The pharmaceutical, biotech, and medical device industries are subject to strict health authority regulations to protect data integrity, product quality, and patient safety. Validation of computerised systems is crucial for nailing these three objectives. Life Sciences and Healthcare companies must ensure that their processes are governed and controlled. According to the FDA, software validation regulations apply to all computerised operative systems that impact patient safety, product quality and data integrity.
To operate smoothly, companies integrate central IT computerised systems to support processes and business units, including but not limited to R&D, engineering, production, supply chain, distribution, procurement, and asset management. An ERP (Enterprise Resource Planning) computerised system facilitates the integration of these processes and business units. Furthermore, an ERP system maintains oversight of sensitive operations across the organisation, such as compliance, expiry management, quality, formulation, batch release and more.
Different ERP modules are interconnected. All modules share a common database, using Master Data principles such as ownership, uniformity, accuracy, stewardship, consistency, and accountability of the enterprise’s data.
Companies are continuously updating their ERP systems, implementing pioneering AI, machine learning, and automation that provide data, intelligence, transparency, and efficiency to remain competitive and compliant. There is a clear connection between regulatory compliance and enterprise software systems as the business and IT functions become increasingly integrated. For example, nuclear medicine and cell and gene therapy require the software tool to be considered part of the product, as business and IT work hand in hand.
ERP Computerized systems must be in control during the development and production after go-live.
Computerised system validation and change control ensure that ERP systems fulfill their intended use and produce accurate and reliable results throughout the entire life cycle. Computer Software assurance principles enable regulatory compliance and adherence to user requirements.
Benefits of a Validated ERP System, copyright KVALITO Consulting Group 2022
Computerized System Validation (CSV) and Computer Software Assurance (CSA)
The Pareto Principle specifies that 80% of consequences arise from 20% of causes, inferring an unequal correlation between inputs and outputs. Traditional CSV methodology indicates that manufacturers spend 80% of their time documenting and 20% testing. Conversely, under the CSA approach, 80% of the time is invested in testing higher risk processes and critical thinking, and 20% on documenting.
Critical thinking must always consider these three elements: Patient Safety, Product Quality and Data Integrity.
What is Critical Thinking, and why does CSA encourage us to apply it?
Critical thinking is the process of analysing available facts and pieces of evidence, making observations, and compiling arguments to finally form a judgement.
It´s an ancient method attributed to Socrates (470–399 BC). It is based on being sceptical and questioning yourself about every element you have in the picture. His method of questioning is known as “Socratic Questioning”. It is based on “seeking evidence, closely examining reasoning and assumptions, analysing basic concepts, and tracing out implications not only of what is said but of what is done “.
The CSA approach clarifies the norm by emphasising risk-based critical thinking, assurance needs, testing activities and documentation. After performing the Risk Assessment, and determining what elements, actions, or failures could cause a significant issue to patient safety, product quality or data integrity, the testing effort will be much more focused on those elements.
To ensure compliance with applicable GxP regulations and fitness for intended use, initial risk and impact assessments will identify business-critical processes and the corresponding validation and quality assurance approach. Systems impacted by GxP regulations (including electronic records and electronic signatures) and other regulations, such as Sarbanes-Oxley (financial), Data Privacy and Integrity, Legal, Health, Safety and Environment, and Information Security validation and quality assurance, must comply with regulations. Companies that are regulated by Health authorities are under obligation to both perform computerised system validation and to do it right.
Regulatory bodies such as the International Society for Pharmaceutical Engineering (ISPE), which established Good Automated Manufacturing Practice (GAMP®), have promoted a risk-based approach for over twenty years. CSA clarifies the course and methodology to determine a high risk and low risk and the required testing rigour to minimise manufacturer errors.
How are ERP Systems tested following CSV principles?
CSV’s classical testing approach is based on the well-known V-Model. A list of User requirements is transferred into technical documents, and then all of them are tested using the same approach and effort. Tests are commonly reused and increased based on new features introduced. As time passes, the testing effort gets bigger and bigger.
Figure 1: CSV V-Model Testing Approach, Copyright KVALITO Consulting Group 2022
How are ERP Systems tested following CSA principles?
Instead of testing the whole ERP once a part of a module has been modified, CSA will focus on testing on the modified parts and the interactions with other modules. When it comes to complex and inter -modules testing, like in the case of ERPs, a good technique that can be used is Object Orienting Testing, a combination of various testing techniques. This testing is performed through a step-by-step approach:
- Scope of testing: decide what will be tested based on Risk Approach analysis.
- Design and Analysis of Testing: what kind of tests will be performed? We can use combined units, integration, regression, smoke, stress, and performance testing.
- Testing of Code: ensure that each piece of the puzzle works as expected.
- Integration testing: ensure that all pieces of the puzzle, once they are assembled, work as expected.
- System testing: ensure that the whole module and system with the new puzzle inside is working as expected.
- User Testing: performed by end-user, who validates that all is as expected for the business users.
- Evidences: will be automatically generated by the testing tool, following GDPs (Good Documentation Practices), and then signed and stored on an eDMS (Electronic Data Management System).
The validation and quality assurance approach and related activities can be scaled according to the system’s nature, risk, and complexity.
The CSA’s guideline does not aim to create a new paradigm. Its objective is to put the effort in the right place and make the use of non-product software clear and straightforward: increase testing efforts while limiting documentation for low-risk non-product software systems. CSA states that Risk Analysis is the base for knowing where our efforts should be focused, instead of dealing with all ERP components in the same way, in terms of documentation and testing. From the outset, the FDA planned for CSA, but a lack of clarity and misinterpretation resulted in excessive documentation rather than higher quality. The central purpose of CSA is to emphasise critical thinking and conduct more business testing of the process and the outcomes.
KVALITO is a strategic partner and global quality and compliance services and network for regulated industries. To learn more about our services, please visit us on www.kvalito.ch
If you would like to benefit from KVALITO’s expert services, feel free to send us an email at firstname.lastname@example.org. Are you looking for a position as a life science consultant? Send your complete application to email@example.com