We’re in the process of making some changes in functionality to a software database that stores and manages quality “events” at our facility (eg change controls, deviations, OOS etc). The risk assessment has determined there is no GMP risk in relation to the proposed changes. A protocol has been drafted to test if these functional changes are as per the user requirement specification.
My question is - The software itself has indirect GMP impact (and has been previously validated) but since there is no GMP relevance on the software changes does the protocol have to be a validation document (with pre/post QA approval) or can it be merely a simple functional testing protocol handled internally by IT?
Lots of “ifs” to consider. The biggest of which would be your internal procedures - do they allow you to do what you’re suggesting?
You’ll definitely want to get QA to sign off on the risk assessment (indicating no GMP risk with the changes). If they agree to that then you might get their agreement to not require QA pre/post approval.
If I was QA, I would probably push back. While the changes may not have a direct impact on GMP, there may well be an indirect impact. For example, there could be new security issues. There could be problems filling up databases. I would typically expect some level of re-qualification just to have a level of confidence that the changes truly didn’t break anything.
The same question also appears in front of me quite often. But there are many non-GxP systems that process data critical to operation of the business, such as those involving financial, medical, or certail personnel data. Some of these could greatly benefit from structured approach to software QA, testing, and system maintenance that are required for validation. In my opinion the IT team must consider the validation of such systems as a part of good business practice.
My above explanation is also referring to the reply by Yodon i.e. “If I was QA, I would probably push back”… I agree with Yodon’s comment.
I suppose my question is borne from lack of human resource (Validation & QA) and looking to streamline processes moving forward.
QA do sign off on all RA’s and would like to think the assessment would be comprehensive enough to unearth direct and indirect GMP challenges (although this may not always the case).
I think it’s best to err on the side of caution and have QA approval on all IT testing regardless if the changes to a given system are relevent to GxP.
In our organisation we get signoff on most of the IT documents with QA. We have kept QA in IT scope as well and have covered their signoffs on all IT SOPs. We take sign off from QA in PVP/VMP, URS, FRS, CSD,QP,VSR and SRCs.
I believe its better to keep QA as well in the scope of IT and can train them on IT SOPs as well.
Regards
Sourav