[geeks] Drooogs and regulations (was Three heads)

joshua d boyd geeks at sunhelp.org
Tue Aug 7 16:09:57 CDT 2001


On Tue, Aug 07, 2001 at 04:40:20PM -0400, Jonathan Katz wrote:
> Ken wrote:
> > Well, the FDA won't tell you what the answer is, they just tell you what is
> > needed, in vague answers...
> 
> Indeed! It all boils down to the following corollary:
> 
> Document what you do.
> Do what you document.
> 
> How you (as a company) interpret that is up to you. Lilly was
> doing (what it thought) was a pretty adequate job until it underwent
> an audit a few years back (about 6-12 months before I was there.)
> The FDA was unimpressed by the lack of paper-trail conducive to
> the R&D environment (at the time, manufacturing was held to much
> higher standards.) The solution was to push the manufacturing
> standards onto the R&D group. (Think about the regulation that
> needs to go into a system which automates the manufacture of
> Prozac capsules.)

I worked on the manufacturing side of Pfizer.  The standards there seem to
be a bit more clear cut.
 
> The nice thing was that a lot of the security I had to implement wasn't
> always fascist-- it had to be auditable. There were a lot of times when
> group permissions and such were wide-open on systems because they had
> to be (a team of scientists working on the same test runs from a mass
> spectrometer or nmr machine.) As long as we could tell who was working
> on a set of files (ownership would change but not group perms after
> editing) everything was cool.

So for what I did, all FDA related material was kept in a database, and we
had to have a strict transaction log of what changed in the
databases.  Users thus weren't allowed directly at the data.  Also, some
systems used transparent triggers (it made life as a programmer easier) so
that if a user did get directly at the data (say by cracking their machine
and installing a raw SQL client of some sort) all changes would still be
logged. 

> The one hangup of the FDA, which scares me, is that any computing
> environment which was used for testing and/or simulations must be
> "recreatable" for 7 years after the experiment. IIRC, that is 
> about as vague as it's stated. Does that mean the same system
> with same sized hard disks and all, or the fact that Solaris 22
> is backwards and binary compatible with Solaris 2.5 adequate for
> re-running your pre-compiled Fortran code you get from the
> government?

In manufacturing, I don't believe that we had that problem.  We just had
to prove that our data didn't get mucked up anywhere along the way.

-- 
Joshua D. Boyd
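
An added example, not part of the original post or any system it describes: a sketch of the trigger-based transaction log mentioned above, showing that a write made directly against the table is still recorded. It uses SQLite through Python so it runs offline; the table, column and trigger names and the sample rows are constructed for illustration.

```python
import sqlite3

# Constructed schema: every name here is an assumption made for this example.
SCHEMA = """
CREATE TABLE batch_result (id INTEGER PRIMARY KEY, lot TEXT NOT NULL, assay_pct REAL NOT NULL);
CREATE TABLE audit_log (
    seq INTEGER PRIMARY KEY AUTOINCREMENT,
    at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
    op TEXT NOT NULL, row_id INTEGER NOT NULL, old_value TEXT, new_value TEXT
);
-- Row-change triggers fire inside the database, whatever client issued the write.
CREATE TRIGGER batch_ins AFTER INSERT ON batch_result BEGIN
    INSERT INTO audit_log(op, row_id, old_value, new_value)
    VALUES ('INSERT', NEW.id, NULL, NEW.lot || '|' || NEW.assay_pct);
END;
CREATE TRIGGER batch_upd AFTER UPDATE ON batch_result BEGIN
    INSERT INTO audit_log(op, row_id, old_value, new_value)
    VALUES ('UPDATE', OLD.id, OLD.lot || '|' || OLD.assay_pct,
            NEW.lot || '|' || NEW.assay_pct);
END;
CREATE TRIGGER batch_del AFTER DELETE ON batch_result BEGIN
    INSERT INTO audit_log(op, row_id, old_value, new_value)
    VALUES ('DELETE', OLD.id, OLD.lot || '|' || OLD.assay_pct, NULL);
END;
-- The log itself is append-only: edits and deletes are rejected.
CREATE TRIGGER audit_no_upd BEFORE UPDATE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
CREATE TRIGGER audit_no_del BEFORE DELETE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
"""

def demo():
    """Return (audit rows, whether clearing the log was blocked)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Write as the application would make it.
    db.execute("INSERT INTO batch_result(lot, assay_pct) VALUES ('LOT-A', 99.2)")
    # Write issued straight at the table, as from a raw SQL client.
    db.execute("UPDATE batch_result SET assay_pct = 99.9 WHERE lot = 'LOT-A'")
    try:
        db.execute("DELETE FROM audit_log")
        tamper_blocked = False
    except sqlite3.DatabaseError:
        tamper_blocked = True
    rows = db.execute("SELECT op, old_value, new_value FROM audit_log ORDER BY seq")
    return rows.fetchall(), tamper_blocked
```

The triggers only hold if ordinary accounts cannot drop or alter them, so trigger and schema DDL has to be restricted to a separate administrative role. A server database would also record the session user in each log row, which SQLite has no notion of.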


