Periodic Review Process
The following diagram provides an overview of performing a periodic review of a computer system.
Inputs to the review process include:
- Design Documents (Specifications, Risk Assessments, etc.)
- Incident Log / Fault Sheets and Maintenance
- Deviations
- Change Controls
- SOPs (Operation, Maintenance, Security Management, etc.)
The start of the review should identify whether there have been any regulatory or company policy changes since qualification / last review. If identified, then a gap analysis should be performed on the system and associated documentation against the change. Where gaps are identified then a decision should be made as to whether corrective action is required.
Identify Trends
Trends should be identified for computer systems faults. Have a number of deviations and/or incidents been attributed to the computer system? When trends are recognized, the root cause should be identified (via a root cause analysis) and an action plan should be put in place.
Review SOPs
Standard Operating Procedures for the Operation, Maintenance and Security Management should be reviewed along with the design documentation. These documents should be current and up to date. They should be reviewed against changes to ensure that there has been no impact. In addition, audit trails/security access logs should be reviewed to ensure that the systems are controlled in secure fashion.
For process control systems, alarms should also be reviewed. Pareto charts can be useful to identify the most re-occurring alarms and target process/operational improvement in reducing the alarms, or determining process improvements to reduce the out of specification conditions.