PCs such as laptops or desktop computers are more sophisticated than PLCs but are still relatively easy to qualify. The reason for this is that most of the software used on a PC is “off the shelf” nonconfigurable. That is, the software code cannot be changed. Only the application is configurable. For example, the Microsoft Excel spreadsheet program can neither be validated nor qualified. However, the application of each spreadsheet must be qualified. Specifically each calculation needs to be verified from both its algorithm to its data input and output.
All aspects of the PC need to be qualified, just as any other process or laboratory equipment. All input/output devices (eg, keyboards, disk drives, USB inputs of outputs, mouse control and other pointers, screen displays, printers, etc.) need to be tested and demonstrated to be functioning correctly. This means that the data being input is the same as the data coming out. For example, if you want to type the letter “M,” the keyboard should only respond to the “M” key and the screen should display only an “M” from that designated key. The same holds true for data storage devices, whether internal or external.
Data storage devices also are part of the PC qualification program. Storage time of the data on the external device, as well as the environmental conditions it is stored under are factors in this qualification.
Operating systems are not usually qualified due to the large number of users. However, the vendor audit or other review for code preparation, annotation, etc. should be performed (Table 6.6).
PLCs and PCs may be linked together to form a “Network.” Simply, a network is a group of individual units (PCs or PLCs) linked together so that information can be easily shared. There are two basic types of networks—open and closed. In the pharmaceutical industry, the closed network is the preferred type.
If users transmit data over a network, then the network should be validated. However, that validation is usually a subset of validation of the database system (with tests that make sure clients can talk to servers and so forth). In addition, there is typically some platform validation performed to ensure that the network can handle traffic flow correctly.
A risk assessment should truly answer when and how to do network validation. For example, if the network is only used for backing up servers, then the firm would develop a set of requirements, specifications, and tests regarding how servers are backed up. If the network were only used for client interaction to the server, then the firm would develop requirements, specifications, and tests around network loading, response speed, and server timeouts (Table 6.7).