Validation Master Plan For Computerized System Information Technology Essay

In recent years pharmaceutical industry focus much more on validation of computer system, but big question is that which systems do we have to validate? And how much validation is enough? Answer of the question may be simple but it is difficult to carry out. This paper provide information about the why validation master plan is required, scope, contents of computer validation master plan which includes different validation life-cycle models and risk based approach to minimize the risk in computer validation.

2.0 INTRODUCTION:

Now a day’s computers are widely used in pharmaceutical manufacturing for the development and production of the drugs. Computer system plays key role for obtain consistent, reliable and accurate data. So it is required to validation of the computer system for good development and manufacturing of the drugs. Every pharmaceutical industry have own rules, regulation and policies for computer validation. They developed the document for the computer validation master plan and follow that. If there is any question regarding computer system validation master plan gives the answer. Validation Master Plan provides information regarding the system validation, responsibility, risk assessment, vendor selection, change control process, error handling, maintenance and support.

This term paper presents some ideas about the development of computer system validation master plan. Computer validation master plan give information about how to validate installation, operational and performance qualification, how to design system and how to evaluate the system from the beginning to the retirement of the system.

3.0 History of Validation:

The concept of validation first introduce by two officers Ted Byers and Bud Loftus of FDA in mid 1970’s to improve the quality of pharmaceutical products. It was proposed of the validation concept for the response to severe problem in large parenteral volume in market. When the validation established it was focused only in production area but now days it is used in other area like, media fill, equipment sanitization, environmental control and purified water production.

4.0 Why Computer System Validation?

This requirement is naturally expanded in the department of development and other department like, department of pharmaceutical products and medical devices. During 1983, the FDA published the guidelines to inspect the computer system in the areas of production and foe medical devices which is also known as ̏ BLUEBOOK ̋. Validation is necessary to evaluate the all step performed accurately and implement the computer system.

5.0 Requirements for the Computer System Validation:

Computer widely used during production and development area. For the proper functioning and performance of computer system play important role to get reliability, consistency and accurate data. So, computer system validation should be a part of good development and production.

Section of 211.68 of US cGMP regulations have specific requirement for computers-

Automatic, mechanical, or electrical equipment or other types of equipment, including computers, or related system must perform satisfactorily. This used in manufacture, processing, packing and holding of drug product. This type of equipment regularly calibrated, inspected, or checks on the bases of written program to evaluate proper performance. Maintained the written records of checked calibration and inspections.

Only authorized person have authority changes in master production and control records or other records exercised over the computer or related system.

For accuracy input o and output from the computer or related system of formulas or other records or data should be check.

Verification of the degree and frequency of input/output done on the bases of complexity and reliability of the computer or related system.

When the backup file of data entered into the computer or related system it s mandatory to maintain the record except certain data like, calculation performed in connection with laboratory analysis are deleted b computerization or other automated process. In this kind of case written record shall be maintain with applicable validation data.

To check that backup data are accurate and complete and it is secure from alteration, inadvertent erasures, loss or hard copy or alternative system like, duplicates, tapes, or microfilm shall be maintained.

Specific guidance document FDA developed for computers application other FDA regulated areas. Mostly information is industry guide that is General Principle of Software Validation which agree with development and validation of software used for medical device. Recently FDA let out draft guidance for computer using in clinical studies. FDA guidance states that anticipated related generated computer system and electronic records during clinical studies.

Due to important of computer validation issue have been addressed by many industry organization and private authors:

The Good Automated Manufacturing Practices developed guidance for computer validation.

Validation reference books for the validation of computerized analytical and networked systems developed by Huber.

The Parenteral Drug Association has published a technical paper on the validation of laboratory data obtaining system.

6.0 Validation Master Plan:

Validation master plan is officially required by annex 15 to the European GMP directive. FDA regulation guidelines do not mandate validation master plan, still FDA inspector want the company follow the validation. The validation master plan is pursuit the validation practice and activities which are more efficient and consistent. Document of validation master plan outlines the qualification of a facility, defining the areas and system is fully validated. Furthermore, it gives written program for maintaining a facility with validated process. The validation master plan include the process validation, facility and utility qualification, equipment qualification, cleaning validation and computer validation.

7.0 Content of the Computer Validation Master Plan:

Purpose and Scope.

Roles and Responsibility

Validation Approach

Risk Assessment Plan

System Acceptance Criteria

Vendor Assessment

Computer System Validation Step

Change Control Process

Back Up and Recovery

Error Handling Corrective Action

Contingency Planning and Disaster Recovery

Maintenance and Support

System Retirement

Validation Report and Documentation

Templates and Reference

7.1 Purpose and Scope:

Validation master plan which should provide framework for consistent validation it’s mainly required by annex 15 to the European GMP directive. FDA regulation and guidelines do not mandate validation master plan still the validation master plan is the ideal thing to communicate with computer system internally and to inspectors. It also provides the consistent validation practice and activities so we can get the information easily. It covers the life cycle of the computer system which includes the planning, specifications, programming, testing, commissioning, documentation, operation, monitoring and modifying.

