未分類

What is Validation (Revised Edition)

What is Validation (Revised Edition)

What is a Quality System (Software)?

A quality system (software) is one that fully meets user requirements. It is not only about the absence of defects (bugs), but also requires that the system is fit for its intended use and effectively supports business processes.

Definition of Validation

According to ISO 9000:2015, the international quality management standard, validation is defined as follows:

“Validation is confirmation, through the provision of objective evidence, that requirements for a specific intended use or application have been fulfilled.”

In contrast, the IT industry often defines validation differently, typically referring to software testing and debugging activities. This misunderstanding is also observed among some people in the pharmaceutical industry. It is important to note that merely testing software and fixing bugs does not constitute validation.

In the pharmaceutical industry (particularly for FDA and EU regulatory authorities), validation means ensuring complete conformity of the system to user requirements. In other words, during User Acceptance Testing (UAT), it is most critical that users use the system according to new business processes and confirm that the processes can be executed without problems.

Regulatory Framework in the Pharmaceutical Industry

Validation of computerized systems in the pharmaceutical industry must comply with the following major regulations and guidelines:

US FDA Regulations

21 CFR Part 11: Regulations concerning electronic records and electronic signatures (enacted in 1997). It requires verification to ensure that computerized systems maintain accuracy, reliability, and consistent intended performance.

Computer Software Assurance (CSA): In September 2022, FDA issued draft guidance “Computer Software Assurance for Production and Quality System Software.” This guidance recommends a transition from the traditional Computer System Validation (CSV) approach and emphasizes a risk-based approach, critical thinking, automated testing, and exploratory testing. CSA reduces the documentation burden and focuses on patient safety, product quality, and data integrity.

EU Regulations

EU GMP Annex 11 (Computerised Systems): Guidelines for computerised systems used in GMP-regulated activities. The current version was issued in 2011, but a significantly revised draft was published in 2024 for stakeholder consultation. The revision expanded to over 400 pages and includes the following new elements:

  • Cloud services
  • Artificial Intelligence/Machine Learning (AI/ML) systems
  • Enhanced cybersecurity
  • Comprehensive approach to data integrity
  • Strengthened supplier management

New Annex 22 (Artificial Intelligence): A new annex (draft stage) establishing requirements for the use of AI and machine learning in pharmaceutical manufacturing.

International Guidelines

ISPE GAMP 5 Second Edition: Published by the International Society for Pharmaceutical Engineering (ISPE) in July 2022. An industry-standard guideline providing a risk-based approach to compliant GxP computerized systems. The second edition integrates the following modern approaches:

  • Emphasis on critical thinking
  • Agile development methodologies and DevOps
  • Cloud computing
  • AI/ML technologies
  • Blockchain/Distributed Ledger Technology
  • Open-source software
  • Exploratory and automated testing
  • Leveraging supplier documentation

ICH Q9 (Quality Risk Management): Provides principles of quality risk management and serves as the foundation for GAMP 5 and Annex 11.

Modern Validation Approaches

Traditional Computer System Validation (CSV) focused on extensive documentation and detailed step-by-step test protocols (IQ/OQ/PQ). However, this method faced the following challenges:

  • Excessive documentation burden
  • Prescriptive and rigid approaches not commensurate with actual risks
  • Focus on compliance rather than patient safety and product quality

Modern approaches (CSA and GAMP 5 Second Edition) emphasize the following:

Risk-Based Approach: Tailoring verification efforts based on risks to patient safety, product quality, and data integrity.

Critical Thinking: Knowledgeable and experienced subject matter experts (SMEs) use critical thinking to define appropriate approaches.

Lifecycle Management: Managing systems through concept, project, operation, and retirement phases.

Data Integrity (ALCOA+ Principles):

  • Attributable
  • Legible
  • Contemporaneous
  • Original
  • Accurate
  • Complete
  • Consistent
  • Enduring
  • Available

Automation and Tool Utilization: Improving efficiency and quality through automated testing tools, continuous integration, and utilization of electronic records.

Validation Practice

To implement effective validation, the following steps are essential:

Clarifying User Requirements Specification (URS): Clearly define the functional requirements the system must meet.

Risk Assessment: Evaluate potential risks to patient safety, product quality, and data integrity.

Developing Validation Plan: Establish an appropriate validation strategy based on risks.

Installation Qualification (IQ): Confirm that hardware and infrastructure conform to specifications.

Software Validation: Verify that the application meets functional requirements. Utilize exploratory and automated testing.

User Acceptance Testing (UAT): Actual users use the system in business processes and confirm that it is fit for its intended use. This is the most critical stage of validation.

Documentation: Maintain an appropriate level of documentation that provides objective evidence. However, documentation creation is not an end in itself, but a means to prove system conformity.

Continuous Monitoring: Ensure that the system maintains its validated state during the operational phase.

Change Control: Implement appropriate change management processes to ensure that system changes do not affect the validated state.

Validation in Practice – Key Requirements by Regulatory Framework

AspectFDA (21 CFR Part 11 & CSA)EU (Annex 11)GAMP 5 Second Edition
Primary FocusElectronic records/signatures, risk-based software assuranceComputerised systems in GMP activitiesRisk-based lifecycle approach
Documentation ApproachReduced burden with CSA, focus on critical thinkingComprehensive but proportionate to riskModern tools and automation, less paper
Risk ManagementICH Q9 principles, patient safety focusQRM throughout lifecycle, ALCOA+Foundation of all decisions
Testing StrategyAutomated, exploratory, unscripted testingRisk-based, end-to-end validationFlexible testing (scripted and unscripted)
Supplier ManagementVendor qualification essentialFormal agreements, clear responsibilitiesLeverage supplier documentation
Data IntegrityALCOA+ principles mandatoryEnhanced controls, audit trailsEmbedded throughout lifecycle
Emerging TechnologiesAI/ML guidance developingNew Annex 22 for AI/MLDedicated appendices for AI/ML, blockchain, cloud
Validation LifecycleSoftware development lifecycle (SDLC)Concept through retirementV-model with iterative approaches
Change ControlDocumented validation for changesRobust change control mandatoryIntegrated with QRM
Audit TrailRequired for regulated activitiesTamper-evident, reviewableSystem-enforced where possible

Summary

Validation is not merely testing or bug fixing, but a process of confirming through objective evidence that a system meets user requirements and is fit for its intended use. In the pharmaceutical industry, a risk-based approach throughout the entire lifecycle is required to ensure patient safety, product quality, and data integrity.

Current regulatory trends (FDA CSA, GAMP 5 Second Edition, revised EU Annex 11) emphasize critical thinking, risk management, and adaptation to modern technologies (AI/ML, cloud, Agile). Validation should move away from excessive documentation creation and be positioned as a substantive quality assurance activity.

Most importantly, in User Acceptance Testing (UAT), actual users must use the system in new business processes and confirm that they can execute them without problems. This proves that the system truly meets user requirements and is “fit for intended use.”

The evolution of validation practices reflects the pharmaceutical industry’s commitment to patient safety while embracing technological innovation. Organizations must balance regulatory compliance with operational efficiency, leveraging modern tools and methodologies to ensure that computerized systems remain effective, reliable, and compliant throughout their lifecycle.

The Myth of Category Classification Previous post About Risk Next post

Related post

Comment

There are no comment yet.