Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
ACEUTICA
ACTA
HELVETIAE
ELSEVIER Pharmaceutics Acta Helvetiae 72 (1998) 343-348
Abstract
In recent years the introduction of computer systems for data handling in the pharmaceutical industry has increased. A standard LIMS
(laboratory information management system) is software commercially available from different suppliers not only to facilitate data
handling in laboratories but also to cover GMP-requirements. Computer systems introduced in GMP-areas of pharmaceutical companies
have to be validated. For a standard LIMS, the general validation of the program is performed by the supplier. Nevertheless, the user is
always required to cover all phases of a validation. The objective of this paper is to discuss suitable test procedures for the most critical
functions of a standard LIMS needed during the verification step of the validation process. 0 1998 Elsevier Science B.V.
The validation test plan is based on a risk analysis. In The validation scheme can be divided into three parts:
order to guarantee as much security as possible during During the first part the data to be keyed-in as well as the
routine utilisation of the program critical functions have to expected result have to be defined in writing. The second
be defined and certain numbers of test runs have to be part covers the practical realisation of the test: Introduction
done (FDA, 1987). All critical functions and modules of of data and documentation of the actual result in writing.
the program should be covered in the test plan. The In the third part the actually obtained results are compared
relation of effort to result must nevertheless stay in an with the expected results and a final assessment of the
acceptable range, which means, must assure the most particular test is done.
security with the least possible expense. What has been After carrying out the testing of all functions, a global
agreed upon during the vendor audit and specified during assessment and rating of all results is performed (Beizer
continuous contacts with the supplier might give additional and Van Nostrand, 1995). Each single result is part of this
advice to define critical functions and modules of the assessment and contributes to the final decision whether or
program. not the program is working as expected and according to
what has been required initially (GAMP, 1996). For each
function to be tested the validation test scheme in Scheme
2.2. Validation testplan 1 has been applied.
3.1.1. Correct user-password combination istic. Two different ways are possible depending on the
The correct log-in is tested for each existing user group structure of the program: A program that independently
(e.g. technician, group leader, supervisor). creates a unique number for each following order can be
checked by generating new orders. These have to differ
3.1.2. Wrong user-password combination from the first one in at least one characteristic. With
The test should include existing users and existing various orders already generated it should not be possible
passwords, but in wrong combinations as well as not to create another additional order with an already existing
existing users and passwords in order to prove the access number. If manual numbering for order generation is pos-
refusal. sible, the test can easily be performed. Simply try if the
same identification characteristic can be used a second
3.1.3. Various log-ins of the same user at dtfberent loca- time.
tions at the same time
It has to be checked whether or not the same user can 3.2.2. Change of predejined fields
log-in at different locations. Depending on the program During order generation specific fields are automati-
characteristics the correct result can be positive or nega- cally filled in by the program. If it is not allowed to change
tive. given information, this has to be proved by trying to
change all these predefined fields.
3.1.4. Access to different program masks for different
3.2.3. Access to not yet released data
users
Information that is needed for creating an order has to
If the access to specific masks is defined with the user
be released before it can be used. Check if access to still
groups (access levels) the access can already be checked
unreleased data is denied.
with the log-in of different users out of different user
groups. If the access is defined especially for each user
3.2.4. Incomplete orders
individually, the test will be much more intensive since the
It has to be tested if an order can be generated with
test should be done for almost each individual user. Table
required information/data missing. Depending on the pro-
1 shows the possible combinations to be tested.
gram this is or is not possible. Check if the required
information/data can be added to an already existing
3.2. Order generation
order.
After the log-in and before starting the introduction of 3.2.5. Order traceability
results into the LIMS an order has to be generated. The It is important to be able to track “who did what and
following functions and modules related to order genera- when’ ’ . The name of the user, date and time should be
tion should be tested. registered together with the order created.
3.2.1. Order generation with a unique identification char- 3.2.6. Order status
acteristic At each time the order should be visible to the users
The program has to guarantee that each order created is with its respective status in order to check the progress of
registered with at least one unique identification character- the order.
Table 1
Possible tests for different user-password combinations
Access level Correct Wrong user Wrong user Correct Wrong password Wrong password
(e.g.) user name name (existing) name (not existing) password (existing) (not existing)
Technician X X
X X
X X
X X
X X
X X
X X
X X
X X
346 D. Friedli et al./Pharmaceutica Acta Helcetine 72 (1998) 343-348
A LIMS normally provides 2 possible ways of how to Today most networks are based on a client-server
decide on an order. An order can be automatically finalised structure which connects various PC’s (clients) and differ-
by the program itself. An order can also be finalised ent printers. It has to be checked whether the ‘communica-
manually if control of a supervisor is still necessary or a tion’ between the different locations works as designed.
secondary decision is required. Manual decisions are only
to be made by competent authorised personnel as the order 3.6.1. Verification of data introduced - Data printed
decision is also a critical function within a LIMS. For the With the printouts it has to be verified whether the data
manual order decision a special access level has to be keyed-in is identical with those printed. In addition any
defined. Further on it has to be checked whether only the comments introduced can also be checked for their pres-
user group that has been given authorisation has access to ence on the print-out.
the decision function. Generally users without a decision
permit cannot even open the decision mask or the decision
3.6.2, Print-out at different printers
button remains inactive. The following functions should be
In order to guarantee that all printers work equally, the
tested:
following tests are recommended.
