Managing compliance for computerized lab systems includes the PC controlling your qualified instruments. This is an integral audit point that must be maintained to ensure compliance. Ah, but you’re thinking, "My IT department manages the computer, so it’s their responsibility to make sure the PC is compliant, right?" Well, before I answer, let me ask you a few questions first:
If you answered "No" or "I'm unsure" to any of these questions, then you may have an issue. And keep in mind that you are still accountable for ensuring your PC based system maintains compliance.
Configuration of a PC that operates, collects, and stores data from specialized instrumentation is a bit of a departure for most IT groups. Where hundreds if not thousands of PCs, smart devices, and other peripherals must be managed daily, the small selective group of lab PCs is not an area where IT offers much support. Most likely, if your lab PC was configured out of the box by IT, it received a standard PC business image. This might not be suited for your laboratory needs.
The definition of a PC image in the context of this discussion relates to several factors of a PC: its operating system, group and local security policy settings, file permissions, and registry settings, all which can be used to edit Windows behavior. To effectively manage large numbers of PCs, IT uses a practice known as cloning. This allows them to develop a "standard" image that then can be cloned to multiple PCs (see illustration 1).
While most of what is already on the business image of a PC applies to specialized PCs used in the GxP laboratory and manufacturing environment, there are distinct differences that should exist in the security policy settings. For example, most personal PCs allow a User to change date and time settings. In many corporations, this setting is disabled. This is a "MUST DO" in all PCs that are being used for any type of GMP work, regardless if they are desktops, laptops, or controlling laboratory or manufacturing equipment.
Another potential gap in a business imaged PC is the ability to change the time zone. Yes, you would think that if the IT department has already limited your ability to change date/time, they would also have denied you access to change the time zone, correct? Well not necessarily. At a recent client site, we found that the time zone could still be changed on each of the laboratory PCs that were in scope of our project. Several discussions had to take place before the good folks in IT pushed out a policy change that disabled this setting.
Let’s go back now to one of my earlier questions. Does your IT department understand the nuances of the FDA CFR Part 820.70 or ICH Q7 guidelines regarding computerized systems? The IT department is responsible for pushing out patches and updates to network connected PCs. Which calls to question, do these changes adhere to your department’s change control procedures for GMP systems? Failure to comply with this guideline will lead an auditor to further scrutinize whether or not your lab system is maintained in a validated state.
How is it best to avoid these pitfalls that can exist with a business imaged PC? I typically recommend to our Clients that to affect the needed settings for lab specific PCs, a unique image should be created and cloned to those PCs being used for GMP work. The acronym I use to describe this image is called L.E.A.D., which stands for:
In my CSV experience over the years, I’ve found that developing a L.E.A.D. type image satisfies not only the Lab areas but also Engineering, Manufacturing, and IT themselves (if in fact your IT group still develops/tests software in-house). This will require a coordinated effort between a team of IT network administrators, analysts, and lab system SMEs to define and develop.
Learn more about ProPharma's CSV services. Contact us to get in touch with our subject matter experts for a customized presentation.