10 Steps to validate your computerized systems
Define the CSV Team
This is one of the first activities that shall be defined before starting the validation of the computerized system(s). The Validation Team oversees all the computerized system validation (CSV) projects at a site, or within a department. These validation projects will be defined in the Validation Master Plan.
Whether the team is already formed, it is recommended to identify the people who will be part of the Computerized Systems Validation team (CSV Team), since this team will be responsible for the creation and maintenance of the Validation Methodology of Computerized Systems, such as the Validation Master Plan for Computerized Systems (CS), CS Inventory, CSV procedures, formats, and for carrying out the CSV activities, documentation, executions, and reports.
Define CSV Team Members
Whether you contract a third party for the validation of the computerized systems, or it is company personnel, the CSV team must be defined.
The CSV team members should be representatives from the following functional areas as appropriate to the site or department: Users, Quality Assurance, Validation Engineering, IT Department, and other relevant parties.
The CSV team members should be sponsored by one of the most senior managers within the site or department.
Define CSV Team Responsibilities
CSV Team will be responsible for creating and maintaining the Computerized Systems Validation Methodology. Responsibilities include, but are not necessarily limited to:
- Identifying Computerized systems or applications requiring validation
- Prioritizing and justifying the validations to be performed
- Developing the initial Validation Master Plan and producing subsequent revisions as required,
- Directing the project team on adapting the Validation methodology to their project
- Developing solutions to quality and compliance issues
- Coordinating validation projects, resourcing validation projects, including approving the use of consultants
- Creating and reviewing validation documentation.
Review Validation Master Plan
Each site should establish a Validation Master Plan (VMP), which describes all the required validation activities and assigned responsibilities, priorities, and timings for actions. The CSV Team should review and approve this site plan.
All CSV projects should either be included in this Validation Master Plan, or the CSV team shall create a separate Computer Systems Validation Master Plan.
The Validation Master Plan should be a dynamic document which at any point in time will represent:
- which systems exist on site
- which systems require validation
- who is responsible for each validation project
- the status of the individual validation projects
- the date for completion of each validation project
All upgrades and periodic reviews should also be added to this plan.
Create a CSV SOP
The CSV Team shall create the CSV SOP. This SOP aims to describe the CSV methodology for GxP regulated computerized systems installed at the site. This methodology ensures that computerized systems will reproducibly perform the functions they are designed to do and are suited for their intended use.
The CSV procedure shall apply to all computerized systems owned by the site that create, modify, maintain, archive, retrieve or transmit information in support of GxP activities or to all those systems that need to be validated for any regulatory or compliance purpose. The templates for all validation documents shall be included in the SOP.
Create a Computerized Systems Inventory
CSV Team shall create an inventory of all computerized systems in use within a given site or department. Creating an inventory is the first step in identifying systems that require validation. The information of the CS Inventory shall include, but it is not limited to:
- System reference number or ID
- System Name
- System Owner
- Business Areas Impacted
- Qualification Status
- Operating System
- Operation System Version
This inventory can be added if the system generates electronic records, uses electronic signatures, and has an Audit Trail.
Identify Systems that require Validation
The System Owner and CSV Team are responsible for identifying systems that require validation. Each system that has been identified must be assessed to see whether it performs quality or business-critical functions, whether there are sufficient controls to ensure its performance, and whether it should be validated or not.
The system owner is responsible for completing the assessment of each system and updating that assessment whenever there are changes to the system.
A quick evaluation can be performed to discern whether the system requires validation or not, for example:
- GxP Impact Evaluation, the system have a direct impact on the product quality, patient safety or data integrity?
- CFR 21 part 11 Evaluation, the system handled electronic records? Electronic signatures?
This evaluation shall be strengthened when the validation plan will be created for each system.
Determine Validation Priority
Once the systems that require validation had been identified, it will be necessary to determine the priority of each system validation (or validation project) within a site or department. To determine the priority of each validation, a risk assessment of all the validation projects shall be performed.
Validation Priority should be given to those systems that pose a greater risk to product quality, patient safety, and business.
Understand the Computerized System
An understanding of the supported process by the computerized system is fundamental to determining system requirements, the basis of the validation effort. In this stage, it is suggested to do a mapping of the process flows performed in the system.
Efforts to ensure fitness for intended use should focus on those aspects that are critical to patient safety, product quality, and data integrity. These critical aspects should be identified, specified, and verified.
Identify CSV roles
It is important to identify the Business Owner, System Owner, and Subject Matter Experts since they are the ones who support the activities of the validation of the system. In some cases, the process owner also maybe the system owner.
- Process Owner: The person ultimately responsible for the business process or processes being managed. This person is usually the head of the functional unit or department using the system. However, the role should be based on specific knowledge of the process rather than position in the organization. The process owner is responsible for ensuring that the computerized system and its operation are in compliance and fit for intended use according to applicable Standard Operating Procedures (SOPs) throughout its useful life. Responsibility for control of system access should be agreed upon between process and system owner.
- System Owner: The person ultimately responsible for the availability, support, and maintenance of a system and the security of the data residing on that system. This person is usually the head of the department responsible for system support and maintenance. However, the role should be based on specific knowledge of the system rather than position in the organization. The system owner is responsible for ensuring that the computerized system is supported and maintained by applicable SOPs. Responsibility for system access control should be agreed upon between the process and system owner.
- Subject Matter Expert (SME): Those individuals with specific expertise in a particular area or field. SMEs should take the lead role in the verification of computerized systems. SME responsibilities include planning and defining verification strategies, defining acceptance criteria, selecting appropriate test methods, execution of verification tests, and reviewing results.