There are a number of terms and concepts that we need to get right before we start the detailed journey into validation of your software in the following articles in this series.
There are a number of terms and concepts that we need to get right before we start the detailed journey into validation of your software in the following articles in this series.
Process validation is defined as:
Establishing documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its predetermined specification and quality attributes [FDA Process Validation Guidelines, 1987].
This definition was modified by the PDA for a computerised system:
Establishing documented evidence which provides a high degree of assurance that a specific computer-related system will consistently produce a product meeting its predetermined specifications [PDA Technical Report 18, Validation of Computer-Related Systems, 1995].
The key concepts in the last definition above are:
There are other regulatory or quality guidelines from the European Union and the Organisation for Economic Development. Each regulation may have slightly different requirements but all come down to the same series of requirements: in general, validation is concerned with generating the evidence to demonstrate that the system is fit for the purpose you use it for and continues to be so when it is operational and that there is sufficient evidence of management control. This usually means that an action must be documented. Another feature of validation is to produce an auditable system; having the appropriate documentation to aid any audit or inspection.
The problem is how to respond to the requirement for computer validation. Any response should be:
This latter point is most important, there is no point validating a function of a system that is not used.
Equally important, is the fact that one organisation’s use of an application can be markedly different from another’s use of the same software.
Computer validation must provide confidence in the system first and foremost to management and the users, secondly to an internal quality audit and thirdly to an external inspector. Inspectors only audit an organisation on a periodic basis; all others work in the organisation and use its computerised systems daily. The users must have the confidence in a system above all others, otherwise your investment will be wasted.
Virtually all equipment used in laboratory’s, clinical R&D or in production environments are classified as computerised systems. The key components are shown in Figure 1 [PDA Technical Report 18]. It is important to realise early in your project that if you are validating a computerised system, you don’t just concentrate on the computer hardware and software, as validation encompasses more requirements.
Figure 1: Elements of a Computerised System
The elements comprising a computerised system consist of a computer system and controlled function within the context of it operating environment.
The computer system consists of:
Hardware: The elements that comprise this part of a computerised system are the computer platform that the software application runs on such as:
Software: This comprises several elements such as:
The controlled function comprises:
There are a number of principles that should be followed correctly during validation. The following are a summary of the main ones and these are intended to be practical issues that have arisen when validating computerised systems.
System Owner is Responsible for Validation | The business owner of each system is responsible for the validation of that system. Whilst others may carry out validation on behalf of the system owner; the responsibility for validation cannot be delegated. |
Risk Assessment | Does the system have to be validated is a key consideration at the start of any computerised system project. If the system is to be used to generate regulatory data, then validation is required, however if it is used for research purposes only then validation is not. Undertake a formal risk analysis and document the result. |
Team Approach | Validation generally requires support from various functions and levels within the organisation e.g. scientists involved in using a system, system owner, quality assurance and if the system is networked, the IT department staff responsible for maintaining the server etc. All roles involved in validation must take responsibility for validation. |
Validation Plan | There must be a formal and approved validation plan for each system. This needs to be written as early in the project as possible to avoid validation additional costs involved by writing documentation retrospectively that should have been written at the time the activity occurred. |
Document Activities | All activities must be documented in reviewable forms. Today this documentation can be in either paper and / or electronic formats. Note carefully that it is not enough to observe the result of an activity or test, the politically correct term for this approach is informally documented; this leads to regulatory observations and warning letters. |
Four Eyes Principle | All documents should be written and reviewed by at least two people (or two sets of eyes) to ensure that they are correct from both the technical and compliance perspectives. |
Document Your Requirements | Your user or system requirements specification is your map through the system development life cycle and prevents you being seduced by technology or salespersons. Without this document, you cannot validate a computerised system. |
Traceable Requirements | All functions and components of a system must be traceable to approved specification document(s). Furthermore, it must be demonstrated that these requirements are met within the implemented system. |
Vendor Assessment / Audit to Assess Software Quality | Vendors must be assessed and if necessary audited. It is not adequate that another organisation has audited the vendor; this must be performed by your organisation, Furthermore, it cannot be assumed that products purchased from vendors are validated; all products (hardware, software, services) purchased must be checked for validation according to approved procedures. |
Predefined Test Results and Acceptance Criteria | All testing must be based on comparison of actual results to expected results within defined and approved test scripts. Furthermore, acceptance criteria must be explicitly stated, not implied, and based on sound scientific principles. |
