Beruflich Dokumente
Kultur Dokumente
Useful For
For Examples
Antivirus Software
Guiding
Guide
Medical Devices
Creative Writing
This Blog
This Blog
Top of Form
Bottom of Form
Computer System Validation
Specific requirements for computers and electronic records and signatures are also
defined in FDAs regulations 21 CFR Part 11 on electronic Records and Signatures
(4). This regulation applies to all FDA regulated areas and has specific requirements
to ensure trustworthy, integrity and reliability of records generated, evaluated,
transmitted and archived by computer systems. In 2003 the FDA published a
guidance on scope and applications of 21 CFR Part 11 (5). In this document the FDA
promoted the concept of risk based validation
.By far the most detailed and most specific official document that has ever been
developed on using computers in regulated areas is the Good Practices Guide on
Using Computers in GxP Environments. (6). It has been developed by inspectors for
inspectors of the Pharmaceutical Inspection Convention Scheme (PIC/S) but is also
quite useful for the industry. It has more than 50 pages and includes a six page
checklist recommended to be used by for inspectors.
Because of their importance, computer validation issues have been addressed by
several industry organizations and private authors:
The Good Automated Manufacturing Practices Forum (GAMP) has developed
guidelines for computer validation (7).
Huber has published a validation reference books for the validation of computerized
analytical and networked systems (8).
The Parenteral Drug Association (PDA) has developed a technical paper on the
validation of laboratory data acquisition system (9)
All these guidelines and publications follow a couple of principles:
Validation of computer systems is not a one time event. It starts with the definition
of the product or project and setting user requirement specifications and cover the
vendor selection process, installation, initial operation, going use, and change
control and system retirement.
All publications refer to some kind of life cycle model with a formal change control
procedure being an important part of the whole process.
There are no detailed instructions on what should be tested. All guidelines refer to
risk assessment for the extent of validation
While in the past computer validation was more focused on functions of single user
computer systems, recently the focus is on network infrastructure, networked
systems and on security, authenticity and integrity of data acquired and evaluated
by computer systems (10). With the increasing use of Internet and e-mail
communications the validation of web-based applications also gets more important.
Labcompliance recently published a package entitled Internet Quality and
Compliance.
Validation Overview
Validation of computer systems is not a once off event. Annex 11 of the European
GMP directive is very clear about this: Validation should be considered as part of the
complete life cycle of a computer system. This cycle includes the stages of
planning, specification, programming, testing, commissioning, documentation,
operation, monitoring and modifying.
For new systems validation starts when a user department has a need for a new
computer system and thinks about how the system can solve an existing problem.
For an existing system it starts when the system owner gets the task of bringing the
system into a validated state. Validation ends when the system is retired and allimportant quality data is successfully migrated to the new system. Important steps
in between are validation planning, defining user requirements, functional
specifications, design specifications, validation during development, vendor
assessment for purchased systems, installation, initial and ongoing testing and
change control. In other words, computer systems should be validated during the
entire life of the system.
Because of the complexity and the long time span of computer validation the
process is typically broken down into life cycle phases. Several life cycle models
have been described in literature. One model that is frequently used is the V-model
as shown in figure 1.
Description
GAMP 3
GAMP 4
GAMP 5
than the user ever will need. On the other hand there should be documented
evidence that the system performs all specified functions and compliance to the
specifications must be verified later on in the process during operational
qualification and performance qualification. Specifying too many functions will
significantly increase the workload for OQ. The development ofrequirement
specifications should follow a well documented procedure. Most important is to
involve representatives of all user departments in this process.
User requirements should have a couple of key attributes. They should be:
Necessary. Unnecessary functions will increase development, validation, support
and maintenance costs.
Complete. Adding missing functions at a later stage will be much more expensive
than including them initially.
Feasible. Specified functions that can not be implemented will delay the project.
Accurate. Inaccurately specified functions will not solve the applications problem.
Unambiguous to avoid guessing and wrong interpretation by the developer.
