Expert Advice

Home | Contact Us | Newsletter | Usersclub | Books | Audio Seminars

Who is Responsible for Computer System Validation?

The question about responsibility for computer validation comes up frequently. Suggested functions have been quality assurance, IT, validation groups, regulatory affairs, operations (end-users) and vendors of commercial of the shelf systems. In this Labcompliance Info we can give a couple of recommendations although the final decision will depend on the specific situation of each organization.


Observations and Prerequisites

  • The FDA does not specify who is responsible for computer validation. The only reference we could find is a Proposed Rule from May 3, 1996: 20104 Federal Register 20104 / Vol. 61, No. 87 - 21 CFR Parts 210 and 211Current Good Manufacturing Practice - Amendment of Certain Requirements for Finished Pharmaceuticals. This documents includes a statement related to responsibility for process validation: Process validation is a quality assurance function that helps to ensure drug product quality by providing documented evidence that the manufacturing process consistently does what it purports to do. To further ensure that validation procedures are current, this proposed rule would make the quality control unit responsible for reviewing changes in product, process, equipment, or personnel, and for determining if and when revalidation is required. The agency believes that placing responsibility for oversight of validation procedures in quality control units emphasizes the importance of proper validation to quality control. It is a proposed rule and not specific to computer systems.
  • In Europe the Responsible person states with the each each release of a batch that it has been produced in compliance with GMPs wit validation of processes and equipment being part of it.
  • According to our experience, the FDA and EU agencies don't care who does validation as long as it is done and documented according to approved procedures.
  • Validation can be a longer term and complex activity. For complex projects the responsibilities and tasks are shared between several people. For example operations typically define and verify requirement specifications, the validation group may develop test cases and QA reviews the tests protocols. Typically validation is cross functional team activity with team members from all functions that are affected by the computer system.
  • One person should have overall ownership for the validation project. This can be the system owner.
  • The person who develops test cases should have a good understanding about the computer system and about the application. Otherwise it is impossible to define critical test cases.
  • Persons who are responsible for the entire validation or specific tasks should be qualified for the assigned tasks. The qualification should be documented. For example, if a QA person develops test cases he/she should have a good understanding of the computer system and of the application.
  • Responsibilities should be defined in a validation master plan or SOPs and in individual project validation plans. While the validation master plan is a frame work and should include responsibilities by function individual project plan include names.
  • People who test the software or computer system should represent different types of typical users. For example, if the computer system is used by low skilled operators, test personnel should include these type of operators. The person who develops the software or computer system should not be the only one who tests it. This should ensure objectivity of the test.

Considerations and Recommendations

We recognize that the ideal arrangement depends on the specific organizational structure and also on the system. Therefore we can not give specific recommendations that are applicable for everything but document some of our thoughts that can be considered for defining responsibilities.

  1. The main responsibility for validation of computer system lies with the end-users. They know their systems and the applications best and typically also have the highest interest that the system works reliably as intended. They have to be in control of their system. End-user representatives write the specifications, develop test cases and do most of the initial and on-going testing. They should get help from validation groups on technical content and from QA on the format of test protocols.
  2. The system owner, also an end-user representative, owns the process to define, execute and document the validation activities and results. This requires the system owner to have experience in computer system validation.
  3. Validation groups manage validation of computer systems based on business objectives and the interpretation of applicable federal and international regulations,
    industry standards and guidelines that pertain to the validation of GxP
    systems. They author, review and execute the System Development Life Cycle and validation documentation. Review, analyze and evaluate qualification results, determine acceptability, and ensure that test exceptions and protocol deviations are properly documented and corrected. Further oversee the re-qualification testing resulting from
    deviations and corrective actions
  4. QA is involved in all validation activities. They take a lead in performing the vendor assessment and verify that all validation activities and documents comply with applicable regulations and internal procedures. They review and approve validation documents such as requirement specifications, test plans, summary test results and final validation reports. Review and approve Standard Operating Procedures
    associated with the planning, development and operation of one system. This means that all efforts should go through QA, from the starting point of defining needs or specifications to the end result of documented validation and authorizations. They have an additional important role: They must take the lead if things don't happen as they should do. In practice QA must defend compliance.
  5. For software developed in-house the development department develops functional and design specifications, implements and reviews the code, and tests code modules. Activities follow a software development lifecycle.
  6. IT designs and installs the network infrastructure. They develop scripts for installation and install network components. They advice on risk assessment and extent of testing related to network infrastructure. I do not believe that IT should be responsible for system validation. Typically they do not know the processes and applications running on the system.
  7. Suppliers develop software following a documented software development lifecycle. They test each function of the computer system. Test cases should be traceably to functional and user requirement specifications. They provide documented evidence that the software has been developed in a quality assurance environment and has been validated during development. They also provide functional specifications of the software and computer system and give recommendations on how to prepare the site or the installation. Vendor also accept users for vendor audits and offer protocol and services for installation and operational qualification.
  8. Finally, one last comment: If you have any doubt on what to do in a regulated environment, go basic to the basic principles. One of them is: people should be qualified for their assigned tasks. The FDA inspector will care less who is doing what, but they care if people are qualified for their assigned tasks. The task should be defined by procedures. So if QA signs for the technical content of a validation protocol, there should be some documented evidence, that the persons have the technical competence to do so. Companies organize this in different ways: There are companies where QA departments have technical expertise, there are other companies that have QA groups in the IT department. Both approaches are fine as long as this is documented and procedures are followed.

E-mail this page