
geting the computer systems in pharmaceutical in- gramming, testing, commissioning, documentation,
dustry. The reports are available to the public accord- operation, monitoring and changing. A system to be
ing to the Freedom of Information Act. In addition used in a GxP environment shall have built-in qual-
the presentation given by FDA Inspector Dr. Charles ity. Systems in other quality environments should be
Snipes in October 1992 181 clearly states that FDA is treated the same way.
moving to a stricter approach with regard to quality This can only be interpreted as: A system cannot
of computer systems. So far mainly GLP systems be validated unless it has been built and maintained
have been inspected but, to be on the safe side, the in a quality environment.
content of the comments and deviation documents As built-in quality of computer systems is clearly
(the so-called 483 from the form number) issued defined in IS0 9000-3, and this standard should be
should be applied by all companies for GMP and well known to computer vendors, it should be stated
GCP as well. in the requirement specifications to which extent
compliance to IS0 9000-3 should be met. This will
serve as an agreement for the quality standards to
which the system shall be programmed.
2. Life cycle of a computer system The user has the full responsibility for the quality
of the systems he is using as far as regulatory
Most system development textbooks have their compliance is concerned. The user must make sure
definitions of system life cycle. IS0 9000-3 states that the system has been developed in a quality
that the details may differ, but they are considered environment complying with the requirements. The
equal. The System Life Cycle approach in general verification of fulfilment of obligations can easily be

Table 2
System development issues
GMP (PIG) GLP (UK) GCP IS0 9000-3

Life cycle Validation should be considered as part Life cycle Life cycle 5 Quality system - Life-cycle activities 5.1
of the complete life cycle of a computer system. General A software development should be orga-
This cycle includes the stages of planning, specifi- nized according to a life-cycle model. Quality-re-
cation, programming, testing, commissioning, doc- lated activities should be planned and implemented
umentation, operation, monitoring and changing. with respect to the nature of the life-cycle model
(Validation 2) used.
5. The software is a critical component of a
computerized system. The user of such software This part of IS0 9000 is intended for application
should take all reasonable steps to ensure that it has irrespective of the life-cycle model used. Should
been produced in accordance with a system of any description, guidance, requirement or structure
Quality Assurance. be read differently, this is unintended and should
not be read as indicating that the requirement or
guidance is restricted to a specific life-cycle model
only.
14 S.H. Segalstad/Laboratory Automation and Information Management 31 (1995) II-24

done by auditing the vendor. FDA has commented the possibilities and need for a new system [9]. A
when organizations have failed to do so. group should be formed to work on the project.
The project group should follow principles of
system development. These are well described in
3. Planning a new system
several books in most languages [lo]. The process
When a new system is needed in the organization, itself may make the participants aware of details
the first start should be a study to get an overview of which they had not originally thought of. The proce-

Table 3
Audit trail and change control issues
GMP (PIG) GLP (UK) GCP IS0 9000-3
Securi@ issues Change control 8. Security issues Change control Security issues Change control 3.4
Data should only be entered or Security bl Security locks should be All corrections on a CRF and else-
amended by persons authorized to such that unauthorised entering, where in the hard copy raw data
do so. Suitable methods of deterring amendment or retrieval of data is must be made in a way which does
unauthorized entry of data include prevented. Those with authority not obscure the original entry. The
the use of keys, pass cards, personal should be required to identify them- correct data must be inserted with
codes and restricted access to com- selves and date any entries or the reason for the correction dated
puter terminals. There should be a amendments to data which they may and initialled by the investigator. For
defined procedure for the issue, can- make. c) Where appropriate, the electronic data processing only au-
cellation, and alteration of authoriza- above operations should be covered thorized persons should be able to
tion to enter and amend data, includ- by SOPS. These SOPS should cover enter or modify data in the computer
ing the changing of personal pass- the routine input and retrieval of and there should be a record of
words. Consideration should be data by all levels of scientific staff changes and deletions.
given to systems allowing for engaged in studies.
recording of attempts to access by
unauthorized persons.

