A Guide to Computer System Validation (CSV) in Pharmaceuticals

a-guide-to-computer-system-validation

The pharmaceutical industry is closely regulated by various global bodies for ensuring patient safety. All implemented processes and manufactured pharma goods are thoroughly verified and validated before they are used or released in the market. This is specifically done to ensure consistent product quality and patient safety. While automating pharma processes also, businesses need to verify computer systems that they plan to purchase. The purpose of validating computer systems is to ensure appropriate functioning of application / system / equipment / machine so that they work as per the provided design or requirement.

Defining Computer System Validation

Computer System Validation is a documented process for ensuring that a computer system can be used in regulated sectors such as pharmaceuticals to accomplish its designated task in a consistent manner. These systems must ensure data integrity, excellent product quality and compliance with GxP regulations. FDA has been using this approach since the publication of the 2003 CSV guideline in addition to 21 CFR Part 11.

Computer System Validation applies to computer systems such as:

Process Control Software

  • Controller based System (MP/MC)
  • PLC for Controlled Packaging Equipment
  • Supervisory Control and Data Acquisition (SCADA)
  • Distributed Control System (DCS)

Commercial Off-the-Shelf (COTS) / Software as a Service (SaaS)

  • Laboratory Information Management System (LIMS)
  • Clinical Trial Monitoring Systems
  • Chromatography Data System (CDS)
  • Enterprise Resource Planning (ERP) Systems
  • Manufacturing Execution System (MES)
  • Batch Record System
  • Building Management Systems (BMS)
  • Cloud base software services
  • Spreadsheets

Computer System Categorization According to GAMP 5

Category 1: Infrastructure software, tools, and IT services

Category 3: Standard system components / Non configured functions

Category 4: Configured components

Category 5: Custom applications and components

*Category 2 does not exist*

Regulatory Obligations

Each country has a different set of regulations in place to validate the computer systems. These include US FDA, EU GMP, WHO, MHRA, MOW, etc. US FDA recognizes computer systems as equipment as per 21 CFR 211.68 which needs to be validated. The regulation provides detailed controls for electronic records and electronic signatures in 21 CFR Part 11. Part 11 mandates electronic records and signatures to be accurate, reliable, retrievable and secure with 100% legal replaceability to paper records and handwritten signatures. FDA mandates medical devices industry to validate software using the 21 CFR 820 guideline. EU Annexure 11 also provides guidance on validation of computerized systems. ISO 13485 standard 16 mandates CSV for medical devices industry.

Good Automated Manufacturing Practice (GAMP) is a set of guidelines and procedures used by pharma companies to validate computer systems to attain compliance with FDA 21 CFR 11. GAMP is not specifically a regulation, but a set of guidelines, which means, companies are not legally bound to comply with it. GAMP however, helps companies comply with global regulations indirectly.

What is GxP?

G = Good | x = Variable| P = Practices

As x is a variable, it can address different concepts in the pharma industry such as,

GMP – Good Manufacturing Practices

GCP – Good Clinics Practices

GLP – Good Laboratory Practices

GDP – Good Documentation Practices

GWP – Good Storage Practices

GEP  – Good Engineering Practices

Essential Steps in CSV

The Linear Approach (V Model)

Most organizations in the pharma industry follow GAMP 5’s V-Model to validate computer systems as defined by ISPE. The model is implemented to visualize the relationship between key user requirements & specifications of a system with the verification or testing performed upon them. Let’s picture a V-figure. The model’s left side addresses the requirements or specifications (URS, FS, DS) while the right-side addresses associated tests to verify those requirements.

GxP Compliance: Firstly, it is verified if a computer system is compliant with GxP regulations (GMP, GCP, GLP, GDP, GWP). This is ensured both by the computer system provider and the prospective user.

Define Necessary Criteria: It is necessary that essential criteria is firstly defined such as User Requirement Specification (URS), Functional Specifications (FS) and Design Specifications (DS). After defining these criteria, the computer systems are tested according to these specific criteria.

  • User Requirement Specification (URS): URS is a formal document that outlines the system’s requirements to meet the user’s needs. The URS is defined before you select any solution so that you are not influenced by the vendor’s solution, it helps you evaluate potential vendors and their solutions, prioritize your needs and reduces the cost of implementation. URS also takes into consideration regulatory compliance, safety requirements, operational constraints and other critical factors.
  • Functional Specifications (FS): The FS document specifies how a software operates to meet the user’s needs. This can essentially document description of the user interface screen or the look of reports and the data that is to be captured. This can also include logic, calculations and regulatory requirements.
  • Design Specifications (DS): The DS document contains all technical elements of the software and specifies how a system will meet its functional specifications. Some elements of Design Specification are:
  • Database Design
  • Logic / Process Design
  • Security Design
  • Interface Design
  • Architectural Design
  • Network requirements
  • Peripheral Devices (Scanners, Printers, etc)

Configuration / Coding: Vendors build and develop the software and configure them to meet the criteria set by the user (URS, FS, DS).

CSV Tests and Validation: After setting the Acceptance criteria, the user now has to choose a software from a set of vendors who provide GxP compliant systems and has all the required features. After selecting a product, the URS, FS and DS documents are presented to the vendor. Accordingly, the vendor makes necessary additions in their software to meet the user’s needs. After the software is personalized to the user’s requirements, it is tested by the user.

This process is known as User Acceptance Test (UAT). After rigorously testing the product with the help of a test link, it is then passed on to the validation link. After the user completely tests and validates the system, it is further passed in the actual production link, i.e., the software is tested in the user’s production environment. In this phase, if the software is able to provide consistent results, the product is handed over to the client.

Installation Qualification (IQ): Also referred to as ‘configuration or integration testing’, Installation Qualification confirms if a software is installed or setup according to the design specification.

Operational Qualification (OQ): Operational or Functional testing confirms that all functionalities defined in the specification are present and working correctly in a computer system.

Performance Qualification (PQ): Also known as ‘user requirement testing’, performance qualification confirms that a software is suitable for its intended use and meets all user requirement specifications.

Final Report: This is the last step of the validation process where a summary report is drafted declaring that the system is fit for its intended use and all deliverables have been delivered according to plan.

Iterative and Incremental Approach (Agile)

Unlike the V-Model, the Agile approach adopts a flexible, iterative method that merges Agile development practices with structured validation activities. It focuses on iterative product development, continuous testing and ongoing documentation. This requires continuous exchange between users and vendors. The entire process includes Planning and Specifying Requirements, Configure / Code, Verify and Review with sprint reviews, retrospectives, continuous feedback and improvement. The incremental product configuration helps developers meet compliance and user requirements with lesser burden.

With effective computer system validation in place, the pharmaceutical industry can evaluate and invest in good computer systems that can ensure productivity, quality and compliance. Computer systems need proper validation before they are used in manufacturing or real-time environment. By using the Linear and Agile approach, users can make proper choices in software and vendors can effectively deliver their products meeting the user specified requirements.

Schedule a Free Consultation
Request a Demo
Articles

See More Articles