I
Integrator - 2012
Here's a topic not often discussed I think.
At the end of 7.6 Control of monitoring and measuring equipment, it says:-
'NOTE Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use.'
This was new in 2008. Most external auditors I've seen interpret it to mean that some means of proof that software is working correctly is required, e.g. develop a form with some standard inputs and standard outputs; you verify if your regular check gives the right result (within an appropriate tolerance) and retain the record.
If this is the requirement the application seems patchy. There is so much software these days where do you draw the line. Just a few thoughts;
1) Common software normally works OK but what about a common problem that spreadsheet software formulas have become corrupted by poorly trained humans. Should there be some note in QMS documentation that spreadsheet or other relevant software should be protected where possible to prevent inappropriate alteration of formulas, or access restricted by login as required? Should training in relevant software be listed in Training Registers to reduce the risk of such corruption?
2) Can verification of software be requested from software suppliers? Would this be of value? Of course it can't be proven that the end result will be correct if untrained persons are at the controls, but perhaps this can provide some assurance. It can definitely be argued that in well developed software, source codes are usually protected from any kind of 'messing up' by users.
3) On the other hand verification by the end user must give confidence of no gross error. This would particularly be welcome where there is any doubt as to the software’s efficacy, e.g. ‘in-company' developed software where the chance of mistakes may be greater the software development may be less well resourced.
There's a lot to discuss here!
At the end of 7.6 Control of monitoring and measuring equipment, it says:-
'NOTE Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use.'
This was new in 2008. Most external auditors I've seen interpret it to mean that some means of proof that software is working correctly is required, e.g. develop a form with some standard inputs and standard outputs; you verify if your regular check gives the right result (within an appropriate tolerance) and retain the record.
If this is the requirement the application seems patchy. There is so much software these days where do you draw the line. Just a few thoughts;
1) Common software normally works OK but what about a common problem that spreadsheet software formulas have become corrupted by poorly trained humans. Should there be some note in QMS documentation that spreadsheet or other relevant software should be protected where possible to prevent inappropriate alteration of formulas, or access restricted by login as required? Should training in relevant software be listed in Training Registers to reduce the risk of such corruption?
2) Can verification of software be requested from software suppliers? Would this be of value? Of course it can't be proven that the end result will be correct if untrained persons are at the controls, but perhaps this can provide some assurance. It can definitely be argued that in well developed software, source codes are usually protected from any kind of 'messing up' by users.
3) On the other hand verification by the end user must give confidence of no gross error. This would particularly be welcome where there is any doubt as to the software’s efficacy, e.g. ‘in-company' developed software where the chance of mistakes may be greater the software development may be less well resourced.
There's a lot to discuss here!