Entering data 9. When critical data Entering data Entering data 3.2 Entry to a com-
are being entered manually (for ex- puterized system is acceptable when
ample the weight and batch number controlled as recommended in the
of an ingredient during dispensing), EEC guide to GMP. 3.3 If trial data
there should be an additional check are entered directly into a computer
on the accuracy of the record which there must always be adequate safe-
is made. This check may be done by guard to ensure validation including
a second operator or by validated a signed and dated print-out and
electronic means. back-up records. Computerized sys-
tems should be validated and a de-
tailed description for their use be
produced and kept up-to-date.

Audit trail 10. The system should Audit trail b) Security locks should Audit trail 3.4 All corrections on a
record the identity of operators en- be such that unauthorised entering, CRF and elsewhere in the hard copy
tering or confirming critical data. amendment or retrieval of data is raw data must be made in a way
Authority to amend entered data prevented. Those with authority which does not obscure the original
should be restricted to nominated should be required to identify them- entry. The correct data must be
persons. Any alteration to an entry selves and date any entries or inserted with the reason for the
of critical data should be authorized amendments to data which they may correction dated and initialled by the
and recorded with the reason for the make. c)Where appropriate, the investigator. For electronic data pro-
change. Consideration should be above operations should be covered cessing only authorized persons
given to the system creating a com- by SOPS. These SOPS should cover should be able to enter or modify
plete record of all entries and the routine input and retrieval of data in the computer and there should
amendments (an ‘audit trail’). data by all levels of scientific staff be a record of changes and deletions.
engaged in studies.
 S.H. Segalstad/Laboratory Automation and Information Management 31 (1995) II-24 15

dure may seem tedious, but is worth while to ensure ten about acquiring a new system, and any of these
that the system turns out right. Too many systems can be used as a guideline.
have failed in different organizations because the
planning has not been done thoroughly. Many orga-
4. Requirement specification
nizations often seem to have too little time to do it
right the first time, but they always have enough The requirement specification should be written in
time to redo it. That is far more expensive than doing great detail for three reasons: The first is the process
it right the first time. of finding out what the needs are; the second is to be
A description of the present system should be able to compare what is available on the market if
compiled. This system may be a manual system or a the system is bought, or to have a good description
computer system and can be a basis for a require- for programming purposes if the system is devel-
ment specification. Numerous books have been writ- oped; and the third is to be able to compare the

Table 4
Source code, availability, auditing, and location issues
GMP (PIG) GLP (UK) GCP IS0 9ooo-3
Source code auailability Source code auailability Source code availability
Applications Software . the Inspec-
tor may need to establish that: a)
development documentation, includ-
ing the source code, can be accessed
in case it is ever needed;

Release from system 19. When the Release from system Release from system
release of batches for sale or supply
is carried out using a computerized
system, the system should recognize
that only an Authorized Person can
release the batches and it should
clearly identify and record the per-
son releasing the batches.

Auditing 12. For quality auditing Auditing Auditing

purposes, it shall be possible to
obtain meaningful printed copies of
electronically stored data.

Service 18. When outside agencies Seruice Service

are used to provide a computer
service, there should be a formal
agreement including a clear state-
ment of the responsibilities of that
outside agency (see Chapter 7).

Location of system System 3. Atten- Interaction with other systems 2. Interaction with other systems 3.15
tion should be paid to the siting of Control procedures Software pro- If data are transformed during pro-
equipment in suitable conditions grams which organise, tabulate, sub- cessing, the transformation must be
where extraneous factors cannot in- ject data to statistical or other mathe- documented and the method vali-
terfere with the system. matical procedures, or which other- dated.
wise manipulate or analyse the elec-
tronically stored data, should permit
retrieval of original data entries.
16 S.H. Se&tad/Laboratory Automation and Information Management 31 (1995) 11-24

functionality of the new system with the original maceutical industry, do not have to comply with the
requirements. IS0 9000 series.

