Computer System Validation: Eight Challenges on the Way to the Target State
IT compliance today requires a paradigm shift from a project-specific engagement to a comprehensive, centralized compliance program.
By Arik Gorban, Associate VP, Compliance & Quality Strategies, iGATE Patni Life Sciences
In the past, Computer System Validation (CSV) in the life sciences was focused on software validation and infrastructure and computing platform qualification for systems that supported FDA-regulated activities and records. Today, organizations are increasingly focusing on overall, global IT compliance, to satisfy 21 CFR Part 11 but also equivalent laws in other countries, Sarbanes-Oxley (SOx), HIPAA, export and shipping regulations, and much more.
To meet these varied and global needs, pharmaceutical manufacturers must:
- Manage consistent computer system validation and system testing efforts across multiple projects and multiple sites
- Enable effective system inventory control, change management, periodic evaluations, and validation to ensure sustained compliance
- Manage ”just-in-time” deployment of qualified resources to the right places
- Provide global ”round-the-clock” access to a validation and testing center of excellence
- Provide onsite and offshore validation and testing teams that bring necessary skills at attractive cost.
This article looks at some of the CSV challenges facing drug manufacturers today, and “target states” that may be achieved:
Challenge I. Standards: Various standards exist across the organization. Policies, procedures, work instructions, and templates vary by business, department, or site. Significant costs result from overlapping SOPs and inconsistent standards, which make sharing of assets difficult. Industry-wide standard methodologies, guidelines, and tools have been issued by global organizations, such as ISPE and ICH, but in order to make the assets applicable to a wide range of companies, processes, systems, and products, they did not replace the more detailed, localized standards.
Target State: A centrally controlled and maintained, single, fully matured set of harmonized standards with integrated risk analysis. The investment in developing and maintaining the standards is made centrally, with subject matter experts from different business areas. Duplicate efforts are minimized and the quality is higher due to the involvement of the top experts across the organization and support by external expertise.
Challenge II. Interpretation: A significant cost to validation projects is caused by long debates among the various authors and reviewers, rework, and inconsistent interpretation of standards and requirements. Most regulations include very high-level statements that set objectives, but don’t specify how to implement the controls or how much is good enough. For example, 21 CFR Part 11 (11.10 (d)) requires “Limiting system access to authorized individuals.” This one statement can be expanded to varied requirements for technical security controls and procedural controls for managing access.
Ensuring consistent interpretation and execution of compliance activities becomes more difficult in large companies, due to mergers and acquisitions, new technologies like cloud computing, Software as a Service, and a wider use of automated testing tools, and the adoption of a risk-based approach to compliance.
Target State: A global compliance Center of Excellence (CoE) that is staffed with fully-trained competent individuals can support projects with uniform interpretation throughout the corporation. It is much easier to have a small group of Subject Matter Experts (SMEs) that interacts with each other and with project teams on a regular basis than require that all project teams adopt and follow a consistent interpretation. The CoE should include members from various sites and business areas and experts on various regulations that impact IT (e.g., GxP, SOx, HIPAA).
Challenge III. Organization and Governance: Many companies still have decentralized governance and uncontrolled execution. The ownership and management of validation activities vary from project to project and from one department to another. Projects are not handled consistently with clear roles and responsibilities. Some are led by IT, other by users or quality.
Target State: Uniform management of activities and centralized monitoring and benchmarking using objective and meaningful validation and quality metrics will allow a company to identify deficiencies, improve compliance processes, and improve quality. Once improved, compliance with quality standards will turn from being overhead to becoming an asset to the company. Central governance provides a wide view of the whole organization and the ability to measure and drive improvement of compliance processes. Central organization control with IT deeply involved and a central compliance group with coaches to enable a risk-based approach will result in a greater level of compliance at a lower cost.
Challenge IV. Efficiency Across Sites and Departments: Site-to-site efficiencies have not been achieved due to site- and department-specific procedures, templates, and interpretation. We’ve seen many cases where multiple sites develop complete validation packages for the same system that they use the same way, because there is no sharing of inventory and project information.
Target State: Centralized development of common standards and assets, joint planning and management of compliance activities, centralized inventory management, and knowledge sharing enable organizations to minimize duplication of effort and overlapping activities. In addition to reducing unnecessary costs, global management of IT compliance can increase overall effectiveness and achieve continuous improvement.
