Computer systems are widely used in the pharmaceutical industry. With an increase in the use of computer systems in regulated industries, the computer system validation (CSV) process is very crucial for patient safety and compliance. It is essential to confirm that the systems perform reliably and are in compliance with the regulatory as well as the user requirements. Get to know more about CSV through this article.
What Is Computer System Validation?
Computer System Validation (CSV) in the pharmaceutical industry is a documented process for reassuring that the computer system performs its function for what it is designed to do in a consistent and reproducible manner. It makes sure that all the predefined requirements are met by the system and is apt for the use it is intended for. CSV plays a crucial role in the pharmaceutical industry in ensuring data integrity, product quality and patient safety.
The Computer System Validation process, also known as software validation, includes many steps. They are planning, specifications, preparation, testing, documentation & operation. Every step is important and should be conducted accurately to make sure the validation of the system.
Importance Of CSV In Pharmaceutical Industry:
It is important that the patient's safety cannot be compromised at any cost. This is the major reason why each requirement is in place and must be complied with. Everything comes down to patient safety and effectiveness. Computer system validation is done to ensure that the system that is planned to be implemented meets all the requirements set forward and is functioning properly for what it is designed for.
It can be concluded that large amounts of data generated are accurate, complete and reliable by the process of CSV. Any error, malfunction or failure of the system can be detected via a computer validation system. So, when a system is said to be validated it also means that it is safe for use and performs its function properly.
The data generated can be trusted and can be used for regulatory submissions, decision making and reporting as well. Data integrity also involves unauthorized access prevention, changes to data and audit trails maintenance.
The potential risk can be identified, evaluated and managed with computer system validation. The risks can be resolved before it can cause damage to the quality of the product and safety of the patient as well as the reputation of the company. Documentation of the validation process is required. It allows for tracking the activities and modifications performed on the system.
FDA CSV Guidance and General Principles
There is a final guidance document provided by FDA on general principles of software validation. In that, the principles that must be considered for software validation is described in section 4 of the document. They are:
Requirements
The validation process of software is not fulfilled without an established software requirements specification. It is referring to 21 CFR part 820(z) which is about validation (process validation and design validation), 21 CFR part 820.30(f) and (g). 21 CFR part 820.30(g) is about design validation which is discussed below and 21 CFR part 820.30(f) is about design verification. This states that:
Each manufacturer should establish and maintain the procedures to verify the design of the device.
It must be confirmed that the design output meets the design input requirements in design verification.
Results produced from the design verification, along with the design identification, methods used, date and the individuals conducting the verification, must be documented in the ensign history file. (DHF).
Prevention of Defect: Software quality assessment must be conducted. It needs to focus on the prevention of introducing defects into the system rather than fixing it after the software code is written. While software testing is a necessary activity, this alone is insufficient to claim its fitness for intended use. Software developers must use mixed methods and technologies for error detection and prevention that can occur.
Time and effort are required to conclude that the software is validated. It will be based on the evidence gathered via planned activities throughout the software lifecycle.
Software validation is not a separate process but is integrated into the lifecycle of software development. It must be conducted from the initial planning to final deployment and maintenance.
The process of software validation is controlled and defined via the use of a plan. The software validation plan describes what must be accomplished through the software validation effort. Scope, approach, resources, schedules and the types and extent of activities, tasks, and work items are areas that are specified in the software validation plan.
There are certain procedures for the execution of software validation process. How to conduct the software validation is established through these procedures.
For software, even when there is any small change it can cause a global system impact. So, whenever there is a software change, a validation analysis must be conducted. This is to know the impact of that change in the entire software system and not just to validate the individual change.
Baseline validation activities only be required for lower risk devices. As the risk level goes up additional validation activities must be put in place to cover the additional risks. Depending on the software complexity and safety risks must be the validation coverage.
Using the basic quality assurance precept of “independence of review” should be the conductance of validation activities. Self-validation is difficult. Independent evaluation must be opted for when possible, especially for devices with higher risk.
