In recent years the industry has been moving towards the implementation of a risk based computer validation approach. This creates the challenge about how to implement a risk-based computer validation program.
This article will discuss ideas about how to implement a risk based approach computer validation program.
WHAT IS NEEDED TO IMPLEMENT A RISK BASED COMPUTER VALIDATION PROGRAM?
One critical component is to have a document hierarchy that enables a risk-based approach.
The document hierarchy requires the following:
- Validation Policy
- Computer Validation Standard
- Computer Validation Procedures
The validation policy is a high-level document describing the requirements for a risk-based validation program. The validation standard is a document that describes the specific requirements for the risk-based computer validation program. The computer validation procedure is a document that describes the specific steps to validate computer systems based on their level of risk. The procedure translates standard requirements into “how to” actions that promote a risk-based approach.
Challenges Impacting a Risk Based Approach
The biggest challenge related to the implementation of a computer validation risk- based approach is a very conservative quality unit’s over interpretation of regulatory requirements. Poor or very vague understanding of what is really a high risk normally results on a negative impact during the implementation of a risk-based approach. Conservative and subjective assumptions about regulatory expectations during a future audit normally create an environment of fear that has a negative impact on risk-based approach. The lack of appropriate qualification in quality is another challenge that affects the ability to implement a risk-based approach. To overcome these challenges companies need to ensure accurate and objective interpretations of regulatory requirements. Qualifications of the quality unit supporting computer validation are critical and should include the following:
- Technical skills
- Accurate and pragmatic understanding of regulatory requirements
- Computer validation background and skills
Risk assessments are a critical activity needed to enable a risk-based computer validation approach. The following risk assessments are needed:
- System-Level Risk Assessment
- Requirement Risk Assessment
The system-level risk assessment is intended to determine whether the system is high, medium, or low risk. This assessment should determine the system risk impact to the following:
- Product Quality
- Patient Safety
- Business Process
The system-level risk assessment is an input to the risk-based computer validation strategy. The outcome of the system-level risk assessment should support a risk-based validation approach.
The outcome of the system-level risk assessment should enable the following approach:
- High-risk systems should require a more stringent validation effort
- Medium-risk systems should require a less stringent approach than high risk systems
- Low-risk systems should require a much less stringent approach than medium risk systems
Procedures should clearly describe the required validation deliverables for each risk level. High-risk systems should have more testing and validation deliverables. Medium or low-risk systems should require less testing of non-critical, low-risk requirements. For medium or low-risk systems procedures should allow combining documents and integrating validation activities.
Requirements risk assessments are intended determine whether individual requirements are high, medium or low risk. The requirements risk assessment should assess the risk impact to the following:
- Product Quality
- Patient Safety
The outcome of these risk assessments is one key component for risk-based computer validation.
High-risk systems should require testing all high and medium-risk requirements. High-risk systems should require testing a sampling of low-risk requirements. Medium-risk requirements should require testing all high- risk requirements with a sampling of critical medium and low-risk requirements. Low-risk systems should require testing only critical high-risk requirements and sampling medium requirements.
These risk assessments will facilitate an objective risk-based computer validation approach. The output of these assessments is critical to the validation strategy.
Validation Protocols and Summary Reports
In a risk-based computer validation approach protocols should be integrated and combined to reduce the volume of documents. Protocols approvers should be reduced to two, including the system owner and quality. In a risk-based approach not all validation activities should require a complex large protocol when the qualification can be executed in a test script. The decision between a test script and protocol should be based on the complexity of the system or change. Protocol should be used for large system implementations and complex changes. Routine validation activities in support of change control can be done using pre-approved test scripts.
Pre-approved test scripts can be implemented by creating a procedure that describes the lifecycle of these documents. The procedure should describe the process and controls for creating, revising, and executing pre-approved test scripts. The pre-approved test scripts should be approved individually at the time of creation or revision to the document. For execution, the pre-approved test script can be printed and executed for post-approval. Pre-approved test scripts should include installation and functional verification scripts. Pre-approved test scripts can be created by leveraging existing protocols and from user requirements specifications. Pre-approved test scripts can be created to support repetitive qualification activities. The following examples of pre-approved test scripts should be considered:
- Security verification
- Recipe verification
- Audit trail verification
- Parameter verification
- P&ID verification
- Loop check verification
In a risk-based approach, protocols for routine validation activities can have a summary page integrated into the protocol instead of a report. The summary page should summarize the protocol execution and closed deviations and be approved with the protocol. The summary page should provide a statement on whether the protocol met all the acceptance criteria. For large projects, a summary report should be created.
Paperless validation systems are a great tool for enabling a computer validation risk-based approach. These systems eliminate paper validation documentation and system specifications. Paperless validation systems integrate electronic deviations to protocols and the creation of a traceability matrix with electronic protocols. These systems enable electronic review and approval of protocols and system specifications and electronic execution of validation protocols. Paperless validation systems automate and manage the entire validation life cycle and provide real time validation status of any system and metrics.
These systems expedite the validation process and remove the inefficiencies that plague paper-based processes. Paperless validation systems provide a holistic view of project status and validation deliverables for internal and external auditors with real time status. The benefits of implementing a paperless validation system are the following:
- Significant cycle time reduction
- Significant error reduction
- Enables faster release of equipment to support GMP operations
- Return of investment of less than 12 months
In order to implement a computer validation risk-based program, an appropriate document hierarchy is needed. Validation policies, standards, and procedures must be created or revised to enable a risk-based approach. System level and requirements risk assessments are a critical component of a risk-based approach for computer validation. Pre-approved test scripts along with simple and integrated summary reports also enable a risk-based approach. Paperless validation systems are a very efficient and compliant electronic tool that should be part of the implementation of a risk-based approach for computer validation.