Unpacking Computerized System Validation

Computerized System Validation, also referred to as computer system validation or simply CSV, often presents challenges for many regulated manufacturers. Gathering evidence from warning letters the U.S. Food and Drug Administration (FDA) publishes every year website is one source. Additionally, access to high-quality computerized system validation training is limited. However, let’s begin by defining validation and computerized systems separately. Principally, validation within the pharmaceutical industry means the following:

‘A program that establishes and documents that a specific process, method, or system will consistently produce a result meeting pre-determined acceptance criteria’

-[ICH Q7A]

For more information on validation, check out this article What is Pharmaceutical Validation?

What is a Computerized System?

A computerized system is a computer system integrated with a controlled process (or function) within an operating environment. The computer system includes all the computer hardware, firmware, installed devices, and software controlling the operation of the computer. The controlled process may involve equipment, operating procedures, and the system users, as indicated in Figure 1 below.

Figure 1: Computerized System Diagram

The operating environment is simply where the computerized system is used. The setting can be a clinic, a manufacturing floor, a lab, etc. Accordingly, the phrase GxP covers any operating environment. GxP is an all-encompassing term for the following; Good Clinical Practice (GCP), Good Laboratory Practice (GLP), Good Distribution Practice (GDP), Good Quality Practice (GQP), Good Manufacturing Practice (GMP), and Good Pharmacovigilance Practice (GPP).

To better understand what Computerized Systems are, check out this article.

Note that the phrases computerized system and computer system are often used interchangeably. However, according to PICS Good Practices for Computerized Systems in Regulated “GXP” Environments, a well-recognized pharmaceutical industry guidance on computerized systems, the computer system is a subcomponent of the computerized system. Despite a lack of harmonized terminology, the intentions among industry professionals are the same when describing such systems.

What is Computerized System Validation?

Computer science will define validation as ensuring that software meets its specifications. However, in the biotech and pharmaceutical industry, Computerized System Validation (CSV) is the collection, evaluation, and reporting of documented evidence that the controlled process(es) or operation(s) integrated with a computer system performs as intended, effectively, and compliantly with applicable GxP regulations. In other words, computerized system validation is the effort of confirming the system’s functionality does, in fact, meet its intended use and complies with applicable GxP regulations.

Note, recall that computerized system validation and computer system validation are used interchangeably.

For more info on intended use check out this article.

Why is Computerized System Validation important?

Firstly, validation is an essential component to complying with Current Good Manufacturing Practices (CGMP) regulations. Secondly, validation and well-controlled computerized systems should enhance the quality assurance of the manufactured product (i.e., drug, biologic, or medical device). Moreover, computerized systems should improve the management of associated data as well.

Specifically, several FDA regulations directly apply to computerized systems within Title 21 Code of Federal Regulations (CFR) such as the following:

• GxP Regulations for Computerized Systems
  • Part 11 Electronic Records; Electronic Signatures
• CGMP Regulations for Computerized Systems
  • Pharmaceutical Drug
    • 211.63 Equipment design, size, and location
    • 211.67 Equipment cleaning and maintenance
    • 211.68 Automatic, mechanical, and electronic equipment
  • Biological Product
    • 606.60 Equipment
  • Medical Device Regulations
    • 820.70(g) Equipment
    • 820.70(i) Automated Processes

Moreover, regulations for manufacturers supplying member states of the European Union would likely include the EudraLex Volume 4. Within the EudraLex v4, the following sections are directly relevant to CGMP computerized systems:

• EudraLex v4
  • Annex 11 Computerized Systems
  • Annex 15 Qualification and Validation

In summary, manufacturers must validate computerized systems supporting CGMP processes for their regulated product(s).  

Note, other regulations may apply. Therefore, be sure to consider the product (e.g., drug, biologic, medical device, or combination product), the relevant regulations (i.e., FDA, EMA, MHRA, etc.), the intended use of the computerized system as well as the data and record(s) generated from the system (e.g. production records, laboratory records, etc).

How do you validate computerized systems?

Several strategies exist for computerized system (CSV) projects. Generally speaking, validation of computerized systems should involve some amount of specification, design, and verification. ASTM’s E2500 is a Good Engineering Practice (GEP) standard that provides such a framework.

One of the most popular approaches within the pharmaceutical industry is ISPE’s GAMP 5 Guide: Compliant GxP Computerized Systems. ISPE’s GAMP 5 provides a life cycle model for computerized systems. This life cycle model for computerized systems consists of four major phases; concept, project, operation, and retirement. Each phase of the life cycle covers various activities. The project phase covers the validation work within multiple stages as described in Figure 2 below. ISPE’s GAMP 5 model is similar to ASTM’s E2500 specification, design, and verification process.

Figure 2: Computerized System Lifecycle Diagram

Regardless of the specific framework used to validate computerized systems, the primary objectives are the following:

1. Achieve and maintain GxP compliance
2. Achieve and maintain fitness for intended use

That is to say, the validation of computerized systems should cover the following steps:

1. Identifying users’ needs via system requirements
2. Capturing requirements in specifications
3. Verifying those requirements are met and the system complies with the applicable regulations.