Print reports and certificates at different printers in
35.1. Release with correct results order to compare them for completeness and correctness.
An order will be released if all results comply with Print reports and certificates at different PC’s (clients)
specifications and no errors and deviations have been in order to compare them for completeness and correct-
recorded. ness.
Print particular reports with special characters and spe-
3.5.2. Release with non-compliant results cific symbols in order to check for correctness.
An order with one or more non-compliant results is
generally not releasable by the system. Check if it is still 3.6.3. Print-out of archived data
possible to release this order manually. This certainly Compare original print-outs with prints-outs made out
depends upon the structure of the program and the decision of the archive and check whether the data is identical.
levels defined.
3.7. Total run
3.5.3. Secondary decision with non-compliant results
Orders that cannot be released because of out of specifi- It is strongly recommended to perform some entire runs
cation results have sometimes to be nevertheless continued (black box) in order to control the system from the begin-
under certain circumstances. For this reason the program ning to the end (Wolf, 1996). It is important to do total
should provide a possibility for a secondary decision which runs on different product types/order types in order to
can only be performed by authorised users and normally cover most of the system functionality that will be used
also implies a written justification. during routine operation. It may be advantageous to per-
form the total runs with actual data such as real products
3.5.4. Rejection and specifications. This already assures that specific func-
An order with non-compliant results that cannot be tions that are needed have already been tested.
released, not even by a secondary decision, will be re-
jected. It must not be possible to generate certificates of 3.8. Evaluation of all tests - Conclusion
this order/product. For a rejection a motivation text is
normally required as well. Each single test evaluation contributes to the final as-
sessment of the entire test. The final decision can be
3.5.5. Order decision registered with user, date and time positive or negative. A final positive assessment is achieved
Each order decision, release as well as rejection, should if all required tests and functions meet the expected results.
be recorded in the system with user, date and time. The validation report can be finalised and the program can
Status of the order (Release/Reject) be released for use. If the final evaluation results in a
After order decision the status of the order should be negative assessment the program has to be corrected and
visible in the system with its respective status. revalidation tests are necessary.
348 D. Friedli et al. /Pharmaceutics Acta Heluetine 72 (1998) 343-348
4. I. Separate database
References
Using a separate database all data that is used during
APV-Fachgruppe Informationstechnologie, 1996. APV - Computerunter-
validation has to be introduced again for routine and
stiitzte Systeme. Pharm. Ind. 58 (71, 590-598.
consequently needs more time and effort. Nevertheless, Beizer, B., Van Nostrand R., 1995. Software Testing Techniques. New
with a separate database the validation work is very well York.
documented and reproducible. The most important issue is FDA, 1987. Guidelines on General Principles of Process Validation. 5600
that it has to be guaranteed that the program works identi- Fisher Lane, Rochville, Maryland 20857.
GAMP Good Automated Manufacturing Practice, 1996. Pharmaceutical
cally during validation and routine.
Industry Supplier Guide for Validation of Automated Systems in
Pharmaceutical Manufacture, ISPE.
4.2. Identical database Huber, L., 1996. Validierung Computergesteuerter Analysensysteme: Ein
Leitfaden fur Praktiker. Springer Verlag, Berlin, Heidelberg, New
Validating on the same database is not as time and work York.
Huber, L., 1996b. Validierung Computerunterstiitzter Systeme. Pharm.
consuming since the data is only introduced once. During
Ind. 58 (lo), 935-940.
validation the same data is tested as it is used afterwards PMA, CSVC, 1986. Validation Concepts for computer System, Valida-
for routine, which means that introduced data has already tion in the Manufacture of Drug Products. Pharm. Technol. lO(51,
been proven during validation and does not have to be 24-34
checked again for routine. The validation is only docu- Teuchert, V., 1996. Prozessleitsysteme in der Pharmaproduktion. Pharm.
Ind. 58 (lo), 930-934.
mented by the hard copies, but is not reproducible since
Wolf, H., 1996. Die Anwendung der GLP-Grundsltze auf
the same database is used. computergestiitzte Systeme (OECD 19951, Deutsche ubersetzung.
If the final conclusion after the validation process was Konsenspapier GLP u. DV/306. OECD-Originaldokument:
positive and the program has been released for use, any OCDE/GD, 1995, p. 115.