For Computer validation to be compliant with with all of the current Good Manufacturing Practice (GMP)
rules and regulations, it must start with a three level User Requirements
Specification document (URS). Since most documents,
post the URS, will either
fully, or partially, base their contents on the URS, it is essential that this
document clearly, concisely and in a manner that is testable, specifies the
exact requirements of the end
user. It is also essential that these exact
testable requirements remain attributable through the development of the
Functional
Specification (FS)Design Specification
(DS) to the actual lines or groups of lines of code that
enable them.
Traceabilty of URS
functionality, to lines of code is an essential element in computer system validation
(CSV). Once thistraceability is establish future maintenance and
modification of software is made much simpler
and more manageable.
There is
much discussion throughout the industry regarding the use of automatic testing programs.A recent guidance document contained these
details of current thinking among the regulators.Proposals for device manufacturers would
require manufacturers that use automated quality control measurement (this could
include almost any automation system used within a medical device or in the
production of a controlled product) equipment to
1)Determine the validity
of the automated
test and determine whether the method will produce results directly applicable
to the device being tested;
2)Insure that QC
test devices are compatible with each other;
3)Verify computer
programs used and to document the testing of the program, and
4)Have a routine
calibration program with appropriate
records.
The guide-lines laid out in Good Automated Manufacturing Practices GAMP 5, for the computer validation of automated systems including automatic computerized manufacturing equipment, control systems, automated laboratory systems, manufacturing execution systems and computers running laboratory or database systems. These computerized system generally consists of the hardware,
software
and network
components, together with all control functions and GAMP 5 is a useful guide in scoping your computer validation activities for such systems. It must be remembered at all times that GAMP is collective ideas from
the industry and does try to be all things to all people.
Which at times means certain sections can appear to contradict other sections.
On a recent project when a group was set up to develop a Risk Assessment (RA) document from GAMP 5, after four weeks they were still divided and unable to
reconcile their company's requirements with the alternative stratigies given in GAMP. It bodes well to never forget that GAMP 5 is a guide from the end users point of view. The actual legal requirements come from the regulators, and obviously
takes precedence. Validation
Online's computer validation (CSV) protocols start with the development of a detailed three layer URS
and progress through the VMP - IQ -
OQ
- PQ. Each of
these computer validation documents are interactive fully detailed and simple to use. Each are preceded with an SOP which guides the user through all phases of
protocol generation completion.
The verification that the end users requirements as detailed in the URS have been fully satisfied, is
paramount to the equipment being correctly qualified. Often this is hard to verify since the traceability from URS functionality to the actual hardware or software utilized is lost in the various spefication designations that range from the functional specification to the design specification to code requirements. However unless the effort is made to maintain this traceability, computer validation is flawed and future maintenance and or modifications can become extremely problematic.
The Validation
Master Plan
- VMP, must be specific about this requirement and instruct all personnel involved in the qualification program, of the importance of maintaining this traceability.
There must be correlation between the elements of the various phase
deliverables / validation template documents; for example, the correlation between the functional requirements and the test cases that challenge them. This correlation can be demonstrated by using a traceability matrix. This matrix facilitates maintenance of the cross-referencing between requirements, the corresponding design elements, and the test cases that challenge them, as well as between the design and the code.
During the design phase, the traceability matrix can help facilitate design review since correlation of requirements to design can unearth mismatches and omissions.
Additionally, completing the traceability matrix can help ensure adequate test coverage in the testing phase.
In the system’s maintenance phase, if any of the requirements or design elements need to be updated due to a change, it is easy to determine what other documents are affected and/or what tests must be re-executed once the change takes place. In short, the
usefulness of the traceability matrix cannot be
overstated.
Dynamic
testing verifies the execution flow of software,
including decision paths, inputs, and outputs. Dynamic
testing involves creating test cases, test vectors
and oracles, and executing the software against these tests. The results
are then compared with expected or known correct behavior of
the software. Because the number of execution paths and conditions
increases exponentially with the number of lines of code, testing for all
possible execution traces and conditions for the software is
impossible.
Static
Analysis.
Code inspections and testing
can reduce coding errors; however, experience has shown that the process needs
to be complemented with other methods .
One such method is static analysis. This somewhat new
method largely automates the software
verification process. The technique attempts
to identify errors in the code,
but does not necessarily prove their absence. Static analysis is used to
identify potential and actual defects in source
code.
Abstract
Interpretation Verification.
A
code verification solution that includes abstract interpretation can be
instrumental in assuring software safety and a good quality process. It is a
sound verification process that enables the
achievement of high integrity in embedded devices. Regulatory bodies such as the
pharmaceutical regulators.
Revalidation
Scheduled.
There
is no regulatory requirement to re-validate a process as long as that process
operates in a state ofGMPcontrol
and no changes have been madeto
theprocess
or outputproduct,
the process does not have to be revalidated. Whether the process is operating in
a state of control is determined by analysing day-to-day process control data
and any finished device testing data for conformance with specifications and for
variability.
Revalidation on
Relocation.
