What's the Problem?
Validating computer systems is unavoidable. Here's how to pass FDA inspections while minimizing validation time and cost
January 12, 2004
By Bob Violino
| Mention computer-system
validation to a technology or compliance manager, and you're likely to hear a groan. Consider the following rule from Title 21 of the Code of Federal Regulations (CFR): "When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented."
Such rules can be daunting, and one of the most vexing components of the regulations is the validation of computer systems to ensure the accuracy, reliability, and consistent performance of applications and automated processes.
In addition, the FDA initiated Part 11 of the CFR so that it could accept electronic records and signatures instead of paper records and handwritten signatures. The law is designed to ensure that electronic records and signatures are trustworthy and compatible with FDA procedures. The agency issued new guidelines on CFR Part 11 last September intended to give companies more flexibility about what needs to be validated.
"The approach before was for companies to attempt to validate everything; it was causing lot of confusion and angst in the industry," says Joseph Famulare, the FDA's director of the Division of Manufacturing and Product Quality, part of the Center for Drug Evaluation and Research (CDER). "We're trying to narrow the scope of [validation] so that companies are not applying it to everything under the sun."
|Tips for Validation Success
1 Create a clearly defined and comprehensive strategy or methodology for accomplishing initial and ongoing validation, including a determination of which systems need to be validated.
2 Form project teams that understand how to accomplish validation and can communicate strategies and progress to the entire organization.
3 Hire outside consulting experts to help with validation as needed.
4 Articulate validation's business value to senior managers so they're more willing to provide sufficient funding.
5 Assure that once validated, existing systems remain validated as required by the FDA.
For example, Famulare says, many companies have asked the FDA if they must validate applications such as word processing programs. "We've seen over time that Part 11 has become over-burdensome to some companies that are trying to validate all types of things," he says.
According to Famulare, the FDA recommends that companies base systems validation on documented risk assessment and a determination of the system's potential to affect product quality and safety and records integrity. "Companies will have to evaluate what records they have and what's needed in terms of the criticality of those records," he says. "What do they represent?"
For many businesses, validation and compliance in general is likely to be complex and costly. Pharmaceutical Research and Manufacturers of America, a trade organization that represents research-based pharmaceutical and biotechnology companies, has estimated aggregate costs of full compliance at more than $2 billion for the pharmaceutical industry alone.
That figure doesn't take into account the latest guidelines issued by the FDA in September, and the organization isn't sure what the impact will be, says Alan Goldhammer, associate vice president for regulatory affairs. "With the new FDA documents this is still in a state of flux," Goldhammer says. "People [in the industry] are favorably disposed to the new approach, but it's very difficult to quantify this kind of information."
It's also difficult to estimate how much of the cost of compliance will be for systems validation, Goldhammer says. It's a balancing act between underspending — and risking FDA fines for violations — and overspending on validation efforts.
"We see a lot of situations where companies either underkill or overkill on this," says Jim Bradburn, principal consultant in the regulatory compliance practice at IBM Life Sciences.
Many companies have vague, general policies stating requirements without clearly delineating strategies or processes for accomplishing both initial and ongoing validation, Bradburn says. Project teams often have varying degrees of understanding of how to accomplish validation. Another common problem is that the cost of validation is usually not appreciated as having business value, leading to reluctance to fund adequate efforts.
Companies must develop a comprehensive methodology to ensure they perform successful inspections while minimizing validation time and cost, Bradburn says. The methodology, similar to the best practices that many IT departments have been establishing to increase efficiency, should:
· Ensure that every system that requires validation is validated
· Define the proper level of attention paid to critical systems without being excessive
· Provide techniques to rapidly and effectively accomplish the tasks of validation
· Ensure that the validation is defendable
· Ensure that once validated, every system remains in a constant "state of validation"
Bradburn says the methodology should include definitions of the boundaries of systems. It should also include a determination of system risk based on a prescribed, rational process; selection and sizing the tasks to meet the defined level of system risk; and best practices and guidance for how to determine the appropriate level of specifications, procedures, and record-keeping detail that is really necessary and valuable.
Companies should create a project team that has an understanding of how to accomplish validation and to ensure that the methodology is followed, Bradburn adds.
The Reason Is Quality
Dozens of vendors now offer software and consulting to help organizations with validation. Ross Systems, one such company, helps life science organizations with workflow, document management, quality assurance, and other compliance functions. Its Validator suite provides tools that companies can use to make sure they're in compliance with FDA rules. There is huge demand from firms struggling with validation, reports chief technology officer Eric Musser.
"Validation is critical for their success," Musser says. "A lot of companies have validated paper-based systems, but they also have electronic records and they need to validate those systems as they become the systems of record." Businesses should keep in mind there are even more significant benefits to validation, Musser notes.
"Don't lose sight of the endgame, which is good manufacturing practice," Musser advises. "The reason behind all this is quality. Companies shouldn't be focused on the penalties, but on the benefits."
Acom, which offers CFR Part 11 consulting services including assessments, remediation, training, and validation planning and execution, also emphasizes the potential gains from validation efforts.
Companies know they have to be compliant with the FDA rules, but they also are aiming to achieve improvements in business processes and security platforms, says Greg Moore, chief technology officer at Acom. Among these improvements, he says, are the application of standards where they are currently lacking, implementation of data access controls, and the creation of documentation about employees' access and use of data, systems backup, records retention, and information security.
Still, many life science organizations struggle with validation, as well as other aspects of FDA rules, mainly from a lack of understanding of what's required, Moore says. The fact that the FDA has "rethought its initial approach to Part 11" and made changes in its documentation "again has caused some level of ambiguity," Moore adds.
Acom, through its Computer Systems Validation practice, helps clients clarify what they need to do based on the systems they have in place and on their use of specific electronic documents.
Clinilabs, a New York-based clinical trials company that studies and treats sleep disorders, launched its CFR Part 11 compliance efforts in 2002 and is using Acom's services for systems validation. The company has had to ensure that it is compliant as it shifts from a paper-based method to electronic transfer of research data to and from its facility, says Moshe Reitman, Clinilabs' director of operations.
Reitman says Clinilabs could not handle compliance without the help of an expert to point out which systems need to be validated, and to what extent.
"Becoming compliant and validating our systems could bankrupt us if we did it the same way that Pfizer or Johnson & Johnson did it," Reitman says. Acom is providing "an extremely robust set of procedures," he reports. "We're a small company and we've spent over $100,000 [on compliance], and that will probably double" before the effort is complete.
Wanted: More Risk Analysis
Some pharmas have developed their own in-house validation team to help facilitate the process. Idec Pharmaceuticals validated systems in its clinical manufacturing facility under the guidance of its own internal experts, who set policy and procedures.
"Knowing how much is enough validation is a big issue in the biotech arena," says David Wilkinson, IT manager for manufacturing systems at Idec.
"We've traditionally taken a very conservative approach to validation," Wilkinson says. "Moving forward, one thing we'd look at more is using risk-based analysis, where we assess a variety of good practices-related system-risk scenarios and, based on those, make a decision on how much validation is required."
Bob Violino is a writer and editor based in Massapequa Park, N.Y. He may be reached at firstname.lastname@example.org.
ILLUSTRATIONS BY LARRY GOODE
Systematize Your Regulatory Info!