Principle
- The introduction of computerised systems does not alter the need to observe the relevant principles given elsewhere in the Code. Where a computerised system is implemented, there should be no adverse effect on product quality and safety, or security and integrity of data.
General
- Where a computer is used in connection with a step in the manufacture of the product, it should meet the same quality systems requirements as the manual functions that it replaces.
- Computer equipment should be located in appropriate conditions where environmental factors cannot interfere with the system.
- The development and subsequent modification of manufacturing systems software should follow appropriate development methodology using a quality system approach.
- The development, implementation and operation of a computer system should be carefully documented at all stages and each step proven to achieve its written objective.
- When a computer system replaces a manual operation, records should demonstrate that the two systems have operated in parallel, and been found equivalent, before the computer system is used for the manual operation it replaces.
- The following documentation and records for the computer system should be available:
  - a written protocol for the initial verification and prospective validation of the computer system;
  - a general description (including diagrams as appropriate) of the system, its components and operating characteristics;
  - a list of programs with brief description of each;
  - diagrams of hardware layout and interaction, system logic or other schematic forms for manufacturing systems software packages (excluding Operating Systems and similar);
  - a review of hardware and software "start up" and "normal run" fault logs during development and subsequent ongoing use of the computer system;
  - records of evaluation data to demonstrate that the system is operating as stated (verification stage and ongoing monitoring);
  - range of limits for operating variables;
  - details of access security levels/controls;
  - details of formal change control procedures;
  - procedure for ongoing evaluation; and
  - records of operator training.
- Any change to an existing computer system should be made in accordance with a documented change control procedure. Records should include the following:
  - the purpose and date of implementation of the change;
  - checks to confirm the changes have been correctly applied; and
  - checks to confirm that the changes do not adversely affect the correct operation of the system.
- The following procedures and controls should be adopted for records retained by computer storage:
  - records should be regularly and progressively backed up, and the backup retained at a location remote from the active file;
  - data collected directly from equipment and control signals between computers and equipment should be checked by verification circuits/software to confirm accuracy and reliability;
  - interfaces between computers and equipment should be checked to ensure accuracy and reliability;
  - there should be documented contingency plans and recovery procedures in the event of a breakdown. The recovery procedures should be periodically checked for the return of the system to its previous state; and
  - the system should be able to provide accurate printed copies of relevant data and information stored within. Printed matter produced by computer peripherals should be clearly legible and, in the case of printing onto forms, should be properly aligned onto the forms.
- The system should include, where appropriate, built-in checks of the correct entry and processing of data.
- The confidentiality of donor information should be maintained.
- Data should only be entered or amended by persons authorised to do so. Suitable methods of deterring unauthorised entry of data include the use of keys, pass cards, personal codes and restricted access to computer terminals. There should be a defined procedure for the issue, cancellation and alteration of authorisation to enter and amend data, including the changing of personal passwords. Consideration should be given to systems allowing for recording of attempts to access by unauthorised persons.
- Critical data entered manually into a computer system should be checked for accuracy by a second person. The persons carrying out the data entry and verification should be identifiable.
- The computer system should create an audit trail of any changes to electronic data. The record should include the time of each change, the nature of the change, and the identity of the person involved.
- Data should be secured by physical or electronic means against wilful or accidental damage. Stored data should be checked for accessibility, durability and accuracy. If changes are proposed to the computer equipment or its programs, the above-mentioned checks should be performed at a frequency appropriate to the storage medium being used.
- Critical computer-dependent systems should have alternate systems available in the event of a systems failure.
- When outside agencies are used to provide a computer service, there should be a formal agreement including a clear statement of the responsibilities of that outside agency.
- When the release of product is carried out using a computerised system, the system should recognise that only an authorised person can release the product and it should clearly identify and record the person releasing the products.