GxP Assessment Questionnaire for SoftMax Pro GxP Software

Quality Management System

Is the software developed and produced in accordance with a Quality Management System?

Yes, under ISO 9001:2015 Quality Management System.

Are harmonized or company-internal guidelines, manuals, or procedural models for software development used (for example, programming or documentation guidelines)?

Quality Management System Manual (QMSM) and QMS processes and work instructions are in place to provide programming, development, and documentation guidelines.

Is the software developed exclusively by Molecular Devices? If not, are subcontractors certified or audited?

External subcontractors are audited and trained under Molecular Devices development processes.

Does the developer of the software or systems possess an appropriate, documented education and training to realize the assigned tasks?

Developers are hired and trained based on a defined job description.

Are there any internal audits of the software development processes?

Internal audits of the software development processes are routinely done, and any non-conformance prompts Corrective and Preventive Action (CAPA) items.

System Development Life Cycle (SDLC)

Does Molecular Devices have a System Development Life Cycle process?

The Molecular Devices Product Development Process governs all product development at Molecular Devices.

Are the results of individual software development phases within the life-cycle model sufficiently tested (review of phase results)?

The Molecular Devices Product Development Process requires reviews of results and accomplishments from development phases and all accomplishments including results that require approval for their completeness.

Are software requirements formally defined, reviewed, and approved?

High-level software requirements for a given product are defined in the Market Requirements Specification document. Detailed requirements are documented in a sub-system requirements document. Requirements are reviewed and approved. In Agile practices, high-level requirements are captured in the Market Requirements Specification document and the detailed functionality is defined in executable specification tests called story tests.

Software Design and Implementation

Are technical reviews conducted during software development?

Critical Design Reviews are conducted during software development.

Do you use an established, standard, software development life cycle? If so, which model is used?

Molecular Devices uses the Agile Software Development Process.

Does the release process for enhancements include full documentation of new functionality?

For major and minor software releases, all new functions are documented in Release Notes and depending on the type and scope of the release, also in the User Guides.

Do evaluation practices for purchased products assure freedom from virus infection?

Off-the-shelf software such as operating systems and office suites are purchased from suitable retailers. All products that are used in software development are evaluated on development systems, and company computers require the use of defined anti-virus software that identifies any known virus.

Do source listings conform to written standards (for example Good Programming Practices)?

Programming standards are documented in the Molecular Devices quality system. All developers are trained on the standards before working on software products.

Are software designs and source code reviewed?

Design specifications are created and reviewed by qualified software development personnel.

Source code is reviewed to ensure adherence to programming standards.

In Agile practices, designs and code are reviewed constantly as part of the pair programming and refactoring practices.

A separate formal code review is not warranted as all code is reviewed during the initial development and is reviewed again when doing refactoring activities.

If pair programming is not used, then a separate code review is required as part of the code check-in and build process.

Does the development process provide for formal evaluation of purchased products and services through specification of technical requirements and evaluation of products for conformance to specified requirements?

If the total product involves the use of a component that is a purchased product, then the purchased product is evaluated to confirm its fit for the intended use. The overall product is evaluated before release.

Is there evidence that the software development methodology was implemented through work processes and deliverables for the following: Defining and documenting software requirements? Designing software? Building software? Integration of software components? Testing of components and the integrated product? Release and support of the product?

Yes to all points.

Software Testing

What type of software testing is done?

Software Development is responsible for unit and integration testing. Product testers are responsible for system testing the software, and the testing scope is described in a Software Verification Plan. The test protocols and official test records are available for customer review only during an on-site audit with a non-disclosure agreement.

Additional testing of a software product can be done by the Product Application personnel or by designated beta site customers.

With Agile practices of Test Driven Development, high-level requirements are refined in story test creation to create an executable functional specification that tests for the requirement under development. The test will initially fail until the code fulfilling the requirement is written. The members of the customer team (representatives from Product Management, Domain experts, Verification and Information Development representatives, and so on) provide input to the story tests. Additional tests in the form of exploratory and GUI testing are completed by the Verification group and other members of the Customer Team.

Do you have a procedure that defines the testing process?

Yes, there are written procedures for testing of software requirements.

Are test results reviewed and approved?

The test results are reviewed for coverage of all the software requirements by Software Quality Assurance.

Do testing documents exist for the following: Unit level testing? Integration level testing? System Level testing? Structural and Functional testing?

Yes. Based on the product of interest, the testing depth is variable.

Are the original test documents and records retained and used for regression testing purposes?

The original test suite is retained and used for regression testing purposes. Original test records are retained and are used only to compare to the results of previous tests.

Are adequate software verification and validation processes used for the project (test planning, test-case determination, test-data generation test performance, test analysis, test documentary)? If yes, are test protocols and summarizing test reports available?

Verification and Validation plans and reports are required and approved during the appropriate development phases.