7.2 Roles and Responsibility:

In FDA guidance document there is no regulation for roles and responsibility but it is necessary for proper distribution of the work to get the desire result of the validation process so individual organization is responsible for the validation of the computer system. In that organization have the various department like, IT department, QA department, documentation department have the own responsibility for the validation process of the computer system so, that system give the consistent, reliable and accurate data. System user is also responsible for validation of computer system.

7.3 Validation Approach:

Validation master plan determines the need of validation process and how it relates the SDLC of the product development of the system. VMP document mainly describe the execution of validation program which describe the system qualification principles, defines the sub-system to be validated and gives a written document for reach and maintaining the validation process. Validation of the computer system is not only one event but it’s a part of complete lifecycle of complete system which include

If user department wants new computer system they have to validate that new system which has to be use to solve an existing problem. Validation ends when the existing system is retired and its all important data migrated to the new system.

There are important steps between start and end validation processes which are as follow:

validation planning

user requirement

functional specification

design specification

validation during the development

vendor assessments

installation of the new system

testing and change control

Finally, computer system should be validation throughout the life cycle.

Computer system validation process is divided in to different life cycle phases in which first model is V- life cycle model and second model is 4Q life cycle model.

IQ

OQ

FS

DS

URS

PQ

Build/Code

URS- user requirement specification

FS- functional specification

DS- design specification

IQ- installation qualification

OQ- operational qualification

PQ- performance qualification

Design Qualification

Installation Qualification

Operational Qualification

Performance Qualification

V model is quite complex than the 4Q model because in 4Q model have only four step which fits on the COTS system. The main common thing in both models is that they don’t address the retirement phase. Limitation of the 4Q model is that it is not suitable if system needs any configuration for specific application or additional software required which is not included in the standard product and develop by the user form. For this kind of case the following model is referred.

OQ

Vendor assessment

Unit and Integration testing

I

N

T

E

G

R

A

T

I

O

N

D

E

V

E

L

O

P

M

E

N

T

Maintenance/ Use Retirement

PQ

IQ

User/system requirements

re

Functional specifications

Request for Proposal

Verify with vendor’s specs

Finalize requirements

Design specifications

Code development Code reviewHome made Purchased COTS

Q

U

A

L

I

FI

C

A

T

I

O

N

If there is no vendor that offers the commercial system the software needs to be develops and validated by the step on the left side of the model. The programmers have to develop functional specification, design specifications and the coed and perform testing in the all developing phases under the department of the quality assurance.

If user wants to purchase the system from the vendor, they have to compare the response of the vendor’s with their requirements. If vendors does not meet user requirement then requirement may be adjust or additional software is written following life cycle of the left side of the diagram. Selection of the vendor could be done on the base of the user’s technical and business requirement.

How long validation will go on it depends on the complexity of the computer system. If you use the standard software which has the less customization there is less testing required by the users. For that, the GAMP developed the software categories which are based on the level of customization. There are five category in which first and second defines operating system and firmware of automated system. Mostly the computer system is required to associate with one of the three categories which as follow:

Category

Description

GAMP 3

Standard software package. No customization. For example, MS word, computer controlled spectrophotometer

GAMP 4

Standard software package. Customization of configuration. For example, LIMS excel spreadsheet with application where formulae and/or input data are linked to specific cells.

Data network system.

GAMP 5

Custom software package. Either all software or a part the complete package has been developed for a specific user and application.

For example, Add-ons to GAMP Categories 3 and 4, excel with VBA scripts.

7.4 Risk Assessment Plan:

Now a day the risk assessment approach is adopted by industry for the testing of computer system. Verification or validation of computer system focus only GXP critical requirement of computer systems. It is performed in risk-based manner, for optimizing the effort and assures that the computer system works properly as per requirement.

Risk assessment is not only depending on the software of the system but also depend on process of the system facility. In FDA part 11 Electronic Records and Electronic Signatures recommends software validation document focus on risk assessment which affect on product quality, safety and record integration of the system. It is useful in determine system elements which made the terms by FDA.

Critical risk factors:

The need for validation and the extent of testing that will be required.

The need to implement audit trails in the system and structure the audit trail will ultimately take.

A strategy for maintaining records integrity and reliability throughout their retention period.

7.5 System Acceptance Criteria:

On the bases of manufacturer requirement and cGMP guidelines the design specification of the system is installed.

In calibration program of instrument includes calibrated, identified and entry.

As per specification hardware and software are verify and confirmed.

7.6 Vendor Assessment:

Vendor selection is very important key to get computer system with high efficiency. Vendor’s selection is based on their qualification because their product development and manufacturing practices fulfill the requirement of user’s quality.

