conduct-gxp-audit

pjt222

Mis à jour Yesterday

2 vues

Métadata

À propos

Cette compétence permet aux développeurs de réaliser des audits GxP complets des systèmes informatisés, couvrant l'ensemble du cycle de vie, de la planification et la collecte de preuves jusqu'à la génération d'actions correctives et préventives (CAPA) et à la vérification de suivi. Elle prend en charge divers types d'audits, y compris les audits internes, les qualifications de fournisseurs et les audits déclenchés par des écarts. Les capacités clés incluent la détermination de la classification (critique/majeur/mineur) et la génération de rapports structurés pour les revues de conformité.

Installation rapide

Claude Code

Recommandé

Principal

npx skills add pjt222/agent-almanac -a claude-code

Commande PluginAlternatif

/plugin add https://github.com/pjt222/agent-almanac

Git CloneAlternatif

git clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/conduct-gxp-audit

Copiez et collez cette commande dans Claude Code pour installer cette compétence

Documentation

Conduct GxP Audit

Plan and execute a GxP audit of computerized systems, data integrity practices, or regulated processes.

When to Use

Scheduled internal audit of a validated computerized system
Supplier/vendor qualification audit for GxP-relevant software
Pre-inspection readiness assessment before a regulatory audit
For-cause audit triggered by a deviation, complaint, or data integrity concern
Periodic review of a validated system's compliance posture

Inputs

Required: Audit scope (system, process, or site to audit)
Required: Applicable regulations (21 CFR Part 11, EU Annex 11, GMP, GLP, GCP)
Required: Previous audit reports and open CAPA items
Optional: System validation documentation (URS, VP, IQ/OQ/PQ, traceability matrix)
Optional: SOPs, training records, change control logs
Optional: Specific risk areas or concerns triggering the audit

Procedure

Step 1: Develop the Audit Plan

# Audit Plan
## Document ID: AP-[SYS]-[YYYY]-[NNN]

### 1. Objective
[State the purpose: scheduled, for-cause, supplier qualification, pre-inspection]

### 2. Scope
- **System/Process**: [Name and version]
- **Regulations**: [21 CFR Part 11, EU Annex 11, ICH Q7, etc.]
- **Period**: [Date range of records under review]
- **Exclusions**: [Any areas explicitly out of scope]

### 3. Audit Criteria
| Area | Regulatory Reference | Key Requirements |
|------|---------------------|------------------|
| Electronic records | 21 CFR 11.10 | Controls for closed systems |
| Audit trail | 21 CFR 11.10(e) | Secure, computer-generated, time-stamped |
| Electronic signatures | 21 CFR 11.50 | Manifestation, legally binding |
| Access controls | EU Annex 11, §12 | Role-based, documented |
| Data integrity | MHRA guidance | ALCOA+ principles |
| Change control | ICH Q10 | Documented, assessed, approved |

### 4. Schedule
| Date | Time | Activity | Participants |
|------|------|----------|-------------|
| Day 1 AM | 09:00 | Opening meeting | All |
| Day 1 AM | 10:00 | Document review | Auditor + QA |
| Day 1 PM | 13:00 | System walkthrough | Auditor + IT + System Owner |
| Day 2 AM | 09:00 | Interviews + evidence collection | Auditor + Users |
| Day 2 PM | 14:00 | Finding consolidation | Auditor |
| Day 2 PM | 16:00 | Closing meeting | All |

### 5. Audit Team
| Role | Name | Responsibility |
|------|------|---------------|
| Lead Auditor | [Name] | Plan, execute, report |
| Subject Matter Expert | [Name] | Technical assessment |
| Auditee Representative | [Name] | Facilitate access and information |

Got: Audit plan approved by quality management and communicated to auditee at least 2 weeks before the audit. If fail: Reschedule if auditee cannot provide required documentation or personnel.

Step 2: Conduct Opening Meeting

Agenda:

Introduce audit team and roles
Confirm scope, schedule, and logistics
Explain finding classification system (critical/major/minor)
Confirm confidentiality agreements
Identify auditee escorts and document custodians
Address questions

Got: Opening meeting documented with attendance record. If fail: If key personnel are unavailable, reschedule affected audit activities.

