Managing compliance for computerized lab systems includes the PC controlling your qualified instruments. This is an integral audit point that must be maintained to ensure compliance. Ah, but you’re thinking, “My IT department manages the computer, so it’s their responsibility to make sure the PC is compliant, right?” Well, before I answer, let me ask you a few questions first:
Did you engage your IT Team in the procurement phase of the computerized lab system?
Did your IT department configure (image) the PC before it was installed in your Lab?
Has your IT Team approved the Vendor supplied PC before you requested having it added to your corporate network?
Do you know if your IT support team understands the requirements set forth by both the FDA CFR Part 820.70(i)(1) and ICH Q7 guidelines (2)related to managing change control to your GMP classified system?
Does your IT support team understand how the PC interacts with the equipment/instrument and whether or not system updates, screensavers, or network configuration changes can impact the usability of the equipment?
If you answered “No” or “I’m unsure” to any of these questions, then you may have an issue. And keep in mind that you are still accountable for ensuring your PC based system maintains compliance.
Configuration of a PC that operates, collects, and stores data from specialized instrumentation is a bit of a departure for most IT groups. Where hundreds if not thousands of PCs, smart devices, and other peripherals must be managed daily, the small selective group of lab PCs is not an area where IT offers much support. Most likely, if your lab PC was configured out of the box by IT, it received a standard PC business image. This might not be suited for your laboratory needs.
The definition of a PC image in the context of this discussion relates to several factors of a PC: its operating system, group and local security policy settings, file permissions, and registry settings, all which can be used to edit Windows behavior. To effectively manage large numbers of PCs, IT uses a practice known as cloning. This allows them to develop a “standard” image that then can be cloned to multiple PCs (see illustration 1).
How should a GxP PC image differ from a standard PC business image?
While most of what is already on the business image of a PC applies to specialized PCs used in the GxP laboratory and manufacturing environment, there are distinct differences that should exist in the security policy settings. For example, most personal PCs allow a User to change date and time settings. In many corporations, this setting is disabled. This is a “MUST DO” in all PCs that are being used for any type of GMP work, regardless if they are desktops, laptops, or controlling laboratory or manufacturing equipment.
Another potential gap in a business imaged PC is the ability to change the time zone. Yes, you would think that if the IT department has already limited your ability to change date/time, they would also have denied you access to change the time zone, correct? Well not necessarily. At a recent client site, we found that the time zone could still be changed on each of the laboratory PCs that were in scope of our project. Several discussions had to take place before the good folks in IT pushed out a policy change that disabled this setting.
Let’s go back now to one of my earlier questions. Does your IT department understand the nuances of the FDA CFR Part 820.70 or ICH Q7 guidelines regarding computerized systems? The IT department is responsible for pushing out patches and updates to network connected PCs. Which calls to question, do these changes adhere to your department’s change control procedures for GMP systems? Failure to comply with this guideline will lead an auditor to further scrutinize whether or not your lab system is maintained in a validated state.
L.E.A.D., Don’t Follow
How is it best to avoid these pitfalls that can exist with a business imaged PC? I typically recommend to our Clients that to affect the needed settings for lab specific PCs, a unique image should be created and cloned to those PCs being used for GMP work. The acronym I use to describe this image is called L.E.A.D., which stands for:
In my CSV experience over the years, I’ve found that developing a L.E.A.D. type image satisfies not only the Lab areas but also Engineering, Manufacturing, and IT themselves (if in fact your IT group still develops/tests software in-house). This will require a coordinated effort between a team of IT network administrators, analysts, and lab system SMEs to define and develop.
|CFR||Code of Federal Regulations|
|CSV||Computer System Validation|
|FDA CFR Part 820.70(i)||Any software used to automate any part of the device production process or any part of the quality system must be validated for its intended use. This requirement applies to any software used to automate device design, testing, component acceptance, manufacturing, labeling, packaging, distribution, complaint handling, or to automate any other aspect of the quality system.|
|GMP||Good Manufacturing Practices|
|ICH||International Conference on Harmonization Regulations used to define GMP requirements|
|ICH Q7||Good Manufacturing Practice of API’s (Active Pharmaceutical Ingredients)|
1. Q7 Implementation Working Group ICH Q7 Guideline: Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients 10-June-2015
2. General Principles of Software Validation; Final Guidance for Industry and FDA Staff 11-Jan-2002