Documented Operation | It must be demonstrated that operation of a system follows the system Standard Operating Procedures. These SOPs must be followed by the users and reflect current working practices with the system. |
Independent Approval | The person approving key validation documentation must be independent of the validation team, the users and the developers of the system. A Quality Assurance involvement from the beginning of the project is essential. |
Organised Archive | An archive for validation documentation must exist and it must be well organised. It must be possible to retrieve both physically and electronically archived documents accurately and quickly. This is essential to meet the requirements of 21 CFR 11 regulations. |
Training and Ongoing Training | It must be demonstrated that all users, management, technical support and IT operations are trained in and are familiar with the system on an ongoing basis and applicable regulations. This will require initial and on-going training for all types of users (system manager, supervisor, user and IT support staff). |
Standard Operating Procedures | The system must be operated using documented and approved Standard Operating Procedures. Further, and crucially, it must be possible to demonstrate that users continue to use the documented Standard Operating Procedures over time. |
Change Management | Formal change management and configuration management procedures must be applied to all configuration items of the system e.g. hardware, application software, system software, training materials, SOPs and all documentation. |
System Access Defined | Logical and physical access to the system, functions and the data must be clearly defined and validated. This needs to be updated regularly for compliance with 21 CFR 11 regulations if changes are made to access by users or functionality is increased. |
Maintain Validation | Once validated, a system does not stay so automatically. The system owner needs to ensure that the system remains under control and changes need to be validated or revalidated when they occur, after the impact of the change has been assessed. Moreover, the system may need to be audited internally to ensure that the validation status has not changed. |
Many people are familiar with validation in general terms and therefore a range of assumptions exist about it, but many these are incorrect or false. To help avoid these misconceptions, some of the more frequent ones are addressed in this section.
We Bought a Validated System |
False! Any vendor product implemented in a particular environment becomes a unique item, as the combination of environment, parameters, configuration, data content, interfaces, user procedures etc. are unique. Note, as stated above, the system owner is responsible for validation and this cannot be delegated. The use of certificates of “validation” from vendors only apply to the portion of the system development life cycle that the vendor is responsible for. The system owner is responsible for the whole life cycle and, at best, these materials only provide a partial solution. |
Partial Validation of the System | You cannot partially validate a computerised system, its is either all (validated) or nothing (unvalidated); see the FDA draft guidance document of General Principles of Software Validation for further information. |
Long Term use Equals Validation | The fact that a system performs without problems for an extended length of time does not mean that the system is validated. To be validated a system requires documentary proof it meets predetermined validation criteria. See also comment 65 of the 21 CFR 11 preamble for further details. |
Validation is a One-off Activity |
Validation is not a single event in a system’s life cycle as changes to the system inevitably occur, for example upgrade of application software or operating system. Therefore, on-going revalidation of a system is required until the system ceases operation. The data generated by the system need to be available for a batch’s shelf-life plus one year for GMP data or 15 years after the last launch in the last country for a system operating in R&D especially in the light of 21 CFR 11. |
Validation Does not need Documentation | Oh yes it does! All activities contributing to validation of a system must be proven to have taken place i.e. documented either in paper or electronic means. If it’s not written, (approved and reviewed) the activity did not take place. |
GMP = Giant Mass of Paper | The documentation needed to validate a system is little if any more than that required for good practice delivery of a computerised system not requiring validation. Further, references to vendor documentation can be used when these references include author, title, date/release number, and location. |
Validation Equals Software Testing |
Wrong again! Firstly, a system includes more components than just software e.g. procedures, hardware, documentation and people. Secondly, other activities than testing are needed to prove a system functions as desired e.g. system specifications. Validation is a process that once started cannot be stopped. |
Requirements are not Needed |
The definitions of validation above explicitly state that system requirements are required. In the absence of requirements:
|
Just a Documentation Exercise | It is not adequate just to document validation features retrospectively. Validation must be proactively specified into a system. Further, it must be demonstrated that use of the system in practice continues to meet designed in validation features e.g. that Standard Operating Procedures are being followed. |
Validation is a job for IT or QA/QC | Validation is the responsibility of the users of the system, in particular, the system owner who is legally responsible for validation. You can’t delegate this responsibility except due to incompetence. |
Regulatory Bodies don’t care about IT Systems | Wrong yet again! There are increasing trends both to inspect IT systems and in the level of sophistication of such inspections. This is especially the situation with 21 CFR 11 regulations and the resulting warning letters. |
There are three key roles in validating any computerised system, these are the users, quality assurance and the Information Technology (IT), where appropriate. Each role will be described below together with an outline of their responsibilities.
External roles may also be involved these include the following: