One of the things I’m often asked to give an opinion on is whether or not a system (or software) is ‘GxP’ and whether or not it needs to be (or should have been) validated.
That’s not always a simple question to answer, as it needs to consider the requirements of multiple regulations, some of which are inferred rather than explicitly stated.
In some cases it’s easy – regulations and regulatory guidance such as 21CFR Parts 211, 610 and 820 clearly state that systems should be validated, as does the regulatory guidance included in EU/PIC/S GMP Annex 11.
In other cases it’s not that clear e.g. if a system stores records required by the US Food Drug and Cosmetics Act, it may fall within the scope of 21CFR Part 11 and subpart 11.10(a) will require the system to be validated, even if no specific GCP, GMP, GLP or CVP regulation clearly states that (I often refer to subpart 11.10(a) as the ‘catch all’ clause).
In other cases we get into questions as to whether a system or software is or is not a medical device – medical devices aren’t ‘validated’ per se, but they are subject to specific regulatory requirements and other normative standards and guidelines needs to be taken into account (e.g. IEC 62304, ISO 14971). Depending on how they are used, some systems/software may and may not be a medical device (e.g. a LIMS system), in which case the approach taken needs to follow medical device regulations and be capable of being validated.
There are then genuinely ‘grey’ areas where there is currently a lack of explicit or implied regulatory guidance – what about the physician spend reporting requirements under the US ‘Sunshine Act’, or serialisation systems such as required under the EU Falsified Medicines Directive?
Of course, many companies have tried to streamline the process by developing a questionnaire – you know the sort of thing. You’re presented with multiple questions and if you check ‘Yes’ to any one of them the system needs to be validated. This is often also used to determine whether or not the system is subject to Electronic Record/Signature controls.
Those questionnaire are useful in organisations that consistently do the same sort of thing e.g. for a manufacturing site operating under GLP and GMP under EU and US regulations. In those cases it’s relatively easy to develop a set of questions which will identify whether or not a system (or software) needs to be validated.
However, in larger organisations, or in organisations moving into new areas of business or new geographies, or implementing new technologies it’s hard to keep those questionnaires up-to-date.
While my experience isn’t always ‘typical’ (because I tend to get involve with more ‘interesting’ [challenging] projects), I find that in at least 50% of cases, those questionnaires don’t give the right answer. They indicate that a system/software needs validating when it doesn’t, or more worryingly indicate that validation isn’t required when it really is. That’s because the phrasing of the questions is understandably limited and the people who drafted the questions understandably had a limited scope and frame of reference in mind.
While these questionnaires are useful, when I develop one for an organisation I always allow the option to ignore the output, based upon a justifiable, well documented rationale. This always allows the option of a sensible decision being taken based on the specific circumstances of the system and project and under circumstances not foreseen by the questionnaire.
The decision to validate a system and the approach to that validation can of course be standardised where we are constantly doing the same thing, but in many cases what we are doing is new and/or different. What the regulatory authorities want us to do then is think about what were doing and why, based upon risk, and not just blindly follow what some generic questionnaire tells us.
All us us involved in validation and IT Compliance need to be prepared to think about these things from first principles and stand by an intelligent, logical rationale based upon a risk-based interpretations of the current regulations and regulatory guidelines – even if the output from the questionnaire gives an answer contrary to common sense.
So the next time you ask me whether your system needs validating, I’m not being rude and ignoring you – I’m thinking….
Back to Blog