Updated: Oct 10, 2022
Initial Assessments: Part 1
Quality Assurance - CSV - Software Validation
This is the first one in a series of posts on general aspects of Computerized Systems Validation (CSV). In this post we will be looking at the first crucial steps which will determine greatly the success of the rest of your project. These steps consist of what is often called a system level impact assessment and a supplier assessment. We will only cover the former one here since vendor qualification is a subject in itself which we will discuss in the next post.
GxP Impact Determination
Before starting the validation of a computerized system, one should understand if and why the system in question needs to be validated and to what extent. The need for validation is dependent on the intended use of the system rather than the type of system. For example, a laboratory information management system used in preclinical research and development should be validated to meet good laboratory practices while the same system used in a quality control lab for testing commercial batches needs to be validated to meet good manufacturing practices which is much stricter and require more effort.
The same exercise can be done to determine if other regulations e.g. SOX, HIPAA, GDPR are applicable and need to be taken into account within the project.
For complex systems, a component level impact assessment can sometimes help to further distinguish high impact components within the system from those which are lower impact and finetune the verification effort later on.
Another factor determining the extent of validation is the complexity of the system. There is no exact formula for this but the industry and regulatory authorities have overall adapted the GAMP categorization as the standard. There are mainly three GAMP categories being non-configured software, configured software and custom-built software. Non-configured software are also often called Out-Of-The-Box or Commercial-Off-The-Shelf and are not (or just a little) configured before use. Configured software usually contain some amount of configuration of a considerable complexity often in the form of formula, workflows, user permissions, etc. Custom-built software require some amount of programming and are usually built for a specific purpose within one company. The complexity should be reflected in level of detail in system design documentation and in the level of testing performed.
Definition of The Electronic Record(s)
After you have assessed the system, you would also want to take a look at what data should be the focus of your validation. For this exercise, companies often refer to the Part 11 regulation which says that "...records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations..." and "...electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations...". A good understanding of the data flow before and after system implementation is of utmost importance. A medical report can be generated and edited by different persons in one system but, if the final report is approved and version controlled in another system, the former one would have rather low GxP impact or, in other words, the latter one should have all the data integrity controls implemented on the medical report.
Many of the issues arising within a CSV project can be traced back to the initial assessments. Often times, not all stakeholders, especially Quality and Compliance, are included from the very beginning of the project resulting in an inaccurate impact and scope determination. These issues usually arise later on in the project and can slow down or block progress even more until everything is clarified for everyone and all documentation revised.
At C-realize, we combine over 15 years experience in CSV with hands-on knowledge of the latest technologies and methodologies used in software development. Contact us for a free first consultation session.