All computer systems need CSV implementation
The author is often consulted by clients who want to implement CSV because they have decided to manage their GxP data electronically. consultation is received.
In addition, there are many consultations because of the large amount of fees charged when the vendor in question is asked to implement CSV.
The digitization of data does not necessarily mean that CSV of all computerized systems must be strictly enforced.
The reason for this is that in 2003, the FDA published a risk-based approach.
When taking a risk-based approach, it is important to implement CSV for systems that handle data that directly impact patient safety, product (including API) quality, Data Integrity.
Examples include systems that manage manufacturing records, quality test records, shipping decision records, validation records, calibration records, etc.
On the other hand, CSV implementation for systems that handle data that indirectly affect patient safety, product quality, and data integrity (e.g., access control records, education and training records, SOPs, etc.), even if such data are defined in regulatory requirements such as GMP and SOPs, and record keeping is mandatory, is not as important It is not.
Critical data” and “critical systems” must be defined in the procedure manual, etc., and risk assessment (risk evaluation) must be conducted and defined in each process in advance.
The FDA issued in August 2003 a Guidance for Industry: Part 11, ElectronicRecords; Electronic Signatures – Scope and Application” contains an important FDA message The FDA’s key messages are.
The approach recommended by the FDA is one of documenting justified risk assessments and making decisions that focus on systems that have the potential to affect product quality, safety, and record integrity.
In response to this message, the January 2013 revision of PIC/S GMP Annex 11 Compterised Systems“, Chapter 1 Risk Management, contains the following requirements.
Risk management must be applied consistently throughout the life cycle of the computerized system, taking into account patient safety, data integrity and product quality.
As part of the risk management system, the determination of the scope of validation and data integrity controls must be based on a justified and explainable documented risk assessment (risk evaluation) of the computerized system concerned.
However, what should not be misunderstood is that as long as the system handles GxP data, it is subject to CSV implementation.
This does not mean that CSV should not be implemented at all, but rather that the degree of CSV implementation should be light, depending on the risk.
For example, let’s say that the FDA or other regulators have pointed out the CSV implementation details of an education and training management system or an access control system.
Regulators must point the finger equally at pharmaceutical companies around the world, which means that pharmaceutical companies around the world pay significant compliance costs.
The compliance costs spent by pharmaceutical companies are passed on to the drug price, resulting in a patient burden.
Spending extra compliance costs to implement CSV on computerized systems that handle data that has no (or only indirect) impact on patient safety or product quality will only increase the patient burden. It creates no value.
In the future, pharmaceutical companies need to have competence to make appropriate risk assessments. The future of pharmaceutical companies will require them to have the competence to make appropriate risk assessments.