A96 CALA Policy on the use of Computers in Accredited Laboratories Revision 1.5 August 4, 2015

Transcription

1 A96 CALA Plicy n the use f Cmputers in Accredited Labratries Revisin 1.5 August 4, 2015

2 A96 CALA Plicy n the use f Cmputers in Accredited Labratries TABLE OF CONTENTS TABLE OF CONTENTS... 1 CALA POLICY ON THE USE OF COMPUTERS IN ACCREDITED LABORATORIES BACKGROUND POLICY STATEMENTS SPECIFIC REQUIREMENTS Integrity and Cntrl f Electrnic Data, Dcuments and Recrds Validatin f Electrnic Systems Cnfidentiality/Security f infrmatin Access Cntrl Retrieval f Electrnic Data, Dcuments and Recrds Maintenance f Electrnic Systems (Cmputers/Sftware) References APPENDIX 1 COMMON REFERENCES WITHIN ISO/IEC 17025:2005 THAT APPLY TO THE USE OF ELECTRONIC SYSTEMS IN AN ACCREDITED LABORATORY. THIS APPENDIX FORMS PART OF THIS POLICY...7 Rev 1.5

3 A96 CALA Plicy n the use f Cmputers in Accredited Labratries CALA POLICY ON THE USE OF COMPUTERS IN ACCREDITED LABORATORIES 1.0 BACKGROUND Labratries accredited by CALA t ISO/IEC 17025:2005 must shw their cntinuing cmpetence t prduce technically valid results. This capability is supprted, in part, in many labratries, thrugh the apprpriate use f electrnic systems (cmputers and sftware - infrmatin technlgies-it) that: Supprt the cllectin f data; Supprt the manipulatin and reductin f data; Supprt the strage, retrieval, amendment, archiving and transmissin f data, dcuments and recrds; and, Supprt the develpment f quality system dcuments and recrds CALA prvides this general guidance and apprpriate methds fr accredited labratries t: Ensure the cntinuing integrity f their electrnic data, dcuments and recrds; Ensure the cntinuing validatin f their sftware; Ensure the cntinuing cnfidentiality f their electrnic infrmatin; Ensure adequate cntrl and tracking fr the amendment f their electrnic dcuments, data, and recrds; and, Ensure the cntinuing retrieval f their electrnic data, dcuments and recrds This CALA Plicy dcuments the requirements fr accredited labratries t maintain accreditatin t ISO/IEC 17025:2005, with regard t the implementatin and use f electrnic systems in supprt f all labratry peratins. 2.0 POLICY STATEMENTS Accredited labratries shall have apprpriate cntrls and prcedures in place fr the cllectin, strage, manipulatin, reductin and transmissin f electrnic data and results. Accredited labratries shall have apprpriate cntrls and prcedures in place fr the develpment, apprval, strage, retrieval, access and archiving f electrnic dcuments and recrds. Rev 1.5 Page 2 f 10

4 A96 CALA Plicy n the use f Cmputers in Accredited Labratries Accredited labratries shall develp, dcument and implement prcedures t frmally dcument the validatin f all sftware and infrmatin technlgy slutins emplyed t supprt labratry peratins Accredited labratries shall implement cntrls and prcedures dealing with electrnic systems that supprt labratry peratins s that these systems meet the requirements given in ISO/IEC 17025:2005 fr paper-based dcuments, recrds, data and results. 3.0 SPECIFIC REQUIREMENTS The fllwing are the areas that wuld nrmally be addressed by electrnic system plicies and prcedures in use at accredited labratries: Integrity and cntrl f electrnic data; Validatin f infrmatin technlgy slutins, including sftware and applicatins; Cnfidentiality/security f infrmatin access cntrl; Retrieval f electrnic data, dcuments and recrds; and, Maintenance f electrnic systems The clauses in ISO/IEC 17025:2005 that may be cited t address the use f electrnic systems used in accredited labratries are given in Appendix 1 t this Plicy. 3.1 Integrity and Cntrl f Electrnic Data, Dcuments and Recrds The integrity and cntrl f electrnic data, dcuments and recrds may depend n the measures taken fr their prtectin frm inadvertent r unauthrized amendment and f their direct crrelatin t riginal data, dcuments, recrds and bservatins Plicy Statement Accredited labratries shall develp and implement prcedures t prevent the inadvertent and/r unauthrized amendment f cmputer sftware, electrnic recrds, dcuments and data. The prcedures shall stipulate the steps t be taken t frmally amend cmputer sftware, electrnic data, dcuments, and recrds. [4.3, 4.13] Cmmn Appraches Cntrlled access t sftware, electrnic recrds, dcuments and data. Create multiple rles that read-nly r read-write. Specify the persns wh are nrmally granted access. Use f user ID and/r passwrds. Use f read-nly strage media. Clear and simple prcedures t mdify sftware, dcuments, recrds and data that prvide the tracking infrmatin fr amendments, which nrmally includes the identity Rev 1.5 Page 3 f 10

