Computer system and software validation is about the patients and the products we make for the patients. As consumers we want to trust that our medicine, medical devices, instruments our doctors use, and so forth, work the way we expect them to work.
There are product recalls for so many things – product recalls for food, toys, and even vehicle airbags. And when a doctor administers a mislabeled drug to a child using the adult dosage, bad things could happen. There have been many unfortunate instances where products have failed, causing great harm to patients. Therefore, regulatory agencies around the world require validation of computer systems and software.
Validation is not just a US FDA requirement. It is a regulatory requirement in most industrialized nations and a standard expectation around the world.
Let’s look at regulations from around the world so you can see how consistent this requirement is from country to country.
In the United States, the FDA code of regulations requires validation. Specifically, 21 CFR 11 requires validation to all FDA regulated industries. Also, 21 CFR 820 applies to Medical Device makers, requiring validation of software within medical devices, and validation of software and systems used in making devices and managing the quality programs associated with making devices
Other notable FDA regulations include 21 CFR 211 and 21 CFR 1271. Part 211 applies pharmaceutical manufacturers. It does not use the term ‘validation’ specifically, but the FDA has enforced validation for pharma via Warning Letters. It applies to Biological Products, Blood Products, and Cell/Tissue Products. Part 1271 also requires validation, applying to companies that produce cell and tissue products.
Infant formula companies must comply with 21 CFR 106. It contains the same verification terminology as the Pharma regulation, but it also specifies that companies need to validate their systems. Additionally, Part 106 requires infant formula companies to revalidate upon modification.
For countries that are a part of the European Union, validation is required for the software used in medical devices. The EU also requires validation for the systems used by makers of medicinal products. To review the related regulatory documents, look at EudraLex Volume 4 on Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use; specifically Annex 11 on Computerised Systems.
In Brazil, the ANVS Good Practices of Medicament Manufacturing states that validation is required. And in the Japan, their Guideline on Management of Computerized Systems for Marketing Authorization Holders and Manufacturers of Drugs and Quasi-drugs requires validation.
Another governing body, the International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use, otherwise known as ICH, has guidelines that have been adopted as law in several countries. The US FDA uses ICH as guidance for their regulations and guidelines. You may want to review ICH Q7A (active pharmaceutical ingredients manufacturers) and ICH E6 (good clinical practice) – both state validation is required.
PIC/S, the Pharmaceutical Inspection Co-operation Scheme (PIC Scheme), has an impact on common inspection standards around the world. They work to harmonize inspection standards and improve cooperation in GMP between regulatory authorities and the pharma industry. PIC/S shares many standards with ICH. In 2016 they had 46 member countries and 7 countries in the member application process. Non-member countries also use PIC/S standards. Example documentation includes PE 005 for Blood Establishments, PE 009 for Medicinal Products Manufacturing and PE 011 for Good Distribution Practice for Medicinal Products. PIC/S guideline PI 011 for Computerized Systems states that validating a system after it has been put into use (aka retrospective validation) is not an option.
Lastly, the World Health Organization (WHO) is also a directing and coordinating authority for health within the United Nations system. Documentation requiring validation can be found in the Specifications for Pharmaceutical Preparations as well as the GMP for Pharmaceutical Products.
I mentioned in the beginning of this post that validation is about the patients and the products we make for the patients. It’s important to understand why regulators require computer system and software validation. So here are the key reasons along with a few examples of each.
Regulatory agencies have several enforcement actions at their disposal to punish companies who are out of compliance with the regulations.
Between 2013 and 2015, the FDA has issued over 200 Warning Letter citations for software and computer system issues. Nearly 1/3 of these were for validation issues. Furthermore, most of the validation issues were for simply failing to validate the software or computer system.
While regulatory inspections could happen infrequently at your organization, you might face customer audits in which failure to comply could lead to a lack of business from that customer. Computer System Validation is something to take seriously as there is a lot at stake for the future of your product and company.