Validation of computerized systems in pharmaceutical control laboratories - Oqotech
The validation of computerized systems has the main objective of providing documentary evidence that ensures that the computerized system works according to its intended use, previously determined and approved by the organization. Throughout this article we will review key aspects when defining the personnel involved in the project, the approach to validation and the activities to be carried out.
Nowadays, most of the equipment used in drug control laboratories is supported by computerized solutions integrated in the device itself or connected to them to obtain results or process the data generated. If the computerized system intervenes in activities regulated by the GxP they must be validated. But, should we put the focus on the computerized system or on the process it should manage? It is vital to avoid the traditional concept of qualification of equipment and computerized systems separately or poorly integrated. It is necessary to identify the components that will provide the operation, security, engineering or technology that together will manage the process and verify that all of them, in an integrated manner, operate according to the intended use. The methodology set out below is born from the experience and projects developed in Oqotech.
Risks associated with computerized processes
In order to elaborate the methodology to be developed in the validation project, initially the exercise of identifying the factors that can affect its correct functioning must be carried out. The following figure shows a risk analysis, in the form of a fishbone, which identifies the main factors to be controlled in the validation project.
Herringbone that analyzes the risks associated with computerized processes in pharmaceutical control laboratories.
Estrategia de la validación de sistemas informatizados
The validation of computerized systems is part of the quality system of the organization and allows to follow the phases of selection, implementation, use and withdrawal of computerized systems. The global strategy to be followed by all the equipment and computerized systems of the organization must be reflected in a master validation plan.
In order to establish controls and apply verifications to all possible types of risks in the computerized process, a validation team must be formed with specialists who provide experience and knowledge in the different areas of the company. The roles that must be represented in the validation team are: the specialists of the processes to be computerized, those responsible for the quality system, those responsible for the computerized systems and the information infrastructure.
The validation strategy must be applicable to all the equipment and computerized systems present in the organization, with the difficulty that all the computerized systems do not have the same complexity, nature or maturity within the organization or in the sector. Validation, therefore, must have a risk-based approach to establish the validation strategy and extent applicable to each computerized system.
It is worth noting the following classification of computerized systems according to GAMP5:
- Category 1, infrastructure software: refers to low-level software such as programming languages, operating systems or databases.
- Category 3, non-configured software: refers to systems that do not require configuration to run the process for which they were designed. An example could be a label printer, scales not integrated with any software or pH meters.
- Category 4, configured software: refers to more or less complex systems that, through their configuration, can be adapted to the process to be executed in the organization. An example of a category may be an HPLC or spectrophotometer.
- Category 5, custom-made software: refers to software tailored to the organization in whole or in part.
Applied to computerized systems used in control laboratories, the following classification could be made according to their complexity:
- Simple systems: non-configured systems (category 3 GAMP5) that generate values based on their firmware.
- Medium complexity systems: composed of one or more configurable components (category 4 GAMP5), which generate values based on their firmware and software with minimal configuration.
- Complex systems: composed of multiple configurable or custom-made components that operate in a network.
As the GAMP5 category or the complexity of the systems increases, the extent of the validation increases.
The validation project is mainly divided into four stages:
Definition of the equipment and computerized systems present in the organization.
- Validation project for critical equipment and systems.
- Maintenance of the state of control.
- Withdrawal and migration of systems.
Complete definition of computerized system
The organization must have at all times updated information on the equipment and computerized systems it has in use or in the process of filing (removed, but with information stored that must maintain its data integrity for a certain time). This way, it will be possible to justify that it keeps under control all the computerized processes.
To define the computerized system, two types of details are considered. The first would consist of a complete description of the equipment, centralized in an inventory of systems, and the second in the definition of its process map.
Inventory of equipment and computerized systems
All existing equipment should be identified and detailed in a global inventory of the organization. It should reflect the industrial components, hardware or software, system information, service provider, planned operation and personnel of the organization responsible for its installation, use, administration and maintenance. This information must be permanently updated.