Test plans and reports are archived and available.

Who does the verification and validation? Is there an independent group for this work?

Software testers and application scientists do the verification and validation. Software testers belong to the software test group.

Who authorizes test plans, test protocols, test reports?

Test documents are authorized by the project manager, the product manager, the software quality assurance lead and the software lead.

Is access to the testing environment (testing tools, test data) and test documentation assured?

Test tools, data, and documents are archived into a central repository for all software projects, and they are version controlled.

Security Controls

Does the company have standards or guidelines for the establishment and upkeep of software documentation?

One central repository is in place for all project documents.

Is access to software development documentation assured?

Access requires authorization to the archival system.

Is access to source code assured (if necessary)?

Access and permissions are enforced by the source code management system.

Defect Reporting

Does the company have standards or guidelines for the establishment and upkeep of software documentation?

One central repository is in place for all project documents.

Is there a formal reporting process?

A defect tracking system is in place.

How are error reports and correction and improvement recommendations received and processed?

Reported errors are entered into the defect tracking system and processed according to the workflow defined in the tracking system.

How are customers informed of the processing status?

Customers are informed of the processing status upon request.

Release notes are included with every software release, which contain a list of resolved issues.

Change Control

Who approves software changes?

Software changes that affect the schedule of the project are approved by the portfolio management team.

Are documented change control or version management procedures in place?

A change control procedure is in place and all project documents required by Quality Management System are archived in a version-control system.

How are Customers trained in the use of Molecular Devices systems?

Training is provided with the instruments. The level and length are dependent on the product. The training is either done by a Field Application Scientist or by a Technical Support Specialist or by the Sales Representative depending on the product.

How long does Molecular Devices support a given release of Software or Hardware?

Molecular Devices typically offers hardware and software support for the period of 5 years after the last manufacturing date.

How do you notify customers of new releases?

Customers are provided appropriate setup information with the documentation supplied with the system. Critical operation updates are forwarded to customers who register their products. Normal updates and subsequent engineering changes are not published to the end users.

How do customers report problems (for example, software bugs and instrument problems)?

support.moleculardevices.com

How are customer complaints documented and managed?

All complaints are documented as cases in our customer relationship management (CRM) system. We communicate through email and phone, and do not close the case until the customer agrees that the problem is resolved.

System Operation

Does the system enforce the sequencing of events that can be pre-defined, such as in batch sequence management, when sequencing is being managed manually?

Yes. SoftMax Pro GxP Software data files can be integrated with third-party tools, but the system setup is the end-user’s responsibility.

Does the system use checks to interrogate the source of an operational command to ensure that only an authorized workstation, terminal, or device is issuing the command?

Not applicable for this application. System setup is the responsibility of the customer. However, automation commands require electronic sign in.

Record Integrity & Backup

How and when are records stored to durable media?

Records are saved manually on command or after a read completes if you use Auto Save. The command can be automated with a robotic or automated command. The software saves every open document to the database every five minutes for the purpose of data recovery, and the temporary backups are deleted when the software is closed.

Can operators modify the content of records after they have been stored on durable media?

No, raw data cannot be modified. Reduction and Analysis setting changes are tracked through the audit trail.

Can operators delete records that have been stored on durable media?

It is up to the system administrator or Standard Operating Procedure (SOP) to restrict these capabilities. All records can be saved using Auto Save preferences.

Can administrators modify the content of records after they have been stored on durable media?

No, raw data cannot be modified. Reduction and Analysis setting changes are tracked through the audit trail.

Can administrators delete records that have been stored on durable media?

It is up to the system administrator or Standard Operating Procedure (SOP) to restrict these capabilities.

Is the system equipped with archiving tools and utilities to create backups of electronic records on durable media?

It is up to the system administrator or Standard Operating Procedure (SOP) to identify backup and archiving functionality.

Can criteria be selected such that specific records can be selected for archiving?

No. once the file has been archived, the record of the file cannot be deleted.

Record Copying & Retrieval

In what format and file types are records stored electronically?

Raw data is saved in binary format.

How are records retrieved from archive media and loaded into the operating environment?

The record gets created as the result of opening a file.

Does the system provide the ability to retrieve and display any record electronically or to generate hard copy reports on any electronic record?

Yes.

Can records be selectively retrieved and displayed for inspection?

Yes.

Does the system provide standard report formats that can be modified to meet specific regulatory reporting requirements?

Yes. Customized data summaries, known as Notes sections, and Group tables can be printed.

Does the system generate records such as primary data, metadata, audit trails, user account activity, security configuration, and electronic signature definition?

All these records can be reviewed or generated as reports.

Does the system also automatically store metadata that defines or otherwise limits primary data collected?

Yes.

Can the system report security activities such as the following: Addition of users? Deletion of users? User log-on activity?

Yes. All listed activities are reported in the GxP Admin Portal Software System Audit Trail.

