We frequently get asked, "Do you also offer Computerized Systems Validation?" One of the reasons for the interest is certainly: Authorities and notified bodies increasingly address the Computerized System Validation (CSV) in audits. This article introduces regulatory requirements regarding "Computerized Systems Validation" and provides guidance on how you can best meet these requirements.
Computerized Systems Validation (CSV) is a documented process of assuring that a computerized system does exactly what it is designed to do. [1]
In general, validation is the "confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled" [ISO 9001:2015].
As for medical devices, this involves an "assessment by objective means of whether the specified users are enabled to achieve the specified goals (intended purpose) within the specified context of use".
This may sound as if only the finished product, here the installed computerized system, must be validated.
However, many regulations go beyond such an understanding. Such as the FDA's requirements: they require the whole development process to be validated; not just its last phase or final product. More on this later.
DQ, IQ, OQ and PQ - we come across these acronyms in the context of CSV. They stand for:
These qualifications are particularly required in the pharmaceutical environment, e.g. by GMP-directives, and rank among equipment validations, just as CSV. IQ, OQ and PQ comprise certain aspects of validation / qualification:
Computerized Systems Validation generally comprises both computer hardware as well as software running on the hardware. Particularly for standard hardware such as PC based systems, Computerized System Validation substantially equates to software validation. In case of specific hardware, it should for example be examined if:
Requirements for validation of computerized systems can be found in:
In 21 CFR part 820.70, the FDA writes:
"When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented. “
21 CFR stipulates in part 11.10:
"Persons who use systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records. Such procedures and controls shall include validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.”
This demand for validation corresponds with what is required under 21 CFR part 820.70.
This Guidance Document is intended to replace the no longer up-to-date FDA Guidance Document on "Software Validation" in those parts that do not concern the software becoming part of the medical device or the medical device itself.
The FDA emphasizes the risk-based approach in terms of critical thinking. Depending on the risk of the software/computerized system, specifically its critical functions, manufacturers must carry out "assurance activities" such as software tests.
On the positive side, the FDA's document distinguishes the development of medical device software from the development of software used in QM systems.
On the negative side, the guidance document can be considered no big success:
Once again, it seems no software engineering experts wrote the guidance. No matter if it concerns definitions, terminology, or methods. The document uses its own concepts.
It is difficult to reduce software quality assurance to analytical quality assurance, especially software testing. Quality cannot be tested in the software. The approaches on classification of software and the proposed test techniques are inconsistent, the examples are not taking into account the concepts presented in full range.
The already large number of CSV specifications becomes even more extensive.
In its latest version, ISO 13485:2016 states the requirements for validation of computerized systems more clearly:
In chapter 4.1.6, it is stipulated that manufacturers shall validate their computer software pursuant to documented procedures. This affects every software used in a process which controls the QM system. Validation shall not only take place before the first use, but also after modifications to the software.
To put it even stronger: in Europe, CSV used to be mandatory only for manufacturing and service processes. Since ISO 13485:2016, this requirement also applies to all computerized systems being used in any of the processes regulated by the QM system. In the context of FDA, this has always been the case.
GAMP 5 applies to medical device manufacturers as well. The authors write:
The scope has been widened [compared to Gamp 4] to include related industries and their suppliers, including biotechnology and systems used in medical device manufacturing (excluding software embedded within the medical devices).
Do you want to impress during audits and leave no questions about CSV unanswered?
Then, the medical device university is just right for you! Here, you will learn everything about computerized systems validation and the corresponding regulations - and you will be able to carry them out independently.
At first, you should understand: which requirements for computer system validation do you want to or must meet?
Both variants are addressed in the following.
If you intend to validate the "finished" (possibly already installed) computerized system, you must know the requirements for the computerized system. If these requirements are lacking, you must deduce them in retrospect.
Unfortunately, many companies and, in part, even authorities, lump different types of requirements together.
Strictly speaking, validation is an examination of whether the first type of requirements is met. However, it can be observed that in practice, the fulfillment of rather system or software requirements is examined during validations. However, technically speaking, this is actually a verification.
In the chapter "Step-by-Step Instructions" you can read about how to conduct this type of validation.
When "validating" according to the FDA Software Validation Guidance Documents, you will document the complete development process such as
IEC 62304 and IEC 82304 as well as the aforementioned FDA documents provide you with valuable information on how to define and implement such a development process.
To validate a computerized system, proceed as follows:
Describe the intended use of the system. Evaluate whether it is supposed to be used in one of the processes that is regulated by your QM systems. If this is the case the system must be validated.
If the requirements for your software and computerized system are not or not completely documented, catch up on this retroactively.
The next step is to specify test cases, i.e. to determine
Finally, you must execute, document and evaluate the tests according to the test specifications.
The following thoughts may help you with your Computerized Systems Validation:
Click here to also read the article on AAMI TIR 36 and IEC 80002-2. Both articles offer specific assistance to validation of "Computerized Systems".
Change history: