Mastering Software Validation
Tue, 03/11/2008 - 11:18am
A practical approachBy Valarie King-Bailey
OnShore Technology Group
Within the life sciences community, the mere mention of the word “validation” sets off discussions filled with validation jargon and acronyms such as IQ, PQ, OQ, predicate rules, GAMP, and other related verbiage. The truth is most professionals who are not validation practitioners or quality experts are confused as to what validation actually is, why it’s important and how to succeed in validating today’s enterprise or desktop applications. Most organizations turn to their software vendors for help only to find that many software vendors are equally as confused about validation or have not considered validation as part of their implementation planning further exasperating the problem.
In today’s highly regulated systems environment, many companies are integrating various technologies in alignment with their compliance and business goals. These systems often support mission critical compliance and business processes that have significant impact on the quality of pharmaceuticals, biologics, and medical devices. Global regulatory agencies are becoming more sophisticated regarding the high degree of complexity of these systems and are demanding comprehensive, documented evidence that these systems are performing according to their intended use and are able to help manufacturers produce therapies which are unadulterated, safe and efficacious.
Given the increased flexibility of many commercial-off-the-shelf (COTS) applications, the line is becoming more blurred between off-the-shelf software and custom-developed software applications. With increasing automation coupled with overlapping regulations, the questions are, “what is the best way to validate technology in highly regulated environments?” How can you maintain validated systems over time? And further, “how does one go about setting up a comprehensive validation program and should you use outside help?
The answers to these questions are the focus of this article. For years, organizations addressed software validation in a tactical, legalistic sense focusing on the required deliverables and documentation rather than looking holistically at regulatory intent and leveraging validation as a business advantage rather than a regulatory burden. For software validation, organizations must move beyond rudimentary tactics to higher levels of mastery to ensure economic efficiency, regulatory conformance, and greater software quality assurance.
Why mastery? Mastery has been defined by some as the ability to blend skills and knowledge in a specific area of practice. Masters may be viewed as those at the “top of their game”. They have mastered all of the basic practices in their field and raised the bar of achievement throughout each endeavor. This article summarizes the requirements for effective validation and summarizes what it will take to master software validation within your organization. Mastering software validation is essential to driving your organization to higher levels of compliance maturity and software assurance in highly regulated systems environments.
The Validation ProcessValidation itself is a process. It is an on-going process that spans across the full lifecycle of software implementation. Validation is not a “one-size-fits-all” process. Validation processes may vary somewhat from company to company thus, validation processes are similar but never exactly the same. Each validation exercise is itself unique. Many validation practitioners find that validation of identical software solutions may result in material differences in configuration, security, intended use and thus, changes in the way the system is ultimately validated. The validation process must ensure that all of these factors are taken into account which accounts for the uniqueness of each effort.
The questions often asked are “where does it say in the regulations that software has to be validated and where does the process begin?” The simple answer is “in many places”. The regulations that affect U.S. manufacturers are set forth in the U.S. Code of Federal Regulations 21 (21 CFR). These regulations are sometimes known as “predicate rules”. The FDA defines validation as:
“...establishing documented evidence which provides a high degree of assurance that the computer-related system operates in accordance with pre-determined system specifications and functional definitions, and will be maintained to do so in the future…” The “documented evidence” in the definition goes beyond test scripts and protocols. The U.S. FDA’s Quality Systems Regulations - 1996 21 CFR 820.70 [i] Automated processes - spells out the regulatory expectations for electronic systems:
“When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol.”
This represents the “intended use” principle. In Europe, EU Directives 2001/83/EG and 91/356/EG define the common codex for human medicines in the EU and establishes EU GMP requirements which are interpreted in the EU GMP guidelines and its annexes. Annex 11 specifically relates to computer validation.
It is important to note that global regulations define what companies must do, not how to do it. Therein lies the root cause of the confusion. Since there is no “single” answer with respect to validation, it is often left to interpretation. This is where best practices come into play. Software validation should begin as part of the Software Development Lifecycle (SDLC) for custom software development projects. Inexperienced practitioners who address validation from a tactical perspective often view software validation as an afterthought which is a recipe for sure failure.
For COTS implementations, it is important to ensure that your vendors/suppliers have developed their applications according to an industry-defined standard and understand the implications of validation in your unique environment. The software supplier audit is the key to mastering this dimension of software validation. Always conduct a supplier audit for your COTS vendors and include the audit results as part of your software validation package.
