Validation Determination

In the article Computer System Impact / Risk Assessment from May 2010 I discussed the use of the Impact Assessment for a Computerised system to determine the validation requirements. This article continues with that theme to provide guidance on performing and documenting the assessment within a Validation Determination Statement (VDS) for a computerised system.

GxP Assessment

The first stage of whether a system requires a validation is to identify whether the system has a GxP impact.

The following are examples of questions that can be used in making the validation determination for a computerised system

• The system is used to monitor, control or supervise a GxP manufacturing or packaging process and have the potential to affect Product Quality, Safety, Identity or Efficacy.
• The system is used for GxP analytical quality control.
• The system manipulates data, or produces reports, to be used by GxP quality related decision authorisation / approval processes, where the data supports the decision process or the electronic record constitutes the master record.
• The system is used to maintain compliance with a GxP requirement. The system is used to monitor, control or supervise warehouse or distribution within a GxP requirement.
• The system is used for GxP batch sentencing or batch records.

If any of the questions are answered “Yes” then the system has a GxP impact and the system requires a level of Validation and control through the Computer Systems Lifecycle. If all the questions are answered “No” then the system may be deemed not to have a GxP Impact. This should be documented to support the decision not to perform formal validation.

Computer System Risk Assessment

It is useful to have a high level determination of the computerised systems GxP Impact identified to help support the decision processes for the level of validation and controls to be applied throughout the computer systems lifecycle.

This initial risk assessment should consider the impact to GMP and the complexity (GAMP category) of the system. The following provides guidance for determining the GxP impact of the computerised system

High - The computerised system has a direct impact in Product Quality, Patient and Consumer Safety or High Impact GxP data integrity

Medium - The computerised system has a Direct Impact on GxP or health-related regulations (including the integrity of supporting systems data) but no direct impact on Product Quality, Patient Safety or GxP data integrity.

Low - Indirect impact to GxP or other health-related activities with no direct impact on Product Quality, Patient Safety or Data Integrity.

Based on the ISPE Guide for Risk-Based Approach to Electronic Records and Signatures high impacting electronic records and GxP data can be defined as data that directly supports batch release providing assurance of product quality, efficacy, safety, purity and / or identity.

The complexity of the system the level of Coding and Configuration can also be used to support the risk assessment. Using the GAMP 5 categories as detailed below

Cat 5 –Complexity High – Bespoke software applications

Cat 4 – Complexity Medium – Configured software applications (for complex configuration then you may wish to consider it as category 5)

Cat 3 – Complexity Low - Non configurable software (systems should only be considered to be Low Complexity if they are established market products with a proven track record within the industry, for example standard HPLC).

Overall Risk Rating is determined using the traditional 9 box grid image

Using the Risk Rating

Many decisions can be made from the initial risk ranking including the approach and extent of the validation.

• Supplier Auditing – High Risk items only. Medium and low risk computerised systems have only a postal questionnaire.
• Risk Assessments – High and Medium risk systems will be subject to more detailed risk assessments, low risk computerised systems will not.
• Level of verification activities – High and Medium risk systems have detailed formalised testing, Low risk computerised systems have reduced testing, either commissioning or supplier verification.
• Level of security – Low risk computerised systems minimal controls over security, High and Medium Risk computerised systems have full security controls applied.
• Frequency of periodic reviews. 

The above list is not exhaustive; the regulated company can use the Risk Rating to determine the level of validation, deliverables and controls through the lifecycle of the computerised system.