What is
Computerized system and why Computerized System Validation required:-
In the era of automization, everything is depended on
computerized technology. To find out erroneous free result, to avoid long
taking time, to reduce manpower, to avoid manual write-up, to avoid arrangement
of hard documents, to avoid any loss of paper, to avoid any entry missing, to find
out immediate search availability etc. the Industry is going to depended on automization.
The meaning of automization is activity to be performed
by Instrument/ Equipment with help of Computer. Respective Instrument/
Equipment/ Machine is controlled through a well-designed software. The software
installed on a separate workstation (Computer) or inbuilt CPU. The activity is
done by Instrument/ Equipment/ Machine through predefined program or sequences
of Instructions. After completion of activity, results or output generated.
In case of documentation activity, designed software follows
the Instructions and generates electronic documents. Respective electronic
documents can be used in hybrid form. The meaning of hybrid is combination of
hard and soft copies.
Computerized
System: - The
computerized system are a device which generates electronic records and these
records can be create, modify, archive, backup, restored, shared, signed with
the help of relevant software by given program or set of instructions.
In pharmaceutical Industry nothing allowed to use
without qualify/ validate for manufacturing or testing of drug component.
Hence, before introduction of these computerized systems in premises a complete
strategy to be defined from before procurement to retire of these systems i.e.
complete life cycle.
The GAMP-5 provides a
detailed methodology to handle life cycle of computerized systems. According to
GAMP-5 the computerized systems are classified in 4 categories based on their
buildup strategy and configuration. Below are the different categories which
are classified by GAMP-5:-
Category-1: Infrastructure
Software: These software/ elements are designed in such a way as
they can linked together and create an Infrastructure and work as a supporting
environment i.e. Servers, Internet etc. for proper operation of main
functioning software. For example: IT infrastructure, Server, network
monitoring software, operating systems, security control system, Antivirus etc.
Category-3:
Non-configure software: In this category standard software comes. These types
of software are designed for all customers by using same configuration. No any
additional changes or configuration can be done after release of version.
Category-4: Configured software: In this category such type of software designed as they can be configured later according to customer requirements. In this type of application different configurations are available at time of software design and same package are released. As per customer requirements after release the software the required configuration can be enabled and can be used. For example: SAP, LIMS, Chromeleon, Labsolution, Empower software are best example of Category-4 software.
Category-5:
Custom build application: In this category such type of software/application
designed they can be customer specific only. In this category same application
can be different for individual organization. A special script required for
programing to build this type of application and these scripts are customer
specific.
There is slight difference in each category software
and based on design pattern these software are classified in above mentioned
category. And based on their classified category the validation strategy will
be changed. Hence it is most important to understand proper differentiation
between all categories of GAMP-5.
When any pharmaceutical unit thinks to introduce new
computerized system then below activity need to follow:
Change Control Procedure: The change control should be initiated for
introduction of new computerized system. The CSV team will define a paper plan
and accordingly action item will mention in change request along with time line
to complete the task within stipulated time line.
The first step is preparation of URS (User Requirement
Specification) hence we can also initiate one change request only for
preparation of URS and selection of vendor. If any vendor finalized to fulfill
our requirements then another change request can be initiated to complete the
further activity. Because of sometime long time elapse for selection of vendor
or design such type of application who fulfill the requirements hence it would
be better the second option for initiation of change request.
Preparation of URS (User Requirement Specification): URS is a documented specification which contains all
the basic requirements i.e. Design, operation, functionality, service relevant,
risk reducing, comply regulatory requirements, IT infrastructure as vendor can
easily understand what actually
requirements of customer.
In URS some points will be mandatory and some points
will be non-mandatory as they can be optional.
Selection of Vendor: After finalization of URS, same should be send to
multiple vendors and collect information regarding vendor background, their compatibility;
from how much time he provides the service, which vendor committed to fulfill
the all required or maximum required points of URS. In case of system breakdown
which type of service he will provide and what will be strategy to resolve the
breakdown. Is vendor certified with regulatory agencies or meet the
regulatory requirements.
Based on provided data or information from vendor,
shortlist the suitable vendor. If required vendor audit can be performed. The
vendor audit can be done onsite or postal audit. Based on vendor response,
vendor audit, vendor assessment a suitable vendor can be finalized who will
provide respective computerized system.
GxP Assessment: After finalization of URS and selection of vendor it
is most important to understand as respective system will classify in which
type of either GxP or Non-GxP system. Based on GxP and non-GxP computerized
system their validation strategy will change.
For non-GxP systems, very short steps required for validation i.e. for some of systems only Installation qualification is sufficient however, for GxP systems a complex procedure available to validate at every angle of compliance.
Risk Assessment:- Risk assessment to be perform before introduction of
system. Risk assessment to be done based on system design, infrastructure,
quality of used material in system, power consumption, Environment Health and
Safety view, Fire safety, data loss, Operation, maintenance, waste material
etc. Based on risk assessment and available control it should be decided that
respective system is suitable or not. If it will be part of organization then
what control should be required to eliminate risk.
