Paragon shares expertise and insights on Computer System Validation (CSV) with an emphasis on best practices and solutions.
Welcome to the first post in our series on Computer System Validation.
During the next few months, we will be presenting an overview of its various aspects, providing real-world examples of good validation practices. In this post, we will begin by emphasizing three fundamentals of the validation process:
- A definition of computer system validation
- How validation is a compounding process
- A brief overview of the Good Automated Manufacturing Practice (GAMP) V model
Providing Documented Evidence
Computer validation is the process of providing documented evidence that an electronic system or technology will perform as specified. This evidence should be clear, repeatable, and stand up to scrutiny and audits. There are a number of steps to include in any validation initiative but among the most important pieces are:
- A Risk Assessment that identifies potential hazards to consider when embarking on a new project.
- Scope and requirement planning so that the sponsors and implementation team know what the project will include, and how to plan and support it.
- A detailed Validation Plan lays out the activities which will be undertaken to provide evidence that the new system is adequately validated, the conditions that must be met in order for it to go live, and procedures which will be in place to maintain the validated state after it is launched.
- A Test Plan which will list the areas to be tested, who will be executing them, which environments will be available for testing, and the criteria which must be satisfied to move from one phase to another.
- Test cases that will be drafted, pre-approved, executed, and post-approved over the course of the project. These usually consist of the following phases:
- Installation Qualification - IQs provide instructions to ensure that the system is installed correctly on the target environment(s).
- Operational Qualification - OQs are a series of test cases verifying the system’s functional requirements. These are generally quite detailed and touch every aspect and functionality of the system covering both positive and negative conditions depending on the system risk (this assessment is done in the initial stages of the project to understand the business, technical and regulatory criticality of the system). This stage is commonly also known as System Testing.
- Performance Qualification - PQs test the user requirements and often follow predefined use cases or real world scenarios that have been created by the client. The stage also goes by the name of User Acceptance Testing.
- A Requirement Traceability Matrix which ties the executed test cases back to the requirement documents.
- A Validation Summary Report which details what has been accomplished in the project and lists deviations (if any) from the Validation Plan
- A roadmap of post go-live activities to be followed and who will be supporting them.
It is a combination of these core components and having the right people to implement them which ensure not only that the project will be a success, but that future phases of the project or system will succeed as well.
Suppose that a document management system is being implemented at a young company in the pharmaceutical field.
- The pharmaceutical enterprise is looking to provide their business users with a repository to author, approve, and store sensitive documents. This could either be a standalone system or a piece of a larger suite of systems that integrate with each other.
- Now, imagine that the files in this new system can range from standard operating procedures (SOPs) to work instructions to configuration specifications for other products or systems, or literally dozens of other types of documents. This new system (let’s call it SOPlus) will be developed from the ground up and delivered to the company for everyday operation.
- Following the core components listed above, the system is properly designed, the project planned out, adequately validated, and succeeds in its go-live launch.
- After a certain period of use, the company will gather feedback on the system and enhancements will be planned.
- Then once a new project has been initiated to upgrade SOPlus to 2.0, all of the documentation that was drafted, executed, and maintained after the first project can be versioned to v2 and modified to adapt to the new enhancements.
- As long as the phase 1 documents have been maintained in a validated state, those can be used as the base and there’s no need to draft a requirement specification, test plan, or the other basic project deliverables from scratch. It doesn’t matter if different people or teams are performing the new project; if the validation base is strong, the heaviest lifting is usually out of the way.
Most validated projects will follow a variation of the Good Automated Manufacturing Practice (GAMP) V model for system development.
GAMP is an industry guidance from the International Society for Pharmaceutical Engineering (ISPE) that if properly followed satisfies the FDA regulatory requirements applicable to computer systems in life sciences industry. It ensures that as project deliverables are written and approved, there is a corresponding verification phase. There are several variations to the GAMP V model but one of the most common ones is displayed below.
The idea of the GAMP V model is that for each specification which the system is designed to, there is a corresponding verification phase.
These go in order from the top left to the top right. This means that the user requirements (usually the first specification drafted and approved in step 1) is verified by Performance Qualification (or User Acceptance Testing) in step 7. The practices outlined above are only a brief overview of the validation activities required to ensure that a new system or environment will stand up to the scrutiny that is required of modern applications.
Heavily Regulated Industries
In Life Science, Finance, and other industries that are heavily regulated, no company wants to be the next one to be hit with a multi-million dollar fine for noncompliance or an avoidable misstep in an otherwise followed procedure.
Good validation practices, especially ones that are well planned out, pave the way for future expansion and are absolutely essential as today’s business world leaves paper-based procedures behind.