The life science manufacturer should conduct a detailed audit at the premises of the potential supplier(s) to examine the in-place methods and records reported in the vendor prequalification and in any submitted quotation. Audits may be undertaken before and/or after the quotation phase.

A supplier needs to recognise the importance of this examination in providing a documented record for the pharmaceutical manufacturer’s validation program and be prepared to fully support the audit (and any follow-up activities) in a timely manner. Guidance on computer system supplier audits is available in the GAMP guide and in PDA Technical Report 32.

ISO-Certified

With most system suppliers operating under ISO-certified or similar quality systems, training afforded by appropriate courses on the TickIT guide will also benefit software audits. At a minimum, the following considerations of a supplier’s operations would need to be examined:

  • Company’s finances and stability
  • Management commitment
  • Organisation
  • Quality Management System
  • Professional affiliations
  • Confidentiality
  • Resource availability/qualifications
  • GMP application knowledge
  • Training program
  • Systems availability
  • System life planning/migration
  • System engineering procedures
  • Project procedures
  • Procurement procedures
  • Subcontractor control
  • Production procedures
  • System build security
  • Site installation/testing procedures
  • Handover & final documentation
  • System operating procedures
  • Calibration maintenance procedures
  • Maintenance support and equipment
  • Document control
  • Change control
  • Internal audits
  • Review and approval process
  • Configuration management
  • Contingency/recovery procedure

As appropriate, the following quality assurance practices and records applicable to the operating system software, application specific software, and hardware should be reviewed by the pharmaceutical manufacturer:

  • Operating system code availability
  • Software/hardware specifications
  • Software/hardware design practices
  • Product design records
  • Program coding standards
  • System development records
  • System test records
  • Programming tools
  • Control of non-operational software
  • Removal of dead code
  • Deviation analysis/corrective action
  • Virus detection and protection
  • Software release
  • Master copy and backup
  • Version control
  • Software replication
  • Problem reporting/resolution
  • Fault notification to customers

When pharmaceutical manufacturing processes are automated, the computer software in many instances becomes the “operating procedure”. The following in-built functionality and performance of the computer system itself should therefore also be examined to ensure alignment with GMP application:

  • System controls
  • Access security
  • Data integrity
  • Electronic record/signature
  • Accuracy
  • Repeatability
  • Self-documentation
  • In-built diagnostics

An audit report will serve as the formal record of the audit and its findings, and is a major input into selecting the supplier and determining any necessary corrective actions. To complete the quotation review exercise, the pharmaceutical manufacturer should produce a formal report that summarises the quotation compliance, the key points of the audit report, and the main benefits of each system. The chosen supplier and the reasons for the supplier selection should be clearly stated. A review of the GMP risk implications should be undertaken at this time and may be included as a section of the report.