Computerized Systems and the Need for Validation

A computerised system consists of Hardware, Software and network components together with controlled functions and associated documentation.

Hardware Components:

The following devices fall under the hardware category:

· Server (Physical or virtualized)

· Storage

· Client Machines (Laptop/desktop/thin clients)

· Equipment Machines

· Different types of Gauges

· Printers

Software Components:

The software falls under the following categories:

· License Management

· Application & Programs

· Software Life Cycle Management

· Database (SQL, MSSQL, Hana) Management

· Data Backup & Restoration

Network Components:

· LAN/WAN Infrastructure

· Internet Connectivity

· Ports Management

Any computerised system involved in the following area falls under this term:

- Clinical Trials Data Management

- Enterprise Resource Planning

- Laboratory Information Management

- Process Controls and Analysis

- Building Management

- Warehouse Management

- Adverse Event Management

- Document Management

- Quality Management

Any system that has automated manual activities are termed a Computerised System. These systems are designed in such a way that they remain compliant as per the regulatory guidelines. When you replace an old paper-based system with a computerised system, all paper-based compliances need to be applied. The generation of audit trails, security, access controls, roles & authorization and data backup becomes very important as you start relying on the computerised data.

When critical information that has a direct link to the product quality comes under the computerised system, the system must be so robust that no one should be able to make any type of changes in it once the data is stored.

Such systems which have a direct association with the regulated activities are called as GxP environment.

Where

G stands for Good

x – remains a variable that can be replaced with manufacturing, clinical, laboratory or documentation

P stands for Practice

In this way, such GxP systems are termed GMP, GCP, GLP or GDP Systems

Any change in these systems comes under the change management enabled by the QAMS framework of the organization.

If we discuss a complete life cycle of the computerised system, we need to ensure that all GxP aspects should be documented very well. When a new system is deployed in the GxP area, proper documentation is done that talks about the business processes, best practices, risks, risk-mitigation, periodic reviews, vendor assessment, data security, backup procedures and how changes will be addressed. These documents are termed Computer System Validation or CSV of the Computerised System.

A computerised system remains effective for multiple years in a GxP environment. The key concept is that a system should remain compliant the entire of its life. Key stakeholders or actual users are involved in User Acceptance Testing (UAT) and Site Acceptance Testing (SAT). After getting their final confirmation, the system release certificate is released by Quality Assurance Department.

When people start using a computerised system, they come across some challenges. IT team interacts with the business to understand these gaps and starts adding these functionalities. These changes may impact existing functionalities in a live server.

So how to highlight these challenges?

These challenges are communicated to the QA department who raises a change control and captures risks associated with these changes. Proper risk assessment is done and when functionality is ready, these risks are mitigated. All such risks are documented properly in a Quality environment. Some companies call them a validation server. If a new release comes for the application, the same route is followed and all risks are mitigated. IT persons verify that new change would not impact their old data as this data pertains to the regulations.

Various test scripts are designed and actual screenshots are captured. User Acceptance testing is done along with the QA team and change control is closed after a system release. When such small changes are done periodically, it triggers the requirement of a fresh validation where complete documentation is done again.

The organizations can make their SOPs or Policies for periodic reviews and fresh validation.