It is no secret that the life science industry is constantly challenged worldwide by ever-evolving, stringent regulations. As life science industries have modernized, their use of technology has increased. To prevent software malfunction and, more importantly, to ensure that life science technologies are safe for patients, computer system validation (CSV) is mandatory for all life science companies.
The life science industry includes pharmaceutical, biotechnology, clinical services, and medical device manufacturing companies. The products and services of these industries need to maintain a set of attributes that includes safety, identity, strength, quality, purity, and efficacy.
Validation is establishing documented evidence providing a high degree of assurance that a particular computerized operation or process will consistently produce a quality result meeting its predetermined specifications. The data and processes involved have a direct impact on the product attributes mentioned above, which can be critical in nature because they are linked with human wellbeing.
Validation is all about objective evidence that the system performs as per predefined requirements. In our experience, some gaps are commonly found in validation; they are listed below:
Common Validation Gaps
- Business user requirements are not documented properly
- Functional requirements are not detailed enough and do not have traceability to user requirements
- System testing scripts do not have a reference to requirements, and actual results are not aligned to test objectives and expected results.
- Traceability matrix is not maintained or updated
- Training records are not maintained for all production users
- Objective evidence in the form of documentation for security SOD is not available
- Validated system has missing GxP Controls
- Validated system is non-compliant with US FDA 21 CFR Part 11 regulation
A typical CSV SDLC process includes six steps as follows:
- Concept Business Requirements – Business users are documented along with user requirements and specifications that are unique, testable and traceable across the SDLC.
- Planning & Scoping – System risk assessment is conducted based on the criticality and complexity of the system. The validation plan is designed with a clearly laid out scope, system description, GxP criticality, validation deliverables, governance and acceptance criteria.
- Requirements & Design – Functional requirements are documented, and design configuration is built based on installation qualification (IQ) for hardware and software components. It is a good practice to conduct IQ for development systems, quality systems, and production systems.
- Build – Installation qualifications and technical design specifications for customization requirements are laid out. Developers also perform code review and unit testing.
- Test – System testing is conducted in a controlled environment on the functional requirements. User acceptance testing is also carried out with regard to business user requirements. A traceability matrix (used to verify the completeness of validation) is created as well.
- Deploy – Before the final deployment, training records are documented for all users who have access to production. Business and IT SOPs are approved. Additional validation summary report with deviation and service level agreements are approved and documented. Periodic reviews are conducted at regular intervals.
21 CFR Part 11 compliance is obligatory for all electronic records and signatures, which in turn ensures that the system generates accurate records and time-stamped audit trails.
Any qualified vendor would guarantee that a gap analysis report is generated after system assessment. Next, a 21 CFR Part 11 remediation plan is created that addresses the hardware and software requirements, aligning with CSV policies, procedures, and the training plan. In addition, during development, the system is remediated for all 21 CFR Part 11 requirements. Once the system is compliant with 21 CFR Part 11, the validated state is maintained.
Validation is a never-ending activity, and the system has to be maintained in a continuously validated state. Change is the only constant. New and improved technologies keep appearing, even in the life science industry. This leads to the next question:
How To Implement Changes In A Validated System Without Compromising The Validated State?
After the system is in a validated state, any change to the production environment can be made via a risk-based change control process. There are five stages in the workflow as mentioned below:
- Assess – This step includes assessment of business, impact of changes concerning GxP (will the change affect GxP or non-GxP), technical and regulatory risk. The assessment will also determine the level of involvement, documentation, and responsibilities required.
- Plan – All deliverables required to implement the change are approved by the Change Control Governance Board (CCB) members, including QA validation, before implementation of the change.
- Implement – Here, site change control with regard to SOPs and training is coordinated. Changes are carried out to the SDLC documents, and the change is validated if necessary (only for changes affecting GxP functionality).
Computer system validation is an important tool to assure the quality of computer system performance. CSV enhances the reliability of the system, resulting in fewer errors and less risk to process and data integrity. It also reduces long-term system cost by reducing the cost of maintenance and rework.
Ramakrishnan Balasubramanian, Program Manager – Life Sciences Practices @ YASH Technologies