Computer System Validation – Periodic Review

Both the FDA and EU GMP’s detail the requirement for demonstrating that a computer system remains in a validated state throughout its operating history.

FDA 21 CFR 211.68(b) States:
“Input to and output from the computer or related system of formulas or other records or data shall be checked for accuracy. The degree and frequency of input/output verification shall be based on the complexity and reliability of the computer or related system.”

EU Annex 15 States:
“Facilities, systems, equipment and processes, including cleaning, should be periodically evaluated to confirm that they remain valid. Where no significant changes have been made to the validated status, a review with evidence that facilities, systems, equipment and processes meet the prescribed requirements fulfils the need for revalidation.”

Purpose of the Computer System Periodic Review

The purpose of the Periodic Review is to ensure that the computer system remains compliant with regulation, is fit for its intended use and satisfies company policies and procedures.

It should also fit with the companies Operation Excellence / Continuous Improvement programme.

When to Perform a Periodic Review

The frequency of performing Periodic Reviews should be dependent on the Complexity, Criticality, Novelty and Operating History of the computerised system. For example an automated control system (Category 4 / 5) the computer system periodic review should be performed more frequently than an off the shelf item. Once the operating history has been established and the system is stable (minimal incidents and changes) then the frequency can be reduced.

The frequency of review should be defined with a minimum and maximum time between reviews, for example a scale of 1 to 4 years can be set for the review period. Only new GAMP category 4 and 5 Computer Systems would have an annual review period. This would be extended as discussed above as the operating history demonstrated that the system operation is stable.

Non configurable systems starting with a frequency of 2 years when first installed through to a maximum 4 years once a stable operating history is established.

The periodic review of computer systems can be a considerable overhead for regulated companies. Low risk to patient safety and GMP requirements may not require a periodic review. The decision and rationale must be documented.

NOTE: This is personal guidance it is the responsibility of the regulated company to set the periodic review schedule and document the rationale and approach within a Standard Operating Procedure.

Description of the periodic review process

The following diagram provides an overview to performing a Periodic Review of a Computer System.

Inputs to the review process include:

  • Design Documents (Specifications, Risk Assessments, etc)
  • Incident Log / Fault Sheets and Maintenance
  • Deviations
  • Change Controls

SOP(s) (Operation, Maintenance, Security Management, etc)

The start of the review should identify whether there have been any regulatory or company policy changes since qualification / last review. If identified then a gap analysis should be performed on the system and associated documentation against the change. Where gaps are identified then a decision should be made as to whether corrective action is required.

Trends should be identified for computer systems faults. Have a number of deviations and / or incidents been attributed to the computer system? Where trends are identified the root cause analysis should identified and an action plan put in place.

Standard Operating Procedures for the Operation, Maintenance and Security Management should be reviewed along with the design documentation. These documents should be current and up to date. They should be reviewed against changes to ensure that there has been no impact. In addition audit trails / security access logs should be reviewed to ensure that the systems are controlled in secure fashion.

For process control systems alarms should also be reviewed. Pareto charts can be useful to identify the most re-occurring alarms and target process / operational improvement in reducing the alarms, or determining process improvements to reduce the out of specification conditions.

Performing the Review

There are two methods which can be followed for establishing and maintaining the validated state of a computer system. The first is the traditional periodic review of the computer system which is performed at a predefined period. The second is continual monitoring and trending with a review report.

Equipment History or Validation Equipment Files can be used to provide continual monitoring of Incidents Logs, Deviations and Changes. By logging these either to paper or electronically can be used to trend. The continual monitoring can be used to make improvements before minor incidents become quality related deviations.

All actions and recommendations resulting from the Computer System Periodic Review should be logged in the company CAPA system.

Consideration should be given to the number and extent of the changes and the impact of cumulative effect of the changes. Often verification is centred on the individual change. Reviewing the changes as a group can determine whether the overall design intent has been impacted.

Where risk assessments have been performed during the design and implimentation of the system, the assumptions made at the time of the assessment (particularly frequency of occura

A report should be produced detailing the validation / compliance status of the system.

Benefits of Computer System Periodic Review

Monitoring and trending incidents and deviations relating to the computerised system in real time provides the greatest benefit to both Quality and the Business. Identify trends and taking corrective action can improve the operation of the computer system and maintain compliance.

Performing a periodic review at a defined frequency can be time consuming, trawling change control, deviation and incident databases and then analysing and reporting the results. This also does not support the continuous improvement, identifying issues early and making improvements.

A hybrid of the two approached can be used to ensure the most efficient approach to ensuring on going compliance. The most critical, complex or bespoke systems have continuous monitoring process, as detailed above. Less complex systems that do not change routinely and are stable a periodic review may be the better solution to demonstrating maintaining compliance.

Author

Barry Tedstone

IT Quality Manager Cognizant Technology Solutions