Inspection Readiness Q&A

Common FDA inspector questions about computerized systems and how to answer them confidently

Validation Questions

Q: Can you show me your validation documentation for this system?
A: "Yes, here is our validation package:"

"The system was validated in January 2025 following GAMP 5 Category 4 approach. All critical requirements traced to test cases."

Q: How do you know this system does what it's supposed to do?
A: "We followed a risk-based validation approach:
  • Requirements Definition: 33 user requirements defined in URS covering functional, security, and compliance needs
  • Design Verification: Functional Specification documents how each requirement is implemented
  • Testing: 61 test cases executed (IQ/OQ/PQ) with 100% pass rate
  • Traceability: Complete bidirectional mapping: requirement → design → test case

We can demonstrate the system performs its intended functions consistently and produces accurate results."

Q: What happens when you make changes to this system?
A: "We have a documented change control process:
  1. Change request submitted with business justification
  2. Impact assessment: does this affect validated functionality?
  3. Risk-based decision on testing scope (full re-validation vs. targeted tests)
  4. Testing executed and documented
  5. Change control record closed with QA approval

High-risk changes (e.g., audit trail modifications) trigger full re-testing. Low-risk changes (e.g., UI text) require only change documentation."

21 CFR Part 11 Questions

Q: How does this system comply with 21 CFR Part 11?
A: "The VDC system implements Part 11 requirements as follows:"
  • §11.10(a) Validation: Full IQ/OQ/PQ documented
  • §11.10(e) Audit Trail: Immutable DynamoDB table captures all user actions with timestamp, user ID, action, outcome
  • §11.10(g) Authority Checks: Cognito RBAC enforces Submitter/Approver roles
  • §11.10(h) Device Checks: MFA (TOTP) required for all sessions
  • §11.50 Signature Manifestations: Approval records include signer name, timestamp, and action meaning

"See our 21 CFR Part 11 compliance mapping for details."

Q: Show me your audit trail.
A: [Navigate to document detail page, click "View Audit Trail"]

"Here's the complete audit history for this document. You can see:

  • SUBMIT action by submitter1@example.com on Jan 7, 2025 at 14:23:18 UTC
  • APPROVE action by approver1@example.com on Jan 7, 2025 at 15:45:22 UTC
  • Each record includes user identity, timestamp, IP address, and action outcome

The audit trail is stored in DynamoDB with IAM policies that prevent modification or deletion. We tested immutability in OQ-017."

Q: Can users delete or modify audit records?
A: "No. The audit table has IAM policies that explicitly deny UpdateItem and DeleteItem operations. We validated this control in test case OQ-017 where we attempted to modify an audit record and confirmed it was blocked with AccessDenied error. Only PutItem (create new record) and Query (read records) are permitted."
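The append-only control described in the two answers above, as an added example (not the page's or the project's own policy): the shape of an IAM policy that allows only PutItem and Query on the audit table and explicitly denies the write operations that could rewrite history, plus a minimal evaluator that applies IAM's rule that an explicit Deny overrides any Allow. The table ARN is a placeholder, and the extra BatchWriteItem deny is an addition beyond what the page lists.

```python
import fnmatch

AUDIT_TABLE_ARN = "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/AUDIT_TABLE"  # placeholder

# Policy attached to the application role: creating and reading records is allowed;
# UpdateItem and DeleteItem are explicitly denied so the principal cannot alter history.
# BatchWriteItem can also carry DeleteRequest entries, so it is denied as well (added here).
AUDIT_TABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppendAndRead",
            "Effect": "Allow",
            "Action": ["dynamodb:PutItem", "dynamodb:Query"],
            "Resource": AUDIT_TABLE_ARN,
        },
        {
            "Sid": "NoRewriteOfHistory",
            "Effect": "Deny",
            "Action": ["dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem"],
            "Resource": AUDIT_TABLE_ARN,
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_action_allowed(policy, action, resource):
    """Simplified IAM evaluation: default deny, a matching Allow grants,
    a matching Deny always wins regardless of statement order.
    Action names are case-insensitive and support '*' wildcards; ARNs are compared as-is."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

This is the check a reviewer performs on paper when walking the policy in an inspection; the live test (OQ-017 in the text) is the attempted UpdateItem returning AccessDenied.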

Data Integrity Questions

Q: How do you ensure data integrity?
A: "We follow ALCOA+ principles:"
  • Attributable: Every action linked to authenticated Cognito user (email + sub)
  • Legible: All records in UTF-8 JSON format, human-readable
  • Contemporaneous: Timestamps generated at action time (ISO 8601 UTC)
  • Original: S3 versioning preserves original uploads
  • Accurate: SHA-256 hash verification prevents tampering

"Each principle was tested in PQ-020 through PQ-024 with 100% pass rate."

Q: How do you prevent unauthorized data modification?
A: "Multiple layers of control:"
  • Authentication: Cognito MFA required for all sessions (no shared accounts)
  • Authorization: Role-based access control (Submitters can't approve; Approvers can't approve their own documents)
  • Data Integrity: SHA-256 hash calculated on upload and verified on download - modified files are rejected
  • Audit Trail: Immutable record of all actions
  • AWS IAM: Least privilege - Lambda functions can only access specific resources

Cloud-Specific Questions

Q: Why did you choose cloud? Isn't on-premise more secure?
A: "We chose AWS for several validated advantages:"
  • Security: AWS has SOC 2 Type II, ISO 27001, and HIPAA certifications - enterprise-grade physical and network security
  • Availability: 99.9%+ SLA with multi-AZ redundancy
  • Scalability: Serverless architecture scales automatically
  • Cost: Pay-per-use vs. maintaining dedicated infrastructure
  • Validation: AWS services are GAMP Category 3/4 COTS - supplier-qualified, reduces validation burden

"Major pharma companies (Moderna, Pfizer, AstraZeneca) run GxP workloads on AWS. It's a mature, validated platform."

Q: What if AWS makes changes to their services?
A: "AWS manages backward compatibility and provides advance notice of breaking changes. We monitor the AWS Health Dashboard for service updates. Most updates are transparent (e.g., performance improvements). If AWS announces a major change affecting our system, we perform an impact assessment and re-validate as needed. This is documented in our change control SOP."

Q: How do you qualify AWS as a vendor?
A: "We performed supplier qualification:"
  • Downloaded and reviewed AWS SOC 2 Type II reports from AWS Artifact
  • Verified ISO 27001, ISO 27017, ISO 27018 certifications
  • Confirmed HIPAA BAA availability
  • Reviewed AWS Life Sciences compliance program
  • Verified services are Generally Available (not beta/preview)
  • Documented in vendor qualification file with annual review schedule

System Access Questions

Q: Who has access to this system?
A: "Access is controlled through Amazon Cognito user pools:"
  • Submitters: Can upload documents, view own submissions
  • Approvers: Can view pending approvals, approve/reject documents
  • Administrators: Can manage user accounts via Cognito console (limited to IT admin)

"User provisioning follows our Access Control SOP. All users require MFA. We maintain a user access matrix reviewed quarterly."

Q: Can someone approve their own document?
A: "No. This is prevented by application logic in the approval Lambda function. When a user attempts to approve a document, the system checks if submittedBy equals currentUser. If true, the approval is blocked with an error message. We tested this control in OQ-004 and PQ-014."
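The approval-side controls described in this answer and in the "Multiple layers of control" list above, as one added example (not the project's Lambda code): role check, the submittedBy-equals-currentUser block, document state, and SHA-256 verification of the stored file, with every attempt recorded as an audit entry carrying an ISO 8601 UTC timestamp. The Cognito group name, record field names and the sample document are assumptions.

```python
import hashlib
from datetime import datetime, timezone

APPROVER_GROUP = "Approvers"  # assumed Cognito group that carries the Approver role

# Constructed sample: a pending document record as the approval function would read it,
# with the SHA-256 that was recorded at upload time.
SAMPLE_FILE = b"%PDF-1.7 constructed sample content\n"
SAMPLE_DOC = {
    "documentId": "DOC-0001",  # constructed
    "submittedBy": "submitter1@example.com",
    "status": "PENDING",
    "sha256": hashlib.sha256(SAMPLE_FILE).hexdigest(),
}


def approve_document(doc, current_user, user_groups, file_bytes):
    """Evaluate an approval request and return (outcome, audit_record).

    Checks run in order: role, self-approval, document state, file integrity.
    Blocked attempts are audited too, so the trail shows who tried what and why it failed.
    """
    outcome, reason = "SUCCESS", None
    if APPROVER_GROUP not in user_groups:
        outcome, reason = "BLOCKED", "user does not hold the Approver role"
    elif doc["submittedBy"] == current_user:
        outcome, reason = "BLOCKED", "submitter cannot approve own document"
    elif doc["status"] != "PENDING":
        outcome, reason = "BLOCKED", f"document is {doc['status']}, not PENDING"
    elif hashlib.sha256(file_bytes).hexdigest() != doc["sha256"]:
        outcome, reason = "BLOCKED", "SHA-256 mismatch: stored file differs from upload"

    # Audit entry in the shape the page describes: who, when (ISO 8601 UTC), what, outcome.
    audit = {
        "documentId": doc["documentId"],
        "action": "APPROVE",
        "user": current_user,
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "outcome": outcome,
    }
    if reason:
        audit["reason"] = reason
    return outcome, audit
```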

Best Practices for Inspections

  • 📁 Have docs ready: URS, FS, RTM, IQ/OQ/PQ in a single folder, printed if requested
  • 💻 Demo prepared: pre-load test accounts, know how to navigate quickly
  • 🎯 Answer directly: be confident, be honest. "I don't know but I'll find out" is acceptable
  • 📋 Show traceability: demonstrate requirement → design → test mapping live