5 A96 CALA Plicy n the use f Cmputers in Accredited Labratries f persn amending, date and time f amendment, identity f persn apprving amendment (if applicable), date and time f apprval include the reasn(s) fr change. Back ups f current versins, s as t allw restratin t current cnditin, if current strage media discntinues nrmal retrieval access. Cnsider migratin f data t new media types during the recrd retentin perid. 3.2 Validatin f Electrnic Systems The validatin f cmputer-based applicatins is the result f measures taken t validate the ability f the applicatins t perfrm as specified. Specificatins can vary frm simple wrdprcessing applicatins t cmplex algrithms in dedicated measurement applicatins, such as Crdinate Measuring Machines (CMM). The Nte in Clause f ISO/IEC 17025:2005, indicating that validatin f cmmercial ff-the-shelf sftware des nt apply t cmputing applicatins that are used t cllect, manipulate r reduce data. Fr these types f applicatins, Clause gverns, because the applicatin is cnsidered t be a piece f measurement equipment, whether r nt it was purchased frm a cmmercial vendr Plicy Statement Accredited labratries shall develp and implement prcedures t frmally dcument the validatin f cmputer systems (sftware and applicatins) in supprt f labratry peratins. Such validatin shall be cmmensurate with each type f cmputer-based slutin used in the labratry and its intended purpse and scpe. [5.4, 5.5] Cmmn Appraches Determine the level f validatin required fr the electrnic system (hardware, firmware, r sftware, r parts f all f them) frm its classificatin as either Cmmercial, Cmmercial-user-mdified, User-develped. Dcument the validatin prcess used. See Figure 3 f Sftware Validatin in Accredited Labratries (reference 1). Mnitr the cntinuing validatin f the electrnic system thrughut its life cycle in the labratry. See Figure 1 f Sftware Validatin in Accredited Labratries. ASTM E2066 Standard Guide fr Validatin f Labratry Infrmatin Management Systems EPA 2185 Gd Autmated Labratry Practices ( publicatin n. EPA-220-B ) 3.3 Cnfidentiality/Security f infrmatin Access Cntrl The security f sftware and electrnic infrmatin, regardless f its cnfiguratin as data, recrds r dcuments, is the result f measures taken t prtect it frm unauthrized access, viewing and disseminatin. Rev 1.5 Page 4 f 10

6 A96 CALA Plicy n the use f Cmputers in Accredited Labratries Plicy Statement Accredited labratries shall develp and implement prcedures t prvide adequate prtectin fr sftware, electrnic recrds, dcuments and data in rder t prevent access and viewing by unauthrized persns. Such prtectin shall be cmmensurate with each type f recrd, dcument r bservatin/data pint cllected, stred, r maintained by the labratry. [4.3, 4.13, 5.4, 5.5] Cmmn Appraches Cntrlled access t sftware, electrnic recrds, dcuments and data. Specify the persns wh are nrmally granted access. Use f passwrds r digital signatures. Tracking f access t sftware, electrnic recrds, dcuments and data. Use f increased levels f security, such as Public Key Infrastructure (PKI), r ther types f encryptin, in the transmissin and receipt f electrnic recrds, dcuments and data. Use f firewalls t cntrl external access. Assurance that electrnic-signatures are permanently linked t specific instances f data. 3.4 Retrieval f Electrnic Data, Dcuments and Recrds The retrieval f electrnic data, recrds r dcuments, is a cntinuing measure f its availability, bth during and after its use within the labratry Plicy Statement Accredited labratries shall develp and implement prcedures t prvide adequate facility fr the cntinuing retrieval f electrnic recrds, dcuments and data in rder t permit access and reference t such recrds, dcuments and prcedures fr as lng as the labratry may require such access and reference. [4.3, 4.13] Cmmn Appraches Off-site strage. Use f frmats that are likely t be used in the future such as Adbe Acrbat (*.pdf) frmat r XML frmat r ASCII frmat. Use f media that are likely t be used in the future such as CD-ROM, DVD ROM, memry cards and USB drives. Ensure migratin f data when it needs t be transferred t new media. Use f an apprpriate methd f indexing archived data t facilitate ease f retrieval. Rev 1.5 Page 5 f 10

