Change control computer system validation

Changes to computer systems must be reviewed in order to verify its compliance with the change management process, to ensure that the appropriate procedures have been followed, and that the validated status of the system has been maintained. The results of the audit are recorded and saved as part of the change control file for the computer system. 

Once the systems from the three levels are validated, the same levels of security, change control, and disaster contingency will be applied to all. (See Chap. 7 for a thorough examination of computer systems validation and additional discussion about some of its more challenging compliance aspects. Also see Chap. 7 for a comprehensive examination of FDA s expectations as they relate to computer system validation). 

Agalloco, J. Computer systems validation—Staying current Change control. Pharm Tech, 14(1), 1990. 

Agalloco J. Computer systems validation—staying current change control. Pharm Technol 1990 14(1). 

Qualification of equipment and validation of computer systems are not one-time events. They start with the definition of the product or project and setting user requirement specifications and cover the vendor selection process, installation, initial operation, ongoing use, and change control. 

On satisfactory completion of the computer system qualifications, with PQ conducted in conjunction with a successful process validation, a final report must be prepared by the pharmaceutical manufacturer s validation team. This is normally referred to as the validation report. The objective of the report is to give an overview of the results of the execution of the validation program for the computerized operation and to draw a conclusion as to the suitability of the computerized operation for pharmaceutical manufacturing. This may be unconditional use or there may be restrictions. In the latter case the proposed remedial ac-tion(s) must be approved and, as applicable, considered under change control. A schedule to complete any outstanding actions must be documented and progress formally reported. 

As with any computerized system, it is important that the implementation of the electronic submissions system be documented and validated. Changes to the system must be controlled in order to maintain the system s state of validation. Refer to Chap. 7 for an extensive overview of computer validation. 

There should be written procedures to establish systems to manage and control changes that may impact the development, validation, or implementation or affect the maintenance of a validated state for computer systems. Such procedures and controls should apply to all GXP operations and all the systems that support GXP operations. 

This section should contain information on computer systems that control critical manufacturing processes. The developer of the system should be identified and information provided also should include a brief description of procedures for changes to the computer system. This section also should contain a validation summary for each of these systems and a certification that an IQ and OQ have been completed. 

Computer validation should not be undertaken unless fundamental validation controls have been fully understood and implemented within the pharmaceutical or healthcare company s organization. Here we allude to properly qualified personnel, effective document management and change control systems, internal audit procedures, methods of managing the deviations from standard practice thereby exposed, and a culture of continuous improvement (see Chapter 4 for more details). Senior management must not fall into the trap of assuming through complacency or idleness that these controls have been fully instituted In most firms there is usually much that still needs to be done in these areas. Let us examine these controls a little more closely. 

Suppliers of computer systems and associated services must be managed to assure that the software, hardware, and/or related services they supply are fit for purpose. Enhancements and modifications to computer systems and associated documentation must be implemented under change control and, where appropriate, configuration management. Changes affecting the validated status of a computer system must be approved before they are implemented. 

The Validation Report authorizing use of the computer system should not be issued until all operation and maintenance requirements, including document management, calibration, maintenance, change control, security, etc., have been put in place. 

While the individual changes have been reviewed during the change control process, a comprehensive review of all the collective changes has not be performed in order to assure the original IQ/OQ remains valid, and to assure the [computer system] does not require requalification or revalidation. [FDA 483, 2001]... 

Quality System (including status of required computer validation/revalidation, change control, and training/qualihcation of QA staff)... 

Facilities and Equipment Systems (including equipment IQ/OQ, computer qualihca-tion/validation, security, calibration and maintenance, and change control)... 

The third review level examines the document sets for particular computer systems identified in the hrst review level. Validation Plans and Validation Reports are typically among the first documents to be inspected. If the review of a computer system is not superhcial, the main life-cycle documents identified in Chapter 4 may be inspected. The inspector is likely to ask to see evidence of system specification and qualification, supplier evaluation, data maintenance, change control, training, and security. Sometimes inspectors will ask for supplementary information to be sent onward to them if they are seeking clarification of an issue. 

The FDA will consider the lack of computer validation as a significant inspection finding and log it as a 483 noncompliance citation. The MHRA may take a more lenient view depending on the criticality of the system on GxP operations. The lack of a detailed written description of an individual computer system (kept up to date with controls over changes), its functions, security and interactions (EU GMP Annex 11.4) a lack of evidence for the quality assurance of the software-developed process (EU GMP Annex 11.5), coupled with a lack of adequate validation evidence to support the use of GxP-related computer systems may very well be either a critical or major deficiency. Ranking will depend on the inspector s risk assessment. 

Failure to validate computer software for its intended use according to an established protocol when computers or automated data processing systems are used as part of production or the quality system as required by 21 CFR 820.70(i). For example your hrm s XXXX is computer controlled. It uses software programs to record data from measurements of the radius of curvature and comeal refraction of the eye. However, your firm has not validated the software and computer system used to record this data for its intended uses. Your firm has no documentation to assure that they perform as intended. Also, there is no validation and documentation of subsequent changes to the software. 

The transition from the project to routine should be accompanied by training of all parties included in the system life cycle. The training programs for computer validation and change control should be amended by the aspects of Part 11, so that there is a comprehensive understanding of what the implications of Part 11 are when implementing and maintaining systems. 

When a computer-related system is validated, its components must be clearly defined. Changing one or more system components affects the validated state of the system. Change control procedures should assure or reestablish the validated state of the system when a change is applied. 

Setting up proper risk assessment procedures and applying them to the change control process markedly reduces the efforts required to keep systems in a validated state. Harmonization, standardization and efficiency can be increased by appointing a company computer validation committee per site and/or at a corporate level. Good cooperation between QA and IT is a prerequisite for keeping systems validated. 

---