EFGCP Guideline for Auditing Clinical Laboratories - European ...
EFGCP Guideline for Auditing Clinical Laboratories - European ...
EFGCP Guideline for Auditing Clinical Laboratories - European ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Guideline</strong> <strong>for</strong> <strong>Auditing</strong> <strong>Clinical</strong> <strong>Laboratories</strong><br />
Formal requirements to the <strong>for</strong>mat of passwords (e.g. minimum number of characters required,<br />
alphanumeric plus number strings, recycling of passwords).<br />
The security and administration of user access:<br />
The auditor should verify whether access to computers is blocked when the user is not at his / her<br />
desk (e.g. password protected screen savers)<br />
System access needs to be controlled by a user ID and password protected.<br />
3.11.2 System Description<br />
The auditor should review the availability of the following:<br />
• A general description of the computer systems in use.<br />
• An assessment as to whether the computer system is an internally developed system, an "off-theshelf"<br />
package or a combination of the two.<br />
• In the case of globally operating central laboratories, the procedures <strong>for</strong> data exchange between<br />
sites/subsidiaries, assess impact of different time zones, units used (metric vs other systems).<br />
• System specification (covering user requirements and user acceptance test) <strong>for</strong> systems<br />
developed in-house.<br />
• Software life-cycle management: documentation of requests, requirements and acceptance of<br />
new release.<br />
3.11.3 Software Development<br />
The auditor should ensure that the following issues are reviewed:<br />
Standard <strong>for</strong> software development incl. coding standards.<br />
Change control procedures <strong>for</strong> software development and maintenance.<br />
Policy <strong>for</strong> user testing and acceptance.<br />
Documentation <strong>for</strong> testing including unit testing, integration testing and acceptance testing.<br />
3.11.4 Testing<br />
The auditor should ensure that the following issues are reviewed:<br />
• Test plans, inclusive tractability between user requirement specifications/systems specifications<br />
and the test records.<br />
• Test reports, inclusive test results and signed and dated screen dumps as applicable.<br />
• Reports on change control and error handling.<br />
• Audit trail <strong>for</strong> changes, completeness thereof and availability of any logs of changes.<br />
3.11.5 Maintenance and Support<br />
The auditor should ensure that the following issues are reviewed:<br />
• Service contracts with third parties or SOP/service level agreements if maintenance is ensured by<br />
company staff.<br />
• System and user support. The auditor should assure that the system administrator controls the<br />
software environment on PCs and laboratory work stations (e.g. via a software inventory) to avoid<br />
the uploading of unauthorised software by personnel.<br />
• Debugging of software.<br />
3.11.6 Security<br />
The auditor should verify the policy on access control:<br />
Staff and contractors having access to the various systems and tasks they are authorized to execute.<br />
<strong>EFGCP</strong> - <strong>Clinical</strong> <strong>Laboratories</strong> - Final Version 1.0 Page 12 of 15<br />
2005