4.1. Include quality requirements 4.2. Access restrictions and audit trail
Requirement specifications generally cover the GxPs require access restrictions to avoid unautho-
technical requirements for a new system. An organi- rized use. Thus, access restrictions, and deleting and
zation which has to comply with GxP, IS0 9000 alteration restrictions should be available. GLP re-
series, or other quality systems, must have compati- quires the system to have an audit trail to see who
ble computer systems. This means that the computer has done what and when (Table 3). When changes
system must be built in compliance with the quality are made the system should retain the old records
standards, as well as used in compliance with these. with change reason.
The built-in quality must be defined in detail in the
requirement specification. After the system has been 4.3. Source code availability
purchased there is little the user can do to change the
GLP has a specific requirement of access to the
quality. If more companies demand quality more
source code (Table 4). This can be solved in two
vendors will eventually have to build in quality or go
out of business. All terms and conditions regarding different ways: Either the system user has a copy of
quality assurance should be included in the contract the source code at his site, or an escrow agreement is
and thus regarded as legally binding between vendor made. An escrow agreement will deposit the source
and buyer. code with a third party, normally a bank or a solici-
It is unwise to lower the quality requirements in tor, which will give access to the user when needed.
order to get a cheaper system. It is more expensive to It is not enough to be allowed to see the source code
reject a low-quality system prematurely than spend- at the vendor’s facility. He may not be in business
ing the extra money to get a quality system right for as long as the system is in use. It may be
away. The cost of quality must be included in the tempting to change the source code when an error is
budgets from the beginning, and may include a more found and the user has access to the code at his site.
expensive system as well as the extra cost of operat- This should definitely not be done. The vendor will
ing the system in a quality environment. However, usually not allow changes in their software, and will
the total benefit of a quality system is generally therefore not support a home-changed source code.
larger than the cost. The demands for operating in a The user does not have the necessary knowledge to
quality environment is increasing, and many systems have a proper control over the change.
as well as companies will probably succumb to the 4.4. Rights to quality auditing
increased demands for quality during the next few
years. The requirement specification should also include
A company in need of a very specific system rights for the customer to perform audits, both for
which only one low-quality vendor can deliver has a himself and for the regulatory agencies which may
problem. There seem to be three alternatives: inspect him. PIC GMP is the only GxP to cover this
(1) Try to make the vendor comply with at least issue (Table 4). This should be possible both before
some of the requirements and thus produce a system contract is agreed upon, and after. The inspection
which at least is somewhat better. (2) Buy a bad should be performed, especially if the vendor does
system which cannot be used in GxP studies, but not have an IS0 9001 certification under the TickIT
perhaps is able to give additional information com- [ll] scheme. TickIT is a variant of IS0 9001 which
pared to the previous system. (3) Decide not to buy sets a level on the quality, as opposed to a ‘normal’
the system yet. IS0 9001 which only tells that the vendor has a
The descriptions of system development in IS0 quality system. It may seem expensive to have to go
9000-3 cover all aspects, and quality organizations to another country or continent to perform an audit,
can benefit from requiring systems built to these but buying a system which does not have built in
requirements, even if they themselves, like the phar- quality is far more expensive.
 S.H. Segalstad/Laboratory Automation and Information Management 31 (1995) II-24 17

4.5. Homemade systems for commercial systems above. The user then also
acquires responsibilities as being a supplier/vendor
When the program is made, in-house care should having to comply with the quality requirements. The
be taken to comply with the same rules as described safe way to go about it is to work in compliance with

Table 5
Quality, development, design, implementation, and change control issues
GMP (PIG) GLP (UK) GCP IS0 9000-3

Deoelopment Validation should be considered as Develop - Deuelop- Deuelopment 5 Quality system - Life-cycle
part of the complete life cycle of a computer ment ment activities 5.1 General A software development
system. This cycle includes the stages of planning, should be organized according to a life-cycle
specification, programming, testing, commission- model. Quality-related activities should be planned
ing, documentation, operation, monitoring and and implemented with respect to the nature of the
changing. (Validation 2) life-cycle model used.