Step 3: Collect and Review Evidence

Review documentation and records against audit criteria:

3a. Validation Documentation Review

URS exists and is approved
Validation plan matches system category and risk
IQ/OQ/PQ protocols executed with results documented
Traceability matrix links requirements to test results
Deviations documented and resolved
Validation summary report approved

3b. Operational Controls Review

SOPs current and approved
Training records demonstrate competence for all users
Change control records complete (request, assessment, approval, verification)
Incident/deviation reports handled per SOP
Periodic review conducted on schedule

3c. Data Integrity Assessment

Audit trail enabled and not modifiable by users
Electronic signatures meet regulatory requirements
Backup and recovery procedures documented and tested
Access controls enforce role-based permissions
Data is attributable, legible, contemporaneous, original, accurate (ALCOA+)

3d. System Configuration Review

Production configuration matches validated state
User accounts reviewed — no shared accounts, inactive accounts disabled
System clocks synchronized and accurate
Security patches applied per approved change control

Got: Evidence collected as screenshots, document copies, interview notes with timestamps. If fail: Record "unable to verify" as an observation and note the reason.

Step 4: Classify Findings

Classify each finding by severity:

Classification	Definition	Response Required
Critical	Direct impact on product quality, patient safety, or data integrity. Systematic failure of a key control.	Immediate containment + CAPA within 15 business days
Major	Significant departure from GxP requirements. Potential to impact data integrity if uncorrected.	CAPA within 30 business days
Minor	Isolated deviation from procedure. No direct impact on data integrity or product quality.	Correction within 60 business days
Observation	Opportunity for improvement. Not a regulatory requirement.	Optional — tracked for trend analysis

Document each finding:

## Finding F-[NNN]
**Classification:** [Critical / Major / Minor / Observation]
**Area:** [Audit trail / Access control / Change control / etc.]
**Reference:** [Regulatory clause, e.g., 21 CFR 11.10(e)]

**Observation:**
[Objective description of what was found]

**Evidence:**
[Document ID, screenshot reference, interview notes]

**Regulatory Expectation:**
[What the regulation requires]

**Risk:**
[Impact on data integrity, product quality, or patient safety]

Got: Every finding has classification, evidence, and regulatory reference. If fail: If classification is disputed, escalate to the audit program manager for adjudication.

Step 5: Conduct Closing Meeting

Agenda:

Present findings summary (no new findings should be raised)
Review finding classifications
Discuss preliminary CAPA expectations and timelines
Confirm next steps and report timeline
Acknowledge auditee cooperation

Got: Closing meeting documented with attendance. Auditee acknowledges findings (acknowledgement ≠ agreement). If fail: If auditee disputes a finding, document the disagreement and escalate per SOP.

Step 6: Write Audit Report

# Audit Report
## Document ID: AR-[SYS]-[YYYY]-[NNN]

### 1. Executive Summary
An audit of [System/Process] was conducted on [dates] against [regulations].
[N] findings were identified: [n] critical, [n] major, [n] minor, [n] observations.

### 2. Scope and Methodology
[Summarize audit plan scope, criteria, and methods used]

### 3. Findings Summary
| Finding ID | Classification | Area | Brief Description |
|-----------|---------------|------|-------------------|
| F-001 | Major | Audit trail | Audit trail disabled for batch record module |
| F-002 | Minor | Training | Two users missing annual GxP training |
| F-003 | Observation | Documentation | SOP formatting inconsistencies |

### 4. Detailed Findings
[Include full finding details from Step 4 for each finding]

### 5. Positive Observations
[Document areas of good practice observed during the audit]

### 6. Conclusion
The overall compliance status is assessed as [Satisfactory / Needs Improvement / Unsatisfactory].

### 7. Distribution
| Recipient | Role |
|-----------|------|
| [Name] | System Owner |
| [Name] | QA Director |
| [Name] | IT Manager |

### Approval
| Role | Name | Signature | Date |
|------|------|-----------|------|
| Lead Auditor | | | |
| QA Director | | | |

Got: Report issued within 15 business days of the closing meeting. If fail: If delayed beyond 15 days, notify stakeholders and document the reason.

