Back to News & Resources

Operating an un-validated system feels like looking for a needle in a haystack!

When computerised systems are identified and their capabilities assessed and challenged, this provides you with assurance that they can be promptly relied upon to give you the data you need, when you need it.

Below is a list of considerations, when you are assessing the suitability for use of a computerised system before commencing validation.

  • A list of all hardware (both standalone and networked) and software used and it’s intended use.
  • Identify and evaluate vulnerabilities in performance and security of all of these computer systems, including but not limited to, their configurations, administrative rights, password controls, audit trails capabilities and state of implementation for each system, qualification/validation status, deviation history, backup capabilities, network requirements, completeness of data records, suitability of current hardware/software for its intended use(s), change management, and management oversight.
  • Detail the associated user privileges for each system.
    • Specify user roles and associated user privileges for all staff levels who have access to the computerised system, and provide organisational affiliations, responsibilities, and titles. Clearly specify all staff who have administrator privileges.
    • Fully describe how you will ensure segregation of personnel involved first hand in the task, from those with administrator rights. For all staff roles that are permitted to have administrative rights, specify the scope and type of privileges.
  • Assess each system to determine if unique usernames and passwords are used.
  • Evaluate policies and procedures regarding computers and data governance, with special emphasis on audit trails, prohibiting data deletion, and appropriate modifications of results. Specify how your business prevents data deletion and undocumented/inappropriate modifications of data. Also describe how you ensure original data and information is always preserved. Have procedures for audit trail review.
  • Provide requirements for data retention and backup for all computerised systems.
  • For example, describe how you ensure that all quality control tests are performed by an analyst and receive second-tier review from a separate qualified individual (e.g., lab manager). Describe these processes in the relevant procedures.
  • For retrospective validation, document through a risk assessment any interim controls to assure reliable performance and security while a comprehensive validation is being completed.

Written by Sanjay Nadarajah