Title
Version 1.0
Document Approval
Name: David Brown | Role: Author | Date: | Signature:
Document Control
Version: 1.0 | Author: David Brown | Date: 08-Aug-2006 | Description: Version 1
Table of Contents
Introduction
1.1 Purpose
1.2 Scope
1.3 Definition
1.4 Responsibility
1.5 References
Determining Whether to Audit the Vendor
Re-Auditing Vendors
Customized Software
Audit Methods
Perform Audit
Audit Report
Follow-Up
Project Impact
1 Introduction
1.1 Purpose
This procedure describes how to perform vendor audits of computer system (hardware and/or software) suppliers. The intent is to ensure that software suppliers are selected based on their capability to provide quality software and documentation that is adequate for validation. Quality cannot be inspected or tested into software. Rather, the quality of software is established during the design of the software and achieved through proper control of the software development process.
The results of vendor audits may be used to recommend potential vendors for new systems being purchased or to specify corrective actions necessary to meet regulatory requirements.
1.2 Scope
Department/Section: Validation and Client Groups.
1.3 Definition
Client: The business group commissioning or using a computer system.
Lead auditor: An individual with the appropriate level of validation experience responsible for managing the vendor audit process.
Software Categories: The following list provides a categorization of software referenced in this SOP:
Category 1 - Operating Systems
Category 2 - Standard Instruments, Micro Controllers, Smart Instrumentation
Category 3 - Standard Software Packages
Category 4 - Configurable Software Packages
Category 5 - Application Specific or Custom Built Software
1.4 Responsibility
Validation and the other disciplines listed within this SOP are responsible for ensuring this procedure is followed. It is the responsibility of the client and IT groups to notify validation management when vendors are being considered to deliver systems. It is the responsibility of the purchasing group to ensure that issues arising from the vendor audit are incorporated in purchase agreements as appropriate.
1.5 References
Document ID Title
2 Procedure
2.1 Determining Whether to Audit the Vendor
Validation management will determine whether to audit the vendor based on the following:
Vendors of Category 1 - Operating Systems software will not be audited because these systems are in wide distribution and validation of this software is implicitly performed through testing of the applications.
Vendors of Category 2 and 3 - Standard Instruments, Micro Controllers, Smart Instrumentation and Standard Software Packages will not be audited because these systems are widely distributed and validation of this software is performed through testing of the applications.
Vendors of Category 4 and 5 - Configurable Software Packages and Application Specific or Custom Built Software will be audited when the vendor uses a significantly different development life cycle.
2.2 Re-Auditing Vendors
When implementing updates or new releases to Category 4 and 5 systems, validation personnel will determine whether re-auditing is needed based on the extent of changes to the system, past history, past audit history, and/or quality history of previous updates and releases. Additionally, re-auditing will be considered based on changes in regulatory requirements.
2.3 Customized Software
Software suppliers who provide customized software must have clearly established procedures for producing this software. Validation should complete an audit of potential suppliers to evaluate the adequacy of their existing procedures. IT staff may assist with the audit. Results of the audit would be used as input in the decision regarding the use of the supplier. The results would also be used to define the procedures that should govern the development of the software.
An agreement must be established as part of contract negotiations with the supplier that defines the validation requirements the supplier must work to. It is the responsibility of those who prepare contracts with vendors to include requirements in the contract for:
producing deliverables according to the purchasing company's procedures or specifying the procedures to be used;
approvals of deliverables by the purchasing company;
timeline for project deliverables; and
a statement from the vendor assuring that the software does not contain undocumented features, does not contain hidden mechanisms that could be used to compromise the software's security, and will not require the modification or abandonment of existing computer security systems.