The document provides guidance on preparing for a computer systems quality audit by outlining key elements of a quality assurance program including standard operating procedures, a change control program, and computer systems validation. It describes the components and purpose of the change control program and committees. It also lists important documents needed for a computer systems validation program including plans, procedures, and project documents.

1. How To Prepare for a Computer Systems Quality Audit Contact: Robert Ruemer 845-300-3921

2. Quality Policy Most quality audits will start with an inspection of your Q uality A ssurance (QA) program. The program should include: S tandard O perating P rocedures (SOPs) and a SOP training program. A Change Control Program that controls: Changes to existing computer systems Changes to policies and procedures Adding new computer systems A C omputer S ystems V alidation (CSV) program and or CSV procedures.

3. SOP Policy Your SOP policy should require that: Personnel are trained on procedures before performing operational duties or functions. SOPs are updated periodically to ensure that the procedures are current. Changes in SOPs are put under change control.

4. The CCP will be used to: Approve and monitor changes to your policies and systems. Control validation requirements for new systems. Determine which systems are required to be GxP (Good Manufacturing or Laboratory Practices) or SOX (Sarbanes Oxley) compliant. Provide a central repository for all change requests. The Change Control Program (CCP)

5. Your change control SOPs should describe: When to initiate a change request. How to initiate a change request. How to closeout a change request. The change request form should be a associated with the change control SOP. Change Control Program (SOPs)

6. Ideally a CCC should consist of the following members. Change Control Coordinator Director of QA or Compliance Director of Computer Systems Validation Business owner Director of IT, MIS or IS The committee’s responsibilities include determining project validation deliverables and change request closeout approval. The Change Control Committee (CCC)

7. The CSV program should provide the following: C omputer S ystem M aster V alidation P lan ( CSMVP ) . A M aster S ystems I nventory (MSI) of all company’s computerized systems. Central repository for all validation project documents. Training guidance on running and documenting test protocols. Management of validation efforts. The Computer Systems Validation (CSV) program

8. CSV efforts can do more that just test the installation of new computer systems. The following list suggests some of the benefits of a CSV effort: Gathering requirements before buying a system can improve the chances that the business owner gets what they want at the most efficient price. The validation plan will ensure the efficiency of the effort by ensuring that only those things that are planned will be worked on. Writing requirements and specifications ensures that the system will be properly configured to meet the business need. Testing of the system ensures that the system will perform as expected. Documenting the validation effort will prove that the effort was done correctly and as expected. The Computer Systems Validation (CSV) program

9. CSV documents can be divided into two categories: CSV documents – policy, procedures and project document templates. CSV project documents – Validation/Test Plan, Requirements, Design Specification, IQ, OQ, PQ, RTM, Summary and Release. CSV Documents

10. The first CSV policy document you should have is a Computer System Master Validation Plan (CSMVP) . The CSMVP describes: Your various approaches to validating systems. Your risk analysis method. System Development Life Cycle / Validation Life Cycle and its documents. Change control process. System categories. CSV Documents Computer Systems Master Validation Plan

11. At least two types of SOPs will be needed: SOPs that pertain to running of the CSV program. SOPs that pertain to the management and use of the computer systems. Job aids can be used, in some cases, to fill this function. CSV Documents (SOPs)

12. CSV Program SOPs should include procedures that define: How to handle protocol deviations. How to handle documentation deviations. Monitoring of approved systems. CSV Documents CSV Program SOPs

13. Typical VLC documents: Validation Test Plan (VTP) User Requirements Specification (URS) Functional Specification (FS) Design Specification (DS) Installation Qualification (IQ), Operational Qualification (OQ), Performance Qualification (PQ) Requirements Traceability Matrix (RTM) Summary Report (SR) Release Report (RR) Some of the above documents can be combined if the project is simple. CSV Documents Validation Life Cycle (VLC) Documents

14. All CSV project efforts should start with a change request. The Change Control Committee will review the request and determine which document deliverables are required for the effort. For large system installations, all of the documents described on the previous slide might be needed. For smaller project efforts, a subset of the VLC documents might be all that’s needed. According to GAMP 5 (Good Automated Manufacturing Practices), a risk analysis should be performed to determine the extent of the effort required to validate a system. The analysis should be done by the CSV group and follow a predetermined method for risk analysis. The method should be described in your Computer Systems Master Validation Plan ( CSMVP ). Performing a risk analysis will help to focus your validation effort and eliminate unnecessary testing and documentation. CSV Documents Validation Life Cycle Project Discussion

15. There are various approaches to building a quality program; however, the suggestions given in this presentation have worked well in my experience. Having a good quality program not only ensures that you are in compliance with federal regulation, but it also can improve your “bottom-line”. Although most validation efforts add about 20% to the cost of purchase, the overall cost of ownership will be reduced when the validation effort is done correctly. As stated in slide 8, buying only what you need and configuring it to meet you business process will, in most cases, save your company money. My final advice is to make sure that you control your project documents. Project documents should be uniquely numbered and associated with the change control request. If the documents are stored electronically, make sure that your storage is 21 CFR part 11 compliant. Conclusion