Diagram of the equipment and its computerized system
The intended use of the equipment and its computerized system must also be recorded. To make the diagram, the equipment and system must be considered as a black box, having to determine what input data are required for the process (they can be samples, files from other computerized systems, a signal from an industrial equipment, etc.), the configuration to be applied (they can be simple parameters or sequences that have specific conditions), the maintenance to ensure the operation of the equipment and system over time, and the output data or expected results.
The following figure shows an example of a diagram of an HPLC with an associated computerized system. The diagram should be accompanied by protocols or documentation that expand on the information in the points named in the chart, for example, user manuals, administration, calibration reports, etc.
Validation Project
The main tasks of the validation project are presented below.
Definition of the information flow, process and management of the equipment and computerized system
Computerized system validation plan
The main objective of the validation plan is to define and shape the procedure to be followed by all the equipment and computerized systems. It must leave defined the equipment and computerized systems affected, the processes that will be analyzed, the steps to be followed in the project according to the situation of the equipment (differentiating whether the validation process is carried out from the beginning, acquiring the computerized system, or if at the time of validation the equipment and system is already in place), the staff of the participating organization and their responsibilities, objectives and acceptance criteria to release the systems analyzed and fulfilled the plan.
User Requirements (URS)
This report clearly and precisely defines what the company requires from the computerized system, the so-called intended use. The user requirements are expected to be specific, measurable, achievable, realistic and testable.
They must be associated with the business process to be managed and can be used for the selection process of the equipment and the associated computerized system.
Agreements with service providers
The organization will be responsible for all services subcontracted to a third party. Therefore, in order to ensure the quality of the service by the supplier, it will be necessary to sign agreements.
The extension of the agreement will depend on the criticality of each computerized system and strategy of collaboration with the supplier. The recommended points to be specified are: description of the service, roles and responsibilities, quality systems, periodic audits, support documentation, information and advice obligations, execution deadlines, maintenance, development ownership and confidentiality.
Installation Qualification (IQ)
The final objective of the installation qualification is the verification of the characteristics, installation and configuration of the final environment of the equipment and the computerized system.
The main tasks to be performed in this project stage are the definition of the system (industrial components, hardware, software, communication structure and wiring), the execution of a risk analysis to establish the criticality of each component, the verification of the existence of documentation such as installation and configuration manuals, use and administration of the system or technical specifications, and finally the verification, for critical components, of the IT and industrial infrastructure with respect to the technical requirements.
Traceability Matrix (MX)
Taking as reference the approved user requirements, a matrix will be generated that will allow linking all the documentation associated with the validation project by requirement.
In this way, for each equipment we can associate the user requirement code that informs its intended use, its administration and use procedures, as well as the qualifications required by its GAMP5 category.
Standard Operating Procedures (SOPs)
The activities of administration and use by end users and managers of the information generated or processed must be reflected in the standard work procedures. The procedures must detail the required configuration, its intended use and the record that must remain of the process.
Design Qualification (DQ)
Once the list of user requirements has been made, the equipment and computerized system installed and the process documented, it is necessary to verify compliance with the critical requirements for the process. A risk analysis must be applied in case any deviation or change of the final computerized environment from the initial requirements is detected. In this way the impact of the change will be evaluated and it will be determined if any corrective measure should be applied.
The final objective of this stage is the verification of the operational, technical and safety design of the equipment and computerized system implemented.
Any change in the computerized system must go through a process of analysis, approval, implementation, documentation and monitoring
Change control
Any change in the computerized system, whether in industrial components, software or hardware, must go through a process of analysis, approval, implementation, documentation and monitoring.
Critical aspects to take into account when evaluating the impact of a change are the following: affected functionalities and documentation, verifications or training to be carried out and the effect on the integrity of historical data.
