TABLE OF CONTENTS Requirements traceability is a key issue in current computer validation best practice. If the requirement is not specified, you have not written the user requirements specification correctly and completely, have you? We will look at system security, as this should be applicable to all CDS systems.
The basis for all PQ testing is the system requirements specification and the individual requirements written therein. There is a very simple way to determine if the requirement has been written correctly: can you define a specific test without having to assume anything? If you can, the requirement has been written correctly. If you cannot, the requirement is poorly written and capable of many interpretations.
For example, if the system requirement specification states that the application must have security functions , this is an example of a poorly written function as explicit tests cannot be derived from it. Instead, more time and effort must be spent defining and documenting the various user types that are necessary and the access privileges allotted to each one.
User types: Typically, there will be a minimum of two: for example, a user and a system administrator/supervisor. Your CDS application will usually have a security module that the system administrator will configure to allow the different user types access to different functions in the application.
User privileges: Any discussion of logical security of an application should consider what each user could do when...