5. The software is a critical component of a This part of IS0 9000 is intended for application
computerized system. The user of such software irrespective of the life-cycle model used. Should
should take all reasonable steps to ensure that it has any description, guidance, requirement or structure
been produced in accordance with a system of be read differently, this is unintended and should
Quality Assurance. not be read as indicating that the requirement or
guidance is restricted to a specific life-cycle model
only.
5.4 Development planning 5.4.1 General The de-
velopment plan covers the following: a) the defini-
tion of the project, including a statement of its
objectives and with reference to related purchaser
or supplier projects; b) the organization of the
project resources, including the team structure,
responsibilities, use of sub-contractors and material
resources to be used; dl the project schedule
identifying the tasks to be performed, the resources
and time required for each and any interrelation-
ships between tasks; e) identification of related
plans, such as - quality plan - configuration
management plan - integration plan - test plan
The development plan should be updated as devel-
opment progresses and each phase should be
defined as in 5.4.2.1 before activities in that phase
are started. It should be reviewed and approved
before execution. [Detailed descriptions given]
5.5 Quality planning 5.5.1 General As part of the
development planning, the supplier should prepare
a quality plan. The quality plan should be updated
along with the progress of the development and
items concerned with each phase should be com-
pletely defined when starting that phase. The
quality plan should be formally reviewed and
agreed by all organizations concerned in its imple-
mentation. The document that describes the quality
plan (see 5.5.2) may be an independent document
(entitled quality plan) or a part of another docu-
ment, or composed of several documents including
the development plan. [Detailed descriptions given]
18 S.H. Segalstad/Laboratory Automation and Information Management 31 (1995) II-24

IS0 9000-3, although it might sometimes feel rather 6. Programming the system
extreme.
No matter whether the system is a commercially
programmed system or programming has been done
5. Buying or developing a system? in-house, the system should have total quality and
configuration control throughout the whole life cycle
The author’s view is that it is safest to buy (Table 5). This includes all stages from the first
whenever possible, even if the functionality require- drafts of planning through operating phase and until
ments are not fully met. The responsibility for the the retirement of the system. The hardware configu-
upgrades and bug fixes are left to professional soft- ration explains how the hardware is connected and
ware vendors where they hopefully know what they organized. The software configuration explains how
are doing. Upgrading expenses will be shared with the different modules of programming interact. A
other customers. The best solution is to buy the configuration chart may be used to visualize the
program from a vendor with an IS0 9001 certifica- configuration. Configuration changes as well as other
tion, preferably under the Tick-IT scheme. The next changes must be included in the change control
best solution is to have an external programmer do when developing the system. The requirement speci-
the programming job, and the very last solution is to fication should include demands for system develop-
make it ourselves. ment according to a life cycle model, may be speci-

Table 5 (continued)
GMP (PIG) GLP (UK) GCP IS0 9000-3
-
5.6 Design and Implementation
5.6.1 General The design and im-
plementation activities are those
which transform the purchaser’s
requirements specification into a
software product. Because of the
complexity of software products, it
is imperative that these activities be
carried out in a disciplined manner,
in order to produce a product ac-
cording to specification rather than
depending on the test and valida-
tion activities for assurance of qual-
ity. [Detailed descriptions given]

Change control 11. Alterations to a Change control 2. Control Change control Change control 6.1.3.2 Change
system or to a computer program Procedures control The supplier should estab-
should only be made in accordance Control of Programs within Systems lish and maintain procedures to
with a defined procedure which Management must provide docu- identify, document, review and au-
should include provision for vali- ments or SOPS which precisely thorize any changes to the software
dating, checking, approving and define: a) control procedures de- items under configuration manage-
implementing the change. Such an signed to detect or prevent unau- ment. All changes to software items
alteration should only be imple- thorised program changes; b) mea- should be carried out in accordance
mented with the agreement of the sures to ensure that authorised pro- with these procedures. Before a
person responsible for the part of gram changes are adequately change is accepted, its validity
the system concerned, and the al- recorded; c) who may authorise should be confirmed and the effects
teration should be recorded. Every program changes; Application on other items should be identified
significant modification should be software d) all changes to equip- and examined. Methods to notify
validated. the changes to those concerned and
ment (hardware/software) are doc-
to show the traceability between
umented and, where appropriate,
changes and modified parts of soft-
formally tested before being put
ware items should be provided.
into use;
 S.H. Segalstad/Laboratory Automation and Information Management 31 (1995) 11-24 19

fied as certain parts of IS0 9000-3 or an equivalent garding the system should be kept together and be
quality standard. The vendor with a Tick-IT scheme easily retrievable (Table 6).
IS0 9001 certification for his system has developed
7.2. Acceptance test
his system accordingly. These vendors are audited by
the certification body twice a year, and will lose their An acceptance test should be performed as soon
certification if they are no longer in compliance. as possible after implementation of the system to see
However, a vendor without such certification may do if the system works according to the requirement
an equally good job. The user has the responsibility specifications. Normally an acceptance test is carried
of making sure that the system has been programmed out before the purchase agreement is final (Table 7).
in compliance with the quality standards needed. The acceptance test may be in the form of a valida-
tion, which is a more thorough way of documenting
and testing, see validation below.
7. Implementing the system
7.3. Standard operating procedures (SOPS)
7.1. Documentation
SOPS should be written to cover all operational
The four standards have this written differently, and security measures for the system, including train-
but the basics are the same: the system implementa- ing, definitions, change control, access, validation,
tion should be well documented. All documents re- revalidation, normal operation, error handling, disas-