Purchase Order: After GxP assessment and after finalization of Vendor,
Purchase order to be generates to start the procurement procedure of system. In
PO stage, vendor quotation plays an important role because of value of money.
In quotation vendor mentioned price rates, discounts, covered services,
validity of quotation etc. Based on suitable quotation and vendor evaluation
final PO send to that vendor who is fit for company.
Validation Plan: Validation plan is that document where a complete
strategy mentioned for qualification of document. The validation plan contains
from description of system to till system retirement strategy.
Which document to be prepared and how it will be executed
during validation, should be clearly mentioned in Validation plan. Who is going
to perform IQ, OQ and PQ, it should be define in validation plan. During IQ,
OQ, PQ, if any failure occurred and after release of system If any discrepancy
occurred then how it will be handled, it should be mentioned in validation
plan.
For documentation, document retention procedure should
be clearly defined in validation plan. For backup and restoration, schedule
review (periodic review) of system, incidence management system, history of
vendor and which type of support will be provided from vendor etc. should be
clearly defined in Validation plan.
In case of system failure, to continue the business
plan a details strategy should be clearly defined in validation plan.
Installation Qualification (IQ): After approval of validation plan and after receiving
of system at site, the Installation Qualification to be performed by vendor or authorized
person of respective organization. During IQ, all the received part of system should
be checked against PO and provided checklist from vendor. It should be ensured
as the required system is provided be vendor according to URS.
The make, model, software version, software/ hardware
firmware, physical condition of system should be checked and same should be
documented. Proper commissioning of system, power supply check, startup of
system, successful initialization of system, supply of required current,
temperature and humidity in area at time of Installation and after
Installation, should be documented.
Operational Qualification (OQ): After successful completion of Installation Qualification,
the Operation Qualification to be initiated. During OQ, the Operational check
should be performed i.e. Installed correctly, meets the design requirements,
operates the way in which it was designed under load etc. A pre-defined strategy
for OQ to be pre-approved and started accordingly. The OQ can be performed by
vendor or authorized person of respective organization. The system should be
checked by giving command through software or manually and also checked to
meets the requirements of URS. If system meets and works according to
pre-defined test parameter and defined criteria, then it will be considered as
passed otherwise considered as failed. Same should be documented.
If any failure occurred during OQ, after taking
appropriate QMS tools respective discrepancy can be resolved and retrospective
validation should be performed for respective test or other relevant test also
and observations should be documented.
Performance Qualification (PQ): After successful completion and approval of OQ,
performance qualification can be proceed. During performance qualification, performance
check of system i.e. accuracy of system, robustness of system, reproducibility of
system being checked.
The definition of Performance Qualification is “Establishing
confidence through appropriate testing that the finished product or process
produced by a specified process meets
all released requirements for functionality and safety and that procedure are
effectively and reproducible”.
In simple work we can say as the performance
qualification is the executed test protocol documented evidence that confirm as
respective system meets the defined requirements to function in the production
environment.
Any qualification activity which was performed at
vendor site should not be sufficient to direct release the system in production
environment. At customer site, complete validation to be performed to ensure
meets the requirements of URS.
The vendor can be performed his SAT at customer site
and the approved protocol of customer is similar to vendor SAT protocol then
respective SAT can be referred by customer and same can be documented.
Reference Traceability Matrix (RTM): This document provide the traceability to comply the
every point of URS. It means in which document the respective requirement of
URS is tested and validated. For Category 4 and Category 5 the RTM can be prepared at time of design stage or Functional
specification and same can be documented to verify the meets the requirements
of URS. For Category 3 applications, RTM can be prepared after completion of validation
but before summaries the validation activity. If any test parameter found not
performed then it can be performed separately in relevant protocol after proper
documentation and taking approval of QA.
Summary Report: The summary report confirms as all the validation
activity was completed successfully or not completed successfully. If any
deviation or incidences happened during entire validation, it should be
documented in summary report. Any test parameter which is pending due to any
specific reason i.e. any further modification or any partial updation in system
and same will not make impact in production environment; it should be properly
documented in summary report with dedicated timeline and system can be released
with limitation if any or without limitation.
Certification: After completion of validation summary report,
certification of system release should be prepared which contains the details
of system, version no., date of release and short summary of validation along
with authorized signature.
Post Implementation activity: The periodic
review of system to be performed regularly to ensure proper functioning of
system or to identify any requirement of upgradation. The backup and
restoration is also most important part of computerized system to avoid any
data loss due to in case of system failure.
When system life cycle is
completed and system needs to retire then retirement procedure to be initiated
after taking change request procedure. Before system retirement, Calibration to
be performed (if applicable), all the data should be properly backup and stored
in relevant drive or disk. All the users should be disabled. After that system
can be retired. An alternative procedure should be available to view the data
of respective system in future.
Abhishek Singh is the author of Pharma technical support. He is pharmaceutical professionals, having experience of more than 12 years in Quality.