The cost of compliant CSV can be as much, if not more than the remaining tasks required for system development and implementation. A balance must be reached in order to achieve compliance while minimizing cost of CSV. There are specific industry best practices for effectively controlling the cost of system validation. The cost of longer-term system maintenance and operations should be considered
- Develop and implement a data governance process where GxP data is considered a valuable corporate asset that must be accurate, trustworthy and secured through its life cycle
- Map data and process flows for all computer systems including enterprise systems with GMP components, laboratory systems, and manufacturing systems. This information is key to identifying and implementing risk-based actions
- Validate systems for their intended purpose, taking a risk-based approach
- Systems include computer hardware, software, peripheral devices, network infrastructure, operators, and associated documents including standard operating procedures
- It is not sufficient to purchase “Part 11 compliant” software because it does not address these other components
- Obtain buy-in for a strategy from Senior Management
- Know your organizational culture – can this work here?
- Include the business users in all decisions; include detailed scenarios
- Limit Customization, Migration and Conversion
Leverage Vendor Work Products
Manage Organizational Change Effectively
Monitor and Control Change Effectively
- Have the appropriate training to develop a strategic plan, implementation plan, and policies/procedures
- Establish a training program that is mandatory and includes an assessment
- Perform internal audits
- Evaluate newer technologies
- Stay ahead of the curve, reviewing all impending economic, societal, technological, and other changes that may have an impact on your organization’s validation program, policies/procedures, and efforts
CSV Policies & Procedures
Build a solid computer system validation (CSV) program, including:
- Validation Policy (the “What”) : These are very high-level documents that include statements such as “must” and “will”
- Validation Procedures (the “How”): These are much more detailed documents that are prescriptive, providing the specific steps to be followed in order to carry them out
Key Components of CSV Policies and Procedures :
- Address related subject, but at a different level and with different content
- Each type has a unique purpose that drives the content contained in it
- Describing the distinctions using who, what, where, when, why and how often helps to understand and properly structure them
- Policy specifies what, while procedure specifies how
- Policies typically include the word “must” or “shall,” as they are directive in their meaning
- Both are “living documents”
Policy Checklist for GxP Compliance:
- Computer System Validation Policy
- Information Technology Change Control Policy
- Information Technology Risk Management Policy
- Information Technology Security Policy
- Information Technology Asset Management Policy
- Information Technology Electronic Communications Policy
- Information Technology Electronic Records/Electronic Signatures (ER/ES) Policy
- Information Technology Social Media Policy
- Data Governance Policy
- Disaster Recovery Planning and Management Policy
- Business Continuity Planning and Management Policy
- Information Technology Good Documentation Practices Policy
- Information Technology Vendor Management Policy
- Information Technology Vendor Audit Policy
- Vendor Selection and Audit Procedure
- Computer System Validation (CSV) Procedure
- System Risk Assessment and Management Procedure
- Security and Access Management Procedure
- Change Control Procedure
- Functional Requirements Specification (FRS) Procedure
- System Design Specification (SDS) Procedure
- Unit and Integration Test Procedure
- Installation Qualification (IQ) Test Procedure
- Operational Qualification (OQ) Test Procedure
- Performance Qualification (PQ) Test Procedure
- Requirements Traceability Matrix (RTM) Procedure
- Operational Maintenance Procedure
- Data Backup, Recovery and Archival Procedure
- Periodic System Review and Revalidation Procedure
- System Configuration Management Procedure
- System Acceptance Procedure
- System Release Procedure
- System Retirement Procedure
- Disaster Recovery Procedure
- Business Continuity Planning Procedure
- System Documentation Procedure
- Training Management and Tracking Procedure
Related Reading
CSV, Data Integrity and 21 CFR Part 11 Requirements