What is Computer System Validation
The FDA, EU and other regulatory agencies require you to validate your computer system prior to deploying it into a regulated process.
The purpose of this article is to provide an introduction to the topic of Computer System Validation (CSV), including what it is and why you should do it.
CSV is the process of ensuring that a computer system or software application meets regulatory requirements. It’s a critical component of the risk-based compliance program for regulated industries, and if you’re in one of these industries, you need to understand what CSV is and why it’s important.
Computer systems can be used as tools to achieve many goals–such as improving efficiency and productivity or reducing costs–but they also pose certain risks.
Documentation to capture this hasn’t always been consistent or agreed upon across the industry. The GAMP forum, along with the International Society for Pharmaceutical Engineering (ISPE) introduced the first edition of Good Automated Manufacturing Practices (GAMP) in 1994 to address this.
Good Automated Manufacturing Practices
GAMP defined a clear set of industry best practices to ensure regulatory compliance and utilizes the V-Model Software Development Life Cycle (SDLC). The V-Model gives us a clear path to validation, that includes verification activities for each level of specification.
Before beginning a new project, an assessment of risk for the system must be completed and the system must be given a GAMP category classification. There are 4 categories in which GAMP 5 groups computerized systems according to their complexity. These GAMP 5 categories define the approach to full validation.
In other words, they determine:
- the validation route to follow
- and the necessary documents to demonstrate that your system is suitable for the use that will be given and complies with the GxP regulation.
GAMP category 1: infrastructure
GAMP category 3: non-configurable software
GAMP category 4: configurable software
GAMP category 5: custom or bespoke software
By identifying the risk and the GAMP category, we can implement our own internal processes/procedures which indicate the level of validation and deliverables required for the project. CSV is required by regulatory agencies to ensure:
- Data Integrity
- Product Quality
- Patient Safety
If the validation process isn’t documented appropriately then an organization risks findings during an audit that can have an impact across the organization. Ensuring your systems are validated appropriately can mitigate many of these issues and ensure your systems/products are reliable and safe.
Which systems do (and don’t) need to be validated – including off-the-Shelf
Validation is a critical part of the process for developing and deploying systems that are required to be regulated.
As with most things in life, it’s important to know what you’re getting into before you go down that road. When it comes to validation, there are three main types: off-the-shelf (OTS) software, SaaS applications and cloud services (software as a service).
Spreadsheets also fall into this category–but they’re not exactly like OTS or SaaS. Spreadsheets are typically used by non-programmers who have no formal training in computer science or engineering; they’re often used by people who don’t even have a college degree!
What are the consequences of not validating systems?
Not validating systems can have a range of consequences. You may be unable to meet regulatory requirements and face penalties, such as fines or being forced to shut down. Your business could also suffer from reputation damage, especially if you are a regulated organization that is publicly visible.
What are the steps you need to take to implement a computer system validation program? You can begin to develop your computer system validation program by establishing a process to validate systems and developing a checklist that will help you conduct the validation.
Conducting gap analysis will help identify where your systems are lacking, so you can create plans to address those gaps in the future. Implementing these new processes and monitoring results is important as well.
What the future holds – The Transition from CSV to CSA
The FDA’s new approach to CSV, Computer Software Assurance (CSA), represents a step-change in computer system validation, placing critical thinking at the center of the CSV process, as opposed to a traditional almost one size fits all approach.
Following the launch of their ‘Case for Quality‘ initiative in 2011, the FDA were uncertain why so few companies were investing in automated solutions and why so many continued to run long-outdated versions of software.
The initiative, which set out to study quality best practice in medical device manufacturing, found that the burden of Computer Systems Validation (CSV) deterred technology investments and as a result, inhibited quality best-practice. On learning that the burden of CSV was holding companies back from realizing their investment in technology, the FDA decided to partner with industry to strike a balance between promoting automation and value-add CSV activities.
The FDA aimed to improve quality, remove non-value add activities, and focus testing on high risk areas, therefore reducing validation cost and time by focusing on the software’s impact to patient safety, impact to product quality and impact to quality system integrity (Direct or Indirect system).
This shift in approach to validation from computer system validation to assurance aims to realign effort to planning and preparation first, then defining the testing to be performed, and finally test execution and documentation.
.
