To successfully implement, use, and maintain computer systems, the regulatory, clinical, and IT professionals working in the biopharma industry must maintain relevant knowledge and approaches to computer systems validation (CSV).
To support CSV, FDA’s General Principles Validation allow a manufacturer to apply a critical risk-based approach to their validation activities.
The FDA is most interested in situations that could directly impact product safety or quality – high-risk events. When implementing a risk-based CSV approach, the level of documentation will highly depend on the level of impact a computer system change or update has on a product or process.
Every CSV process should start with a formal risk assessment that addresses and has a response plan for:
- What could go wrong?
- How likely is it that the system will require downtime?
- What are the consequences of the system not functioning properly?
From there, you should approach categorize the risk of each computer system.
Prioritizing Computer Systems Risk
Once you’ve identified the risks and impacts of each, you can document how you will respond, including identifying appropriate controls and verifying that the controls are applied successfully.
When software or hardware is updated or substantially changed, risk assessment and revalidation is critical to ensuring the system still functions appropriately for its intended use.
However, not every computer system change requires full revalidation. Save time by identifying the types of changes that do not alter how the system works and creating documented procedures in your QMS that outline how these changes are addressed.
Examples of changes to validated systems that can be effectively handled as procedures include:
- Systems access updates
- Rights and roles creation
- User-level operations
- General configuration modifications
Adopting a risk-based approach can reduce validation efforts, costs, and project duration.
Creating a Computer Systems Risk Assessment Plan
A risk-based approach to CSV ensures that the computer system functionalities with the highest risk receive the most focused validation effort first.
The level of validation really depends on the type of risk that might occur. An expert can identify risks in your computer system by understanding their likelihood to occur and characterizing each in one the following buckets:
- High: Direct impact on data integrity, patient safety, or product quality
- Medium: Indirect impact on data integrity, patient safety, or product quality
- Low: No impact on data integrity, patient safety, or product quality
Involving a team of validation experts, the computer system vendor, and relevant stakeholders can help identify and categorize all potential risks.
What’s Next for Risk-Based CSV?
The FDA intends to publish a guidance report on Computer Software Assurance for Manufacturing and Quality System Software in FY2021 and we are looking forward to an expanded discussion on software development and computer systems validation.
We anticipate the guidance to incorporate combined efforts around data integrity, quality, safety, risk, testing, and streamlining documentation and we look forward to keeping you GMP inspection ready.