未分類

Understanding “Users” in CSV Implementation

Understanding “Users” in CSV Implementation

The Ambiguity of the Term “User”

In reality, the term “user” is extremely ambiguous. Pharmaceutical companies and medical device manufacturers are user companies in relation to supplier companies. However, referring to an entire company as a “user” is too broad and makes the specific locus of responsibility unclear.

Additionally, operators who perform daily computer system operations and data entry (end users) are also called “users.” However, the term “user” in the context of CSV (Computerized System Validation) does not necessarily refer to those who directly operate the system. Understanding this distinction accurately is critically important for proper CSV implementation.

What is a Regulated User?

PIC/S GMP Annex 11 “Computerised System” (including the 2023 revised version) uses the specific term “Regulated User.” This concept is key to clarifying the locus of responsibility in CSV implementation.

The Position of Regulated User in PIC/S GMP Annex 11:

3. Suppliers and Service Providers 3.3 Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users to check that user requirements are fulfilled.

4. Validation 4.5 The regulated user should take all reasonable steps to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately.

As these provisions make clear, the regulated user is not the operator (end user) who routinely uses the computerized system on a daily basis. The regulated user refers to the person who has responsibility for compliance with regulatory requirements in the relevant business (operations).

In other words, whether or not one actually operates the computerized system on a daily basis is irrelevant to the definition of regulated user. The regulated user is in a position to bear responsibility for ensuring that the system meets regulatory requirements and is fit for its intended purpose.

Concrete Example: The Difference Between Regulated Users and End Users

Let us consider a manufacturing record management system at a pharmaceutical company as an example:

  • End User (Operator): Manufacturing operators who actually operate the system on the manufacturing floor and enter production data
  • Regulated User: Quality Assurance department managers or manufacturing department heads who are responsible for ensuring that the system meets GMP requirements and is operated appropriately

Thus, the regulated user is defined based on their role and responsibilities within the organization.

Who is Responsible for Creating the User Requirements Specification (URS)?

When implementing CSV, a User Requirements Specification (URS) must be created. Many readers probably understand that the URS should be created by the “user.” However, as mentioned above, the term “user” is ambiguous.

Naturally, it would be difficult for operators (end users) who routinely operate the system to create the URS independently. This is because the URS should include the following elements:

  • Business process requirements
  • Compliance with regulatory requirements (GMP, GxP, etc.)
  • Data integrity requirements
  • Security requirements
  • Audit trail requirements
  • Functional and non-functional system requirements

Comprehensively defining these requirements requires deep understanding of regulatory requirements and the ability to oversee the entire business process.

Therefore, it is reasonable to consider that the “regulated user” has responsibility for creating the URS. In practice, the regulated user collects business requirements from end users and integrates them with regulatory requirements to document them as the URS.

Who is Responsible for Conducting User Acceptance Testing (UAT)?

Similarly, the person responsible for conducting User Acceptance Testing (UAT) should also be the regulated user.

System Testing (ST) and Integration Testing (IT) are generally delegated to the vendor or IT department. These tests focus on technical verification of system operations.

However, UAT needs to verify that actual user operations using the computerized system can be executed appropriately. Specifically:

  • Confirmation of operations according to business workflows
  • Confirmation of regulatory requirement fulfillment
  • Ensuring data integrity
  • Confirmation of usability through actual operation by end users

To conduct such comprehensive verification, it is desirable for the “regulated user” to take the lead in implementation. However, in actual test execution, it is important to obtain participation from end users and incorporate perspectives from the field.

Role Division in CSV Implementation

The roles of each stakeholder in CSV implementation can be organized as shown in the following table:

RolePrimary ResponsibilitiesSpecific Roles in CSV Activities
Regulated UserResponsibility for regulatory complianceSystem qualification assurance• Approval and management of URS• Approval of validation plans• Supervision and approval of UAT• Participation in supplier assessment• Final approval of system release
End User (Operator)Routine system operationData entry and verification• Provision of business requirements• Participation in UAT (actual operation)• Training attendance• Operation according to SOPs
Quality Assurance (QA)Supervision of validation activitiesVerification of regulatory compliance• Management of Validation Master Plan• Review and approval of validation documents• Supervision of change control• Implementation of periodic reviews
IT DepartmentTechnical implementation and support• Creation of technical specifications• System construction• Execution of technical tests (IQ/OQ)• Provision of technical support
Supplier/VendorSystem development and provisionProvision of technical documentation• Provision of product documentation• Provision of development quality assurance information• Technical support• Provision of update information

Trends in International Regulatory Harmonization

The concept of “regulated user” in CSV implementation occupies an important position within international regulatory harmonization. FDA (U.S. Food and Drug Administration) guidance, EMA (European Medicines Agency) guidelines, and PIC/S GMP Annex 11 all agree on the principle that the user company bears ultimate responsibility for regulatory compliance.

In particular, data integrity guidance from the FDA, MHRA (UK Medicines and Healthcare products Regulatory Agency), WHO (World Health Organization), and others emphasizes management responsibility throughout the entire data lifecycle, and it is the regulated user who bears this responsibility.

Conclusion

When using the term “user” in CSV implementation, it is important to clarify its meaning:

  1. Regulated User: Bears responsibility for regulatory compliance, approval of URS, supervision of validation activities, and responsibility for conducting UAT
  2. End User: Operators who actually operate the system on a daily basis

By clarifying this distinction, the locus of responsibility in CSV activities becomes clear, enabling more effective and regulatory-compliant validation. As an organization, clearly defining who the regulated users are and assigning appropriate authority and responsibility forms the foundation for successful CSV implementation.

Which Companies Are Subject to FDA Inspection? Previous post Distinguishing Between Part 11 and Data Integrity: A Comprehensive Understanding and Appropriate Response Next post

Related post

Comment

There are no comment yet.