In this post, CSV stands for ‘Computerized System Validation’. CSV is a specialized practice within the regulated life sciences industry. Computerized systems, software and various applications used to collect and store critical data must be validated according to regulations by health authorities.

Here is a list and short description of 6 topics any CSV professional ought to be aware of and follow:

1. Guidelines by regulatory authorities

It is very important to be aware of current industry regulations, specifically those that impact CSV. The FDA site and the European Union’s Annex 11 to GMP guidelines are good starting points. The GAMP5 guideline from ISPE is a ‘must-have’ for CSV professionals, although this 350+ page guide is not available for free. The GAMP5 guideline provides a risk-based approach to validating different categories of computerized systems and offers guidance on CSV methodology and on how to leverage information that can be provided by the suppliers of computerized systems. Also, don’t forget to look at the warning letters published by the FDA and/or by associated groups, specifically on the use of electronic systems in Good Manufacturing Practices (GMP) operations. Substantial amounts of information on this topic can easily be found by searching the internet.

2. Data Integrity regulations

Life sciences facilities that manufacture pharmaceutical products and medical devices for human use constantly collect and store data. This data can be laboratory results, quality metrics, supplier data, or even patient information data. The US Food and Drug Administration (FDA) and the European Medicines Agency (EMA) have strict regulations governing data integrity and periodically update these regulations. The Concept Paper describing Considerations for a Corporate Data Integrity Program published by ISPE in March 2016 provides very useful information on this topic. 

3. General Data and Patient Data regulations

In the past year there seems to have been a ‘commotion’ regarding new regulations on data security, patient data and transfer of data. Specifically, the EU-US Privacy Shield was designed in February 2016 to replace the long-standing International Safe Harbor agreement, mainly on the topic of data access, with implications for the latest Cloud computing developments. (Note: In April 2016 this initiative was challenged, so some revisions would not be surprising.)

Furthermore, the EU published its General Data Protection Regulation (GDPR) in April 2016, which, as soon as it goes into effect in two years, will enforce new and stricter regulations on the handling of EU citizens’ data by various organizations.

Finally, when validating computerized systems that handle patient data, the CSV professional must take into consideration the following regulations: Protected Health Information (PHI) and HIPAA (Health Insurance Portability and Accountability Act of 1996). In short, these regulations apply to data access, information security and storage of patient data.

4. Cloud computing in the Life Sciences

Critical data obtained during pharmaceutical product manufacturing operations used to be mainly stored in-house and maintained by the traditional IT infrastructure departments of the life sciences organizations. In the last few years, with the emergence of Cloud computing, we have seen a trend where more and more data are being stored in virtual places, basically somewhere other than the traditional on-premise locations. The qualification state of the IT infrastructure and the validation of the computerized systems housed in it are among the important topics the CSV professional must consider. There are numerous challenges and benefits in adopting the cloud computing direction. You may take a look at the following link for more related information on CSV and the Cloud.

5. Mobile Medical Applications (mobile medical Apps)

In the last few years we have seen a rise in the use of health-related applications that can be executed on mobile platforms such as smart phones and tablet computers. These mobile medical Apps often fall under the FDA’s definition of ‘medical device’. If these devices fall further under the enforcement requirements of the authorities, they must be validated to ensure compliance with regulations. The purpose of this validation is to ensure that the functionality of these mobile Health Apps “does not pose a risk to a patient’s safety if the mobile App were to not function as intended” – Quote from FDA’s guidance for Industry and FDA staff, February 2015. There is even an ‘Interactive Tool’ created by the FTC to help determine when FDA laws apply to a new mobile Health App that “collects, creates, or shares consumer information”.

6. Automated validation tools

The CSV ‘work’ entails risk assessments, collecting user requirements, planning the validation project, creating validation templates and executing validation tests mapped to user requirements and regulations. All this work can sometimes be overwhelming to handle manually, for example with an Excel sheet. Recently we have seen the development of automated validation tools, which have been shown not only to save time during the validation effort, but also to keep track of and map all requirements, test scripts and deviations. Some of the available tools are: Procedure Capture by Raltus, GxP Manager’s SVV application and TestTrack by Seapine Software.

Summary 

A knowledgeable CSV professional who has taken into account the 6 points mentioned above can support the CSV activities of a life sciences organization: assessing the applicable regulations, collecting user requirements, planning the necessary validation activities, executing validation test scripts and providing a final validation report. This work not only improves peace of mind regarding patient safety linked to the computerized system in question, but also increases the degree of assurance that the computerized system is in compliance with regulations and that it functions and performs as intended. Ultimately, once the validation work is approved by stakeholders and the ‘owners’ of the computerized system, it can be shown to inspectors during audits.