How can you be sure that the software vendor did follow quality assurance program?

The answer of this question it’s depend on risk and impact of the product quality which derived from:

Vendor’s experience regarding with documentation.

External reference

Assessment checklist which is available in your company

Third party audits

Direct vendor audits

Computer System Validation Step:

Design Qualification:

Design qualification defines as a functional and operational specification of the instrument and it also help in the selection of suppliers. DQ covers all the necessary function and the performance criteria for the computer system which meet the business requirement. If have any error in DQ that will impact on the business. So it is require giving sufficient time and resources in DQ phase.

Design qualification includes the following steps:

Description of the task for computer system which is expected to be perform

Explain intended use of the system

Explain the intended environment

Explain the selection of system requirement specification, functional specification and vendor

Vendor assessment

Explain final selection of the system requirement specifications and functional specification

Development and documentation of final system specifications

In the development of user requirement specification well documented procedure should be follow. In this process the most important thing is that all representatives of all user requirements should be involved.

User requirement have following key attribute:

Necessary- increase in development, maintenance, validation and support costs because of the unnecessary function.

Complete- adding of all functions at initial stage is lees expensive than adding of all functions at later stage.

Feasible- it is necessary that it must be implementation of all specified functions on time otherwise it delay in project.

Accurate- to solve the application problem for that all functions specified accurately.

Unambiguous- avoid wrong interpretation and guessing.

Testable- function which is not testable cannot be validated.

Uniquely identified- helps to link specification to test cases.

7.7.2 Installation Qualification:

Installation Qualification defines as a system should be properly installed and suitable for the operation and use of the instrument. The steps which are before and during installation are as follow:

Before Installation-

During before installation owner must have to provide the site requirement to the manufacturer

Check the site to fulfill the requirement of owners

During Installation-

During installation cross check the computer hardware which is received by vendor and check the any damage

Evaluate the documentation for the completeness

Install hardware like, the network device, peripheral, cables

Install and verify the software which follow the manufacturers recommendation

Do the backup copy of software

Arrange the device and peripherals like, printers and equipment modules

Make a list with description of the hardware and software which is install in the computer

Restore the information either electronically or on paper

Checklist of equipment manuals and SOPs

Make a installation report

7.7.3 Operational Qualification:

Operational qualification defines the computer system will works according to its functional specification in the selected environment. Before the OQ testing done it should always consider that what the computer system use will be for. Testing is based on justified and documented risk assessment.

Basic criteria are as follow:

Impact on product quality

Impact on business continuity

Complexity of system

Level of customization

Information taken from the vendor on type of test and test environment

Most extensive tests are required when the system is developed for a specific user. In this case all functions should be tested by the user. Tests are conducted for the function on the bases of the highly critical for the operation or for the functions which influenced by the environment.

7.7.4 Performance Qualification:

Performance qualification is defines as it is the process which demonstrates the system perform as per specification which is suitable for its regular use. To achieve the performance throughout the life cycle of the computer system for that does the regular preventive maintenance of computer system.

The practical definition of PQ is checking and testing of the computer system with total applications. For instance, in testing of the running system the important type of system performance characteristics are considered and compare with document predetermined limits.

PQ testing includes,

To check and assure that the entire applications work as intended, complete system testing done.

System is scan to check for the regular virus

Audit should be done regularly to the computer system

Regression testing: data files are reprocessed and compared the result with previous result.

7.8 Change Control Process:

Changes can be made due to error come up with the program or additional or different software or hardware function. If change to specifications, programming codes or computer hardware must follow written procedures and be documented. Change request from should submitted by users or authorized person or management. Furthermore, changes should follow standard procedures for initiation, authorization, implementing, testing, and documenting. Validation plan include all activities and validation report documented. Testing should be done in program after change in any program. It is necessary to check the entire program run normally after change done in program.

7.9 Back-up and Recovery:

In the case of failure the system is essential back-up and recovery to store existing data available in future. There are so more than one strategies of back-up and recovery in which each strategies have policies and procedure. It facilitates expected way for the system back-up and recovery. This may be use to simplify back-up and recovery management. Standardization of desktop is best way to decrease the variability in management of recovery. Use thin client computing architect focus on recovery which reduce the workload and personnel required in process. New Back-up system called as worm media which means write once, read many gives high security with more principle for back-up.

Different back-up and recovery strategies:

strategy

desciption

cost

Traditional Back-up to Tape

Manual process if copying data from hard disk to tape and transporting to secure facility

Low

Back-up to Electronic Tape Vault

Copying data from disk to remote tape system via WAN link

Medium

Disk Monitoring

Copying data written to one disk or array of disks to second disk or array of disks via WAN link

high

7.10 Error Handling and Corrective Action:

Error Handling actions like, Root Cause Analysis, CAPA plan, OOS and DMAIC etc in validation master plan should specify by system user.