Even though the principles of software validation are stated, specific implementation of the software validation principles might be different from one application to another. The device manufacturer can be flexible in choosing how to apply these validation principles. The manufacturer can be flexible but is always responsible in demonstrating the validation of the software has been achieved.
Regulatory Requirements for CSV in Pharma
Quality System Regulation requires software validation. From software used as a component of the medical device to the software itself being a medical device is where the validation requirements apply. This also applies to the use of software in the production of the device or in the implementation of the quality system of the device manufacturer. Unless excluded from the classification regulation, any medical device software product is subjected to applicable design control provisions, regardless of the device class it belongs to.
21 CFR 820.30(g) (Design Validation) describes the specific requirements for device software validation. In this part of CFR it is clearly stated that design validation should involve software validation and risk analysis where appropriate. It is applicable to medical devices, software as a component of medical device and software as a standalone device if it is placed in the medical device classification by FDA. The requirements are as follows:
Manufacturers must create and maintain procedures for the validation of the design of the device.
Validation must be carried out under defined operating conditions on initial production units, batches, lots or its equivalents.
Validation must make sure that the device complies with the defined user needs and the use it is intended for. Testing of production units should be done under simulated or actual conditions.
While performing software validation, risk analysis must also be conducted. Any risk to the safety and effectiveness of the device by the software (malfunctioning, bugs or failure) must be ruled out.
Each manufacturer must document the design validated, methods used, validation date, individual performed in a DHF (Design History File).
Other requirements include 21 CFR part 11 (Electronic records and signature), GAMP (Good Automated Manufacturing Practice) 5, GMP Directives, ISO 13485, European Union Annex 11.
Components of a Computer System Validation Plan
A validation plan describes the activities to be conducted to provide evidence that the system is in compliance with all the requirements and is also fit for the use it is intended for. The CSV plan involves the following:
System Definition: A detailed description of the system that is being validated.
Key user identification: Identifying the end users or stakeholders who interact with the system during and after validation.
Intended Use: Outline the use of the system for what it is intended for. It must clearly define the operational parameters of the system.
Validation Strategy: The strategies planned to be used for the validation of the system must be stated here. A detailed description of how the validation phases will be performed should be provided.
Risk Assessment: Identification of any risk of the system or system failures which can affect its proper operation which in turn affects safety and efficacy.
Responsibilities: State the responsibilities of each person involved in each task or activities in the validation process.
Timelines: Setting proper timelines for validation processes.
Phases of the Computer System Validation Process
Computer System Validation begins at the start of the system design. It is integrated along the Software Development Lifecycle (SDLC). Various Phases of CSV include:
Validation Master Plan (VMP)
Validation Master Plan is the process of establishing an outline for the validation of a whole computer system. As it is the primary validation process, every aspect of established systems along with software and hardware and validated processes like the risk reduction is covered. The VMP acts as a roadmap for validation. Setting the scope, goals and methodologies, justification of the strategies, determination of acceptance criteria and preliminary tests. It also defines the degree of the validation program.
User Requirement Specifications (URS)
The thoughts (how should it perform, what are the necessary features, expected performance standards, etc.) of the user on the computer system are documented. Each requirement is provided with a unique identifier which allows for the verification of the criteria in the subsequent validation steps. This also helps to prevent the omission of the functionalities that are planned during its development.
This unique identifier helps to understand whether each feature has undergone the testing or not. Details must be provided on the functional specification design (FDS) for the system supplier. This is done because they can calculate the time, resources and money required to engineer and document a computer system.
Design Qualification (DQ)
This must display that the design and its principles must be in compliance with GMP and its goals. All the mechanical drawings and the design elements provided by the manufacturer of the equipment must be reviewed. It is essential as the construction of the computer system will be in accordance with the design specifications of the software and hardware and the functional specifications (FS).
Upon completion of the reviewal of documents and comparison of URS with FS, SDS (Software Design Specification) and HDS (Hardware Design Specification) the parties appointed responsible will approve the record created. This is Design Qualification.
