Computer System Validation in the Regulatory Environments
In the modern world, with the rapid growth in technology, companies have turned to computer systems to become more productive. Like most other industries, the FDA regulated firms have also swiftly adapted the use of computer systems to increase the efficiency of individuals, reduce errors, and increase overall productivity. So it is only normal to use electronic records instead of paper records.
FDA regulated companies that maintain records or submit designated information electronically to FDA must ensure compliance for both infrastructure qualification and computer system validation.
To successfully implement, use and maintain computer systems, the regulatory, clinical, and IT professionals working in the healthcare, clinical trial, biopharmaceutical, and medical device sectors must gain relevant knowledge.
Computer systems validation compliance requirements and standards:
Guidance: CFR Part 11: Electronic Records, Electronic Signatures - Scope and Application
- Applicable to records and signatures
- Requires suitable features and validation
- FDA's definition of computer system validation (CSV)
- Computer System validation requirements
- FDA 21 CFR part 820.70: "When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented."
- FDA 21 CFR part 11.10: "Persons who use systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records. Such procedures and controls shall include validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records."
- ISO 13485, inter alia in chapter 4.1.6, 7.5.2.1 and 8.2.3
- GMP directives
- GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems
- Use of alternative communication methods such as newsletters or compliance intranet
- Tasks supporting validation
- Quality planning - includes tasks such as Risk (Hazard) Management Plan, Configuration Management Plan, Software Quality Assurance Plan, Problem Reporting and Resolution Procedures, and other Support Activities
- Requirements - includes Preliminary Risk Analysis, Traceability Analysis, Description of User Characteristics, Listing of Characteristics and Limitations of Primary and Secondary Memory, Software Requirements Evaluation, Software User Interface Requirements Analysis, System Test Plan Generation, Acceptance Test Plan Generation, and Ambiguity Review or Analysis.
- Design - Includes Updated Software Risk Analysis, Traceability Analysis, Software Design Evaluation, Design Communication Link Analysis, Module Test Plan Generation, Integration Test Plan Generation, and Test Design Generation
- Construction or coding - Includes tasks such as Traceability Analyses, Source Code and Source Code Documentation Evaluation, Source Code Interface Analysis, and Test Procedure and Test Case Generation
- Testing by software developer - Includes Test Planning, Structural Test Case Identification, Functional Test Case Identification, Traceability Analysis - Testing, Unit (Module) Test Execution, Integration Test Execution, Functional Test Execution, System Test Execution, Acceptance Test Execution, Test Results Evaluation, Error Evaluation/Resolution, and Final Test Report
- User site testing - Includes Acceptance Test Execution, Test Results Evaluation, Error Evaluation/Resolution, Final Test Report
- Maintenance and software changes - 'Hardware maintenance typically includes preventive hardware maintenance actions, component replacement, and corrective changes. Software maintenance includes corrective, perfective, and adaptive maintenance but does not include preventive maintenance actions or software component replacement.'
- Validation planning
- Computer system validation activities should be documented with the following
- Analyze system requirements and develop clear and precise functional requirements:
- User/System Requirements Specification (the 'What')
- Functional Requirements Specification (the 'How')
- Design Spec (the 'How to Build')
- Perform risk-based CSV:
Although many companies use electronic records, when it comes to using electronic signatures, they are in doubt. They print the records and sign on them. However, there is no need for printing and signing the records if the company is part 11 compliant. The CFR Part 11 applies to both electronic records and signatures.
For the proper functioning of processes, all regulated companies maintain standard operating procedures (SOPs). While part 11 allows replacing paper records with electronic records, it requires the computer system to have suitable features and to be properly validated.
"Confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses, and that the particular requirements implemented through software can be consistently fulfilled." - Validation ensures that "you built the right thing."
Computer system validation encompasses hardware and software. It includes equipment and/or instruments connected to the system, and users that operate the system and/or equipment.
There are 4 key areas of 21 CFR compliance:
A validation plan is fundamental to the success of the project. Create a plan that will define the objectives of the validation, the approach for maintaining the status of the validation over the software development life cycle, ensuring compliance with the regulatory requirements. The plan should be created by personnel who are knowledgeable about the technologies involved. The plan should detail:
What functionality is actually required and will be highly effective in increasing productivity? While ensuring proper functionality, is it compliant with regulatory requirements and standards? Strategic planning is required to ensure the success of the project. The requirements document should have a high degree of specificity and should explain
Following are the steps to validate a computer system
Attend the seminar 'Computer System Validation - Reduce Costs and Avoid 483s' to explore proven techniques for reducing costs associated with implementing, using, and maintaining computer systems in regulated environments.
The speaker David Nettleton is an industry leader, author, and teacher for 21 CFR Part 11, Annex 11, HIPAA, software validation, and computer system validation. He has completed more than 230 mission critical laboratory, clinical, and manufacturing software implementation projects. He is involved with the development, purchase, installation, operation, and maintenance of computerized systems used in FDA compliant applications.