Why is Computer System Validation

Required and What Happens if You Don’t

Comply?
Computer system and software validation is about the patients and the products we
make for the patients. As consumers we want to trust that our medicine, medical
devices, instruments our doctors use, and so forth, work the way we expect them to
work.

There are product recalls for so many things – product recalls for food, toys, and
even vehicle airbags. And when a doctor administers a mislabeled drug to a child
using the adult dosage, bad things could happen. There have been many
unfortunate instances where products have failed, causing great harm to patients.
Therefore, regulatory agencies around the world require validation of computer
systems and software.

Computer System Validation is required for companies that perform any of

these activities:

 Designing, developing, running clinical trials

 Manufacturing, packaging, and labeling
 Storing and distributing
 Installing and servicing (i.e., diagnostic equipment)

Products requiring validation:

 Pharmaceuticals – drugs used to diagnose, cure, prevent or treat disease.

Medicines (medications, medicinal products, medicaments)
 Biologicals – product made from any virus, therapeutic serum, toxin,
antitoxin used for prevention, treatment or cure of diseases or injuries (i.e.,
vaccines)
 Human cell and tissue products – products containing or consisting of
human cells or tissues that are intended for implantation, transplantation,
infusion, or transfer into a human recipient (i.e., bones, skin, heart valves,
corneas)
  Medical devices – an instrument, apparatus, implant, in vitro reagent, or
similar that is used to diagnose, prevent, or treat disease. Examples include
tongue depressors, medical thermometers, diagnostic systems, medical
lasers, surgical implants, prosthetics, etc.
 Infant formula

Who says that you must validate your computer systems?

CSV Regulatory Requirements in the United States

In the United States, the FDA code of regulations requires validation.

Specifically, 21 CFR 11 requires validation to all FDA regulated industries. Also, 21
CFR 820 applies to Medical Device makers, requiring validation of software within
medical devices, and validation of software and systems used in making devices and
managing the quality programs associated with making devices

Other notable FDA regulations include 21 CFR 211 and 21 CFR 1271. Part 211
applies pharmaceutical manufacturers. It does not use the term ‘validation’
specifically, but the FDA has enforced validation for pharma via Warning Letters. It
applies to Biological Products, Blood Products, and Cell/Tissue Products. Part 1271
also requires validation, applying to companies that produce cell and tissue products.

Infant formula companies must comply with 21 CFR 106. It contains the same
verification terminology as the Pharma regulation, but it also specifies that
companies need to validate their systems. Additionally, Part 106 requires infant
formula companies to revalidate upon modification.

CSV Regulatory Requirements in Europe

For countries that are a part of the European Union, validation is required for the
software used in medical devices. The EU also requires validation for the systems
used by makers of medicinal products. To review the related regulatory documents,
look at EudraLex Volume 4 on Good Manufacturing Practice, Medicinal Products for
Human and Veterinary Use; specifically Annex 11 on Computerised Systems.

Validation Requirements outside of the US and EU

In Brazil, the ANVS Good Practices of Medicament Manufacturing states that

validation is required. And in the Japan, their Guideline on Management of
Computerized Systems for Marketing Authorization Holders and
Manufacturers of Drugs and Quasi-drugs requires validation.

Another governing body, the International Conference on Harmonisation of

Technical Requirements for Registration of Pharmaceuticals for Human Use,
otherwise known as ICH, has guidelines that have been adopted as law in several
countries. The US FDA uses ICH as guidance for their regulations and guidelines.
You may want to review ICH Q7A (active pharmaceutical ingredients manufacturers)
and ICH E6 (good clinical practice) – both state validation is required.

PIC/S, the Pharmaceutical Inspection Co-operation Scheme (PIC Scheme), has

an impact on common inspection standards around the world. They work to
harmonize inspection standards and improve cooperation in GMP between
regulatory authorities and the pharma industry. PIC/S shares many standards with
ICH. In 2016 they had 46 member countries and 7 countries in the member
application process. Non-member countries also use PIC/S standards. Example
documentation includes PE 005 for Blood Establishments, PE 009 for Medicinal
Products Manufacturing and PE 011 for Good Distribution Practice for
Medicinal Products. PIC/S guideline PI 011 for Computerized Systems states
that validating a system after it has been put into use (aka retrospective validation) is
not an option.

Lastly, the World Health Organization (WHO) is also a directing and coordinating
authority for health within the United Nations system. Documentation requiring
validation can be found in the Specifications for Pharmaceutical Preparations as
well as the GMP for Pharmaceutical Products.

Four Reasons Why Regulators Require Validation

I mentioned in the beginning of this post that validation is about the patients and the
products we make for the patients. It’s important to understand why regulators
require computer system and software validation. So here are the key reasons along
with a few examples of each.

1. Safety – Do no harm

 Software in a medical device to treat an illness can’t fail to dispense the

correct treatment
  Lab software needs to correctly detect and measure impurities
 Complaints systems need to correctly analyze trends in product quality

2. Effectiveness – Do some good

 Diagnostic software intended to detect an illness can’t fail to detect

 Lab software needs to correctly detect the potency (strength) of the product
 Clinical trial systems records need to correctly reflect patient data from before
or after treatment

3. Accuracy – The data must be correct

 Software that controls a medical imaging system can’t mix up records

between patients
 Distribution systems records need to be accurate regarding what went where
to enable recalls
 Blood management software needs to correctly identify the blood type

4. Integrity – It needs to be transparent who authored, changed or deleted data

 Software needs to prevent and allow detection of data falsification (i.e.,

prevent deletion of lab tests, enable audit trails to allow review of changes)
 FDA inspections require this

What happens if you don’t follow the regulatory requirements?

Regulatory agencies have several enforcement actions at their disposal to punish

companies who are out of compliance with the regulations.

 Warning Letter – the most common tool; usually issued after an inspection
resulting in a 483, and then an unsatisfactory response
 Injunction – civil action to prevent production or distribution of the product
 Product seizure – happens when the FDA believes that a company is likely to
distribute adulterated or misbranded product
 Import restrictions
 Clinical hold
 Delay in approval of new products or facilities
 Consent decree
  Rejection of application data – often occurs for clinical trials
 Disqualification of clinical investigators
 Debarment
 Criminal prosecution

Between 2013 and 2015, the FDA has issued over 200 Warning Letter citations for
software and computer system issues. Nearly 1/3 of these were for validation issues.
Furthermore, most of the validation issues were for simply failing to validate the
software or computer system. To see the latest Warning Letters, visit our
Document Library.

While regulatory inspections could happen infrequently at your organization, you

might face customer audits in which failure to comply could lead to a lack of business
from that customer. Computer System Validation is something to take seriously as
there is a lot at stake for the future of your product and company.