These are validation processes conducted to confirm that the system is installed, operating (under controlled conditions) and performing (in the real world) as it is expected to be.
A Validation Summary Report
Depending on the results achieved from the qualification tests performed, a summary report is created.
Periodic Review
The validate systems must be reviewed periodically to confirm that they are still in compliance with the GMP and of continued validity. With the change control process, all the validation documents relevant will be reviewed to determine the extent of revalidation. Reviews can occur typically once in a year based on the application.
Life Cycle Model of CSV
The use of a life cycle model allows for efficient and cost-effective work processes and products. It is structured as such it makes sure that the computer system is validated entirely and is in compliance with the patient safety and other requirements specified. Software systems can be developed using a lifecycle model.
Complete CSV process using V model is typically required during the project phase. The V model confirms that the system is validated at every stage of development. Both IT and CSV use the V model for risk mitigation that are associated with computer aided systems.
Challenges in Computer System Validation
Common challenges include in the areas of planning, communication and in understanding the regulatory requirements.
Planning
Failure in considering the range of impact and the reach of the system they plan to implement is a major problem. Isolated thinking can lead to a limited perspective and holds back the implementation of the system to other departments. Specifications are developed based on the needs of a particular department. They fail to consider that the system can also be utilized by other departments as well, which will cause issues.
Communication
Lack of communication within and also with other departments is a huge issue. Improper communication and lack of cross departmental collaboration will lead the CSV to move through inefficiency and friction. It also leads to not being able to accommodate the needs of other departments.
Recognition Of Regulatory Requirements
Regulatory requirements can be complex to understand. This can be due to the dynamic nature of the regulatory environment. Moreover, the companies tend to comply with the regulatory requirements as it is necessary to do so for the approval process. They don't really understand the need for all this compliance and work along with it just to meet the requirements. Ineffective training can be a cause for this lack of understanding.
Best Practices For Successful CSV Implementation
For the implementation of successful computer system validation certain things can be followed. Some of them are:
Process Maps/Mapping: Representing the task or activities performed in an operation graphically are process maps. This gives a detailed view of the activities involved in the operation.
The first step in initiating a CSV project is to define the desired functionalities of the system and system objectives clearly. Conducting stakeholder analysis is a way to do this.
Assemble teams early and communicate with them. Regularly conduct cross functional meetings. These allow for asking and addressing critical questions, brainstorming, deciding on requirements and provide for a proactive optimization of the process.
Subject matter experts should also be included from each department. Wide range of knowledge and expertise can be beneficial.
Patient safety and quality must be prioritized at all times. Gap assessments can be conducted with the help of a third party. This helps in identifying the blind spots in the application and understanding of the regulations within the organization.
These are the best practices that can be considered for a successful CSV. Advantages of a third-party gap assessment have already been discussed. At Artixio, with the help of our team of regulatory experts, we ensure a streamlined approach towards the validation process and in understanding the right requirements. Connect us through info@artixio.com
FAQs About CSV
Q. What is the role of Computer System Validation in Pharma industry?
A. CSV is a process to analyze and evaluate whether the computer systems used in the pharmaceutical industry are reliable, accurate and perform its function as it is intended to be. This is important to make sure patient safety, product quality and data integrity.
Q. What are the phases of computer system validation?
A. Validation Master Plan (VMP), User Requirement Specifications (URS), Design Qualification (DQ), Installation Qualification (IQ), Operational Qualification (OQ), Performance Qualification (PQ), validation summary report and periodic review are the phases involved in computer system validation.
Q. Why is 21 CFR part 11 important in CSV?
A. 21 CFR part 11 deals with the section of electronic records and signatures. CSV generates large amounts of electronic data and itt is required to be in compliance with 21 CFR part 11. This makes sure the data integrity & security and also meets regulatory requirements.
Q. What is the difference between software validation and computer software assessment?
A. Computer Software Assessment (CSA) is more of a risk-based approach whereas CSV is a process to identify whether the system is performing as it is intended to be and focus on regulatory compliance. CSA is done to establish confidence of the automated systems used in the production or quality systems