Computer System Validation

[yodon]

can the qualified person record that each of the 3 OTS meets the assurance activities?

Ideally, you want to provide objective evidence to support whatever assertions are being made. Checking a box saying "yeppers, we're good" isn't either objective or evidence, necessarily.

And to expand ion the point I believe @Tidge was making about integrity and authority, I think there's often way too much focus on testing, especially with commercial applications (which, I believe was one of the problems FDA was hoping to resolve with the assurance approach). Let's say you have an application to track where product is delivered and you would rely on that if you ever needed to do a recall or similar. Is that data adequately protected from loss or untraceable changes? I've seen a lot of applications where, for whatever reason, were set up either with all users having all rights (e.g., admin) or a single, generic login. That kind of situation would worry me more than proving a commercial application with millions of users can perform a basic operation.

 

[Tidge]

@yodon got to an example of what I mean by integrity and authority... some records shouldn't be changeable (integrity) by anybody (authority)... the electronic records and electronic signatures requirements of Part 11 come into play.

As to which records fall into this category... it is basically the electronic records that replace paper records generated and kept to satisfy "the part" in question, so 21 CFR 820 for medical devices. Part 11 is highly limited in scope, and there are any number of practices at a medical device manufacturer that don't require records... but many organizations put their own requirements on certain processes... but that is from the manufacturer (often following the Chicken Little advice from a third party), not the FDA.