Table 6
Other issues to be covered in SOPS
GMP (PIG) GLP (UK) GCP IS0 9000-3

Personnel Personnel 1. It is Personnel Security a1 Staff in Personnel 3.4 All corrections [The IS0 9000-3 does not cover
essential that there is the clos- charge of computer systems on a CRF and elsewhere in the system use. The issues listed
est cooperation between key and those involved in data in- hard copy raw data must be below is the requirements for
personnel and those involved put and retrieval should have made in a way which does not system development. - Au-
with computer systems. Per- had adequate training and ex- obscure the original entry. The thor’s comment] Personnel
sons in responsible positions perience to perform the duties correct data must be inserted 4.1.1.2.1 Responsibility and
should have the appropriate required of them. The limits of with the reason for the correc- authority The responsibility,
training for the management authority allocated to individu- tion dated and initialled by the authority and the interrelation
and use of systems within their als must be clearly defined in investigator. For electronic data of all personnel who manage,
field of responsibility which SOPS or other formal docu- processing only authorized per- perform and verify work af-
utilizes computers. This should ments approved by Manage- sons should be able to enter or fecting quality shall be de-
include ensuring that appropri- ment. 5. StaffTraining The modify data in the computer fined, particularly for person-
ate expertise is available and principles of GLP require that and there should be a record of nel who need the organiza-
used to provide advice on as- an organisator has adequately changes and deletions. 3.16 tional freedom and authority.
pects of design, validation, in- and appropriately qualified and The sponsor must maintain a 4.1.1.2.2 Verification re-
stallation and operation of experienced personnel and that list of persons authorized to sources and personnel The
computerized systems. 8. Data there are training programmes make corrections and protect supplier shall identify in-house
should only be entered or including both on-the-job train- access to the data by appropri- verification requirements, pro-
amended by persons authorized ing and, where appropriate, at- ate security systems. vide adequate resources and
to do so. tendance at external training assign trained personnel for
courses. The Inspector may verification activities.
therefore require to see docu-
mented evidence of scheduled
training programmes relevant
to levels of involvement of
staff who work with or use the
computer system. Training
records, where appropriate,
should be available for inspec-
tion.
20 S.H. Segalstad /Laboratory Automation and Information Management 31 (1995) II-24

ter recovery, etc. A more flexible system needs more not exceeding the time corresponding to the maxi-
detailed SOPS than a less flexible system to make mum affordable loss of information. E.g., if it is
sure that most possibilities are taken care of in the acceptable to lose one day’s worth of data, then
SOPS. The number of SOPS for the system is of little backup should be performed daily.
interest, as long as they cover all relevant items.
Some of these issues are described in the require-
ments listed in Table 6. 8. Validation

7.4. Backup The system must be validated before use. This

should be done to prove that the system does what it
Backup is necessary, and is discussed in both PIC is supposed to do and will continue to do so. All
GMP and UK GLP (Table 8). The backup media GxPs are concerned with validation. The OECD
(tapes, diskettes, disks) should be stored in a fire-re- GLP states that “Assurance of the quality of com-
sistant cabinet in a separate building. Retrieval of puterised systems is gained from the joint efforts of
data from backup should be tested and documented. management, quality assurance personnel, systems
A rule of the thumb is to perform backup at intervals personnel and users. However, the primary responsi-

