Computerized System Validation (CSV) by Ana Paula Bertelle

1. What is computerized system validation?

Computerized system validation consists of the execution of a series of tests that generate documented evidence that the system meets the user’s requirements, the technical and functional specifications, and the regulatory requirements in force for the industry where it will be used.

CSV is important because it aims  to ensure that the acquired system operates satisfactorily within the functionalities necessary for users and in compliance with good practices and regulations in force.

1. What is the importance of computer system validation?

Computerized systems are investments that companies make in search of optimizing routines and increasing safety.

Computerized systems process data and information that are very critical to the routines of companies and need to be secure. It is essential to ensure that the system operates properly and that there is integrity and security for the data processed, recorded or informed.

It is important to ensure that data is stored securely, cannot be modified, and can be recovered.

CSV brings security to the users of the system.

1. What are the risks associated with lack of validation in critical computerized systems?

When a system goes into routine without validation, there are several associated risks, such as:

• the audit trail is not enabled,
• the security policy is not defined and parameterized,
• not setting up user management correctly,
• not establishing the backup policies,
• not parameterize restore routines,
• Do not parameterize alarms.

1. What are the steps involved in the CSV?

The process should start with the elaboration of the User Requirements Specification, a document that should describe all the functionalities and solutions that are sought with the acquisition of the system. The ERU should also outline the hardware, security, engineering, and best practices requirements that must be met by the system.

The next step is the selection of the supplier that best meets the ERU and presents the best commercial and after-sales conditions (e.g. customer service system, quality management, face-to-face and remote technical assistance, spare parts). At this stage, benchmarking with other customers who already use the system is indicated to have information about implementation, validation, and maintenance experiences.

After selecting the supplier, he will prepare the project and the technical and functional specifications that will be used for the qualification of the project or drawing. In the project or design qualification  stage, an evaluation of the ERU x project/specifications proposed by the supplier is carried out. Divergences are recorded as deviations and for each one there must be an evaluation and action plan.

For some systems it is possible to perform the factory acceptance testing (FAT)  stage which we perform together with the manufacturer in a test environment to verify that the design requirements (ERU, ET and EF) are all in compliance before releasing the system for installation to the user.

When the system is installed on the user, commissioning and start-up (SAT)  is performed by the manufacturer to ensure that all hardware components are compliant and operational and that all system functionalities are operating.

After the release of the system by the manufacturer, we start the qualification steps:

Installation qualification: verification of the network architecture, hardware components, instruments, and displays.

Operation qualification: verification of reference documentation, all system functionalities with positive and negative tests, user management, the back up routine and the audit trail.

Performance qualification: the system goes into operation in a routine and is monitored for a certain time to check for failures or deviations.

After all the previous steps, the Traceability Matrix is prepared,  which is a document that demonstrates through cross-reference the requirements x tests performed.

Periodic checking of the system in use should be established in the routine. 

You also have to pay attention to the moment of retirement of a system so that there is adequate and safe planning so that there is no loss of data, records and information.

It is important that after the completion of the project qualification, any modification must be carried out via change control.

1. How do regulation and standards play a role in systems validation?

In industries regulated by agencies like ANVISA and FDA, regulation has been requiring controls that ensure the integrity of electronic data and that operations performed via computerized systems are proven to be secure.

With the increase in regulatory requirements related to data integrity/security, the validation of computerized systems has become a regulatory prerequisite that must be carried out before the system can be used routinely in regulated companies.

1. What are the main standards that companies need to follow?

Internationally, the main systems-related references are the FDA’s CFR 21 part 11,  which deals with electronic records and signatures, and GAMP,  which describes a risk-management-based approach to CSV.

ANVISA determines the requirements for computerized system validation in the standards of good manufacturing practices and also published guide number 33/2020 for CSV applicable to the pharmaceutical and API industries.

1. Could you provide some practical examples of how system validation is applied in specific industries?

In  the pharmaceutical industry, computerized system validation is a regulatory requirement described in IN 134/22, which provides for Good Manufacturing Practices complementary to computerized systems used in the manufacture of medicines. This normative instruction is in line with international guidelines and requirements.

In the Active Pharmaceutical Ingredients (APIs) industry, CSV is a regulatory requirement described in RDC 654/22 in chapter XII – Validation, Section VI Validation of computerized systems.

In these industries, the validation of computerized systems is a normative requirement for all systems and/or modules with an impact on Good Manufacturing Practices. This applies to analytical equipment, process equipment, management systems, and automation.

Also for Cosmetics and Sanitizers CSV is a requirement described on RDCs 47/13 and 48/13.

1. What are the common challenges faced by companies when performing system validation?

Evaluate the BPx impact of each system and/or module.

Evaluate and define the category of each system and/or module to establish the correct validation approach for each system.

 Infrastructure Software (1)

 Non-Configured Software (3)

Configured Software (4)

Custom Software (5)

Define the roles of Process Owner, System Owner, and Subject Matter Expert.

Set the System Administrator based on Risk Management.

1. How can these challenges be overcome?

The BPx impact assessment and the system category need to be considered  already in the design phase  so that the entire life cycle is established in compliance with the guides and regulations.

Users need to be made aware that the basis of the project will be the ERU and therefore time should be dedicated to describing the requirements clearly and objectively.

It is necessary  to define the roles in the project and make it clear to everyone that risk management requires barriers that in some situations can be considered obstacles to routines, such as blocking users after consecutive login/password errors, time for automatic logout, periodic reset of passwords, and restriction of access to critical system functions.

It is essential that training is carried out on security policies explaining to those involved how important they are for mitigating risks.

1. What tips or advice would you give to companies that are just starting to explore systems validation in their operations?

System validation is a highly technical and highly complex activity that requires a lot of time to familiarize with the system and many exchanges of information with users and the manufacturer.

The documentation of systems validation is complex, extensive and the execution of the validation takes many weeks or months depending on the system, which may be unfeasible to be absorbed by an internal specialist who already has other activities in his daily routine.

For companies that do not have system validation specialists in their internal teams who can be dedicated to the project, it is highly recommended to hire a third-party specialist who will ensure that the computerized systems validation cycle is met in compliance with CFR 21 Part 11, GAMP and Guide 33.

We want to put the system into operation as soon as possible because it was a high investment and will bring solutions to the routine. Outsourcing is often the solution to reduce equipment clearance  time without reducing CSV quality.