Step 7: Track CAPA and Verify Effectiveness

For each finding requiring a CAPA:

## CAPA Tracking
| Finding ID | CAPA ID | Root Cause | Corrective Action | Due Date | Status | Effectiveness Check |
|-----------|---------|------------|-------------------|----------|--------|-------------------|
| F-001 | CAPA-2025-042 | Configuration oversight during upgrade | Enable audit trail, verify all modules | 2025-04-15 | Open | Scheduled 2025-07-15 |
| F-002 | CAPA-2025-043 | Training matrix not updated | Complete training, update tracking | 2025-05-01 | Open | Scheduled 2025-08-01 |

Got: CAPAs assigned, tracked, and effectiveness verified per defined timeline. If fail: Unresolved CAPAs escalate to QA management and are flagged in the next audit cycle.

Validation

Audit plan approved and communicated before audit
Opening and closing meetings documented with attendance
Evidence collected with timestamps and source references
Every finding has classification, evidence, and regulatory reference
Audit report issued within 15 business days
CAPAs assigned with due dates for all critical and major findings
Previous audit CAPAs verified for closure effectiveness

Pitfalls

Scope creep: Expanding the audit scope during execution without formal agreement leads to incomplete coverage and disputes.
Opinion-based findings: Findings must reference specific regulatory requirements, not personal preferences.
Adversarial tone: Audits are collaborative quality improvement exercises, not interrogations.
Ignoring positives: Reporting only findings without acknowledging good practices undermines trust.
No effectiveness check: Closing a CAPA without verifying the fix actually works is a recurring regulatory citation.

Related Skills

perform-csv-assessment — full CSV lifecycle assessment (URS through validation summary)
setup-gxp-r-project — project structure for validated R environments
implement-audit-trail — audit trail implementation for electronic records
write-validation-documentation — IQ/OQ/PQ protocol and report writing
security-audit-codebase — security-focused code audit (complementary perspective)

Dépôt GitHub

pjt222/agent-almanac

Chemin: i18n/caveman-lite/skills/conduct-gxp-audit

agentsagentskillsai-assisted-developmentclaude-codeskillsteams

Compétences associées

content-collections

Méta

Cette compétence propose une configuration éprouvée en production pour Content Collections, un outil axé sur TypeScript qui transforme des fichiers Markdown/MDX en collections de données typées de manière sûre avec une validation Zod. Utilisez-la lors de la création de blogs, de sites de documentation ou d'applications Vite + React riches en contenu pour garantir la sécurité de typage et la validation automatique du contenu. Elle couvre tout, de la configuration du plugin Vite et de la compilation MDX à l'optimisation des déploiements et la validation des schémas.

Voir la compétence

polymarket

Méta

Cette compétence permet aux développeurs de créer des applications avec la plateforme de marchés prédictifs Polymarket, incluant l'intégration d'API pour le trading et les données de marché. Elle fournit également une diffusion de données en temps réel via WebSocket pour surveiller les transactions en direct et l'activité du marché. Utilisez-la pour mettre en œuvre des stratégies de trading ou pour créer des outils traitant les mises à jour de marché en direct.

Voir la compétence

creating-opencode-plugins

Méta

Cette compétence aide les développeurs à créer des plugins OpenCode qui s'interconnectent avec plus de 25 types d'événements tels que les commandes, les fichiers et les opérations LSP. Elle fournit la structure du plugin, les spécifications de l'API événementielle et les modèles d'implémentation pour les modules JavaScript/TypeScript. Utilisez-la lorsque vous avez besoin d'intercepter, de surveiller ou d'étendre le cycle de vie de l'assistant IA OpenCode avec une logique personnalisée pilotée par les événements.

Voir la compétence

sglang

Méta

SGLang est un framework de service LLM haute performance spécialisé dans la génération rapide et structurée pour les workflows JSON, regex et agentiques grâce à son cache de préfixe RadixAttention. Il offre une inférence nettement plus rapide, particulièrement pour les tâches avec des préfixes répétés, ce qui le rend idéal pour les sorties complexes et structurées ainsi que les conversations multi-tours. Choisissez SGLang plutôt que des alternatives comme vLLM lorsque vous avez besoin d'un décodage contraint ou que vous construisez des applications avec un partage étendu de préfixes.

Voir la compétence