Table 6 (continued)
GMP (PIG) GLP (UK) GCP IS0 9000-3

Documentation 4. A written Documentation Documentation 3.12 When Documentation [TheIS0 9000-

detailed description of the sys- Study Systems and Sub-Systems electronic data handling sys- 3 does not couer system use.
tem should be produced (in- There should be documents, tems or remote electronic data The issues listed below is the
cluding diagrams as appropri- Standard Operating Procedures entry are employed, SOPS for requirements for system deoel-
ate) and kept up to date. It (SOPS) or manuals to provide: such systems must be avail- opment. - Author’s comment]
should describe the principles, a) definition of programming able. Such systems should be 6.2 Document control 6.2.1
objectives, security measures languages used; b) description designed to allow correction General The supplier should
and scope of the system and of any other systems or sub- after loading, and the correc- establish and maintain proce-
the main features of the way in systems to which or from which tion must appear in an audit dures to control all documents
which the computer is used study data is passed or re- file (cf. 3.4 & 3.16). that relate to the contents of
and how it interacts with other ceived.Applications Software this part of IS0 9000. This
systems and procedures. the Inspector may need to covers: a) the determination of
establish that: a) development those documents which should
documentation, including the be subject to the document
source code, can be accessed control procedures; b) the ap-
in case it is ever needed; b) proval and issuing of proce-
records are being kept of all dures; c) the change proce-
acceptance or other formal test- dures including withdrawal and
ing; c) all modifications to pro- as appropriate, release. [De-
grams are documented; d) all tailed description given]
changes to equipment (hard-
ware/software) are docu-
mented and, where appropriate,
formally tested before being
put into use. All documenta-
tion relating to the operation,
function, system specification
and design including user man-
uals should be kept in histori-
cal file(s) securely held to pre-
vent unauthorised access.
 S.H. Segalstad/Laboratory Automation and Information Management 31 (1995) 11-24 21

bility for system validation rests with the users.” are tested before sale, and that the system may have
GCP states that computer systems should be vali- been developed in a quality environment. The OECD
dated and error-free. The latter requirement is hardly GLP states “Any testing performed by the supplier
possible to comply with (Table 7). does not preclude the need for validation testing as
Validation must be done by the user on the user’s described above.” This is a valid approach for all the
site in the normal operational environment. The GxPs.
system may work well at the vendor’s site, but it There are two ways to attack validation:
should also work well at the user’s site with their Validation type Advantage Drawback

configurations, network, and peripheral hardware. System validation: Easy to define Validation can
Numerous articles have been written about the issue, To ensure that the - the requirement be too
system does what specification comprehensive,
most of them saying that “one must make sure
it is supposed can be used as the and too many
that...“. Segalstad and Synnev%g have written a Tu- to do. reference document. resources might
torial in this journal [12] comparing what ought to be be used for
done with a detailed description of what was actually testing non-
done in a given case. Some books have been written crucial features.

with a more thorough approach [13,14]. Revalidation Process ualidation: The frames are Valid testing
must be performed for every change to the degree To ensure that the job defined by methodology
necessary to prove that the change does not have an is done properly using what is really is not
the system as a tool needed obvious.
unintended impact on the system.
for this purpose. from the system.
Some vendors claim to sell ‘validated systems’.
This only means that they are selling systems which

Table 6 (continued)
GMP (PIG) GLP (UK) GCP IS0 9000-3

Checks and controls 6. The systems Checks and controls Checks and controls 3.13 The spon-
should include, where appropriate, sor must ensure the greatest possible
built-in checks of the correct entry accuracy when transforming data. It
and processing of data. should always be possible to com-
pare the data print-out with the
original observations and findings.
3.14 The sponsor must be able to
identify all data entered pertaining to
each subject by means of an unam-
biguous code (cf. 3.9).

Disaster recovery procedures 15. Disaster recovery proce- Disaster recovery procedures
There should be available adequate duresSecurity d) SOPS describing
alternative arrangements for systems routine use of computer systems
which need to be operated in the should also include the backup pro-
event of a breakdown. The time cedures for ensuring that data gath-
required to bring the alternative ar- ering can continue in the event of
rangements into use should be re- failure of the computer resource.
lated to the possible urgency of the
need to use them. For example,
information required to effect a re-
call must be available at short no-
tice.
16. The procedures to be followed if
the system fails or breaks down
should be defined and validated.
Any failures and remedial action
taken should be recorded.
22 S.H. Segalstad/Laboratory Automation and Information Management 31 (1995) 11-24

9. Old computer systems was paid for. Still there might be GxP- or IS0
requirements for the quality of the system in use. A
The quality of old computer systems may be more vendor audit might be possible to arrange. At least
difficult to keep under control. The requirement ask the vendor to state his compliance with the
specification was written long before quality was a quality standards. All documentation of the system
key word, and it is probably impossible to put pres- can still be collected and systemized provided it has
sure on the vendor for quality years after the system been retained.

