Software quality assurance audits

The inspection of the capability of the process in order to gain the required assurance as to the fitness for purpose of the developed software—a measure of its validatabillty—is referred to here as a software quality assurance audit. The software quality assurance audit is occasionally referred to as a Supplier Audit (e.g., in the GAMP Guide). However, a Supplier Audit is also used to audit original equipment manufacturers, hardware suppliers, independent contractors and even an internal department with a pharmaceutical organization. There may be no "software" involved at all. For that reason, the term software quality assurance audit is more preferable than Supplier Audit. 

This chapter does not attempt to explore the software quality assurance audit process or the nature of currently accepted standards of good software... 

In many instances operating system software has already been developed and is offered as a fundamental part of the computer system ready for application software to be developed or configured. In such cases it is prudent to establish the existence of the respective software quality assurance plans and procedures and the design, development, and testing records. Identification and examination of this documentation can be conducted and recorded as part of the supplier audit. (See Sec. VI.)... 

Supplier prequalification response Supplier audit report Project and quality plans Software quality assurance plan Commercial and purchasing specs. 

The definition of supplier validation activities and documentation should be embedded in contractual agreements. In addition, suppfiers should agree to potential inspection by GxP regulatory agencies and Supplier Audit by pharmaceutical and healthcare companies. Supplier Audits can be conducted by the pharmaceutical or healthcare company s own personnel or, if this would compromise the supplier s commercial interests, by an independent software quality assurance auditor, consultant, or validation expert employed by the pharmaceutical or healthcare company. Auditors must be suitably qualified, for example by independent certification by examination to the quafity system standards such as ISO 9001 2000. Suppfier Audits are discussed in detail in Chapter 7. 

Howard Garston-Smith, formerly of Pfizer, has published a book on software quality assurance. It provides a postal audit checklist reproduced in Appendix 7C. If the supplier has already prepared an internal ISO 9000 mapping or an internal audit report on how it aligns to industry standards such as the GAMP Guide, this can be offered as an alternative to the auditor s postal checklist. A reduced postal checklist may be agreed upon, at the very least. Wherever possible, photocopies of actual example documents and test records should be inspected for documentary evidence of validation. Remember that the pharmaceutical and healthcare companies are themselves being inspected for documentary evidence of validation. 

The software life cycle activities extend until retirement of the software. However, in a manner of speaking, life cycle activities extend even beyond retirement since the data must be able to be reconstructed at any time during the life of the product, i.e., the archived record must always be accessible and readable even if the software is no longer commercially available or typically employed in the laboratory. Additional software validation includes implementation of the code and integration and performance testing. There also must be system security, change control procedures, audit trails, calibration, preventative maintenance, and quality assurance. 

The International Standards Organization (ISO) definition of audit is Systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which agreed criteria are fulfilled. The bottom-line goal of the software developer audit process is to allow you to assess the developer s quality assurance (QA) system. 

As with pharmaceuticals themselves, remember that you can t test quality into the finished software product it must be produced utilizing quality processes throughout. Require evidence of quality assurance and development processes within your firm and during vendor audits. 

A Source Code Review must be performed on application software unless there is evidence from the Supplier Audit that the source code has been, or will be, developed in a quality assured manner and subjected to review as part of its development life cycle. The decision and justification not to perform a review must be documented within the Validation Plan. 

This requirement is usually met by means of the audit conducted by the pharmaceutical or healthcare company. The audit examines the quality assurance attributes of the supplier s process, the firm s general capability maturity, and the suitability of its equipment or service suggested for use on the project. Suppliers in this context may be understood to include equipment vendors, service suppliers, or the pharmaceutical or healthcare company s in-house software development department. Regulators hold pharmaceutical and healthcare companies accountable for the use of suppliers whose capability assessment indicates their inability to deliver validatable, compliant software. ... 

As stated above, the validation plan is a crucial document. From experience, the best method to create the plan is to set up a small team, consisting of the user, system expert, and quality assurance representative. The plan will include the results of the risk and software category assessments as well as any additional requirements determined by the supplier audit. The plan will state what documents are required, when they will be produced (i.e., in what order), and by whom. The validation plan will state what must be done in order to confirm that a system will be validated. 

Alternatively, if the decision is made to buy only commercially available software, or only commercially developed add-ons or automation scripts, then the pharmacometrician needs to participate in the key processes used to evaluate the vendor. The occurrence of key quality failures in widely used software has been previously documented (14). Therefore, the pharmacometrician should be intimately involved in the vendor audit process. If the vendor is not performing the quality assurance procedures just outlined for internal development, the cost (both in quality and accuracy of future work) will be in jeopardy. As discussed later in the section on validation documentation, the ability to state what the vendor s quality processes are will mitigate the need to perform functional software testing at the same level that has already been executed by the vendor s quality assurance group. 

Pre-shipment inspection can be performed along with vendor audits to address issues such as software development and quality assurance plans, operational reports, and specific vendor/purchaser inspection reports. 

If the quality of hardware and software objects is not adequately covered through this evaluation, it should be checked before procurement via a questionnaire that contains questions regarding the Quality Assurance System of the supplier. If the questions are not answered satisfactorily and cannot be demonstrated with examples, an audit should be conducted. 

Various types of validation generally required in biopharmaceutical manufacturing include process validation, facility and equipment validation, analytical method validation, software validation, cleaning validation and expression system characterization. Combined with other elements of cGMP, including lot release testing, raw material testing, vendor quality certifications, and vendor audits, the quality of product can be consistently assured. 

---