May 5, 2020
Computer systems have produced significant changes to business processes in every industry by facilitating workflow automation and information management. These technologies are used to transform internal business processes, as well as enhance how businesses interface with customers and other businesses.
Computer system validation (CSV) is a documented process which assures that a computerized system does exactly what it is designed to do in a consistent and reproducible manner. Validation of computer systems is required by most regulatory agencies around the world in order to confirm data accuracy and integrity in systems so that product safety and effectiveness is ensured. The FDA, for example, requires pharmaceutical companies to perform CSV for systems that support the production of the following products:
- Medical Devices
- Blood and blood components
- Human cell and tissue products
- Infant Formulas
Computer system validation is required when either making a change in a validated system (upgrades, patches, extensions, etc.), or configuring a new system.
In today’s challenging economic environment, companies are seeking to improve operational efficiencies while keeping pace with the ever-evolving regulatory landscape. Toward this end, computer systems that streamline compliance and provide efficiencies over paper-based processes are deemed essential. Too often, however, companies get locked into the initial version of their software due to the cumbersome impact and cost CSV has on the upgrade process. In this article, we will give a basic overview of validation best practices, and discuss how BIOVIA applications are designed to avoid the version lock scenario and significantly reduce the amount of work required to complete necessary CSV processes.
Computer System Validation Basics
An effective CSV process helps to assure that both new and existing computer systems consistently fulfill their intended purpose by producing results which facilitate data accuracy and reliability, regulatory compliance, consistent intended performance, fulfillment of user requirements, and the ability to discern invalid and/or altered records. CSV requires the use of both static and dynamic testing activities that are conducted throughout the software development lifecycle (SDLC).
A “Computer System” in an FDA regulated laboratory is more than just computer hardware and software – it also includes any equipment and instruments connected to the system, as well as users that operate the system and/or equipment using Standard Operating Procedures (SOPs) and manuals. The FDA defines software validation as “Confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses, and that the particular requirements implemented through software can be consistently fulfilled.” In other words, the software must be examined to confirm that it functions as defined in the requirements and is suitable for its intended use. The examination also needs to confirm that the software will work in all situations. Finally, all validation activities and test results need to be documented.
It is critical that companies perform risk-based CSV. It never makes sense to try to validate every aspect of every system. CSV takes a lot of time and IT resources to accomplish, so it is wise to do a thorough risk assessment to determine what is practical and achievable. CSV efforts should concentrate on the critical elements of the system that affect quality assurance and regulatory compliance.
The first step in this process is to determine user requirements and functional specifications for the system in question. Once this is accomplished, a Validation Plan is developed that outlines the following:
- Scope – defines parts of system to be validated and deliverables. Scope is limited to the features of the software that will be utilized by the regulated company.
- Testing Approach – types of data you are going to use, types of scenarios you are going to test
- Roles and responsibilities – the roles and responsibilities of the different people involved in the validation process
- Acceptance criteria – defines conditions that need to be fulfilled before this system is considered suitable for use in the regulated activity
Once the Validation Plan is complete, CSV testing is performed:
- Network and Infrastructure Qualification – demonstrates that the network and infrastructure hardware/software supporting the application system being validated has been installed correctly and is functioning as intended
- Installation Qualification (IQ) – demonstrates that system has been installed correctly in user environment
- Operational Qualification (OQ) – demonstrates that system does what it is intended to do in user environment
- Performance Qualification (PQ) – demonstrates that system does what it is intended to do with trained people following SOPs in the production environment even under worst case conditions
The CSV process concludes with a Validation Report that documents the results of the testing:
- Confirms that everything you set out to do in validation plan has been accomplished
- Testing summary and list of open defects (along with justification for why the system can be used with these defects)
- Confirms that user acceptance criteria have been met
- Authorizes deployment of the system
In addition to performing CSV on internal systems, an FDA-regulated company needs to be prepared to audit third-party service providers (e.g., CROs), along with vendors of critical applications and cloud-based services (SaaS). The manufacturer of an FDA-regulated product is ultimately responsible for the integrity of the data that supports the product’s efficacy and safety, so if third-party vendors or service providers are used, the manufacturer needs to take appropriate steps to ensure that they are operating under standards that would hold up under an FDA inspection.
A risk-based assessment should be conducted to determine if an audit is necessary. At the minimum, formal agreements that clearly detail responsibilities must exist between the manufacturer and any third parties that are used to provide, install, configure, integrate, validate, maintain or modify a computerized system.
Validation for BIOVIA Applications
BIOVIA applications can be utilized to establish a digital thread over the full product lifecycle – from early materials discovery all the way through to product use and the customer experience. The integrated digital environment that is enabled with BIOVIA software provides numerous important benefits such as enhanced innovation, accelerated product development, improved process efficiency, and reduced cost and compliance risk.
