There are some eternal values in regulated companies’ lives: GCP, 21 CFR Part 11, and computerized systems validation. However, even these are subject to change.
Recently the most important of them have been updated:
And we can add the well-acknowledged guidance to this list: GAMP®5: 2021 Good Practice Guide: Enabling Innovation.
The changed regulations do influence all of us involved in clinical trials. To make business processes sustainable, there’s an industry trend in place: to adopt a risk-based approach. All the guidelines mentioned say that the approach toward computerized systems used in clinical practice (e.g., regarding validation) should be risk proportionate.
Considerations when applying a risk-based approach for the validation of electronic systems include the following:
- The purpose and significance of the record and the criticality of the data (e.g., how the record and data will be used to support the regulatory decision and/or ensure participant safety)
- The intended use of the electronic system
- The nature of the electronic system (commercial off-the-shelf (COTS) system, customized electronic system)
And here is the question that was touched upon by our QA Director during the RQA Conference: to what extent is it reasonable to delegate CSV-related activities to the vendor?
In general, there are two major approaches to it.
- You can stick to time-proven SOPs on validation and elaborated workflows on change control. You will have to develop User Requirement Specifications and User Acceptance Testing Scenarios, ensure proper documentation of each step, and get the documented evidence of every change acceptance.
- The other way is to rely on software development vendors. You’ll have to select the vendor, conduct the vendor assessment, and delegate a number of activities to the vendor. Not only ‘a number of,’ but ‘all of them’ in some cases. ‘You don’t have to validate our system – we have done it for you.’ This is the statement that regulated companies get from some software developers when discussing GxP systems. This sounds incredibly optimistic and is still arguable.
What is our standpoint here?
Here at Flex Databases, we base everything on fundamental priorities, the same as always:
- Patient Safety
- Data Integrity
- Product Quality
If the computerized system you are going to use does not influence these, minimizing the validation effort might be a good idea. However, that doesn’t mean not validating the system at all. As the system owner is responsible for everything, the approach, process, and outcome must be documented.
All the guidelines say that vendor-provided documents and services can be used. Here’s the list of what can be delegated to the vendor:
- User requirements
- Functional specifications
- Testing / OQ
- User manuals
- UAT Scenario
To treat your vendor as a trusted one, make sure you have qualified it. Here’s what is to be assessed:
- Vendor’s Quality Management System
- Software development process
- Change control
- Technical controls
- Data safety and backups
Once you have assessed the vendor and signed the contract, any service can be used, including the UAT, if you are sure it covers exactly what you will use. However, for high-risk systems, it is highly recommended that end users perform UAT themselves to ensure they know how it all works.
If you’d like to start using a software development vendor, here’s a short checklist of questions to answer before you begin, to make the process easier and more targeted:
- What is the intended software use?
- What is the risk?
- What is the vendor assessment result?
- What documents are provided by the vendor?
- What is your validation approach?
Implementing a risk-based approach to your eClinical systems validation might look like a lot of work, but with the right vendor you can minimize your efforts while maximizing quality and sustainability of your business processes. If you want to learn more – contact us at email@example.com