Have you ever been working on the Computer System Validation (CSV) of a Laboratory System and hit a brick wall? The validation comes to a standstill because the software/hardware does not meet one of three main aspects of computer system validation testing:
- Does not function as intended
- Does not meet an aspect of 21 CFR Part 11
- Does not meet a general CSV requirement
After struggling with the system on your own and contacting the vendor, it is soon determined that an alternate solution must be found in order to meet the regulations. The quality organization of your company will be a key driver in determining what will be an appropriate solution. And if sufficient in-house CSV expertise does not exist, it is highly recommended that a laboratory software validation Subject Matter Expert (SME) be engaged.
So how can you overcome this challenge? The primary way is to find an “engineering solution” wherein the software can be configured or customized to solve the challenging issue. When this is not possible, a procedural solution must be found that is acceptable to the business, the IT organization, and the quality approver for the validation. Let’s take a closer look at the three challenges described above.
Does Not Function as Intended
The most difficult issue to overcome is when the software/hardware does not function as intended. This is the rarest of the issues since one would hope that the software vendor has tested their system for intended use and remedied any issue found. However, bugs and function failures still do occur.
The first way of addressing this issue is to contact the vendor to determine if there is a known solution. If there is not, your next course of action is to attempt to turn off that functionality in the software. If both of these approaches fail, then you must first show due diligence by performing the following actions:
- Document in the CSV documentation that the function will not be used
- Document and train the users that the function will not be used
- Create an SOP that documents that the function will not be used for GxP purposes
During data review for this system once it is validated, the document reviewer also needs training and a procedure to verify that this function was not used by an analyst.
Does Not Meet a 21 CFR Part 11 Requirement
In the current compliance environment, data integrity has become very important. Companies must not only show that they are in control of all data that is created, but also must show that the raw data is inalterable and fully audit trailed. They must show that there is accountability for that data from its creation to its ultimate archiving. The metadata for these systems must also be under control. If electronic signatures are used by the company, they must show that the signatures are attributable to an individual.
Laboratory instruments that have a computer and store data must meet these criteria. In many cases the vendors have created these instruments and the associated software with the intent to meet 21 CFR Part 11, but gaps or non-compliance issues often remain. These situations can make it difficult for a laboratory to successfully complete its CSV project.
The key to overcoming these challenges is to set the laboratory system up as a hybrid system. Certain aspects of the 21 CFR Part 11 portion of the validation can be met by the software, while others can be met by procedure (i.e., SOPs). The way that a company combines the paper procedural SOPs with components of the electronic system yields the compliance that is required.
Remember, when gaps are first identified, a risk assessment should be performed to identify and determine the overall risk and exposure. This will help guide how much testing and documentation will be required to satisfy compliance.
Does Not Meet a Computer System Validation Requirement
Computer system validation requirements such as backup, Windows security, and recovery are common requirements that have issues passing CSV. This could be for a variety of reasons. Some software applications may stop running if they become securely locked down in the operating system. Others will not be able to back up all files since some are “open files”. In these instances, a procedural solution combined with a software solution may be required. This will require the attention of the business, the vendor, and the IT department to solve.
Solving these issues can be complex. It is critical to have people who are experienced in the system, compliance, and IT solutions in order to address these issues. Together, these disciplines bring the views needed to create a solution that can meet the scrutiny of the agency looking at compliance and data integrity.
Does your laboratory have CSV projects that have stalled or stopped due to one of the issues discussed above? If so, have you figured out why and addressed the issues? Did you balance your software compliance with procedural compliance? If so, is your quality group satisfied with the solution?