7 A96 CALA Plicy n the use f Cmputers in Accredited Labratries 3.5 Maintenance f Electrnic Systems (Cmputers/Sftware) The maintenance f electrnic systems (sftware and applicatins) in a labratry is a measure f the ability f the labratry t mnitr the perfrmance f all f the cmpnents f the electrnic system and effect preventive and crrective actins n their use Plicy Statement Accredited labratries shall develp and implement prcedures t effect the maintenance f electrnic systems (sftware and applicatins), which may include sftware, firmware and/r hardware, s as t prevent nn-cnfrming peratin f the electrnic system. [5.5] Cmmn Appraches Operatin by trained and qualified persnnel. Preventive maintenance schedules fr hardware. See reference 1 belw by Gregry D. Ggates, Sftware Validatin in Accredited Labratries, 27 Sep Dcument the validatin prcess used. Mnitr the cntinuing validatin f the electrnic system thrughut its life cycle in the labratry. Inclusin f electrnic systems within labratry calibratin prgram, as required. Identificatin f triggers t re-validate that define when re-validatin needs t ccur and the level f detail required. 3.6 References 1. ISO/IEC 17025:2005, General requirements fr the cmpetency f testing and calibratin labratries. 2. Gregry D. Ggates, Sftware Validatin in Accredited Labratries, 27 Sep 2001, 3. Marianne Swansn, Natinal Institute f Standards and Technlgy (NIST), Security Self-Assessment Guide fr Infrmatin Technlgy Systems, NIST Special Publicatin , US Gvernment Printing Office, Washingtn, August 2001, pp. 98. Nte: NIST SP is superseded by NIST SP (revisin 4) and the NIST SP A (Revisin 1) ASTM E2066 Standard Guide fr Validatin f Labratry Infrmatin Management Systems 5. EPA 2185 Gd Autmated Labratry Practices ( publicatin n. EPA-220-B ), Rev 1.5 Page 6 f 10

8 A96 CALA Plicy n the use f Cmputers in Accredited Labratries 4.0 APPENDIX 1 COMMON REFERENCES WITHIN ISO/IEC 17025:2005 THAT APPLY TO THE USE OF ELECTRONIC SYSTEMS IN AN ACCREDITED LABORATORY. THIS APPENDIX FORMS PART OF THIS POLICY Clause Extract / Wrding Plicy Cnsideratin c shall have plicies and prcedures t ensure the prtectin f its clients cnfidential infrmatin and Integrity f data and Access cntrl Prcedures exist t prtect client s infrmatin prprietary rights, including prcedures fr prtecting the electrnic strage and transmissin f results shall establish and maintain prcedures t cntrl all Integrity f data and Access cntrl Prcedures t cntrl sftware dcuments... in this cntext, dcument culd be. sftware. These may be n varius media, whether hard cpy r electrnic, All dcuments issued.shall be reviewed and apprved fr use The prcedure(s) adpted shall ensure that: a) authrized editins f apprpriate dcuments are available at all lcatins the altered r new text shall be identified Prcedures shall be established.. dcuments maintained in cmputerized systems are made and cntrlled All recrds shall be readily retrievable hard cpy r electrnic media The labratry shall have prcedures t prtect and back-up recrds stred electrnically and t prevent unauthrized access t r amendment f these recrds. Integrity f data Quality system reviewed and apprved by authrized persnnel by electrnic signatures r passwrd prtectin and/r retentin f apprval recrds in hard cpy. Integrity f data and Retrieval f data Authrized editins f apprpriate dcuments all lcatins. (Intranet, NT file Share) Integrity f data Altered r new text shall be identified (electrnic dcument) Integrity f data Prcedures shall describe hw changes in dcuments, including sftware are cntrlled. Retrieval f data Recrds (electrnic media) shall be stred and maintained s that they are retrievable Integrity f data and Access cntrl Prcedures t prtect and back-up electrnic recrds. Rev 1.5 Page 7 f 10