The FDA’s initiatives for 21st Century GMPs have catapulted the concept of risk assessment to the forefront. From the perspective of software validation, risk assessment may be used to help determine the extent of validation efforts. The risk management strategy must be documented in the Validation Master Plan. This analysis includes:
* Risk Management Process
* Detection Review Points
* Contingency Plans to Mitigate Risk
* Increased Rigor
Increasingly, life sciences organizations are moving towards commercially-off-the-shelf (COTS) software solutions to help reduce risks and associated costs of validation. As a general rule, the more standard the solution, the lower the risk and associated costs. Custom software development or bespoke systems have the highest associated risk and require the most due diligence to ensure validation and verification of the system. You should manage risk in order to deliver a final solution that meets your business needs and regulatory obligations, NOT simply to generate paper for the sake of regulators. Risk should be classified, assessed, reduced, and managed throughout all phases of the project life cycle and the operational life of the system.
Establishing An Effective Validation ProgramEstablishing an effective validation program requires initially the establishment of processes and procedures to provide governance. A sound validation program should include the policies, objectives, principles, organizational authority, responsibilities, accountability, and implementation plan of your organization to ensure quality throughout the process. Comprehensive procedures and controls must be in place to ensure success. The Computer Systems Validation (CSV) policy is a high-level SOP that defines the goals of your validation program.
The most critical aspect of validation is planning. The software validation process is defined and controlled through the use of a plan. This plan is commonly referred to as the Validation Master Plan. The master plan clearly defines “what” is to be accomplished through the software validation project. The development of a validation plan promotes quality assurance and goes a long way to ensure the success of your validation initiative. The Validation Master Plan should highlight the following items:
* Validation Scope
* Risk Assessment
* Validation Activities
* Validation Deliverables
The planning process should be completed prior to any validation activities taking place. This will eliminate costly mistakes made during validation and help ensure overall success. It is essential that regulatory requirements such as 21 CFR Part 11 be considered during planning efforts.
Outsourcing Software Validation: Pros & ConsIn today’s environment, organizations are looking for economic and process efficiencies across the organization. Outsourcing business processes has recently gained in popularity as an alternative business strategy. Outsourcing of your validation projects has its pros and cons.
Pros* Access to validation expertise on demand
* Minimize impact on current, scarce IT personnel
* Accelerate validation process
* Leverage current methodologies and best practices
* Knowledge transfer from industry experts
* Potential cost savings
Cons* Incompatible validation methodologies
* Higher project and Intellectual property risk
* Limited knowledge transfer
* Expensive to sustain over time
* Corporate cultural differences
* Potential hidden costs
The biggest factor to consider when exploring the potential of outsourcing your validation initiative is EXPERIENCE. You will need to ensure that your consultants have the depth of experience in validating your system.
Mastering Software ValidationTo avoid costly mistakes and move to higher levels of compliance maturity and mastery, consider the following lessons learned:
1. Follow the “Intended Use” Principle. It is important to establish a set of user requirements for the system so that all validation activities can be performed in accordance with intended use.
2. Consider The Impact Of Data Migration – most organizations have existing data and documents in house. Consider the migration upfront to minimize the overall impact on your project.
3. Plan before you act. Validation planning is the first step towards successful validation. A master plan is the foundation of successful validation.
4. Establish an effective training program. Validation requires a knowledgeable staff that has the relevant competencies to perform well constructed and documented audits of the systems/processes.
5. Leverage ECM technologies. All validation documentation should be stored in a controlled Enterprise Content Management (ECM) system and be placed under version/change control processes.
6. Take The Time To Define Clear Validation Protocols. The validation protocol is a key document that is essential to any validation initiative. The validation protocol document establishes the validation program, defines the program responsibilities as well as specific requirements for each initiative.
7. Don’t repeat vendor unit testing – this is a common mistake make by validation practitioners. They want to validate every feature and function. You should inspect the unit tests when you conduct a supplier audit and conduct a more comprehensive integrated system tests which tests the system according to your intended use.
8. Develop comprehensive validation policies and procedures. This may seem like a no-brainer, but it is an often skipped process in many programs.
9. Remember “One-Size-Does-Not-Fit-All” – each validation imitative is unique. Compliance your due diligence accordingly.
Without question, validation professionals face a most certain future. Software innovations will continue to flourish, global regulations will increase, and the need for software validation will remain strong. Mastering software validation requires a deeper understanding of the methods and processes associated with validation. Those who have reached compliance maturity understand that validation is not simply a regulatory burden – it makes good business sense. Mastering software validation can save both time and money while reducing risk by leading to the discovery of costly defects BEFORE your system goes into production. It also serves as confirmation that the system performs according to YOUR intended use which, if properly defined, will provide intended results.