Ahmed Ramy, PhD

The "rocket-science" behind CSV


21 CFR Part 11 has for many years been considered the cornerstone of computer systems validation and the basis for regulating electronic records and electronic signatures in the GMP environment. Part 11 runs to approximately 6 pages that detail the general expectations of the US FDA regarding submitted electronic records and signatures. A secure, time-stamped audit trail is typically required to track any modification or deletion of electronic records. The agency also requires the validation of computer systems to ensure accurate, reliable and consistent systems that are able to identify invalid or altered electronic records. To achieve this, computer systems are generally tested against the user requirements and challenged to verify their reliability, security and integrity. Management of passwords, unique identification and, more generally, access to the computer system is required throughout the lifecycle of any computer system in the GMP environment. In addition, risk assessments can be employed to assess the possible failure modes of a system and suggest mitigation actions. A disaster recovery plan should be in place to ensure that the electronic records can be retrieved throughout the retention period. Business continuity plans should be in place in case of temporary failure of a particular computer system.

Although validation requirements have been established in the pharmaceutical industry for many years, computer-system validation (CSV) is still widely seen by industry practitioners as a topic to be avoided as far as possible. In many organizations, CSV is a highly tedious process that is reserved for big computer system and automation projects. External resources may be utilized in many cases to conduct the required validation. On the other hand, smaller business-driven automation projects may lack the expertise required for development and validation. For example, many pharmaceutical organizations use rudimentary spreadsheets as databases to manage GMP processes, from document numbering to inventory management. Automation (including Visual Basic macros and MS Power Automate flows) is usually discouraged so as to avoid a situation in which CSV becomes mandatory. The result is that a formal manual process is presented to inspectors while a hidden digital process is relied on in day-to-day business activities.

The aim of this article is to solve the mystery of CSV and provide basic guidance for validating simple automation solutions in the GMP environment. The following is a high-level process for validating configured or custom-made software.

  1. Create the user requirements: whether the automation solution is home-made or developed by a third party, user requirements are usually needed to define the functional, security and other features related to data processing. Each requirement is usually assigned a unique number and is tested as explained in the steps below.

  2. In the light of the user requirements, the automation solution is developed. A design document, system description or technical specification may be created to explain how the IT developer addressed the user requirements. This step is important because there are different ways to meet a user requirement and hence different potential failure modes. The testing phase is established based on the understanding of the user requirements and the technical specification.

  3. Quality risk management: It may be necessary to assess the potential failure modes at system and component level before creating the testing protocol.

  4. Code review: it is particularly required for customized software (GAMP category 5), where custom code or script is written for a particular software. As the name implies, code review is an expert review of the written code to ensure it is free from bugs.

  5. Testing: installation and operation qualification (IOQ) needs to be implemented to test that the computer system meets all the computer system requirements. A traceability matrix can be required for bigger projects to confirm that each user requirement has been covered by at least one test.

  6. Business continuity plan: In the case of failure of the computer system, an alternative process needs to be in place to keep the business running. The contingency process can be either manual or another digital system.

  7. Disaster recovery plan: As per the 21 CFR Part 11 requirements, electronic records must be protected and readily retrievable throughout their life-cycle. This document explains the process to be followed in case of destruction of the electronic records due to a disaster (e.g. fire) or any other incident causing file corruption (e.g. a cyber attack). The plan usually describes a process of regular back-up of data. The frequency of back-up and the location of the back-up servers must be justified through a risk assessment. If the generated electronic records are printed to paper (e.g. the calculated results in a validated spreadsheet), they may no longer be handled as electronic records, and a physical archiving process should be in place.

  8. Security plan: This document addresses the virtual and physical security of the computer system. Different access levels should also be described, if applicable.

  9. Security administration procedure: There should be a procedure in place to grant access to authorized personnel and to revoke access if needed. The procedure can also cover password management and access roster reviews.

  10. Periodic review: In order to monitor the validated state of the computer system, regular periodic reviews may be conducted to assess the performance of the computer system and provide recommendations.
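
The traceability matrix from steps 1 and 5, as an added example that is not part of the original article: it maps uniquely numbered user requirements to the tests that cover them and lists the gaps. The requirement IDs, texts, test IDs and the `trace` function are hypothetical, and the check for requirements with no passing test goes slightly beyond the "covered by at least one test" criterion in step 5.

```python
from collections import Counter, defaultdict

# Constructed sample data: requirement IDs, texts and test IDs are hypothetical.
REQUIREMENTS = [
    ("URS-001", "functional", "Document numbers are generated sequentially"),
    ("URS-002", "security", "Each user logs in with a unique ID and password"),
    ("URS-003", "security", "Modifying or deleting a record writes an audit trail entry"),
    ("URS-004", "data", "Records can be restored from back-up"),
    ("URS-002", "security", "Access is revoked when a user leaves"),  # reused number
]
TESTS = [  # (test ID, requirements the test claims to cover, result)
    ("OQ-01", ["URS-001"], "pass"),
    ("OQ-02", ["URS-002"], "fail"),
    ("OQ-03", ["URS-003", "URS-009"], "pass"),  # URS-009 is not a defined requirement
]

def trace(requirements, tests):
    """Build the requirement -> tests matrix and list the gaps in it."""
    ids = [rid for rid, _, _ in requirements]
    # Step 1 expects a unique number per requirement; a reused number makes
    # it impossible to tell which requirement a test actually verified.
    duplicates = sorted(r for r, n in Counter(ids).items() if n > 1)
    matrix = defaultdict(list)
    unknown = set()
    for tid, covered, result in tests:
        for rid in covered:
            if rid in ids:
                matrix[rid].append((tid, result))
            else:
                unknown.add((tid, rid))  # test cites a requirement that does not exist
    defined = sorted(set(ids))
    uncovered = [r for r in defined if r not in matrix]
    # Assumption: a requirement only counts as verified if one covering test passed.
    not_passed = [r for r in defined if r in matrix
                  and not any(res == "pass" for _, res in matrix[r])]
    return {
        "matrix": dict(matrix),
        "duplicate_ids": duplicates,
        "uncovered": uncovered,
        "unknown_refs": sorted(unknown),
        "not_passed": not_passed,
    }

if __name__ == "__main__":
    report = trace(REQUIREMENTS, TESTS)
    for key in ("duplicate_ids", "uncovered", "unknown_refs", "not_passed"):
        print(f"{key}: {report[key]}")
```
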

Finally, it is important to note that the level of complexity of the CSV process is directly proportional to the criticality and complexity of the computer system. In many cases, one document can include all the required validation documentation.