9 A96 CALA Plicy n the use f Cmputers in Accredited Labratries Clause Extract / Wrding Plicy Cnsideratin shall retain recrds t establish an audit trail Integrity f data and Retrieval f data Retain recrds fr the retentin perid (ld versins f sftware als) Observatins, data and calculatins shall be recrded When mistakes ccur in recrds,.in the case f recrds stred electrnically, equivalent measures shall be taken t avid lss r change f riginal data The labratry management shall ensure the cmpetence f all wh perate specific Access t and use f areas affecting quality shall be cntrlled The labratry shall have instructins n the use and peratin f equipment Calculatins and data transfers shall be subject t apprpriate checks in a systematic manner a) cmputer sftware develped by the user is dcumented in sufficient detail and suitably validated b) prcedures are established fr prtecting data, such prcedures shall include integrity, cnfidentiality Integrity f data Observatins shall be recrded at the time they are made. (electrnic). Integrity f data and Access cntrl Electrnic recrds shall avid lss t riginal data (audit trails) D Databases and spreadsheets include "audit trails" t nt allw previusly recrded data t be bscured? Validatin and Maintenance f electrnic system Des evidence shw that persnnel invlved in use f Custm Sftware have adequate training? If the Custm Sftware was develped in-huse, is there evidence that they have adequate training in the develpment f these types f slutins? Integrity f data and Access cntrl Server rms r server access shuld have limited access Integrity f data Validatin and Maintenance f electrnic system This includes sftware. D adequate instructins exist fr the peratin & maintenance f the sftware? Integrity f data and Validatin f Electrnic system Calculatins (spreadsheet) and data transfers (tables) shall be subject t checks. Where ther prgramming appraches are used t effect data manipulatin and transfer, there must be sme methd established t ensure that these are checked as well. Validatin f Electrnic system Sftware shall be validated and dcumented even if cmmercial sftware is cnfigured fr specific use Integrity f data and Access cntrl Prcedures are established t prtect data Rev 1.5 Page 8 f 10

10 A96 CALA Plicy n the use f Cmputers in Accredited Labratries Clause Extract / Wrding Plicy Cnsideratin c) cmputers and autmated equipment are maintained Integrity f data and Maintenance f Electrnic system Cmputer and autmated equipment are maintained Nte Cmmercial ff-the-shelf sftware in general use, within their design applicatin range, may be cnsidered suitably validated. Hwever, sftware cnfiguratin/ mdificatins shuld be validated as in a) Equipment, and its sftware.shall be capable f achieving the accuracy required. Befre being placed in service, equipment (sftware) shall be calibrated r checked t establish that it meets the labs requirements Each item f equipment and its sftware used fr testing shall be uniquely identified. Validatin f Electrnic system The sftware validatin nte allws labs t take credit fr assumed validatin effrts made by the manufacturer f purchased sftware but requires that individual spreadsheets, macrs, and all cnfiguratin / mdificatins / setups be validated. This des nt apply t electrnic systems used t acquire, manipulate r reduce data, such as hard-cded firmware that is ften supplied with cmputer-driven devices. Validatin and Maintenance f Electrnic system Des the accuracy f the Firmware/Sftware meet r exceed the accuracy required by the test methd r ther relevant specificatin? A gd test is the uncertainty cntributin f the device (and its prgramming) t the verall uncertainty f the test result. All deplyed sftware shuld be verified prir t being placed in service by perfrming sme user acceptance testing such as a cmparisn f the requirements against features. This includes placement int service fllwing a mve r after being shipped back frm calibratin r maintenance. Maintenance f Electrnic system Each item f equipment & sftware shall be uniquely identified. Prcedures shuld include dcumenting the versins in use (versin cntrl) Recrds shall be maintained Maintenance f Electrnic system Recrds shall be maintained f equipment & sftware. Firmware is prgramming that is inserted int prgrammable read-nly memry (prgrammable ROM), thus becming a permanent part f a cmputing device. Firmware is created and tested like sftware (using micrcde simulatin). When ready, it can be distributed like ther sftware and, using a special user interface, installed in the prgrammable read-nly memry by the user. Firmware is smetimes distributed fr printers, mdems, and ther devices cntrlled by cmputers. Rev 1.5 Page 9 f 10

11 A96 CALA Plicy n the use f Cmputers in Accredited Labratries Clause Extract / Wrding Plicy Cnsideratin Where calibratins give rise t crrectin factrs prcedures t ensure that cpies (e.g. in cmputer sftware) are crrectly updated. Validatin f Electrnic system Des evidence exist cnfirming crrect sftware deplyment at each target installatin? Cnsider the same apprach t sftware as fr ther dcuments such as dcument cntrl (sftware management), distributin cntrl Test and Calibratin equipment, including sftware, shall be safeguarded frm adjustments NOTE j The test reprts r calibratin certificates may be.by electrnic data transfer the identificatin f persn(s) authrizing the test reprt r calibratin certificate in the case f transmissin f test r calibratin results by electrnic means, the requirements f this Internatinal Standard shall be met Integrity f data and Maintenance f Electrnic system Sftware shall be safeguarded frm adjustments such as passwrd prtectin n spreadsheets r ther files. Integrity f data Reprts may be issued electrnically Integrity f data Reprts may cntain electrnic signatures. LIMS systems shuld have established authrizatin prtcls. Integrity f data Reprts may be transmitted electrnically. Whatever methd f transmissin is used, it must prvide an the same level f prtectin f integrity f infrmatin affrded t paper dcumentatin. Rev 1.5 Page 10 f 10