Table 6 (continued)
GMP (PIG) GLP (UK) GCP IS0 9ooo-3

Archives/archiving Archives / archiving 3. Archives Archives/archiving

Special procedures for archiving
computer data will probably be nec-
essary and should be described in
SOPS. However, these SOPS should
reflect the principles applied to the
archiving of manually generated
data. Heroic measures do not need to
be taken to preserve electronically
stored data for the purpose of satis-
fying GLP requirements. Thus, out-
dated computers do not have to be
maintained solely to read old data,
nor do conversion programs have to
be prepared to permit the reading of
tapes or disks on a new computer.
Where problems in reading tapes or
disks are foreseen it should be borne
in mind that computer tapes or disks
may hold raw data and hard copies
should be taken for archiving prior
to their destruction. Tapes and disks
holding raw data may not be deliber-
ately destroyed nor should electroni-
cally stored data be deleted without
good reason. The reasons and the
signature of the person taking the
decision to destroy electronically
stored raw data, together with the
date upon which the destruction took
place, should be recorded in writing
and kept in the archives with other
data relating to the study. Where
practicable, an authenticated print-
out (or microfiche copy) of the raw
data should be taken prior to
tape/disk destruction, including the
information relating to amendment
of original entries (see above).

Error handling 17. A procedure Error handling Error handling

should be established to record and
analyze errors and to enable correc-
tive action to be taken.
 S.H. Segalstad/Laboratory Automation and Information Management 31 (1995) II-24 23

Table 7
Testing and validation issues
GMP (PIG) GLP (UK) GCP IS0 9000-3
-
Testing and validation 7. Be- Acceptance testing Testing and validation 3.10 Testing and ualidation 5.7
fore a system using a computer Applications Software All soft- The sponsor must use vali- Testing and validation 5.7.1
is brought into use, it should ware will normally be accep- dated, error-free data process- General Testing may be re-
be thoroughly tested and con- tance-tested before being put ing programmes with adequate quired at several levels from
firmed as being capable of into service by a laboratory user documentation. 3.3 If trial the individual software item to
achieving the desired results. If and the Inspector may need to data are entered directly into a the complete software product.
a manual system is being re- establish that: a) development computer there must always be There are several different ap-
placed, the two should be run documentation, including the adequate safeguard to ensure proaches to testing and integra-
in parallel for a time, as part of source code, can be accessed validation including a signed tion. In some instances, valida-
this testing and validation. Val- in case it is ever needed; b) and dated print-out and back-up tion, field testing and accep-
idation 2. The extent of valida- records are being kept of all records. Computerized systems tance testing may be one and
tion necessary will depend on a acceptance or other formal test- should be validated and a de- the same activity. The docu-
number of factors including the ing; c) all modifications to pro- tailed description for their use ment that describes the test
use to which the system is to grams are documented; e) peri- be produced and kept up-to- plan may be an independent
be put, whether it is prospec- odic testing for correct func- date. 3.15 If data are trans- document or a part of another
tive or retrospective and tioning of parts, or of the com- formed during processing, the document, or may be com-
whether or not novel elements plete system, is carried out. transformation must be docu- posed of several documents.
are incorporated. Validation mented and the method vali- [Detailed descriptions given]
should be considered as part of dated.
the complete life cycle of a
computer system.

Table 8
Security issues
GMP (PIG) GLP (UK) GCP IS0 9000-3

Data storage 13. Data should be Data storage Data storage 3.17 The investigator
secured by physical or electronic must arrange for the retention of the
means against willful or accidental patient identification codes for at
damage, and this in accordance with least 15 years after the completion
item 4.9 of the Guide. Stored data or discontinuation of the trial. Pa-
should be checked for accessibility, tient files and other source data must
durability and accuracy. If changes be kept for the maximum period of
are proposed to the computer equip- time permitted by the hospital, insti-
ment or its programs, the above tution or private practice, but not
mentioned checks should be per- less than 15 years. The sponsor, or
formed at a frequency appropriate to subsequent owner, must retain all
the storage medium being used. other documentation pertaining to
the trial for the lifetime of the
product. Archived data may be held
on microfiche or electronic record,
provided that a back-up exists and
that hard copy can be obtained from
it if required.

