As a part of an inspection scheme, a Regulatory Authority has established a central IT-system for the recording and storing of the inspection data and all accredited inspection bodies must use that tool.
That IT-system is provided and developed by the Regulatory Authority and it is consisting of authorization system using electronic ID infrastructure, user interface for data entry, database storage for the inspection related information and interface to access the data and generate official inspection reports. The IT-system is out of control of the inspection bodies.
In addition to the generation of the inspection reports, and to avoid duplication several inspection bodies have begun to rely on the service of IT-system for inspection data storage and archival (time limits, liquidation and access to data are defined by law). Inspection bodies have no control over the database and there are no agreements between either inspection body and the Regulatory Authority to enforce any additional requirements from inspection body (i.e. longer storage time).
In the context of ISO/IEC 17020:2012 cl 7.3.1 and the fact that inspection bodies rely fully on previously described service from the Regulatory Authority for the management of inspection records and reports, could that be enough for being in compliance with ISO/IEC17020:2012? Or should the inspection body still duplicate some functions to get them under their own control?
Does such IT-system qualify as a “computer software used in inspection” and therefore must be validated (cl. 6.2.13) before use and revalidated when system is changed?
What additional aspects may be relevant for the case?
September 2016
The Technical Regulatory Authority has established an inspection scheme which requires the inspection bodies to use a “central IT system” that is used by the inspections bodies for directly record the data during the inspections and for central storage of the records and database function. This “central IT system” is out of control of the IB.In this case the inspection body needs to have an “agreement” with the National Authority to comply with requirements of ISO/IEC 17020:2012. The agreement should assure accessibility and maintenance of the records e.g.: the access during an accreditation body assessments (if accreditation is mandatory), the access for the inspection body to resolve claims and appeals, later checks, etc.