Root Cause Analysis – it determines what happened, at when and why?

Structural investigation that a goal is to find the cause of problem and it is essential to remove it.

CAPA plan – it is used to investigate the root cause level and resolved.

DMAIC- Define, Measure, Analyze, Improve And Control

OOS – What going wrong?

Form these CAPA plan widely used for correct action. It concentrates on investigation into depth of the cause and to prevent reoccurrence of the problem. After accomplishment of CAPA plan it is essential to evaluate for its effect. Furthermore, to correct the problem in effective way the best method is the use combination of CAPA plan and Root Cause Analysis. Use PDCA as per Derming- Shewart cycle which is used to identification and investigation, root cause elimination, review and assure for effect of performed actions.

7.11 Contingency planning and disaster recovery:

Computer system is made by manually so it can be fail to work. Contingency planning and recovery process is used for when system is failed. It is used to restore the data existed in failed system. When system get failed before that data has been generated and stored in computer system as per PIC/S guidelines for use in the GXP computer system. Furthermore, user have to develop the sops for disaster recovery process to verify that failed system is handled in controlled way and all problem and risk will be checked.

7.12 Maintenance and Support:

It is essential to maintain the computer system in hardware and software. System failure is different for both so, separate maintenance is necessary for hardware and software.

Type of Maintenance for Hardware:

Component replacement

Corrective changes

Preventive hardware maintenance actions

Type of maintenance for software:

Corrective maintenance

Perfective maintenance which improve the stability of computer system

Adaptive maintenance which used to change software to make work in any environmental condition of system.

After the changes in system it is essential to do testing for assure that software is not change and not impact by parts which was changed. After maintenance of the software, revised software documented and validated. Corrective and preventive action should be done during maintenance of software. Review of document is necessary and to conclude that system is improved or not.

7.13 System Retirement:

System retirement should be implemented with proper planning and strict control for data retention which are complying with regulatory requirement, policies and store all existing data into new replaced system. System retirement must be done as per written procedure and report of action taken after failed system should be documented.

When system went to out of order it means system is retired. Factor for retirement is old technology, redundant application, failure with new regulatory requirement due to lack of advanced functions in new system. In GXP if any computer system is retired to replaced with new system. For that owner should be make formal request and include a new system through change control procedure. System retirement plan must be developed by system owner.

7.14 Validation Report and Documentation:

Validation summary report is generated by the system owner which is outcome of the validation project. In validation report system owner should include:

Brief discussion of the system

Identification of the system

Software version which were tested

Description of hardware

Statement of system status

List of test protocol, test results and conclusion

List of all critical issue and deviation with risk assessment and corrective action

Listing of all deliverables

Final approval or rejection statement

Standard Operating Procedures:

Validation activities performed according to written procedure. These specific procedures used to validate the system. Some examples are as follow:

Training for GxP, 21 CFR Part 11 and computer validation

Risk assessment for systems used in GxP environment

Validation of Commercial Off the Shelf computer system

Validation of Macro Programs and Other Application Software

Risk based validation of the computer system

Development of user requirement specification of computer

Quality assessment of the software and computer system supplier

Auditing software suppliers like preparation, conduct, follow-up

Development and maintenance of test scripts for equipment hardware, software and system

Handling of problems with software and computer systems

Data back-up and restore

Disaster recovery of computer system

Archiving and retrieval of GMP data and other document

Access control to computer system and data

Configuration management and version control of software

Change control of software and computer system

Revalidation of software and computer system

Retention and archiving of electronic records

Qualification of PC clients

Retirement of computer system

Review of computer system

Auditing computer system

7.15 Templates and Reference:

To efficiently follow, document and results of validation templates are very useful. To perform validation process and how much it is needed determine by validation example. Some templates and reference for validation tasks lab compliance have.

Such document includes templates/ examples for:

Requirement Specifications for Chromatographic Data System (E-255)

Requirement Specifications for Excel Applications (E-268)

User Requirement Specifications- 20 Good/Bad Examples (E-308)

Computer System and Network Identification (E-326)

Template/Examples: Test Protocol For ExcelTM Spreadsheet Application (with traceability matrix): Includes 12 test scripts examples for functional testing vs. specifications, specifications vs. test cases and test summary sheet (E-358)

Testing of Authorized System Access (E-362)

MD5 Checksum File Integrity Check Software with Validation Documentation: DQ, IQ, OQ,PQ (E-306)

8. Conclusion:

Validation Master Plan should be developed regarding to the company policies and internal procedures, including both infrastructure and application. There are many different ways of putting together validation master plan. Validation master plan provides tool for management and framework for the validation activities which should be performed and planned. It is main thing to determine validation activities, role and responsibility of each personnel, change control, how system works maintenance and support requirement and system retirement plan.