(COMPANY LOGO) CGMP COMPUTERIZED SYSTEM VENDOR AUDIT QUESTIONNAIRE

Transcription

1 1. GENERAL COMPANY INFORMATION (COMPANY LOGO) 1.1 Name Address Years in Business Number of Employees Services Performed or Products Manufactured Prior Experience with (Company Name) 1.2 Please provide references for whom you have performed services similar to those to be performed for (Company Name). 1.3 Describe the general financial status of your company. Annual Sales Current Financial Status Ownership Structure 1.4 Do you have a Quality Assurance unit? If yes, how is it structured, and if no, how do you deal with Quality Assurance functions? Please outline your Quality Assurance Units functions in software development. 1.5 Are you aware of the pharmaceutical industry practice of validating computerized systems? Are you aware of FDA s GMP requirements and how they apply to software used by FDA regulated industry? Have you identified GMP requirements for your software? If so, what GMP issues have been identified? Have your programmers and development managers had GMP training? Example Only 1

2 1.6 Do you have any experience in assisting a customer with validation of a system or its components? Please give an example. 2. PRODUCT DEVELOPMENT INFORMATION 2.1 If product or service is of a customized nature, please provide major qualifications or resumes of primary individuals involved. 2.2 Do you use professional standards? If yes, list; if no, describe your development process? 2.3 Are requirements and specifications written in early stages of development? If yes, describe this procedure. 2.4 Do you follow a System Development Life Cycle approach or other formal system for software application development? If yes, describe the system. 2.5 How do you assure that the methodology is followed? Describe. How do you document compliance with the methodology? 2.6 Are walk-throughs conducted at designated intervals during design? If yes, describe a typical walkthrough How are code walk-throughs documented? Is this documentation available to the customer? To the FDA? 2.7 What procedure is followed when an error or anomaly is detected (e.g., program, system, hardware, or data error)? Is unit testing performed? How is it documented? Is this documentation available to the customer? To the FDA? Is software integration testing performed? How is it documented? Is this documentation available to the customer? To the FDA? Example Only 2

3 2.8 How is system testing performed and documented? 2.9 Who performs the tests? 2.10 Who approves the test plan and results? 2.11 Are challenges to the tests performed by someone other than the developer? Describe How do you assure that test procedures are followed? 2.13 Are test procedures routinely reviewed and updated? If yes, at what frequency? 2.14 At what point in new product or application development does the client or customer take ownership? What software metrics are collected and evaluated? 3. TECHNICAL DOCUMENTATION Please advise if the following list of technical documentation is provided to a client or customer. If not, please offer explanation and alternative. Diagnostic Kits Description of Data Structures Sample of Output Reports Hardware Manuals Source Code 4. SECURITY POLICY 4.1 Describe the physical security you have at the development facility. 4.2 Describe the specific forms of computer security in place to protect your software development. 4.3 Describe your software archiving and documentation storage procedures. 4.4 Describe how the security policy is enforced. Example Only 3

4 4.5 Describe how unauthorized changes to the source code are prevented. 5. CONFIGURATION MANAGEMENT 5.1 Hardware/Equipment Describe how a customer is notified of a recall Are recalls only honored during the warranty period? Please provide warranty information. 5.2 Software Describe the documentation/help on correcting bugs or errors when they are found Describe the documentation of error and solution Who authorizes software changes? How do you ensure that the changes that are authorized are the ones made? If you use procedures, are they adequate and complete, and do they provide control over changes? Please provide an example of a control of change procedure If major changes to systems are released to the customer as new versions, when and how are version numbers changed? Describe how a customer is notified of a new version Are customers made aware of software defects detected by other customers? If so, describe the system. Example Only 4

5 6. TRAINING 6.1 Describe the type of training you offer the customer. 6.2 Who performs the training? 6.3 Where is the training conducted? 7. PERFORMANCE TESTING 7.1 List and describe the aspects of system performance that are tested (e.g., database, on-line transaction volume, large db batch processing, I/O performance). 7.2 Do you have performance testing results, and are they available for review? If yes, please be prepared to provide these results. 7.3 Do you provide for user acceptance testing? Where and when does testing take place? 8. BACKUP/DISASTER RECOVERY 8.1 Do you have a plan for software backup and storage of backups? If yes, please describe. 8.2 Do you have a plan for disaster recovery. If yes, please describe. 9. Do you have a complete set of high level requirements for currently marketed systems? 9.1 Do you have a complete set of detailed software design specifications for currently marketed systems? 9.2 Do you perform software V & V? Describe. Example Only 5