Key supporting processes for a validation project would include quality risk management, document management, and configuration management. Moreover, a computerized system validation project should involve the qualification of software and hardware as seen in Figure 3 below. Qualification of software to demonstrate the functionality of processes executed by the controlling computer system. Qualification of hardware to prove that equipment works correctly and leads to expected results.

Figure 3: Verification of a Computerized System

#1 Goal of Computerized System Validation =

Achieve and maintain GxP compliance & fitness for intended use

How much validation is required for computerized systems?

Determining the right amount of validation for a computerized system can be difficult. Even more difficult without proper training or a well-defined strategy. However, fundamentally, the extent of validation for a computerized system (CSV) should be proportionate to the risks posed by the system. Other factors to consider would also include the criticality of the associated data and its intended use. To quote an FDA guidance document emphasizing the extent of computerized system validation for pharmaceutical manufacturers:

“[Referring to “Does each workflow on our computer system need to be validated?”] Yes, a workflow, such as creation of an electronic master production and control record (MPCR), is an intended use of a computer system to be checked through validation (see §§ 211.63, 211.68(b), and 211.110(a)). If you validate the computer system, but you do not validate it for its intended use, you cannot know if your workflow runs correctly.”

– FDA Data Integrity and Compliance With CGMP

What are typical validation documents for a computerized system?

Despite using a risk-based approach to determine the extent of validation for computerized systems (CSV), many of the project deliverables are often the same in practice. The deliverables are often the same. This is because validation projects, by definition, involve specification, design, and verification to some degree. Specification, design, and verification are part of engineering best practices. Something a computerized system validation training course should provide.

Here is a list of common validation documents for a computer system validation project.^1,2 A short description is included of each document is also included.

• Validation Plan
• User Requirements Specification
• Functional Requirement Specification
• Configuration and design specification(s)
• Verification
• Validation Report

Notes:

1)This list is not intended to be exhaustive nor prescriptive. The pharmaceutical manufacturer should have a well-defined validation program that provides adequate guidance regarding the documentation needed to meet internal compliance requirements and applicable GxP regulations for a particular system.

2) References to Computerized System Validation and Computer System Validation are used synonymously.

What is a Validation Plan?

A validation plan is an overview of a project. The plan covers measures of success and defines the criteria for acceptance and release of the system for operational use.

What is a User Requirements Specification?

A User Requirements Specification (URS) outlines the individual requirements of a system or component(s) of a system. For computerized systems, a URS describes the ‘needs’ of a system. These ‘needs’ should support a business process from the user’s perspective.

What is a Functional Requirement Specification?

A Functional Requirement Specification (FRS) describes the features and functions of a particular system. The FRS should meet the users’ needs outlined in the URS.

What are configuration and design specifications?

Configuration and design specification(s) describe the detailed framework of the computerized system. By framework, we mean the system’s architecture, infrastructure, setup, and format. But the format and content of such documents can vary. Common configuration and design specification document references include Configuration Specification (CS), Design Specification (DS), and System Design Specification (SDS).

What is Verification?

Verification is an umbrella term. The term means to achieve assurance regarding the fitness for the intended use. Verification applies to systems, equipment, processes, etc. Synonyms that also mean verification include testing, qualification, commissioning, or system validation. In other words, verification is the act of confirming requirements have been met for the installation, operation, and performance of a system. Consequently, verification happens by drafting, approving, executing, and reviewing protocols. The protocols should demonstrate the selected system is capable of operating according to its requirements. Protocols that test the very requirements described in the specification documents. Therefore, verification is documented evidence proving a system is fit for its intended use.

What is a Validation Report?

A validation report provides an overview of the validation project describing the criteria, activities, and outcomes. In short, the report should summarize the validation project and provide a disposition regarding the system’s fitness for the intended use.

Related Topics

• What is Pharmaceutical Validation?
• Understanding Computerized Systems

Ready for Computerized System Validation Training?

For high-quality CSV training, enroll in CGMP Academy’s Computerized System Validation Course

References

• ISPE GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems, International Society for Pharmaceutical Engineering (ISPE), Fifth Edition, February 2008, www.ispe.org 
• International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) ICH Q7 Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients  https://www.ich.org/page/quality-guidelines
• EUDRALEX Volume 4 – EU Guidelines for Good Manufacturing Practice for Medicinal Products for Human and Veterinary Use. https://ec.europa.eu/health/documents/eudralex/vol-4_en
• PIC/S Guidance on Good Practices for Computerized Systems in Regulated “GxP” Environments (PI 011-3) September 2007 (available at http://www.picscheme.org).
• US Code of Federal Regulations, Title 21, Food and Drugs
  • 21 CFR Part 11 – Electronic Records, Electronic Signatures
  • 21 CFR Part 211 – Current Good Manufacturing Practice for Finished Pharmaceuticals
  • 21 CFR Part 606 – Current Good Manufacturing Practice for Blood and Blood Components
  • 21 CFR Part 820 – Quality System Regulation (Medical Device)
• FDA Data Integrity and Compliance with CGMP Guidance for Industry April 2016
• ASTM International E2500-13 Standard for Specification, Design, and Verification of Pharmaceutical and Biopharmaceutical Manufacturing Systems and Equipment (available at http://www.astm.org)