When
equipment is moved to a new location, installation and operation should be
re-qualified. By comparing data from the original installation and operation
qualification(IQandOQ)
and the re-qualification ,
themanufacturercan
determine whether there have been any changes in equipmentperformanceas
a result of the move. Changes in equipmentperformanceshould
be evaluated to determine whether it is necessary to revalidate the
process.
Part 820.75of
theQSregulation
requires that validated processes be monitored and controlled so that when
changes or process deviations occur, amanufacturerwill
know to review and
evaluate the process and perform revalidation when appropriate. 21
CFR 820.75(c ) requires you to have documented procedures in place for
evaluating; when computer validation is again required.
Recent
research has highlighted that in the pharmaceutical and bio-medical industry,
thirty two per-cent of all equipment procurements are unsatisfactory. The
major problem has been identified as companies not specifying in sufficient
detail and or accuracy,what theiractual
needs are. The lack of a quality company approvedUser
Requirements Specification (URS), leads
to many companies having to resort to otherwise un-necessary and
costlyretrospectiveactions
in modifying the equipment or producing unspecified documentation or engineering
drawings, post procurement. These extraneous GMP requirements often
cost more than the equipment.
The
SOP for Computer Validation continues to be an
extremely popular document. This computer validation document leads you through
the validation process, from the URS to the final P2Q.
Purchase your copy now at Special Price of
$22.00.
This combination protocol has been produced in response to several hundred reader
suggestions we received in our ‘Suggestions Section’. It has been carefully designed to make it the preferred choice for Process and Laboratory stand alone equipment. It is interactive, easy to use and suitable for all mixes of equipment with and without software.
The IQ section establishes documented verification that key aspects of the
equipment adhere to approved design intentions and that the recommendations of
the manufacturer have been suitably considered. The OQ section establishes that
there is documented verification that the installed system functions as
specified and that there is sufficient documentary evidence to demonstrate this.
The PQ section gives documented verification that the equipment performance in
its normal operating environment is consistently exactly as specified in
theURS.
It
now appears that the current FDA Guidance rules pertaining to 21 CFR Part 11 may be with us for a longer time
than was originally anticipated. So we have incorporated the guidance
suggestions in their latest guidance document, into our current Validation Risk
Assessment (now issue 10), which is now available for immediate download. This
VRA document now comes with a downloadable matrix
for registering the justification for all your Part 11 assessments as this is
now a mandatory requirement.
The Software User Requirements
Specification
(SURS) document should contain a written
definition of the software functions. This must define the functionallity that
the end user requires from the system. These requirements must
be set out in a manner that is none ambiguous, clear and easy to understand. Further to this the requirements must be grouped or worded in a manner that renders them testable and verifiable. It is not possible for computer validation to be properly executed without having predetermined and
documented software strong requirements to validate against. Typical software requirements specify the following:
Computer
Validation (CSV), must include the under listed tests / inspections, but is not
limited to them alone. The inclusion of the21 CFR Part 11,Applicability is deliberate. This allows the executor of the computer validation (CSV) protocols to clear this requirement by cross referencing the risk assessment reference number and stating Yes or No, to the applicability question. The regulator now does not
have to search further, he can see that requirements for 21 CFR Part 11 (and the latest official guidelines) have been considered and judged.
There is a degree of flexibility in deciding precisely at what stage in the validation process some of these test and inspections are executed. Where this flexibility exists the choice between theIQorOQorPQ, must be rationalized and documented
in the Validation Master Plan (VMP) or the Validation Plan
(VP).
In this
diagram it can readily be seen
that the URS, along with the VMP and the applicable company Practices
and Procedure documents, come together and are used to produce a Project Quality Plan (PQP). This can be vendor or
end user produced. This PQP must document the scope and intensity of
the QA and QC involvement in the design, build,
test, commissioning and validation of the proposed system. The PQP will
also specify the range of documentation that must be produced to enable the
regulatory compliant introduction and maintenance of the system into cGMP use.
Once this
documentation is produced, a complete package of validation documents will be
raised consisting of the DQ, IQ, OQ and PQ. The execution of these protocols must verify
that all the end user's requirements as specified in the URS are fully complied
with. Computer validation (CSV) activities are grouped in two colours
(orange and blue).The blue colour
is the requirement for standard computer validation (CSV).
The
regulators have further mandated
that all such software be identified as such - and subjected from concept to
actual use, to Full Life Cycle Validation (FLCV) requirements.This additional validation is
represented in the diagram in orange.
The
vendor therefore (be they in, or out, of house), must
produce a Quality Plan that ensures the software
development will follow a validation evolution similar to that shown in the diagram.Your actual diagram must be planned and
justified for the software
system that you are proposing.
Computer Biometric Standard Announced.
A new standard to increase the security of financial transactions over electronic media has been published by ISO. The new
standard, ISO 19092:2008, Financial services
– Biometrics – Security framework, establishes the security requirements for the implementation
and management of biometric identification
technology within the financial industry.