User log-on activity is also reported in the SoftMax Pro GxP Software data file audit trail

Can the system report global security parameters, such as the following: Application configurations? Function configurations (such as, Security Configuration Report)?

Yes. Instrument settings and analysis parameters are recorded in the audit trail. Permission levels reports for each user can be generated.

Electronic Records

Does the system provide an electronic signature capability intended to replace a legally binding hand-written signature on a written record?

Yes. This can be configured in the GxP Admin Portal. Our electronic signature functionality is designed per 21 CFR Part 11 requirements:

§11.3 Definitions
(b) The following definitions of terms also apply to this part:

(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.

Does the signature manifestation clearly and unambiguously identify the signer in human readable form?

Yes. Our electronic signature functionality is designed per 21 CFR Part 11 requirements:
§11.10 Controls for closed systems

(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency.

Does the electronic signature, as part of the electronic record, indicate in either human readable or electronic form the following information: Name of the signer? Time and date of the signing event? Meaning of the signing act (approve, review, certify, etc.)?

Yes. Our electronic signature functionality is designed per 21 CFR Part 11 requirements:

§11.50 Signature manifestations

(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
1. The printed name of the signer;
2. The date and time when the signature was executed; and
3. The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

Does the system provide set up options to specify an amount of time that constitutes a continuous period of controlled system access?

Yes. This can be configured in the GxP Admin Portal.

Does the software link an electronic signature to the electronic record and ensure that the signature cannot be excised, copied, or repudiated?

Yes. Our electronic signature functionality is designed per 21 CFR Part 11 requirements:
§11.70 Signature/record linking

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

Does the system allow a user to override the operating permissions reserved for a specific signature by someone other than its genuine owner?

Yes. Upon end-user data integrity risk assessments, the ‘Revoke signatures’ permission can be configured to a role in the GxP Admin Portal.

Does the system require all password components again after the specified time elapsed?
Does the system process several electronic signatures of one individual within a single, continuous period of controlled system access as follows: Initial signing (requires ALL electronic signature components for the signing act)? Subsequent signings (require at least one electronic signature component, and if so, which component)?

Our electronic signature functionality is designed per 21 CFR Part 11 requirements:

§11.200 Electronic signature components and controls

(a) Electronic signatures that are not based upon biometrics shall:

(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

Security

Does the non-biometric log in use at least two distinct components, such as one identification code (user ID) and one password?

Yes.

Does the password functionality require the use of enough characters and sufficient content to prevent a password from being guessed?

Multiple password strength options are available and are configurable in GxP Admin Portal.

Does the security system check for the uniqueness of every user ID and password combination in the system and reject duplicates?

Yes, it checks for unique user ID and rejects duplicates.

Does the system require a combination of a unique user ID and one password to gain access to the application or to execute a function?

Yes. All users require a unique user name and a password.

Is the file containing passwords encrypted so that the administrator cannot read password content?

Yes.

Does the security system log all security administration and controlled access events, whether successful or unsuccessful, to a historical record?

Yes. The GxP Admin Software System Audit Trail captures application activity including file creation, modification, and deletion events and the SoftMax Pro GxP Software captures document specific activity.

Does the system support password aging with limitations on the reuse of previous passwords?

Yes.

Can more than one operator be logged on to the system simultaneously?

Yes, for a multi-computer (single server) environment.

No, for a single computer environment.

Does the system support automatic time-out during periods of inactivity?

Yes. This can be configured in GxP Admin Portal software.

Is the time-out period configurable?

Yes. This can be configured in GxP Admin Portal software.

What steps are required to reactivate the system following a time-out, particularly if the time-out occurs during a transaction?

The user must enter a password to log on to the system. After timed-out, instrument activity continues but operator intervention is prevented until an authorized user password is entered.

Audit Trails

Does the system automatically generate time-stamped audit trails that record transactions that create, delete, or modify electronic records?

Yes. Our system audit trail functionality is designed per 21 CFR Part 11 requirements:

§11.10 Controls for closed systems

(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

Do audit trails record the following information: Time and date of transaction? Identity of the user/operator? User/operator action executed (created, deleted, modified)?

The record gets created as the result of opening a file.

Is the audit trail part of the primary record?

Yes.

Is the audit trail a separate electronic record?

No.

Is the audit trail secured against intentional and unintentional user intervention, including “super-user” activities?

Yes.

Does the system keep all prior versions of the authentication record after its modification or deletion?

No. The customer must implement SOPs to archive successive document versions. The audit trail tracks changes to a particular file. The SoftMax Pro GxP Software cannot overwrite an existing document.

Are there limitations that prevent the audit trail from being retained for the life of the record?

No.

Does the system retrieve and display accurate and complete copies of the audit trail (an electronic record) in both human readable and electronic form, suitable for inspection, review, and copying into a “take away” format?

Yes.