Complex production processes and legal requirements mean that companies need to thoroughly validate their IT processes. After all, who wants to waste money and resources or get into trouble with the law?
Dr. Ralf Jorczyk, expert on IT validation at SAP partner cormeta, knows which approach is the right one. We spoke with him about how important successful planning and implementation is for IT validation. Dr. Jorczyk takes the example of the pharmaceutical industry, but the main principles, of course, can be transferred to other sectors.
The aim of an IT validation is to improve the quality of a company’s IT systems. For sustained quality management, qualification and documentation are required in equal measure – regardless of whether we’re talking about operations, testing laboratories, the production process, or stockholding. Risks and weak points must be identified and averted.
Each company can decide on the extent to which it should validate its processes. For example, the question of whether users themselves need to be “validated” depends on what damage may be caused by any mistakes they might make.
Requirements and planning concept
A validation comprises the following phases: a validation plan, a specification with target criteria, a determination of the inventory to be validated, a risk analysis, and a test phase with subsequent documentation.
Legal requirements and specifications form the framework for actually putting the validation into practice. As a rule, every new IT system must be validated. Existing solutions are also subject to validation, but it is hardly possible for ageing systems to comply with the strict rules of the FDA (Food and Drug Administration, United States).
In the process industry, computer system validation (CSV) applies to software, hardware, processes, installations, peripherals, networks, and much more. It is difficult, however, to work out the peripherals to which the GxP (good practice in the areas of pharmaceuticals and medicine) regulations apply. Because inventories are so large, this is only really possible with professional assistance from specialist staff.
In addition, the term “IT system” is only generally defined – it can also apply to users or suppliers, for instance. This is because a user’s input has a direct impact on the IT system. A properly validated LIMS (laboratory information system) is no use if the user makes incorrect entries. Similarly, a validated ERP system cannot prevent a supplier from delivering the wrong goods. IT is thus challenged to make it impossible for such goods to be accepted and to find their way into production.
Don’t forget to document
Documentation plays an important role. Pharmaceutical companies and manufacturers of over-the-counter goods produce guidelines in accordance with GMP (Good Manufacturing Practice). These are updated by the authorities every year. By the way, the guidelines don’t just apply to production, but also to areas such as documentation, laboratories, distribution, and so on, which is why the general term GxP is used. GDP stands for Good Documentation Practice, while GAMP stands for Good Automated Manufacturing Practice.
Pharmaceutical companies in particular must comply with various provisions, for example, the FDA in the United States and the GMP guidelines within the European Union. On top of these, there are various ISO norms, regulations such as the German Drug Law (AMG), the German Medical Products Law (MPG), the Good Storage Practices (GSP) and the Code of Federal Regulations (CFR), which summarizes all the legally binding acts from the American authorities.
Manufacturers of medical devices, food, and cosmetics have similar rules with which they must comply. In the food industry, for example, FDA regulations are usually just as binding, especially if products are delivered to the United States, but there are also other industry-specific legal requirements that need to be met, such as HACCP (Hazard Analysis and Critical Control Points) or hygiene management. In-process checks in food production according to HACCP or batch traceability in line with EU Ordinance 178/2002 usually take place using software. As a result, the systems used for this may have to be validated.
IT validation is a continuous process
Validation projects are open projects. GxP regulations change, and a company’s inventory doesn’t remain static, either. What has been achieved should then be safeguarded and documented through regular audits. It makes sense for companies to keep their IT systems validated until they are no longer used and then replaced.
It may be advisable for pharmaceutical companies to reduce the amount of inventory to be validated, so that they don’t lose sight of what’s important. Looking at the inventory in terms of relevance to GxP and categorizing things as relevant or not relevant is often a good approach here. Anything that isn’t relevant is then put separately into defined risk groups.
It’s also important to be organized well in advance and have a detailed implementation concept with a corresponding validation masterplan. If you can identify, check, and describe critical processes here, you’ll be well prepared. That’s why it’s important to create a validation group comprising your own employees and external IT validation specialists. Of course, roles and responsibilities must be clearly defined so that the project gets off to a good start and stays on track.
Keep to the minimum
Pharmaceutical companies often have difficulty gauging the scope of a project correctly. They tend to go into too much detail, even though it’s sufficient to use just the three risk categories low, medium, and high – an approach that is generally accepted by the authorities. A validation concept should aim to meet the requirements of the validation as far as possible, but no further.
Using this approach, cormeta already succeeded in completing a number of validation projects, for example at Pascoe in Giessen, Germany, which became the first pharmaceutical company to work with state-recognized electronic manufacturing instructions – based on its SAP system. There is, after all, a great amount of documentation to be done in the pharmaceutical industry.
Let’s take the documentation that needs to be completed during production. This comprises a folder with handwritten additions and signatures. Even though digital signatures using the IT system (like at Pascoe) are possible, the move toward electronic documentation is slow. This is not only because such a shift is time-consuming and costly, but also because companies are concerned that the new processes will not be accepted by the authorities. However, the law does permit such electronic documentation.
For companies bound by GMP, validation is a legal requirement and – first and foremost – just costs money. If an IT system was previously in place, validation certainly enables you to measure whether the IT processes have become more effective, because reference values are often available. If, however, new ERP software is implemented and validated, such reference values do not usually exist.
Nevertheless, validation is good for increasing a company’s sense of security: Risks and faults are exposed and can be excluded. And a side effect is that companies often track down not just risks but also potential savings.
It is also more cost effective to avoid errors right from the start than to remove them later at great expense. For instance, it is of course better to ensure that a recipe is followed exactly during the production process than to have to call faulty goods back – an expensive operation, which damages a company’s image to boot.