This post was recently updated on September 19, 2018

Computer system and software validation is about the patients and the products we make for the patients. As consumers we want to trust that our medicine, medical devices, instruments our doctors use, and so forth, work the way we expect them to work.

There are product recalls for so many things – product recalls for food, toys, and even vehicle airbags. And when a doctor administers a mislabeled drug to a child using the adult dosage, bad things could happen. There have been many unfortunate instances where products have failed, causing great harm to patients. Therefore, regulatory agencies around the world require validation of computer systems and software.

Computer System Validation is required for companies that perform any of these activities:

• Designing, developing, running clinical trials
• Manufacturing, packaging, and labeling
• Storing and distributing
• Installing and servicing (i.e., diagnostic equipment)

Products requiring validation:

• Pharmaceuticals – drugs used to diagnose, cure, prevent or treat disease. Medicines (medications, medicinal products, medicaments)
• Biologicals – product made from any virus, therapeutic serum, toxin, antitoxin used for prevention, treatment or cure of diseases or injuries (i.e., vaccines)
• Human cell and tissue products – products containing or consisting of human cells or tissues that are intended for implantation, transplantation, infusion, or transfer into a human recipient (i.e., bones, skin, heart valves, corneas)
• Medical devices – an instrument, apparatus, implant, in vitro reagent, or similar that is used to diagnose, prevent, or treat disease. Examples include tongue depressors, medical thermometers, diagnostic systems, medical lasers, surgical implants, prosthetics, etc.
• Infant formula

Who says that you must validate your computer systems?

Validation is not just a US FDA requirement. It is a regulatory requirement in most industrialized nations and a standard expectation around the world.

Let’s look at regulations from around the world so you can see how consistent this requirement is from country to country.

CSV Regulatory Requirements in the United States

In the United States, the FDA code of regulations requires validation. Specifically, 21 CFR 11 requires validation to all FDA regulated industries. Also, 21 CFR 820 applies to Medical Device makers, requiring validation of software within medical devices, and validation of software and systems used in making devices and managing the quality programs associated with making devices

Other notable FDA regulations include 21 CFR 211 and 21 CFR 1271. Part 211 applies pharmaceutical manufacturers. It does not use the term ‘validation’ specifically, but the FDA has enforced validation for pharma via Warning Letters. It applies to Biological Products, Blood Products, and Cell/Tissue Products. Part 1271 also requires validation, applying to companies that produce cell and tissue products.

Infant formula companies must comply with 21 CFR 106. It contains the same verification terminology as the Pharma regulation, but it also specifies that companies need to validate their systems. Additionally, Part 106 requires infant formula companies to revalidate upon modification.

CSV Regulatory Requirements in Europe

For countries that are a part of the European Union, validation is required for the software used in medical devices. The EU also requires validation for the systems used by makers of medicinal products. To review the related regulatory documents, look at EudraLex Volume 4 on Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use; specifically Annex 11 on Computerised Systems.

Validation Requirements outside of the US and EU

In Brazil, the ANVS Good Practices of Medicament Manufacturing states that validation is required. And in the Japan, their Guideline on Management of Computerized Systems for Marketing Authorization Holders and Manufacturers of Drugs and Quasi-drugs requires validation.

Another governing body, the International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use, otherwise known as ICH, has guidelines that have been adopted as law in several countries. The US FDA uses ICH as guidance for their regulations and guidelines. You may want to review ICH Q7A (active pharmaceutical ingredients manufacturers) and ICH E6 (good clinical practice) – both state validation is required.

PIC/S, the Pharmaceutical Inspection Co-operation Scheme (PIC Scheme), has an impact on common inspection standards around the world. They work to harmonize inspection standards and improve cooperation in GMP between regulatory authorities and the pharma industry. PIC/S shares many standards with ICH. In 2016 they had 46 member countries and 7 countries in the member application process. Non-member countries also use PIC/S standards. Example documentation includes PE 005 for Blood Establishments, PE 009 for Medicinal Products Manufacturing and PE 011 for Good Distribution Practice for Medicinal Products. PIC/S guideline PI 011 for Computerized Systems states that validating a system after it has been put into use (aka retrospective validation) is not an option.

Lastly, the World Health Organization (WHO) is also a directing and coordinating authority for health within the United Nations system. Documentation requiring validation can be found in the Specifications for Pharmaceutical Preparations as well as the GMP for Pharmaceutical Products.

Four Reasons Why Regulators Require Validation

I mentioned in the beginning of this post that validation is about the patients and the products we make for the patients. It’s important to understand why regulators require computer system and software validation. So here are the key reasons along with a few examples of each.

1. Safety – Do no harm

• Software in a medical device to treat an illness can’t fail to dispense the correct treatment
• Lab software needs to correctly detect and measure impurities
• Complaints systems need to correctly analyze trends in product quality

2. Effectiveness – Do some good

• Diagnostic software intended to detect an illness can’t fail to detect
• Lab software needs to correctly detect the potency (strength) of the product
• Clinical trial systems records need to correctly reflect patient data from before or after treatment

3. Accuracy – The data must be correct

• Software that controls a medical imaging system can’t mix up records between patients
• Distribution systems records need to be accurate regarding what went where to enable recalls
• Blood management software needs to correctly identify the blood type

4. Integrity – It needs to be transparent who authored, changed or deleted data

• Software needs to prevent and allow detection of data falsification (i.e., prevent deletion of lab tests, enable audit trails to allow review of changes)
• FDA inspections require this

What happens if you don’t follow the regulatory requirements?

Regulatory agencies have several enforcement actions at their disposal to punish companies who are out of compliance with the regulations.

• Warning Letter – the most common tool; usually issued after an inspection resulting in a 483, and then an unsatisfactory response
• Injunction – civil action to prevent production or distribution of the product
• Product seizure – happens when the FDA believes that a company is likely to distribute adulterated or misbranded product
• Import restrictions
• Clinical hold
• Delay in approval of new products or facilities
• Consent decree
• Rejection of application data – often occurs for clinical trials
• Disqualification of clinical investigators
• Debarment
• Criminal prosecution

Between 2013 and 2015, the FDA has issued over 200 Warning Letter citations for software and computer system issues. Nearly 1/3 of these were for validation issues. Furthermore, most of the validation issues were for simply failing to validate the software or computer system. To see the latest Warning Letters, visit our Document Library.

While regulatory inspections could happen infrequently at your organization, you might face customer audits in which failure to comply could lead to a lack of business from that customer. Computer System Validation is something to take seriously as there is a lot at stake for the future of your product and company.

  Read More Posts About: Computer System Validation