In the past, Computer System Validation (CSV) in the life sciences was focused on software validation and infrastructure and computing platform qualification for systems that supported FDA-regulated activities and records. Today, organizations are increasingly focusing on overall, global IT compliance, to satisfy 21 CFR Part 11 but also equivalent laws in other countries, Sarbanes-Oxley (SOx), HIPAA, export and shipping regulations, and much more.
To meet these varied and global needs, pharmaceutical manufacturers must:
- Manage consistent computer system validation and system testing efforts across multiple projects and multiple sites
- Enable effective system inventory control, change management, periodic evaluations, and validation to ensure sustained compliance
- Manage ”just-in-time” deployment of qualified resources to the right places
- Provide global ”round-the-clock” access to a validation and testing center of excellence
- Provide onsite and offshore validation and testing teams that bring necessary skills at attractive cost.
This article looks at some of the CSV challenges facing drug manufacturers today, and “target states” that may be achieved:
Challenge I. Standards: Various standards exist across the organization. Policies, procedures, work instructions, and templates vary by business, department, or site. Significant costs result from overlapping SOPs and inconsistent standards, which make sharing of assets difficult. Industry-wide standard methodologies, guidelines, and tools have been issued by global organizations, such as ISPE and ICH, but in order to make the assets applicable to a wide range of companies, processes, systems, and products, they did not replace the more detailed, localized standards.
Target State: A centrally controlled and maintained, single, fully matured set of harmonized standards with integrated risk analysis. The investment in developing and maintaining the standards is made centrally, with subject matter experts from different business areas. Duplicate efforts are minimized and the quality is higher due to the involvement of the top experts across the organization and support by external expertise.
Challenge II. Interpretation: A significant cost to validation projects is caused by long debates among the various authors and reviewers, rework, and inconsistent interpretation of standards and requirements. Most regulations include very high-level statements that set objectives, but don’t specify how to implement the controls or how much is good enough. For example, 21 CFR Part 11 (11.10 (d)) requires “Limiting system access to authorized individuals.” This one statement can be expanded to varied requirements for technical security controls and procedural controls for managing access.
Ensuring consistent interpretation and execution of compliance activities becomes more difficult in large companies, due to mergers and acquisitions, new technologies like cloud computing, Software as a Service, and a wider use of automated testing tools, and the adoption of a risk-based approach to compliance.
Target State: A global compliance Center of Excellence (CoE) that is staffed with fully-trained competent individuals can support projects with uniform interpretation throughout the corporation. It is much easier to have a small group of Subject Matter Experts (SMEs) that interacts with each other and with project teams on a regular basis than require that all project teams adopt and follow a consistent interpretation. The CoE should include members from various sites and business areas and experts on various regulations that impact IT (e.g., GxP, SOx, HIPAA).
Challenge III. Organization and Governance: Many companies still have decentralized governance and uncontrolled execution. The ownership and management of validation activities vary from project to project and from one department to another. Projects are not handled consistently with clear roles and responsibilities. Some are led by IT, other by users or quality.
Target State: Uniform management of activities and centralized monitoring and benchmarking using objective and meaningful validation and quality metrics will allow a company to identify deficiencies, improve compliance processes, and improve quality. Once improved, compliance with quality standards will turn from being overhead to becoming an asset to the company. Central governance provides a wide view of the whole organization and the ability to measure and drive improvement of compliance processes. Central organization control with IT deeply involved and a central compliance group with coaches to enable a risk-based approach will result in a greater level of compliance at a lower cost.
Challenge IV. Efficiency Across Sites and Departments: Site-to-site efficiencies have not been achieved due to site- and department-specific procedures, templates, and interpretation. We’ve seen many cases where multiple sites develop complete validation packages for the same system that they use the same way, because there is no sharing of inventory and project information.
Target State: Centralized development of common standards and assets, joint planning and management of compliance activities, centralized inventory management, and knowledge sharing enable organizations to minimize duplication of effort and overlapping activities. In addition to reducing unnecessary costs, global management of IT compliance can increase overall effectiveness and achieve continuous improvement.
Challenge V. Execution: As stated earlier, we see excessive rework being done by validation teams. Most often, the rework is a result of different opinions and styles of project team members and inconsistent quality of work that is done by unqualified individuals. A common scenario is that individuals perform work that doesn’t align with their level and skills. Junior quality reviewers, who are qualified to review documents and identify incomplete or inaccurate information and deviations from standards, end up determining the course of action to remediate the problems. The solution is often redoing the work. On the other hand, we see highly-qualified, expensive resources performing low-level mechanical tasks, because a fixed team is assigned to the project and must share the workload.