Challenge V. Execution: As stated earlier, we see excessive rework being done by validation teams. Most often, the rework is a result of different opinions and styles of project team members and inconsistent quality of work that is done by unqualified individuals. A common scenario is that individuals perform work that doesn’t align with their level and skills. Junior quality reviewers, who are qualified to review documents and identify incomplete or inaccurate information and deviations from standards, end up determining the course of action to remediate the problems. The solution is often redoing the work. On the other hand, we see highly-qualified, expensive resources performing low-level mechanical tasks, because a fixed team is assigned to the project and must share the workload.
Target State: With the appropriate training and coaching by compliance subject matter experts who are allocated to projects globally on a part-time basis, the company can benefit from having the right level of resources with the right skills on the right projects at the time they are needed. More flexibility and better resource allocation will result in trained, competent technical personnel following quality and compliance standards with high-quality first draft deliverables. The SMEs will coach the teams to success, reducing the likelihood that auditors will identify failures late in the process. Using a global delivery model will allow the company to utilize the right skill level for the right tasks and to use lower-cost resources where available and appropriate.
Challenge VI. Tools: System life cycle assets, such as templates, outlines, forms, and guidance documents are often inconsistent across departments and are not targeted to drive value. They are put in place to minimize the risk of project team members taking shortcuts and skipping sections, but are not flexible and drive unnecessary efforts with minimal value to quality or compliance. We’ve seen cases where an extensive validation package was prepared for a new CD writer, or complete detailed Installation Qualification protocol, scripts, and report were produced for the installation of utilities such as Winzip and virus scan.
Target State: A centralized, consistent, flexible, shared and continually enhanced set of tools that are supported by quality coaching will drive value, help the project teams to produce better deliverables faster, and provide the right level of consistency. While adding flexibility often means opening the door for shortcuts and negligence, quality coaching and quality reviews can mitigate those risks.
Challenge VII. Training: Training is usually conducted within each business on standards and processes; however, there is minimal coaching and guidance. The short training that is usually provided is rarely enough to qualify individuals without coaching and support until they gain hands-on experience. Often multiple training sessions have to be taken in a very short period of time, where the individual’s ability to absorb, understand and retain the materials is in question.
Target State: It is unrealistic for companies to expect that everybody involved with IT systems can become a compliance expert by taking a few training sessions on company policies, standards, and procedures. While training is still required, greater success can be achieved when the company trains a few compliance experts to coach validation teams and business owners to take responsibility for compliance projects.
Challenge VIII. Personnel: Working with many life science companies shows that usually there are capable, knowledgeable central validation groups, but weaker decentralized execution groups. CSV standards are often deployed without the appropriate training and coaching and without assurance of consistent interpretation. Organizations believe that simply reading standard operating procedures (SOPs) and receiving a few hours of training enable individuals to follow a consistent approach.
Target State: Central organizational control, with business, IT, and quality personnel deeply involved and integrated in the CSV effort, as well as quality coaches (CSV subject matter experts) acting as a center of excellence, enable a successfully executed risk-based approach to CSV. Evolution to business user ownership of CSV is also essential to enabling the system owners and business areas to drive compliance based on business and regulatory risk.
Implementing a Global Delivery Model
Implementing a global delivery model must be done carefully and in stages. Working with an experienced partner will prevent failure and disappointment. The process should be handled in stages over a period of time. The implementation duration would vary from one company to another, depending on its maturity with regard to best practices, the level of harmonization across the enterprise, and the overall level of integration between sites. We normally recommend a five-phase approach:
Phase 1: Start with initial on-site engagements to allow the pool of resources, which will be the global team, to interface with key stakeholders at the site and active projects.
Phase 2: Establish repeatable processes to begin to accrue competitive advantages: compliance, quality, reliability, consistency, responsiveness, lower cost.
Phase 3: Adopt a defined Global Delivery Model for pilot department, operating company or selected set of technologies.
Phase 4: Expand Global Delivery Model globally under a quantitatively managed process for continuous improvement.
Phase 5: Optimize the Global Delivery Model process to assure global compliance, maximum efficiency, and strategic differentiation.
The Paradigm Shift
In conclusion, transition to a global delivery model that supports IT compliance projects across the enterprise is more than just an approach to solving the challenges that I described earlier in this article. It is a paradigm shift from a project-specific engagement to a comprehensive compliance program that is managed as a service level agreement between the central organization (internal or external) and the business. Resources are available globally to support projects on an as-needed basis, bringing the right skills to the right place at the right time.