According to ISO 19092:2008 the sheer volume and value of
daily payments and other financial systems through telephone, wire services and other electronic communication mechanisms exposes the financial community and its customers to severe risks from accidental or deliberate alteration, substitution or destruction of data. With computer validation and biometrics being considered increasingly as a reliable means of identification ISO 19092:2008 describes the security framework for using
biometrics for authentication of individuals in financial
services. It introduces the types of biometric technologies and addresses issues concerning their
application.
Pervasive computing is the trend towards increasingly ubiquitous (another name for the
movement isubiquitous
computing),
connected computing devices in the environment, a trend being brought about by a
convergence of advanced electronic - and particularly,wireless-
technologies and the Internet. Pervasive
computing devices are not personal computers as we tend to think of
them, but very tiny - even invisible -
devices, either mobile or embedded in almost any type of object
imaginable, including cars,
tools,
appliances, clothing and various consumer goods - all communicating through increasingly interconnected networks. It is now generally purported that by 2011 computing will have become so naturalized within the environment that people will not even realize that they are using computers. Many researchers
expect that in the futuresmart
devices
all around us will maintain current information about their locations, the contexts in which they are being used, and relevant data about the users.
The
goal of researchers is to create a system that is pervasively
and unobtrusively embedded in the environment, completely connected, intuitive,
effortlessly portable, and constantly available. Among the emerging technologies
expected to prevail in the pervasive computer validation environment of the future arewearable computers,smart homes and smart buildings. Among the myriad of tools expected to support these are: application-specific integrated circuitry
(ASIC);speech recognition;gesture recognition; system on a chip (SoC); perceptiveinterfaces;smart matter;flexible transistors; reconfigurable processors; field
programmable logic gates (FPLG); and microelectromechanical systems
(MEMS).
This combination protocol has been produced in response to several
hundred reader suggestions we received in our ‘Suggestions Section’. It has been
carefully designed to make it the preferred choice for Process and Laboratory
stand-alone equipment. It is interactive, easy to use and suitable for all mixes
of equipment with and without software.
………………………………………
Computer User Requirements
Specification (Issue 5.) -- $115.00
The document that sets the standard, and specifies your computer
requirements in a manner that ensures when a system or piece of equipment is
selected, it will deliver the functions you want, it will have maintenance
standards, it will have calibration records, it will have all the documents and
records to enable successful validation to be completed. This document was
designed to be used as a live document up until the DQ is completed and
approved.
……………………………………………
Computer Validation Master Plan
(Issue 5.) -- $115.00
The Computer Validation Master Plan, is the starting point for
validation, and hence the most important validation document. It improves
validation efficiency greatly by forcing all concerned to document, review, and
discuss, the proposed methods and allotted responsibilities. It is an expected
document with the FDA, and a mandated document with the
EU.
This computer validation is suitable for all major validation
projects and contains the under-listed interactive documents. VMP, VP, URS, VRA,
DQ, IQ, OQ and PQ.
The complete chain of regulatory required documentation; for the
validation of a computer system, minus the VMP. This Validation Package contains
one of each of these documents: VP, URS, DQ, VRA, IQ, OQ,
PQ.
………………………………………
Computer Vendor Audit (Issue
3.) -- $87.00
This Computer Vendor Audit document should be customised using the
built in tools. The document can then be targeted to reflect your project
priorities. The fifteen chapters all contain 10 questions, the total scored is
then weighted to reflect your priorities. By assessing the importance of each of
the chapter subjects in your project, the weighting is altered taking points
from one and adding to others. This enables your assessment to be expressed
simple and clearly as a percentage, allowing clear unambiguous comparisons to be
presented for competing companies.
………………………………………
CSV Design Qualification (Issue
3.) -- $89.00
The Standard Operating Procedure attached to this generic computer
design qualification protocol, will chapter by chapter take you through the task
of raising a fully detailed protocol. The main body is split into fourteen
tables, each one probing the computer design requirements and standards for the
individual requirement. Practically all the requirements are in table form.
Allowing fast and clearly presented results to be
obtained.
Computer Installation Qualification (CIQ) is an important
step in the overall validation and qualification process for software and
computer systems. Our protocol leads you through the detailed
requirements.
Operational Qualification (OQ) is an important step in the overall
validation and qualification process for software and computer systems. Our
protocol leads you through the detailed requirements, progressively and
simply.
……………………………………….
CSV Validation Plan (Issue 3.)
-- $89.00
This document follows Validation Online's standard method of using
a fully detailed and interactive generic document and enabling to use the
attached SOP to quickly convert this generic document into a first class company
bespoke document. This CSV VP details and integrates all validation activities
and procedures required for a small to medium sized project, involving
production/facility/utility equipment using electronic controls or
monitoring.
The Computer Performance Qualification is the culmination of the
validation process. The protocol is used in conjunction with the system
operating SOP, to verify that the system process is consistent and correct. The
results of the testing must be recorder and reviewed with a view to ensuring
that the deviancies (within permitted tolerances) that exist are random and not
a trend that will lead to out of specification operation during production
use.