Operation Qualification (OQ)
Once the functionalities of the equipment and computerized system have been established, it is necessary to evaluate its criticality in the process from a functional approach, security, data integrity and compliance with applicable regulations.
Using the standardized working procedures as a reference, possible failures are identified. Through the risk analysis the criticality is established in case the failure happens. The critical functionalities will follow a process of qualification of the operation.
A testing procedure should be established establishing the personnel involved and the tasks to be carried out. The objective of the test must be clear: to verify the correct functioning of a given operation, analyzing some specific cases, in a given environment, with some users and simulating a specific situation. Likewise, the acceptance criteria per step of the test and the evidence to be captured in the testing process will be determined. When the test is executed, the evidence of the result must be documented and, finally, all the results must be attached in a final report of the qualification of the operation.
Managing users and security profiles
The premise must be fulfilled, as far as possible, that each user of the system has their own user code and private password to authenticate themselves in the computerized systems implemented in the company.
The figure of the system administrator should be highlighted. The administrator must have a different account than the system user account. Preferably, people who are not involved in the process should be assigned as administrators and the changes that apply as an administrator should be documented and approved.
In the same way, the access and type of permissions (visualization or modification) per user and functionality must be clearly specified.
A procedure must be implemented to determine the methodology for user registration requests, modification of user permissions and user inactivation. All these actions must be recorded, determining the user who performs the action, the user affected, the date and time, the change made and the reason for the action in case of modification or cancellation.
Training plan
Once the tasks to be executed by the different members of the organization have been established, the training needs of the users in the associated functionalities become clear.
It should be noted that it is necessary to reflect in a record the training given, the users attending, the date and duration of the training, and the documentation used.
Information Security
Data management should be considered as a process in itself, not as something subsidiary to each operational process.
It must focus on the entire data life cycle, from its generation through its selection, representation, storage, retrieval, distribution and use; regardless of the format or medium in which it has been recorded, processed, archived or removed.
Computerized systems that manage processes considered as critical must comply with the ALCOA+ rule.
Process Qualification (PQ)
Once the OQ is performed, it is necessary to verify in a grouped way the management of a process to ensure that the set of user, equipment, system and procedures allows the correct execution and registration of the process. Also verifying the adequacy of procedures (use, administration and maintenance), as well as the completion of previous phases of validation without critical deviations.
Acceptance and release report
Elaboration of a final report of acceptance of the system determining the personnel involved, methodology followed, results obtained, procedures of maintenance of the state of control and the final report.
Maintenance of the control status
In order to maintain the validated environment permanently, it is necessary to determine the procedures that will be implemented in the organization. These procedures must reflect the activities, people responsible and times of execution.
The following management procedures should be highlighted: change control, user and security management, training plan, physical and logical security procedure, data backup and restoration policy and contingency plan.
Also, in this stage of the project, the methodology to be carried out in the process of periodic revision of the validation is established. The internal audit procedures of the validation, service providers and data integrity are established to maintain the control status over time.
Withdrawal
Withdrawal from a computerized system must be done in a planned manner. The final computer environment, the procedures for use, the technical characteristics of the server, the backup plan and the definition of security permissions must be described in order to ensure that only information can be consulted on the system after it has been removed from the system.
Retired systems should be included in periodic internal audits during their archiving time and in all maintenance procedures of the control environment.
Conclusions
– It is of vital importance that the objective of the validation is to ensure the process to be managed in a computerized way. And be aware that this process is the whole operation of various industrial components, hardware and software.
– We must take into account the integrity of the data throughout its life cycle.
– The validation must be carried out by a validation team in which specialists in the process to be managed, in the regulations to be complied with and in the computerized systems to be managed are present.
In OQOTECH we are experts, with over 13 years in the sector, specializing in the validation of computerized systems. Contact our consultants and receive personalized advice for your company.
Article originally published in Pharmatech’s magazine, issue 47, November-December 2019
Do you want to download this article? You can do it here