With the ever-evolving advancements of computerised systems and their involvements in the pharmaceutical, medical device, biotechnology and clinical trial industries, it is more critical than ever to ensure that these systems are appropriately assessed, validated and controlled. This is essential to safeguard the ensuing data integrity, product quality and ultimately patient safety. Given the highly regulated nature of these sectors, regulators require that GxP computerised systems demonstrate a consistent level of control, GxP compliance and fitness for intended use throughout the entire system lifecycle – from development to decommissioning. Computer Software Assurance (CSA) offers a smarter, risk-based, alternative approach to achieving Computer Systems Validation (CSV), allowing organisations to gain confidence and compliance and in a more effective, flexible and efficient way.
A computerised system is considered GxP relevant when it has a direct or an indirect intended use for supporting GxP regulated activities (including but not limiting to, manufacturing, inventory control, laboratory operations, distribution, or quality systems) within a regulated environment. Organisations are required to validate all of their GxP relevant computerised systems to ensure data integrity and the ensuing product quality and patient safety.
Despite the availability of ample guidance on conducting CSV over the years, the practical application of CSV by regulated organisations and software suppliers often lack maturity and focus in validating GxP computerised systems in real life scenarios. Typically, CSV describes a traditional step-by-step approach of validating computerised systems by testing and documenting all aspects of the software lifecycle, independent of the associated risk levels. This leads to an extensive validation exercise requiring a great deal of time and resources for performing validation testing across the board and creating comprehensive validation documents at every stage.
ISPE GAMP5 Guidance on Compliant GxP Computerized Systems – 2nd Edition advocates a more modern, lean and agile CSA approach to validating GxP computerised systems by utilising critical thinking, vendor collaboration, risk-based decisions and critical testing. Now, let’s break this down into simpler terms:
The CSA approach enables collaborating with software developers and leveraging on their knowledge and expertise rather than starting to explore and authenticate the software from scratch. This could be achieved by initially performing appropriate supplier qualification activities to build the level of confidence required to source the software and eventually form an ongoing relationship with the developer. This allows the validation exercise to be planned by leveraging on the developer’s design-level activities, validation efforts and documented evidence – minimising the need to duplicate the same activities.
The CSA approach drives organisations to use critical thinking, specifically to use the knowledge and experience of the SMEs in the relevant business process to identify the potential risks or pitfalls and critical aspects in implementing and incorporating the software into the business process. As such, when critical thinking and practicality is applied from a real-life perspective, it is highly likely that the validation exercise may be justified to require less overall testing of base software functionality and more risk-based, targeted testing on high-risk, critical aspects. This essentially means that successful validation of a computerised system does not depend solely on the amount of testing performed, but it does depend on performing the right level of testing for the organisation’s use of the system.
ISPE GAMP5 Guidance on Compliant GxP Computerized Systems – 2nd Edition has established a great framework to support the risk-based approach to validating GxP computerised systems, where they are evaluated and assigned a GAMP5 category based on the system novelty, complexity and the criticality of intended use. This risk-based GAMP5 category is used to determine the extent and rigour of the validation effort that is required from a CSA approach, so as to establish confidence and GxP compliance in the system.
Accordingly, on one end of the spectrum, the validation approach of a less complex, standard, commercial system, such as a simple Software as a Service or cloud-based application, will include a justification and reference to developer documentation, defining a user and functional requirements, and conducting user acceptance testing, based on the associated risk-levels of the requirements. On the other end of the spectrum, the validation approach of a complex, critical impacting, customised system will include a much broader validation approach, involving developer qualification followed by review of lifecycle documentation, design specification, integration testing, code review activities in addition to defining user and functional requirements specification and conducting system testing and user acceptance testing based on the associated risk-levels of the requirements.
This highlights how the CSA approach encourages a tailored validation strategy for each computerised system – based on its nature, intended use and associated risks. In contrast, the traditional ‘one-size-fit-all’ CSV approach often applies testing and documenting to all aspects of a system, which may dilute focus and potentially overlook high-risk aspects.
The CSA approach focuses on generating value adding validation documentation, rather than producing volumes of paperwork. Documentation developed under CSA will be tailored to the criticality of the system and the intended use, ensuring that the validation efforts are focused on what matters the most - data integrity, product quality and patient safety. Wherever possible, multiple activities will be consolidated into a single document allowing efficiency, traceability and clarity. For example, user and functional requirement specifications and the associated risk assessments may be combined into one integrated document. Unlike the traditional CSV approach, which often results in excessive, checklist-driven validation documents, CSA promotes a more meaningful and proportionate documentation strategy, enabling clearer evidence of assurance and more efficient validation efforts. The outcome will be a leaner, more focused and meaningful validation documentation that effectively meets regulatory expectations and GxP compliance.
By shifting the focus from producing extensive validation documentation to conducting tailored, risk-based and targeted validation activities, supported by just enough documentation evidence, CSA empowers organisations to validate smarter - not harder. This approach provides both organisations and the regulators with the assurance and confidence that the system can perform reliably, consistently and accurately while maintaining GxP compliance. That’s the difference between traditional CSV and CSA – a smarter approach to validation compliance.
SeerPharma has successfully used the CSA approach in validating a wide range of GxP computerised systems in the industry and is helping organisations to move towards the CSA approach in their Computer Systems Management strategy.
Contact Us to discuss your GxP computerised system needs and how we might be able to help.