In recognition of the challenges that CSV presents to companies in regulated industries, BIOVIA has designed automated validation tools that work with their software applications. A generic validation package is available containing testing scripts that help validate core functionality. Every time a piece of BIOVIA software gets updated or has new features added, the validation package is updated accordingly so it remains up to date.
The BIOVIA validation package comes with test scripts to follow, along with the set of requirements they are based on. This allows the customer to have a better understanding of what is being tested. The validation package contains:
- Software requirements
- Test scripts that are cross referenced with requirements
- Evidence of test execution at Biovia before release
When the system is configured or customized in ways that deviate from core functionality, the cross referencing of test scrips with requirements allows the customer to easily identify which testing scripts need to be modified from what is provided in the validation package.
With BIOVIA applications, a lot of the OQ testing is already done for you. The ability to easily validate common workflows with this package removes much of the burden of CSV for users of BIOVIA applications, since customers will only need to develop validation scripts for unique configurations or customization work that is done.
The ease of validation for BIOVIA applications helps facilitate regular upgrades. The user community benefits from enhancements in subsequent releases of the software in addition to more up to date support and training. In addition, once the system configuration has been validated, BIOVIA software allows layered permissions to prevent lab technicians from changing the system configuration. This ensures that technicians perform all work on a validated system.
When performing CSV, it is important to work with a quality consultant who understands FDA regulations (or the regulations for your specific industry) and can perform a risk-based assessment. This will help you identify critical validation processes that have a big impact on quality assurance and regulatory compliance, and ensure that you develop the proper scope for your validation efforts. A good CSV consultant can save you significant amounts of time and money in this area.
At Astrix, we are experts in IT risk identification and management including decades of regulatory compliance expertise. As such, we understand that computer system validation is not a “one size fits all” process. With over 20 years of validation experience, we work to create CSV processes that are based on applicable regulations and guidance, best practices for the domain, and the characteristics of the system being validated. Our validation professionals constantly update their knowledge of industry “best practices,” and stay abreast of regulations so we can help you comply with complex and ever-changing global compliance requirements.
Our CSV deliverables typically include:
- System inventory and assessment – determination of which systems need to be validated
- User requirement specifications – clearly defines what the system should do, along with operational (regulatory) constraints
- Validation Plan – defines objectives of the validation and approach for maintaining validation status
- Validation Risk assessments – analysis of failure scenarios to determine scope of validation efforts
- Functional requirement specifications – clearly defines how the system will look and function for the user to be able to achieve the user requirements.
- Validation Traceability Matrix – cross reference between user and functional requirements and verification that everything has been tested
- Network and Infrastructure Qualification – documentation showing that the network and infrastructure hardware/software supporting the application system being validated has been installed correctly and is functioning as intended
- Installation Qualification (IQ) Scripts and Results – test cases for checking that system has been installed correctly in user environment
- Operational Qualification (OQ) Scripts and Results – test cases for checking that system does what it is intended to do in user environment
- Performance Qualification (PQ) Scripts and Results – test cases for checking that System does what it is intended to do with trained people following SOPs in the production environment even under worst case conditions
- Validation Report – a review of all activities and documents against the Validation Plan
- System Release Documentation – documents that validation activities are complete and the system is available for intended use.
With a thorough understanding of the SDLC, complemented by our experience with and knowledge of business processes in numerous sectors, Astrix can offer CSV support for all BIOVIA applications in any industry. Our computer system validation professionals provide you with a best practice CSV methodology, along with the peace of mind that comes from knowing your CSV documentation has been produced by experts. Additionally, we staff projects based on required expertise and scope, and provide nearshoring options in order to offer the most efficient and cost-effective CSV services possible.
Finally, our experienced professionals can provide support for all aspects of your BIOVIA informatics projects, from system architecture and design to implementation and integration. As the premier BIOVIA services partner, Astrix offers increased value to customers through specific design, implementation and/or integration services leveraging BIOVIA applications and software. Utilizing BIOVIA applications, Astrix helps enterprises build a scalable, integrated, and supported laboratory informatics application landscape.
Effective, risk-based validation of computerized systems is becoming more and more critical in light of new rules effected by international regulatory agencies. In addition to version lock, poor product quality and excessive consumption of IT resources, the cost of inefficient or ineffective CSV processes can include regulatory action. With regards to the FDA, for example, the consequences of failing to do adequate CSV may include one or more of the following:
- Warning Letters
- Product seizures
- Import restrictions
- Clinical hold
- Rejection of application data
- Delay in approval of new products or facilities
- Consent decree
- Disqualification of clinical investigators
- Criminal prosecution
These actions can be costly and even potentially devastating to an organization. In order to avoid them, it is wise to work with a quality informatics consultant who understands the regulations in your industry and can perform efficient and effective risk-based CSV assessment and testing.