With computer systems endemic in the laboratory, effective risk management can dramatically reduce validation costs. It also ensures functionalities with the highest business and compliance risks receive the requisite focused validation effort.
This article will guide you through a logical approach to Commercial Off-The-Shelf (COTS) system validation using risk assessment principles and critical thinking.
Testing
So, what is computer system validation? Computer system validation is a complex process. Failure in any step can lead to disastrous consequences for patients and loss of credibility with regulatory authorities. This is why reliable validation is critical in the pharmaceutical, clinical, and medical device industries.
Risk management starts during the concept phase with a User Requirement Specification (URS), where business processes are analyzed to establish process controls, and a validation strategy is developed. This includes a detailed high-level project plan, resources, timelines, benefits and restrictions, and a first risk assessment.
This is where it becomes possible to achieve significant cost savings through a risk-based approach. In this way, only the highest-risk systems need to be validated. Typical factors that determine the level of risk include the likelihood and severity of an error; work done by suppliers; SOPs and management external to the application that mitigate risks; the type of records handled; and their impact on product quality, patient safety, and compliance.
This is what the new FDA guidance on computer software assurance (CSA) aims to promote. It will allow us to rely on a risk-based approach that builds upon the GAMP 5 principles of product and process understanding, quality risk management, and leveraging supplier activities. It will also provide more flexibility to leverage cloud-based systems where routine software updates occur regularly.
Assessment
Computer systems are widely used in pharma manufacturing for instrument control and data evaluation in laboratories, and for data transmission, documentation, archiving, and retrieval. In regulated environments, they must be formally validated. The primary compliance-related purpose of the validation is to ensure that the system produces accurate and reliable results for regulatory and user requirements fulfillment.
An excellent initial step is to conduct a risk assessment. This involves developing a project plan and gathering all relevant information to determine the extent of testing needed based on the level of risk. A traceability matrix should be extended to link the original user requirements to the design specifications and appropriate verification tests.
During this phase, the initial risk assessment team should be established. This should include members from the areas that will use the computer system, including validation, quality, manufacturing, and IT. It is essential to select a risk analysis tool that suits the size of the project, available time, and resources. If only limited resources are available, a simple tool is more practical than an advanced one requiring considerable expertise.
It is helpful to look at the existing work done by the software supplier as part of the initiation phase of the risk assessment. Taking advantage of the fact that many aspects of a risk assessment have already been taken into account by the software supplier will make it easier to focus on the higher-risk items that matter and reduce the overall amount of testing required.
Design
A risk-based approach to computer system validation focuses testing efforts on the areas most likely to impact product quality. This approach allows the industry to reduce testing time and resources while maintaining high data integrity. It also enables validation teams to make informed decisions about the appropriate scope of testing for a particular system.
A vital part of the risk assessment is determining how much impact an error in a specific computer system will have on product quality and safety. This is determined by a Failure Modes and Effects Analysis (FMEA) process. For each unit operation in a circle, a risk priority number is calculated based on the impact of a potential failure and the likelihood that it will occur. The total number of units with a risk priority number greater than a threshold value determines the overall system risk.
The system risk is then categorized, from highest to lowest, based on the potential impact of an error. This step helps identify which parts of the system are most important to test, which parts can be tested less frequently or not at all, and the extent to which a risk reduction strategy should be employed.
Any time software or hardware changes, a new risk assessment and re-validation should be performed. However, not all changes require a complete system re-validation. Some can be made with a partial upgrade and documented procedures in the company change control system.
Maintenance
The risk-based approach to validation is a critical component of computer system validation. It ensures that the systems utilized in regulated businesses consistently fulfill their intended purpose and produce accurate, reliable results. This enables regulatory compliance, fulfillment of user requirements, and data integrity.
It also facilitates the use of newer, best-of-breed computer software applications by lowering the barriers to adopting them. This is important because many regulated industries use outdated guidelines that prevent them from enjoying the cost, productivity, quality, and safety benefits of today’s best-in-class systems.
This is accomplished by identifying, evaluating, and prioritizing potential risks and determining how much testing is required to minimize these risks. The evaluation includes consideration of the work performed by software suppliers, standard operating procedures and management external to the application that mitigate risk, the impact of an error on product quality and human health, and the probability of the event occurring.
Effective communication between the supplier and the customer is critical to this process. This includes open and transparent discussions, document exchanges, and meetings between the parties, enabling the supplier to provide valuable insights into the system’s functionalities, performance, and potential risks. This translates into clear and thorough documentation that helps minimize validation efforts and ensures that all aspects of the system are fully validated. This is a crucial step in ensuring the computer system validation process is effective and efficient.