Computerized System Validation (CSV) Audits

QC2 offers the following computerized system validation (CSV) audits:

QC2 audits computer systems supporting clinical development, including data management systems, image tracking, management and analysis, blinded reading systems for clinical response, central electrocardiogram reading centers, and other specialized applications.  We focus on testing of key requirements critical to data integrity and project success, assessing the robustness of testing, and determining whether validation activities are adequately supported by objective evidence.  Our auditors ensure traceability of requirements is maintained throughout the validation package. Error reporting and software defect reporting systems are closely reviewed to confirm that errors are graded appropriately, investigated, and resolved. We confirm testing activities can be accurately reconstructed, such that one can identify the build in which defects were found and the build in which they were resolved. Change controls over the application and hardware are also reviewed to ensure post production system upgrades, patches, and fixes have been fully validated.

Our computerized system validation audits are tailored to the type of application in use, whether commercial off the shelf (COTS), proprietary application, or a program that is validated at point of use (e.g., a biostatistical program).  We are familiar with the level of validation required in each of these settings, as well as of platform qualification needs. Generally, we audit according to the Good Automated Manufacturing Practices (GAMP) V model, and confirm applications and systems are validated from a risk based approach. Our audits will help assure that you and/or your vendor’s systems meet regulatory authority expectations.


Data Management Systems and Electronic Data Capture (EDC) Audits

QC2 performs audits of data management and EDC core applications as well as study specific configurations.  We are familiar with widely used data management and EDC applications for clinical trials and have audited validation packages for the core applications, both for local installations at contract research organizations (CROs), as well as at the software vendors themselves.  QC2 auditors are aware of the validation needs particular to the application infrastructure, including hosted systems.

We  understand the differing testing requirements for various data management platforms.  Both for core and configured applications, a thorough assessment of the robustness of validation is performed, with particular focus on functionality key to 21 CFR Part 11 compliance.   For study specific applications, we ensure edit check testing, dynamic navigation,  page level controls, and user privileges have been programmed according to specifications and have been thoroughly tested.  Data extracts and provision to biostatistical personnel, as well as archival and provision of final data to sites are assessed.  Application infrastructure, including the security, redundancies, and environmental safeguards are evaluated to confirm the system meets industry standards and regulatory requirements.

Safety Database Audits

QC2 has audited validation packages for industry leading safety database applications in a variety of environments.  Our safety database audits focus on validation of workflows and routing, alerting, and reporting functionality.  Testing of application user requirements relating to 21 CFR Part 312, 812, and 314, including reporting timelines, are also assessed.  The modules for triage and report management and tracking are emphasized, to confirm the application will facilitate timely safety reporting to regulatory authorities.  Compliance with 21 CFR Part 11 is also reviewed, including the infrastructure for the application.


QC2 has considerable experience auditing interactive voice response systems (IVRS), interactive web response systems (IWRS), or multi-modal platforms (IXRS).  We have audited a wide variety of IVRS/IWRS/IXRS applications, ranging from systems that are developed “one-off” for study specific use, to highly configurable, menu driven applications with little to no custom programming.   Audits include in depth assessment of the adequacy of testing of user requirements, ensuring that test cases include sufficient data to stress the system.  We confirm that thorough scenario testing has been performed to simulate production use of the application, to support that the system responds appropriately to complex inputs.

Careful focus is paid to the security, testing, and uploading of randomization lists and packing lists to the application, as well as the handling of unblinded information in reports and in other aspects of system operation.  We review internal user acceptance testing (UAT) and client or sponsor UAT, and associated issues, errors, or software defects arising during those activities and verify successful resolution.  Compliance with 21 CFR Part 11 is evaluated both at the application level and with respect to infrastructure.

Electronic Diaries and Patient Reported Outcome (ePRO) Tools Audits

QC2 has performed audits of electronic diaries and ePRO devices to confirm the applications have been appropriately validated for use.  We have audited electronic diary and ePRO systems involving multi-modal (e.g., internet and smart phone based) and single modality inputs (e.g., entirely on handheld devices or smart phones).  We closely evaluate the data capture tool specifications versus the software, and the decision flow, and confirm appropriate scenario testing has been performed manually and/or in automated fashion, and challenged appropriately.  Interfaces with other devices or systems are also assessed to ensure complete and accurate data are captured.  Security and integrity of the data while on the personal device are also given close attention.  As with all of our computerized system validation audits, infrastructure is also reviewed to ensure appropriate security, redundancies, and environmental safeguards are in place.  We confirm compliance with 21 CFR Part 11, where applicable, and ensure that regulatory requirements for investigational sites are also met such that, when appropriate, the investigator maintains ownership of the data.

Laboratory Information Management Systems (LIMS) Audits

QC2 conducts audits of LIMS validation packages.  We ensure that the environment and equipment are appropriately installed and qualified and that the system is fully described.  The operational qualification and performance qualification (OQ/PQ) are reviewed to confirm test cases demonstrate functional requirement have been met, and verify appropriate traceability within the documentation.  We confirm that sufficient testing has occurred, in addition to any software vendor supplied installation qualification (IQ) or OQ scripts to ensure that the system has been fully tested.  Our audits focus on key requirements, ensuring key functionality such as specimen tracking, instrument interfaces, results reporting, and audit trail functionality have been thoroughly stressed to ensure data integrity and compliance with 21 CFR Part 11.


QC2 audits are customized for your specific project and budget needs.  We can provide assistance with all aspects of your audit projects, including audit plan consulting and development; scheduling, conducting, and reporting on audits; and providing audit follow-up services, including review of audit responses.  We can conduct both general qualification audits and in-study audits.