Validating Operating system

diogo19

Starting to get Involved
Hi all,

I'm looking to validate the Windows 10 operating system, as I've just found out that it interfaces with a category 5 system which impacts GxP. I've looked through the GAMP guide and my understanding is that for category 1 you record the version number and verify correct installation by following approved installation procedures.

Has anyone ever done this before who could tell me exactly what is involved?
Would you need to write a Val Plan, URS and IQ? Would you need to write test scripts?

Thanks.
 

pziemlewicz

Involved In Discussions
I'm unclear how Windows 10 is being used:
  • If truly GAMP Category 1, infrastructure software, it should be configured/deployed in accordance with defined process and verified.
  • If as a device OS, reference the following: “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices”, May 2005
  • You're somewhere in-between (?)
 

diogo19

Starting to get Involved
Hey, it's actually the Windows Active Directory which is used as username and password logon to a GxP CAT 5 system. I understand that infrastructure should be qualified, not validated, but how do you qualify the Windows Active Directory? What's involved? Thanks
 

pziemlewicz

Involved In Discussions
In that case, I think you need to look at Part 11 compliance (not all may apply).
The outline below is from MSBdocs *dot* com

1. Validation – For Security
  • Is the entire system validated?
  • Is there limited system access for authorized individuals?
  • Is there a process defined in which only authorized individuals can use the system, electronically sign the documents, alter them or perform other operations?
  • Is there any documented training available for the system that includes on-the-job training for system users, developers, IT support staff?
  • Is there a written set of policies that make individuals fully accountable and responsible for each and every action initiated by them under their electronic signatures?
  • Is data encrypted within the system?
  • Are digital signatures used?
2. Audit Trails – For Traceability
  • Does the system provide a secure, computer-generated, time-stamped audit trail (including date and time and actions such as create, modify, or delete electronic records)?
  • After every change to an electronic record, is previously recorded information still available?
  • Is the audit trail available for the purpose of reviewing and copying by the FDA?
  • Does the audit trail include the User ID, set of events, a change log, and revision and change controls?
  • Do the signed electronic records contain: the name of the signer, the date and time stamp, the purpose of the signing (such as approval, review, etc.)
3. Electronic Signatures – For Valid Use
  • Are electronic signatures unique for every user?
  • Is it possible to reuse or reassign the electronic signature to anyone else?
  • Does each electronic signature link to its respective electronic record?
  • Is the identity of an individual checked and thoroughly verified at the time of signing using an electronic signature?
4. Copies of Records – For Reference
  • Is there a procedure defined to produce accurate and complete copies of electronic records on paper?
  • Is the system capable of providing copies of records in the electronic form to serve the purpose of inspection, review, and copying by the FDA?
  • Is the system well equipped to automate the conversion or export methods (PDF, XML, or SGML)?
5. Record Retention – For Efficiency
  • Are controls in place to ensure that no individual can have the same combination of identification code and password?
  • Is there a functionality to check that the validity of identification codes is periodically checked?
  • Is there a need defined to reset passwords periodically?
  • Is there a way to recall the identification codes and passwords under any circumstances (if a person leaves or is transferred)?
 

diogo19

Starting to get Involved
Thanks for that, I'll need to do some more investigating on how to qualify Windows Active Directory.
 

srkn14

Involved In Discussions
Hi,

I hope you have figured out by now how to qualify the Windows upgrades!

I am looking for information on the same. Would you be able to provide details on how you address Windows qualification?

Thank you for your input.
 

yodon

Leader
Super Moderator
I have never validated an OS and I have never had an auditor / inspector challenge that. I think you will either get completely bogged down doing so or you will prevent or delay security updates, exposing you to cybersecurity risks.
 

Tidge

Trusted Information Resource
I've never validated Active Directory, but I have validated systems that rely on Active Directory.

FWIW: If I had my way, I never would have had any system other than "General Office Applications" use AD. The primary problem is that the AD (content, policies) are some combination of:
  • Policies are not consistently applied
  • When policies change there is never a formal remediation effort on AD content
  • Content is subject to change for any reason
  • AD content can change in ways that the interfacing systems cannot know/handle (e.g. name changes, email changes)
  • If the content is "old enough" there may be limitations in AD that are impossible to know (e.g. lengths of certain field names)
After validating one business system, and having all the necessary connections to the (locations within the) AD established and proven, it was later revealed by the AD administrator that many users were moved into a different AD, and that some users would never be made part of the AD!
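
The drift described in the post above (accounts moved, renamed or dropped from the directory after the interface was qualified) can be detected by comparing a current directory export against the one taken at qualification. This is an added example, not code from the thread or from any poster's system; it assumes CSV exports carrying the AD attributes sAMAccountName, distinguishedName, displayName and mail, and both exports are constructed sample data.

```python
import csv
import io
import re

# Constructed sample exports (not real accounts): one taken at qualification,
# one taken later. Column names are standard AD attribute names.
BASELINE_CSV = """sAMAccountName,distinguishedName,displayName,mail
jdoe,"CN=Jane Doe,OU=QA,DC=corp,DC=example",Jane Doe,jdoe@corp.example
asmith,"CN=Al Smith,OU=QA,DC=corp,DC=example",Al Smith,asmith@corp.example
bwong,"CN=Bo Wong,OU=Lab,DC=corp,DC=example",Bo Wong,bwong@corp.example
"""
CURRENT_CSV = """sAMAccountName,distinguishedName,displayName,mail
jdoe,"CN=Jane Roe,OU=QA,DC=corp,DC=example",Jane Roe,jroe@corp.example
asmith,"CN=Al Smith,OU=Contractors,DC=other,DC=example",Al Smith,asmith@corp.example
cnew,"CN=Cy New,OU=QA,DC=corp,DC=example",Cy New,cnew@corp.example
"""

TRACKED = ("displayName", "mail")  # attributes the interfacing system is assumed to consume

def load(text):
    """Index an export by logon name, lower-cased because AD compares it case-insensitively."""
    return {r["sAMAccountName"].lower(): r for r in csv.DictReader(io.StringIO(text))}

def container(dn):
    """Return the DN minus its leading RDN: the OU/domain path the object lives in."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)  # AD escapes a comma inside an RDN as '\,'
    return parts[1].lower() if len(parts) == 2 else ""

def drift(baseline_text, current_text):
    """List (account, kind, detail) findings to be reviewed under change control."""
    base, cur = load(baseline_text), load(current_text)
    findings = []
    for name in sorted(base.keys() | cur.keys()):
        if name not in cur:
            findings.append((name, "missing", "in baseline, absent from current export"))
        elif name not in base:
            findings.append((name, "new", "present now, not in qualified baseline"))
        else:
            old, new = base[name], cur[name]
            if container(old["distinguishedName"]) != container(new["distinguishedName"]):
                findings.append((name, "moved", container(new["distinguishedName"])))
            for attr in TRACKED:
                if old[attr] != new[attr]:
                    findings.append((name, "changed:" + attr, f"{old[attr]} -> {new[attr]}"))
    return findings

if __name__ == "__main__":
    for finding in drift(BASELINE_CSV, CURRENT_CSV):
        print(*finding, sep=" | ")
```

A rename that stays in the same OU is reported as an attribute change rather than a move, because only the container part of the DN is compared.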
 

v9991

Trusted Information Resource
Hey, it's actually the Windows Active Directory which is used as username and password logon to a GxP CAT 5 system. I understand that infrastructure should be qualified, not validated, but how do you qualify the Windows Active Directory? What's involved? Thanks
Firstly, because AD is configured to enforce certain policies and interface with the Cat-5 system, I recommend a qualification of the AD-interface module (it doesn't matter if it's an AD-driven or Cat-5-system-driven process).
Secondly, it also involves the changes/updates to the policies (not just the AD configuration), hence it is all the more relevant for the life cycle (create - change / update - revise) sections of the interface module to be established.

And it further involves not only the typical procedural/document-driven states, but certain technical stuff also.
pl.. ref.

Hope this helps.
 