What is a Computer Validation Report: Key Strategies for Compliance

In the software and hardware industry, there is a growing need to provide a Computer Validation Report (CVR), which documents the reasons to select a particular software or hardware within the industry.

Life sciences companies in particular are required to provide an audit of the selection process, for digital services used in pharmaceutical manufacturing.

In this article, we will define a Computer System Validation (CSV) and Computer Validation Report (CVR), what should be included in the report, and the categories in which computer systems fall under according to their complexity.

What is a Computer System Validation?

A Computer System Validation (CSV) is a process used in regulated industries, such as pharmaceuticals, biotechnology, and healthcare, to ensure that computer systems are operating as intended and produce accurate, reliable, and consistent results. This process is crucial for systems that manage or store data that impact product quality, patient safety, or regulatory compliance.

Why is CSV essential?

• Ensure Compliance: Meet regulatory requirements, such as those set by the FDA (Food and Drug Administration) or EMA (European Medicines Agency), by validating systems that handle electronic records or electronic signatures.
• Maintain Data Integrity: Ensure that the data processed and stored by the computer systems is accurate, complete, and secure.
• Reduce Risk: Identify and mitigate potential risks associated with the use of computer systems, minimising the chance of errors that could affect product quality or patient safety.
• Document Evidence: Provide documented evidence that the system performs as expected, which is essential for audits and regulatory inspections.

What is a Computer Validation Report?

Computer Validation Reports provide an overview of the entire validation project. It is a summary of all planned activities, their success or failure, and any deviations from the expected results or plans encountered.

Once the report is signed, the validation project is considered to be complete, and the system can be implemented. When regulatory auditors review validation projects, they typically begin by reviewing the summary report.

The purpose of a Computer Validation Report is to provide a concise overview of the entire validation effort and the results obtained. Additionally, the approval of the CVR authorises the release of the system for operational use.

The report brings together all the documentation collected throughout the life cycle and presents a recommendation for management approval that the system is validated and should be released for operational use.

The collection of documents produced during a validation project is called a Validation Package. Once the validation project is complete, all validation packages should be stored according to your site document control procedures.

What should a Computer Validation Report address?

1. Identification of the system subject to validation.
2. An inventory of all the deliverables generated during the validation effort including the document identifier and the approval date.
3. A summary of the results obtained during testing along with a discussion of any non-conformance encountered, their impact, and how they were resolved.
4. Details of any deviations from the Validation Plan and the impact of these occurrences on the validation project.
5. A list of any outstanding issues along with any known system limitations.
6. A statement of acceptance allowing for the release of the system.

The computer validation report should include:

1. A description of the validation project, including the project scope
2. All test cases performed, including whether those test cases passed without issue
3. All deviations reported, including how those deviations were resolved
4. A statement whether the system met the defined requirements

Within the validation processes there is a component known as “Good Automated Manufacturing Practices” (GAMP), that are divided into subcategories.

What are the GAMP categories?

GAMP categories are used to subdivide computerised systems according to their complexity. Therefore, the validation strategy can be focused on the points where the system is riskier. It is important to note that the more complex a system is, the greater the risks will be. These risks primarily involve data integrity, product quality and patient safety.

There are 4 categories in which GAMP 5 groups computerised systems according to their complexity. These categories define the approach to full validation. In other words, they determine:

• The type of validation route to follow
• The required documents that demonstrate your system is suitable for the use that will be given and is compliant with the GxP regulation (a comprehensive and critical framework that governs various aspects of the development, manufacturing, testing, distribution, and post-market surveillance of medical products.)

GAMP category 1: infrastructure

Description: Platforms on which computer applications or elements are necessary to operate and manage information technology environments run

Example: Operating systems, firewall, antivirus.

GAMP category 3: non-configurable software

Description: Software without configurable functions, they are marketed freely or are integrated into hardware to allow their operation

Example: Tools for statistical calculation, software for data acquisition without configuration capacity, control panel viewers, spreadsheets used as databases or as documents without some level of configuration.

GAMP category 4: configurable software

Description: Provided to run a specific business process. These configurations include, but are not limited to, operating, measurement, control parameters, and may use other external interfaces to complete the function.

Example: ERP (Enterprise Resource Planning), LIMS, Spreadsheet applications with formulas and / or input data linked to specific cells, production equipment control systems associated with the process (eg PLCs)

GAMP category 5: custom or bespoke software

Description: Tailored to meet specific needs of the organisation that optimise its processes.

Example: Software add-ons for categories 3 and 4, spreadsheets with VBA scripts, unique and dedicated systems, ERP systems or developments of these made to meet the specific needs for an organisation or a specific business, among others.

E-Sign provides services within the remit of GAMP category 5 and provides customers with the necessary Computer Validation Report to attest this for any required audit and compliance procedures.

The configuration of a computerised system refers to the values ​​that are assigned to a certain variable of specific software, which do not imply changes or modifications of the original functionalities, but rather indicate how the system should work to adapt to the needs of the users in the context of their bespoke processes.

There is no category 2 because, when the categories were defined in version 4 of GAMP, firmware had its own characteristics that differed from the rest of the categories, but this has evolved to the point the majority is counted as category 3, 4, or 5. So, when GAMP 4 transitioned to GAMP 5, category 2 was removed but the numbering was not changed, leaving only categories 1, 3, 4, and 5.

GAMP categories are useful for classifying systems according to their level of complexity to determine a validation strategy that can meet the requirements, but more importantly, to focus on the issues that pose a significant risk to the functionality of the systems. The GAMP category is fundamental to a computer validation report.

To conclude

It is becoming more commonplace for businesses not just to simply trial a software, but also to demonstrate its efficacy and security for the purpose in which it is to be adopted in business.  This practice makes perfect business sense and can facilitate efficient investment in infrastructure to drive business growth, as well as significantly improve compliance.

One of E-Sign’s core values is to facilitate in enhancing efficiency and security in all business processes. We have validated all aspects of E-Sign’s products to provide our customers with the appropriate validation documents and the assurance that our platforms can be fully deployed and compliant in any scenario.

For more information, please get in touch with our digital transformation team.