Most companies, when they get to the point of putting a Computer System Validation (CSV) and/or Data Integrity program in place, have many systems already deployed. Often a mix of business, scientific, manufacturing, building management and tracking systems. In addition, there are computerized systems that are combined with hardware to perform some tasks. So if you are tasked with implementing your company’s CSV or Data Integrity program (including 21CFR11 and/or Annex 11 compliance), where do you start?
Don’t start by validating everything, or even most systems, without a critical review. You will spend time and money inefficiently and it is an easy way to get bogged down in a very long and inefficient process. Chances are high that the GxP related systems are a minority of your installed systems.
My recommendation is that you start with a Gap Analysis. That is, you compare your situation with where you would like to be, and generate an assessment of the gaps. Don’t worry about how they will be addressed, but just take a few hours to review and assess. If you have the expertise in house, then that’s great! If not, it is not a difficult thing to identify a qualified consultant to work with you to perform the assessment and advise you of what gaps he/she perceives in your program. In addition, the list of gaps should be prioritized based on a combination of the regulatory exposure of the gap and its potential impact on your operations.
One key gap is often that a company may not have developed an overall plan for managing their equipment and software through a life-cycle approach. There may be no process in place for purchasing, deployment, validation, use, and retirement of equipment and software. This results in two big problems: 1) it is likely that any compliance related equipment/software is not going to be compliant when reviewed, and 2) there will likely be a woefully incomplete understanding of the impact of implementing such a program.
Once the gap assessment is completed, and a system is put in place for new equipment/software procurement that is compatible with compliance requirements, existing systems should be reviewed to determine if they have impact on GxP compliance. This list should be available for review so you can easily communicate the systems that require qualification/validation, and those that are for non-GxP purposes and you can start working on remediation for those systems.
These simple steps can put you firmly on the road to controlling your systems and their qualification status. Then you can look to your consultant or internal regulatory subject matter experts to work through setting up the plans, procedures, and qualifications as required for full remediation. Take advantage of the expertise to minimize the number of systems that require full qualification, based on their intended use. Consider using systems that are easy to validate, such as off-the-shelf solutions and SaaS based validated systems, some of which can save you a ton of time and effort. And don’t forget to consider the intended use of each system. For example, a computerized maintenance management system (CMMS) may require validation, but a system that processes work requests may not. If you have appropriate justification, you can target resources much more efficiently.
Overall, the company should have a system in place for managing their equipment and systems using a life cycle approach consistent with their validation plans and data integrity program. You may be surprised, after review and with the right support, that you can target your efforts and achieve compliance more easily and quickly that you might have initially imagined.