One of the biggest challenges some companies have is the validation of legacy computer systems.
As validation requirements and expectations change over the years, companies struggle with the strategy for validating legacy computer systems.
Validation planning for legacy computer systems can be challenging for some companies due to the lack of an adequate strategy and planning.
This article will discuss and provide guidance about how to create a validation plan for legacy systems.
INPUTS TO A VALIDATION PLAN FOR LEGACY SYSTEMS
In order to create a validation plan for legacy computer systems we need to understand the inputs that will enable the creation of the plan.
The following inputs must be considered when creating a validation plan for legacy computer systems:
- Applicable Regulatory Requirements
- Company Global Standards
- Current Applicable Procedures
- Industry Standards
- Industry and Regulatory Guidance
All these inputs are critical and needed during the creation of a validation plan for legacy computer systems.
Understanding applicable regulatory requirements is critical during the development of a validation plan for legacy systems. Applicable regulatory requirements such as Annex 11 or Part 11 need to be clearly understood and used as a key input to the validation plan. The applicable regulatory requirements are also a key input to the creation or revision of company global standards and applicable procedures.
The validation plan for legacy computer systems must consider the following regulatory requirements:
- 21 CFR Part 11 Electronic Records Electronic Signatures
- Annex 11: Computerised Systems
- ICH Q7 Computer Systems Section
The ideal approach is to use the applicable regulatory requirements as an input to the global standards and procedures. This approach will ensure alignment with current regulatory requirements at the program level. It prevents a situation in which some systems are aligned with current regulatory requirements while the standards and procedures are not in compliance. In this approach the aligned global standards and procedures are used to assess compliance.
COMPUTER SYSTEM VALIDATION GLOBAL STANDARD
The computer validation global standard needs to be created based on the applicable regulatory requirements. The global standard will define the requirements for the company's computer validation program. The standard should translate the applicable regulations into requirement statements. The standard's requirement statements should be high level but must ensure compliance and alignment with the applicable regulatory requirements.
The global computer validation standard should include the following lifecycle requirements:
- Requirements Definition
- Design and Coding
- Development testing (Cat 5)
- Qualification activities
- Validation reporting
- Operation & Maintenance
The global standard is the foundation for assessing the procedures and legacy systems against the new requirements.
LEGACY SYSTEMS GAP ASSESSMENTS
Prior to performing system gap assessments, the computer validation procedure needs to be assessed against the requirements of the global standard. During the procedure assessment, identified gaps should be documented as corrective actions in the CAPA quality system. Opening CAPAs for each identified gap will provide adequate tracking and closure in a quality system. The computer validation procedure needs to be revised to address each gap to ensure alignment with the global standard requirements.
Legacy systems gap assessments need to be performed against the revised computer validation procedure. During the system assessments, gaps will be identified against the procedure requirements. All gaps identified against the procedure requirements need to be documented and tracked in the CAPA quality system. During the assessment process, procedural and potentially technical control gaps will be identified. The outcome of the gap assessments will be an input to the legacy system validation plan.
The results of the gap assessments should be summarized in a summary report that provides the following information:
- Number of gaps found during the assessment
- Gap summary
- Remediation activities
- Due dates
LEGACY SYSTEMS VALIDATION PLAN
The legacy system validation plan must be based on all the gaps identified during the assessment. One validation plan can be created for all systems that have identified gaps. When the volume of systems is high, more than one validation plan should be created, and the plans can be based on functional areas such as Quality Control, Information Technology, and Automation.
The validation plan must identify and document all activities needed to bring legacy systems into compliance with the global standard and procedure requirements. The validation plan should be approved by the impacted system owner and quality.
The Validation Plan must provide the following information:
- Purpose and Scope
- Roles and Responsibilities
- Impacted Legacy Systems
- Validation Strategy and Remediation
- Acceptance criteria
TYPICAL LEGACY SYSTEMS GAPS
Legacy systems gaps will vary based on the age of the system and the company's lack of alignment with current regulatory requirements. Older legacy systems tend to have the highest number of gaps, and these normally include technical controls related to data integrity and security. Procedural control gaps are also found in legacy systems; these normally include Annex 11 requirements such as audit trails and user access reviews.
The following legacy systems gaps can be found during the assessments:
- URS document was not created
- Traceability matrix was not created
- Qualification testing not adequate
- No IQ, OQ, or PQ
- Validation Plan was not created
- No Part 11 testing
- Validation summary report not created
- No data integrity testing
Gaps identified during the gap assessment require remediation to bring the system into compliance with current expectations.
LEGACY SYSTEMS GAP REMEDIATION
Legacy systems URS documents need to be created based on the current use of the system. Creating the URS for legacy systems requires support from the system owner and users. The legacy system URS should be based on all the functions used by the users, and it should include Annex 11 and Part 11 requirements, which include data integrity.
The following points should be considered during the creation of a legacy system URS document:
- Create a list of all available system functions
- Identify all functions currently used
- Translate into user requirements statements all functions used in the system
- Document the business process or workflow
- Translate the workflow into user requirements statements
- Identify applicable Annex 11 and Part 11 requirements
  - Closed system
  - Audit trails
- Translate applicable Annex 11 and Part 11 requirements into URS statements
Once the requirements are created they can be used for the qualification process. OQ protocols can be created from user requirements. PQ protocols can be created from the business process or workflow requirements. The traceability matrix can then be created by mapping the requirements to the testing found in the OQ and PQ protocols.
The validation of legacy systems can be very challenging. Performing gap assessments against current regulatory requirements and industry guidance provides objectivity about the areas that need remediation and alignment.
The gaps identified during the assessment provide input to the strategy that needs to be documented in the legacy system validation plan.
The validation plan will provide the strategy and roadmap for the qualification of legacy systems.