Computer System Validation in a Nutshell! The 5 Minute Guide to Understanding the Principles
1. What is Software Validation?
Software validation is part of computerized system validation (CSV). Computerized system validation defined as a documented evidence with a high degree of assurance that the software/computerized system, functions as per software design and user requirements in a consistent and reproducible manner.
2. Introduction
2.1 General
Computerized system is defined as computer that includes software, hardware and peripherals devices which are necessary for proper function of the system.
All computerized systems and software that includes applications which may affect the quality of the Bio-Pharmaceutical/Medical Device product, should be assessed according to the GMP (Good Manufacturing Practice) and GAMP (Good Automated Manufacturing Practice) principles and standards.
Risk Assessment establishment is recommended at these early stages in order to determine the necessity and scope of the validation activities that should be undertaken for the computerized system validation.
Computerized system may include from time to time errors, flaws, mistakes, failures or faults (defined as “software bugs”) which should be detected as part of the computerized system validation process.
2.2 Definitions
- Electronic Records – Defined in the FDA Code of Federal Regulation (CFR) as records which maintained solely in an electronic format (not in a hard copy) or as electronic and hard copy formats and decisions are made based on these electronic records (E.R).
- Hardware – Defined as any programmable device including mainframe, midrange, mini, workstations, personal computers and any programmable equipment used in a quality related process.
- Electronic signature – Defined as computer data compilation of any symbol or series of symbols executed, adopted or authorized by individual to be legally binding equivalent of the individual’s handwritten signature.
3. FDA/CE Compliance Software
Every control system and/or computerized applications used in the Bio-Pharmaceutical and Medical Device fields should meet the requirements detailed below:
- Information security
- Information back up
- Information restore
- Information recovery capabilities in cases defined as “disaster”
- Periodic maintenance
4. Computerized System Security
4.1 General
As part of the GAMP (Good Automated Manufacturing Practice) standards and FDA 21CRF part 11 requirements, systems, records and process should keep confidentiality, integrity and availability.
4.2 Physical security
Computerized system, which defined as “critical” (mostly based on Risk Assessment methodology), should include physical barriers that restricts access of non-authorized personnel into the system. These restrictions should be systematically kept and tested as part of the computerized system validation stage.
4.3 Network security and password management
Computerized system that controls Bio-Pharmaceutical/Medical Device process or process related parameters must include securities such as:
- A dedicated production network which will be disconnected from the organizational administrative network
- Password codes usage for all actions related to process parameter changing
- Special restricted operations such as steps bypass, critical parameters changing, process steps sequence changing, special process steps operation etc. and access to confidential/”sensitive” information.
All securities including authorization level and password management will be tested and verified as part of the computerized system validation.
Passwords must be given individually per user and according to the official authorization level definition.
Passwords for all defined users shall be changed on periodically basis by the user.
Computerized systems that displays information of the Bio-Pharmaceutical and Medical Device production processes or Quality Control (QC) test results will require security measures such as password codes for all actions that require system parameters changing, special or restricted operations and access to confidential/”sensitive” information.
4.4 Other securities
PC access and screen saver must be in usage and will be restricted by password in order to provide an additional security for the computerized system.
It is recommended to install Anti-Virus applications in every system that is connected to the network.
5. Computerized System/Software Testing, Validation and Verification
5.1 Validation pre requisites
The company validation policy should define which Validation/Verification activities should take into consideration in all of the computer system validation projects at a site or within a specific department.
These validation projects, scope, priorities and requirements should be defined in the VMP (Validation Master Plan) document.
Usually, computerized system validation will include any programmable device including its software, hardware, peripherals, procedures, users, interconnections, inputs for the electronic processing and output of information used for reporting and/or control.
It is strongly recommended to complete an official Risk Assessment process, involving all the disciplines key personnel in brainstorming, in order to identify and assess the associated aspects and risks of the relevant computerized system and its potential effect on the quality of the Bio-Pharmaceutical/medical device in the different stages including raw material, manufacturing process, storage, shipment etc. of the final product.
Prior to computerized system IQ (Installation Qualification) and OQ (Operational Qualification) execution which is part of the computerized system validation, it is recommended that the system will be tested in the production environment or in the intended environment the system should function routinely.
5.2 Post validation changes implementation
In cases of software changes and/or new equipment/devices installation into the system after Risk Assessment and computerized system validation execution, a new Risk Assessment should be established and re-validation of the system will be required, based on the company’s Change Control methodology.
5.3 FDA compliant computerized system
According to FDA standards for computerized systems, system which is defined as FDA compliant, electronic records and electronic signature, in case exists, must comply the rules detailed in the CFR (Code of Regulation) title 21.
Compliance with these rules and standards will determine whether these electronic records can be in usage instead or in addition to hard copy records or whether electronic signature can be in usage and replace handwritten signature.
Before validation stage initiation, it’s very important to identify whether the system type is closed or open system.
5.4 Computerized system validation stages
The computerized system validation purpose is to verify the system installed and functions according to its design, user requirements and GAMP (Good Automated Manufacturing Practice) standards.
After system testing stage was completed by the system developer successfully, the validation stages detailed below can be initiated:
- Installation Qualification (IQ) – A documented evidence that demonstrates the system to be qualified meets all specifications, is installed correctly and according to the recommended environmental conditions and that all components and documentation required for continues operation are installed and in place.
- Operational Qualification (OQ) – A documented evidence that demonstrates all the operational aspects of the system functions correctly and as per the user requirements.
- Performance Qualification (PQ) – A documented evidence that demonstrates the system functions as required in a consistent manner over time and fits the user requirements and operations.
- User Acceptance Test (UAT) – A documented end user acceptance testing that will be usually performed by the costumer, prior to system usage.
5.5 Additional computerized system validation testing
As part of the computerized system validation process, the system will be tested in order to stress/challenge the system and software boundaries using set of different techniques and values including using invalid values, restricted scenarios and other simulations.
Usually, as part of the computerized system validation process, the system functionality will be tested through the system user interface and in case it is not possible, it can be tested using data base, log files etc.
The system will be tested in comparison to its design in order to verify it responds to a normally expected input and actions. Moreover, the system should be tested for challenging tests and under extreme and stress conditions.
System response, among other tests may be qualified for:
- Invalid values and inputs
- Error messages
- Functional validity
- Data validity
- System logic
- Transactions validity
- System security
- Authorization levels
- Backup and disaster recovery
- Procedures training