Backup 14. Data should be protected BackupSecurity d) SOPS describing Backup

by backing-up at regular intervals. routine use of computer systems
Back-up data should be stored as should also include the backup pro-
long as necessary at a separate and cedures for ensuring that data gath-
secure location. ering can continue in the event of
failure of the computer resource.
24 S.H. Segalstad/Laboratoty Automation and Information Management 31 (1995) 11-24

The system can undergo retrospective validation. References

In principle this can be done by collecting evidence
that the system has worked the way it should during l11 Good Automated Laboratory Practices, Office for Informa-
tion Resources Management, US Environmental Protection
the time it has been in use. If the system has been
Agency, Research Triangle Park, NC, Draft 1990.
checked, calibrated, controlled or likewise at a cer-
l21 PIC GMP: Pharmaceutical Inspection Convention Guide to
tain frequency, this can be used as part of the Good Manufacturing Practice for Pharmaceutical products
evidence. Depending on the type of system, addi- (Chap. 5 incorporated in this GMP covers computer systems),
tional validation may be needed. PIC, Geneva, March 1991.
If the documentation is collected, discussions on [31 IS0 9000-3, Quality management and quality assurance stan-
dards, Part 3. Guidelines for the application of IS0 9001 to
validation issues are documented, and retrospective the development, supply and maintenance of software. Inter-
validation has been performed as described above, national Organization for Standardization, Geneve, 1991.
the user is by far better off than just having the 141 Good Laboratory Practice Advisory Leaflet No. 1, The appli-
system there when the authorities come for inspec- cation of GLP principles to computer systems, UK GLP
Compliance Programme, Department of Health, London,
tions. With available documents the authorities will
1989.
have to prove the inadequacy of the validation.
[51 Concepts relating to computerised systems in a GLP environ-
Without documents the user has a major problem. ment, OECD, Draft, 1992.
[61 EEC Note for Guidance: Good Clinical Practice for Trials on
Medicinal Products in the European Community, 1990.
10. Conclusion [71 Paul Lepore, FDA’s good laboratory practice regulations and
computerized data acquisition systems, Laboratory Informa-
tion Management, 17 (1992) 283-287.
Even though different industries have different 181C. Snipes, FDA Division of Scientific Investigations GLP
standards to which they must comply, the standards Inspection, Exit Discussion at PRI on October 27, 1992.
are basically the same for computer systems. They [91 M. Brooks, Project management: key to the successful imple-
mentation of information management systems, Laboratory
all describe a total quality control and total quality
Information Management, 13 (1991) 51-67.
management during the entire life cycle of the com- [lo] K. Shumate and M. Keller, Sofrware Specification and De-
puter system. The IS0 9000-3 covers the develop- sign: a Disciplined Approach for Real-Time Systems, Wiley,
ment phase of a computer system, whereas the use of New York, 1992.
the system in a quality environment is covered in [ll] TickIT: DISC TickIT Office, 2 Park Street, London WlA
2BS, UK.
IS0 9001. However, the IS0 9000-3 can profitably
[12] S.H. Segalstad and M.J. Synnevgg, A practical guide to
be used also for the live system. The GxPs say very validating LIMS, Laboratory Information Management, 26
little about the development of the computer systems (1994) 1-12.
other than “Validation should be considered as part [13] R. Chamberlain, Computer Systems Validation for the Phar-
of the complete life cycle of a computer system” maceutical and Medical Device Industries, Alaren Press,
Libertyville, IL, 1991.
(PIG GMP). For pharmaceutical regulatory use IS0
[14] Pharmaceutical Industry Supplier Guidance, Validation of
9000-3 is not mandatory, but systems should be in Automated Systems in Pharmaceutical Manufacture, UK
compliance with a system like the one described by Pharmaceutical Industry Computer System, ms Validation
the guideline IS0 9000-3. Forum, Version 1.0 Issue A (first draft), February 1994.