Specific to avoid wrong interpretation by the developer.
Testable. Functions that are not testable can not be validated.
Uniquely identified. This helps to link specifications to test cases.
Functional specifications answer the question: what functions does the system need
to comply with users requirements. They are normally written by the developer of
the system and should be reviewed by the user.
Design specifications are also written by the developer. They answer the question:
how does the system implement specified functions. They should be formally
reviewed by a team of developers under the supervision of QA.
Vendor Assessment
Validation of software and computerized systems covers the complete lifecycle of
the products which includes validation during design and development. When
software and computer systems are purchased from vendors, the user is still
responsible for the overall validation.
FDAs guide on Principles of Software Validation states this very clearly: Where the
software is developed by someone other than the device manufacturer (e.g., off-
the-shelf software) the software developer may not be directly responsible for
compliance with FDA regulations. In that case, the party with regulatory
responsibility (i.e., the device manufacturer) needs to assess the adequacy of the
off-the-shelf software developers activities and determine what additional efforts
are needed to establish that the software is validated for the device manufacturers
intended use.
The objective of vendor qualification is to get assurance that the vendors products
development and manufacturing practices meet the requirements of the users firm
for quality. For software development this usually means that the software is
developed and validated following documented procedures.
Vendor assessment should answer the questions: "What type of assurance do you
have that the software has been validated during development" or "How can you be
sure that the software vendor did follow a quality assurance program?" Depending
on the risk and impact on (drug) product quality answers can be derived from
Documentation of experience with the vendor
Experience may come from the product under consideration or from other products.
External references
Useful if there is no experience within the vendor within your company
Assessment checklists (mail audits)
Use checklists available within your company, through public organizations, e.g.,
PDA and from private authors.
3rd party audits
Gives an independent assessment of the quality system and/or product
development
Direct vendor audits
Gives a good picture on the vendors quality system and software development and
validation practices.
Assessment cost increase from 1 to 5 and the final procedure should be based on
justified and documented risk assessment. Such risk assessment include two parts:
Product risk
Vendor risk
Factors for product risk include
System complexity
Number of systems to be purchased
party.On the other hand green areas could be handled by a one to two page
document describing who the vendor and why you did select the vendor.
Vendors in the yellow area could be assessed through mail audits supported by
good internal or external references. Results of the vendor audits should be
documented followinga standardized ranking scheme. An example is shown in Table
2.
The results of the vendor assessment and any vendor audit should be well
communicated within a company to avoid duplication of audits of the same vendor
by different departments or sites. This can be achieved by developing a company
wide repository with entries of all vendor assessment activities. The whole process
of vendor assessment and audits should be controlled by documented procedures.
Ratin
Meaning
g
Interpretation
Excellent
Adequate
Poor
Unsatisfactory
N/A
Not Applicable
Installation Qualification
Installation qualification establishes that the computer system is received as
designed and specified, that it is properly installed in the selected environment, and
that this environment is suitable for the operation and use of the instrument.The list
below includes steps as recommended before and during installation.
Before installation
Obtain manufacturer's recommendations for installation site requirements.
Check the site for the fulfillment of the manufacturers recommendations (utilities
such as electricity, water and gases and environmental conditions such as humidity,
temperature, vibration level and dust).
During installation
Compare computer hardware and software, as received, with purchase order
(including software, accessories, spare parts)
Operational Qualification
Operational qualification(OQ) is the process of demonstrating that a computer
system will function according to its functional specifications in the selected
environment (
Before OQ testing is done, one should always consider what the computer system
will be used for. There must a clear link between testing as part of OQ and
requirement specifications as developed in DQ phase. Testing may be quite
extensive if the computer system is complex and if there is little or no information
from the supplier on what tests have been performed at the suppliers site. Extent
GAMP3
GAMP4
Medium
risk
Test critical
functions.
