Computer System Validation: Key Strategies for Compliance

Fig.1 Computer system validation

Introduction: Computer Systems Validation (CSV) is a process used to test, validate and formally document that a regulated computer-based system does exactly what it is designed to do, consistently and accurately, in a manner that is secure, reliable and traceable.

Regulated sectors use computer systems to operate and record a range of processes and activities, including clinical trials, manufacturing, product testing, distribution, storage and logistics. It is therefore critical that these systems can be relied upon to produce data accurately and consistently; create an indelible electronic data trail that is transparent, traceable and tamper-proof; and store those electronic data records in a way that is safe, secure and can stand the test of time. Standard operating procedures (SOPs) and processes must also be put in place to manage these systems.

In addition, the CSV process is used when replacing paper records and handwritten signatures with electronic data records and electronic signatures in highly regulated environments that impact public health and safety such as the pharmaceutical and medical device industries.

What are computerized systems?

According to the above, we can define computer systems as a combination of hardware and software that performs functions for the process it serves (where "process" means all of its constituent elements, such as personnel, equipment, activities, input and output elements, and related documentation, among others).

GxP-Regulated Computerized System: a computerized system that is subject to GxP regulations. The regulated company must ensure that such systems comply with the appropriate regulations.

Source: https://www.picscheme.org/layout/document.php?id=155

What is the validation of computerized systems?

Validation of computerized systems is a documented process to ensure that a computerized system does exactly what it was designed to do in a consistent and reproducible way (suitability for use), ensuring the integrity and security of data processing and product quality, and complying with applicable GxP regulations. Robust, documented evidence shows that the system is suitable for its intended purpose and is doing what it is designed to do, with the certainty that the result or the final product will have the expected quality. Computer system validation is required when configuring a new system or making a change to a validated system (upgrades, patches, extensions, etc.).

Why is CSV essential?

Regulatory agencies such as the U.S. Food and Drug Administration (FDA), the European Medicines Agency (EMA), and others require pharmaceutical companies to validate computer systems used in GxP (Good x Practice) environments.

Compliance with regulatory requirements and fitness for intended use may be achieved by adopting a life cycle approach following good practices, as explained in the GAMP 5 guideline.

CSV ensures that the data generated and processed by computer systems are accurate, reliable, and consistent, contributing to maintaining data integrity.

Many computer systems in the pharmaceutical industry control critical processes that directly impact patient safety. Ensuring the proper functioning of these systems is vital to prevent errors that could lead to adverse events.

CSV helps identify and mitigate risks associated with computer systems, ensuring that potential vulnerabilities are addressed before they impact product quality.

Validated computer systems are more likely to operate effectively, minimizing downtime and disruptions in manufacturing processes.

Computer systems need to be examined to confirm that the system will work in all situations. Additionally, all validation activities and test results need to be documented.

What Are Examples of Computer System Validation Regulation?

The Food and Drug Administration (FDA) considers computer systems to be equipment under 21 CFR 211.68, and they therefore need to be validated. It also provides detailed controls for electronic records and electronic signatures in the Code of Federal Regulations (CFR) under FDA 21 CFR Part 11. Part 11 mandates that electronic records and signatures be accurate, reliable, readily retrievable and secure, so that they can legally replace paper records and handwritten signatures. This code applies to (bio)pharmaceutical and medical device manufacturers, biotechnology companies and other FDA-regulated industries.

For medical device makers, the FDA requires validation of the software and systems used in manufacturing medical devices under 21 CFR 820.

Within the EU, EudraLex – Volume 4 – Good Manufacturing Practice (GMP) provides guidance on the validation of Computerised Systems under Annex 11: Computerised Systems.

The Pharmaceutical Inspection Co-operation Scheme (PIC/S) provides guidance with its document on Good Practices for Computerised Systems in Regulated GxP Environments. Computer System Validation is also required by the ISO 13485:2016 standard for medical devices.

Some examples of the controls required are:

  1. Data should be stored in electronic format and can be archived. Electronic records should be as trustworthy as paper records.
  2. The system must ensure that electronic signatures are as trustworthy and secure as handwritten signatures. Controls on electronic signatures should include: the name of the signing user, the date/time the signature was executed and the meaning of the signature.
  3. Signed records cannot be altered by users. The system can determine when a record was created, altered, or deleted by a user of the system.
  4. Password masking facility should be available in the system.
  5. Password complexity should be required, e.g. a minimum character length. Previous passwords cannot be reused.
  6. Screen lock should trigger after a defined period of time.
  7. Only authorised people can use the system.
  8. The system should have different access levels based on the criticality of the system.
  9. The system must be able to generate an audit trail, i.e. every activity should be stored in the system, capturing who, when, what, etc.
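
One way to make the audit trail in controls 3 and 9 tamper-evident, as an added example that is not from the original page or from any regulation it cites: each entry records who, when and what (plus the signature meaning for signing events) and is chained to the previous entry with SHA-256, so an altered or deleted entry is found on verification. Hash chaining is a technique chosen here for illustration; the user names, record ID and timestamps are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry


def entry_digest(entry):
    """SHA-256 over the entry's canonical JSON, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(trail, user, when, action, record_id, meaning=None):
    """Append a who/when/what entry; `meaning` is set for signature events."""
    entry = {
        "seq": len(trail),
        "user": user,
        "when": when,
        "action": action,
        "record_id": record_id,
        "meaning": meaning,
        "prev": trail[-1]["hash"] if trail else GENESIS,
    }
    entry["hash"] = entry_digest(entry)
    trail.append(entry)
    return entry


def verify_trail(trail):
    """Return the index of the first entry that fails verification, else None."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        intact = entry["seq"] == i and entry["prev"] == prev
        if not intact or entry["hash"] != entry_digest(entry):
            return i
        prev = entry["hash"]
    return None


def build_sample_trail():
    """Constructed sample events for a hypothetical batch record BR-0001."""
    trail = []
    append_entry(trail, "a.meyer", "2024-03-01T09:15:00Z", "create", "BR-0001")
    append_entry(trail, "a.meyer", "2024-03-01T09:40:00Z", "modify", "BR-0001")
    append_entry(trail, "j.klein", "2024-03-01T11:02:00Z", "sign", "BR-0001", "review")
    append_entry(trail, "s.braun", "2024-03-01T14:30:00Z", "sign", "BR-0001", "approval")
    return trail
```

A chain like this detects changes but does not prevent them: someone able to rewrite the whole store can recompute every hash, so the latest hash also needs to be kept somewhere the application's users cannot write.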

Best Practices for Computer System Validation

Before you even begin the validation process, it’s crucial to define what you aim to achieve. Setting clear, specific objectives ensures that the validation process is aligned with both regulatory requirements and business needs. For example, a pharmaceutical company might set an objective to validate a new laboratory information management system (LIMS) to comply with FDA 21 CFR Part 11 regulations.

Like any technical endeavor, CSV processes should be guided by a good plan that is created before the project starts. This plan will define the objectives of the validation, the approach for maintaining validation status over the full SDLC, and satisfy all regulatory policies and industry best practices (e.g., GAMP 5). The validation plan will be created by people who have a good knowledge of the technology involved (i.e., informatics systems, instruments, devices, etc.) and serve to minimize the impact of the project on day-to-day lab processes.

The validation plan should detail the following:

Project Scope – Outlines the parts of the system that will be validated, along with deliverables/documentation for the project. Validation activities are only applied to aspects of the system that will be utilized by the company.

Testing Approach – Defines the types of data that will be used for testing, along with the kind of scenarios that will be tested.

Testing Team and Responsibilities – Lists the members of the validation team, along with their roles and responsibilities in the validation process.

Acceptance Criteria – Defines the requirements that need to be satisfied before the system is considered suitable for use in regulated activities.

Each industry has its own set of regulations governing computer system validation. Familiarizing yourself with these requirements is essential. For instance, companies in the pharmaceutical sector need to adhere to FDA guidelines, while those in Europe must comply with EMA regulations. This knowledge shapes your validation strategy, ensuring it meets all legal and quality standards.

A risk-based approach to CSV prioritizes activities based on the potential impact on product quality and patient safety. By identifying and assessing risks early, you can allocate resources more effectively. CSV takes a lot of time and IT resources to accomplish, so it is wise to follow a flexible GAMP 5 approach that uses a risk-based assessment of the system to determine the required test cases and the optimal level of testing for each. CSV efforts should concentrate on what is practical and achievable for the critical elements of the system that affect quality assurance and regulatory compliance. Benefits of this risk-based approach to CSV include reduced cost, reduced business risk and a shorter duration of the validation effort.

CSV is not just an IT task; it requires collaboration across various departments, including quality assurance, regulatory affairs, and operations. A cross-functional team brings diverse perspectives and expertise, ensuring a comprehensive validation effort. Imagine a scenario where the IT department, quality assurance team, and laboratory personnel work together to validate a new software application for quality control testing.

Document Everything Meticulously

Documentation is the backbone of CSV. It provides evidence that systems have been properly validated and are fit for their intended use. This includes everything from validation plans and test protocols to test results and final reports. Think of documentation as a detailed diary that chronicles every step of the validation process, providing a clear audit trail for regulatory inspectors.

Testing is at the heart of CSV. It verifies that the system performs as intended under various conditions. Effective testing covers functional performance, security, and user acceptance, among other aspects. For example, a healthcare provider validating an electronic health record (EHR) system would perform stress testing to ensure the system can handle high volumes of concurrent users without performance degradation.

Avoid ambiguous test scripts. Precise requirements lead to precise validation testing that confirms the system is fulfilling its intended use. Additionally, vendor test scripts typically only validate the base system requirements and will not be sufficient to ensure regulatory compliance.

Proper training ensures that everyone involved in the CSV process understands their roles and responsibilities, as well as the regulatory standards they must meet. Training should be tailored to the specific needs of the team and updated regularly to reflect changes in technology or regulations. Consider a scenario where a manufacturing company conducts regular CSV training sessions for its staff, focusing on the latest industry guidelines and best practices.

The technology and regulatory landscape is constantly evolving. Regularly reviewing and updating your CSV activities ensures that your systems remain compliant. This might involve re-validating systems in response to software updates or changes in regulatory requirements. CSV is not a one-time event but an ongoing process of monitoring, review, and improvement. Adopting a mindset of continuous improvement helps identify opportunities to enhance system performance, efficiency, and compliance. For example, after successfully validating a new data management system, a company might review the process to identify lessons learned and areas for improvement.

Conclusion

Navigating the complexities of Computer System Validation can seem daunting, but by adhering to these best practices, organizations can ensure their systems are compliant, efficient, and poised to meet the challenges of the digital age. Remember, the goal of CSV is not just to satisfy regulatory requirements but to ensure that computerized systems are reliable and effective tools in achieving business objectives and safeguarding product quality and patient safety. With the right approach, CSV becomes a valuable asset in your quality management arsenal, driving innovation and excellence across your operations.

In the fast-paced world of technology and regulation, staying informed and adaptable is key. Whether you’re just starting your CSV journey or looking to refine your processes, these best practices offer a roadmap to success. Embrace the journey, and watch as your systems—and your business—thrive.

Sagar Pawar

Computer System Validation Specialist