FDA’s Computer System Validation Requirements: What you need to know
Computer systems that are in direct contact with a product during its manufacturing, testing or distribution, in an FDA regulated environment must be validated according to FDA guidelines for computerized systems and documented accordingly. This is required under FDA 21 CFR part 11 – all systems that govern GMPs, GLPs, GCPs must be validated. Current Good Manufacturing Practices (cGMPs) are mandated by the FDA to ensure that products manufactured by pharmaceutical, biotech and medical devices, tobacco and related products, meet the specific requirements for identity, strength, quality and purity.
FDA requirements for cGxPs are:
- Hardware is considered equipment within the meaning of the cGxP regulations
- Software is electronic records of Standard Operating Procedures (SOPs) within cGxP regulations
- Software maintenance is considered revision or change control
- Record controls require programs to ensure accuracy and security of computer inputs, outputs and data
- Record access requirements should be available for inspection and should be subject to reproduction
System Validation is required to assure the quality and performance of the systems used to manage the cGxP process. The validation process seeks to establish documented evidence that the system will manage the specific process, to consistently yield a product meeting predetermined specifications and quality attributes.
Ultimately a computer system validation project will ensure compliance, peak performance and functionality of those systems.
Under the validation process, written verification of all systems functions and the performance of those functions to system specifications, and data integrity and system maintenance, are compiled in alignment with industry standards and regulatory laws by the FDA.
Software should comply with core 21 CFR Part 11 requirements such as:
- Changes to any record are captured in the audit trail, and these entries are time stamped with additional information such as operator name and the reason for the record change.
- Security for the system should be sufficient to prevent unauthorized modifications.
- The use of electronic signatures for any transaction into the system.
The Software Development Lifecycle should be clearly defined and documented to ensure quality and prevent software defects. Software vendors or organizations that develop their own software, must not only follow the software development lifecycle, but should also have adequate security at their facilities to prevent unauthorized access to software, computer rooms and media storage areas. The organization must also have training policies in place to ensure software developers, designers, project managers, QA engineers can perform the technical aspects of their job.
The system should be validated for intended use to ensure the requirement specifications are developed for the intended use of the system. Testing the systems against the intended use specifications identifies any gaps, which can then be closed.
Software systems used for quality purposes in place of paper records are required by the FDA to be validated. Organizations must verify that the software is configured properly to meet their business needs. Having documented evidence verifying that the system was correctly installed and configured can save time and money in the future. Expert speaker Carolyn Troiano will conduct a session on industry best practices to use when performing the validation process.