OR WAIT null SECS
In-house experts can help select the right systems and suppliers, making validation and compliance easy, says Siegfried Schmitt, principal consultant at PAREXEL.
Q. We are planning to upgrade several of our automated systems in production and in the laboratories. These upgrades are necessary so that we can implement functionality like audit trails, which are now required to achieve data integrity compliance. We contacted suitable vendors, and some have now offered to sell to us fully 21 Code of Federal Regulations (CFR) Part 11 and data integrity-compliant software packages. Such a package seems like a very good deal, but it is not offered by the majority of suppliers. Can you give some insight on how other companies address this situation?
A. You are in a very typical situation where not all your automated systems are of a technical standard that make compliance with the applicable regulations possible, unless you upgrade or replace certain systems. It is an unfortunate fact that there are still vendors out there who make misleading claims, either out of ignorance, or worse, knowingly. The only party that can legally commission and operate a computerized system in a fully compliant manner is the system owner (i.e., someone within your organization). Only you know how you are going to use the specific system and for what purpose. No vendor can do this for you. Therefore, automated system suppliers can merely offer to sell you systems that are designed and built in a manner that allows you, the customer, to operate them in a compliant manner (e.g., complying with 21 CFR Part 11 or other regulatory requirements).
Let me give you an example to clarify this: You may purchase a system upgrade that provides audit trail functionality. Although the vendor gives you an audit trail as you requested, you may choose not to activate it (perhaps because it slows the system down too much). Now you may be in a non-compliant situation. Or, you decide to activate the audit trail, but upon review you find that it is not in human readable form, or that it only captures a fraction of the transaction, or that the amount of data in the audit trail is so overwhelming that it becomes unmanageable.
Savvy companies have in-house experts with a sound understanding of the regulations covering automated systems, how to perform computerized systems validation, and how to optimally harness the vendors’ expertise. These experts will put together the user requirement specifications (URS) for the various systems. The URS is the document that will steer how the system (or system upgrade) will help you to operate in compliance with the regulations (i.e., what it takes to make sure that data are trustworthy and your system is fully validated). In the URS, companies will specify what they expect from the audit trail (e.g., it must be human readable, sortable, exportable, searchable, etc.).
The URS also forms the basis for the testing requirements, namely the testing by the users. Users may be quality unit personnel who need to verify that on an analytical instrument the series of injections for an analysis tally with the method, or that there were no rogue injections. Only these people will know what they are looking for and how they want to perform their review. Your system vendors are now tasked with providing you with a system that meets your needs, and not just a ‘one-size-fits-all’ solution.
Don’t be lulled into a false sense of security by sales promises; instead, make sure you have experts at hand who can help you select the systems and suppliers who best meet your needs. Once you do this, you will find that validation and compliance even with the most demanding regulations become not only possible, but exciting.
Vol. 31, No. 3
When referring to this article, please cite it as S. Schmitt, "Computerized Systems Validation," BioPharm International 31 (3) 2018.