Low risk
No testing
GAMP5
standard functions
Proper functioning of back-up and recovery and security functions like access
control to the computer system and to data should also be tested.. Full OQ test
should be performed before the system is used initially and at regular intervals,
e.g., for chromatographic data systems about once a year and after major system
updates. Partial OQ tests should be performed after minor system updates.
Tests should be quantitative. This means inspectors would not only expect a test
protocol with test items and pass/fail information but also expected results,
acceptance criteria and actual results. An example for a test protocol template is
shown in figure 8.
Tests should be linked to requirement specifications through a test traceability
matrix. A template for such a matrix is the table below should help to easily find a
test protocol for a specific test requirement.
The matrix can be documented on paper format but for larger projects it is
recommended to use electronic document management systems. This can range
from simple Word tables to data bases and software specifically developed for
managing traceability matrices.
Requirement Number
Requirement
Test ID
1.1
Example 1
4.1, 4.3
1.2
Example 2
1.2
1.3
Example 3
3.1
1.4
Example 4
3.1, 4.1
Performance Qualification
Performance Qualification (PQ) is the process of demonstrating that a system
consistently performs according to a specification appropriate for its routine
use.Important here is the word consistently. Important for consistent computer
system performance are regular preventive maintenance, e.g., removal of
temporary files and making changes to a system in a controlled manner and regular
testing.
In practice, PQ can mean testing the system with the entire application. For a
computerized analytical system this can mean, for example, running system
suitability testing, where critical key system performance characteristics are
measured and compared with documented, preset limits.
PQ activities normally can include
Complete system test to proof that the application works as intended. For example
for a computerized analytical system this can mean running a well characterized
sample through the system and compare the results with a result previously
obtained.
Regression testing:reprocessing of data files and compare the result with previous
result
Regular removal of temporary files
Regular virus scan
Auditing computer systems
Most efficient is to use software for automated regression testing. The software runs
typical data sets through a series of applications and calculates and stores the final
result using processing parameters as defined by the user. During regression testing
the data are processed again and results are compared with previously recorded
results. Normally such tests dont take more than five minutes but give assurance
that they key functions of the system work as intended.
customerspecificssaid...
It is safe to say that nearly everything about managing customer specific
requirements is a hassle. If you're an auditor, how do you know what customer
specific requirements exist so that you can audit against them? If you're the
customer, how do you distribute them efficiently? If you're a supplier, how do you
get them? How do you know if you have the latest version?
Customerspecifics.com was founded as a way of improving the management of
customer specific requirements for registrars and quality personnel. The idea
started when a member was surprised to find that his revision of a customer specific
requirement had become obsolete just days before his audit, resulting in a finding.
Really?
This person wasn't notified of the release of a new revision. If suppliers are required
to notify their customers of changes to processes, shouldn't customers return the
favor and notify their suppliers of changes to requirements? If something is
important enough to be a requirement for a supplier, it's just good business practice
to make sure that your suppliers are aware of these requirements.
Arpita mohapatrasaid...
If something is important enough to be a requirement for a supplier, it's just good
business practice to make sure that your suppliers are aware of these
requirements.more information
January 14, 2013 at 3:53 AM
Post a Comment
Newer PostOlder PostHome
Subscribe to:Post Comments (Atom)
powered by
Bottom of Form
Popular Posts
Types of process validation
1. Types of process validation .Depending on when it is performed in relation to
production, validation can be prospective, concurrent, r...
Setting Cleaning Validation Acceptance Limits for Topical Formulations
Top of Form
Search Books
Bottom of Form
Showing 1 - 10 of 2197 results
12345>
Privacy
<a href="http://ws.amazon.com/widgets/q?
rt=tf_sw&ServiceVersion=20070822&MarketPlace=US&ID=V20070822%2FUS
%2Fphotgall08-20%2F8002%2F1963b3d0-792a-4985-87dcc3fd0f2ba601&Operation=NoScript">Amazon.com Widgets</a>
Subscribe To
Posts
Atom
Posts
Blog Archive
Comments
Atom
Blog Archive
Comments
Share it
Site Stats
Followers
, 2010)