Computer System Validation has changed! Have you embraced it?

February 2024

Introductory Summary

Computer System Validation is traditionally described as (one or more) processes of establishing and recording that the specified requirements of a computerized system are consistently and continually fulfilled throughout its lifetime.

The approach to performing validation - or, alternatively, assuring that the system is always sustained in a validated state - should be based on an ongoing risk assessment. That assessment considers the intended use of the system along with other factors concerning its availability, maintainability, and supportability, matters in and around information security and privacy, and alignment with regulatory guidance.

Historically, validation was performed prior to an initial system launch followed by incremental changes, such as when upgrades took place.

Today, business and technology operating models are more complex and involve multiple parties. They require greater agility, and the involvement of those parties absolutely must be clearly defined within contractual agreements.

This article highlights modifications to traditional concepts and practices due to the increased prevalence of Software-as-a-Service (SaaS) solutions that have emerged over the past decades. Today, such solutions can be regarded as the norm! And they tend to be transparent to end users. Our focus in this paper is specifically upon the use of such solutions in clinical research functions.

Ultimately, and per regulatory guidance, clinical trial sponsors are accountable for ensuring that technology-based solutions used in their clinical trials always operate in a validated state.

Sponsors may, of course, delegate (using robust contractual agreements) duties and responsibilities to Contract Research Organizations (CROs), including solution service providers, who assume those responsibilities.

Hence, sponsors must – directly or indirectly – be assured of the validated state of the solutions they have chosen to utilize. Furthermore, sponsors (or, again, their delegates) have an explicit duty to validate their use of a given solution in the context of specific use-cases (for example, a given clinical trial).

This validation of use is, therefore, fundamentally different from the intrinsic validation performed by the solution providers.

Are solutions from providers validated?

Yes (and No)!  

Established providers (e.g. Salesforce, Veeva, Medidata, Viedoc et al.) have formulated robust controls (typically instantiated by their own QMSs) around their software services development, operations, maintenance and so forth, thereby providing their customers (sponsors, CROs and others) with a high level of ongoing comfort. They - and their solutions - may therefore be regarded, generally, as “low risk”.

Nonetheless, periodic due diligence of these providers is to be recommended, especially when contractual arrangements and scope change. And, in fact, such providers have also been, occasionally, directly subject to regulatory agency scrutiny.

Providers have successfully - and commendably - sought to leverage recognized standards such as SOC 2 and various relevant ISO/IEC standards to reinforce their positions, provide evidence of controls and smoothly facilitate customer due diligence on an ongoing basis.

“Lesser” solution providers - be they small scale by nature or, alternatively, offering new and/or novel solutions for emerging niche needs - may, however, face challenges in this regard. There is a tough balance to be struck by them as they grow. But, in the end, for a sponsor, it’s all about management of risk.

Stepping aside from the duties of providers, when customers - sponsors or CROs - configure providers’ solutions, they should, separately, take a risk-based approach to validating their use of the configured solution(s) using their own QMS.  Such a QMS may need updating to accommodate these new axioms.  Providers often stand ready to support and assist their customers in these efforts as well as during customers’ regulatory inspections.

How are solutions kept in a validated state?

SaaS solution providers must take responsibility for provisioning and maintaining their core services and sustaining them in a validated state.  New solution versions (incorporating new or enhanced features along with fixes to previously known defects) are oftentimes pushed into production on a predefined date with appropriate pre-notifications made to customers along with information about the new release.  Exceptional or emergency updates are also catered for in this scheme of working.

Rather separately, solution providers (and their contracted sub-providers) also take responsibility for the underlying tech-stack: operating system, hypervisor services, hardware, networking, protection systems and so forth. All such underlying components are required to operate seamlessly for the providers’ customers, with the provider conducting ongoing, proactive, operational oversight.

Do customers need to validate solutions?

Customers’ validation efforts should focus on their business workflows and configurations. Customers should also incorporate organizationally based duties and responsibilities, including those contracted to other parties, such as CROs and other providers.

This concept of validation for use is vitally important and is very different from the in-house activities performed by providers.

Customers must recognize this difference and perform their validation for use duties in a risk-based fashion specific to them.

Such duties need not be onerous and may leverage the intrinsic capabilities of the solution to generate evidence of validation execution. Further, automating such duties can drive down their time and cost.

How should customers take a risk-based approach to their validation for use?

Customers should assess the methods and risk of their business processes when formulating their configuration parameters and the adoption of the providers’ solutions. Therefore, customers’ validation efforts should focus on high-risk areas and recognize that, perhaps, their processes may require adjustment.

Customers should not repeat actions already performed by the provider in their validation. Instead, if needed (for example, in a regulatory inspection), the relationship with the provider should be leveraged for support, such as providing the necessary evidence.

What do providers make available to their customers to support their compliance obligations?

Transparency is crucial. Customers should ensure that providers are cognizant of their customers’ regulatory obligations and are able to provide evidence of execution of defined controls. Such controls should vividly embrace the over-arching topics of:

• Quality Management System
• Information Security
• Hosting Operations
• Data Integrity
• Data Privacy
• Service Life Cycle
• Utilization of Electronic Records and Electronic Signatures.

In essence, this means that providers are expected to act as delegated parties of sponsors.

Why are contractual agreements important?

Regulatory inspectorates increasingly focus upon the contractual agreements between a solution provider and customers as the basis for defining parties’ duties and responsibilities. This, per this paper, also includes duties pertaining to validation.


About Validify

Validify provides life sciences organizations with the flexibility to determine the appropriate level of testing and documentation required to meet regulatory expectations.

With Validify, you can digitize your computer systems validation (CSV), implement a risk-based computer software assurance (CSA) approach, or entirely automate the CSV.

You can use Validify to proactively manage risks, generate and update validation documents, and stay compliant at all times.

About the author

Tony Hewer

Founder & Director, Cepheus Consultancy Limited

Tony’s IT career spans over 40 years with the past 25 years in the clinical research space. He’s had experience in software development, program management and quality, security, and regulatory disciplines. He has a BSc and PhD in astrophysics from University College London.
