Updated: Sep 23
As ERP validation experts in the Life Science industry, we are often asked about applicable regulations and standards. Even if a sound computer system validation (CSV) program provides benefits that go beyond meeting regulatory requirements, regulatory compliance remains to this day the primary driver behind this industry-wide activity and understanding this regulatory landscape can be a daunting task.
If you are, or are associated with, a life sciences organization operating or thinking about operating in the United States, Canada or Europe, this blog should help you identify clinical research, pharmaceutical or medical device regulations you should consider when devising an ERP validation strategy.
“Do I need to validate my ERP system?” Yes, you do…
There is an ocean of regulations and standards tied with the Life Sciences industry and, for the purpose of the present blog, this ocean can be dividing into three great seas: clinical research, pharmaceuticals and medical devices.
There are regulations you must be familiar with in order to judiciously navigate each sea. Table1 is a summary of core regulations presented by regions and industry segments. It is limited to regulations making specific mention of the need to validate computerized systems, such as an ERP system would represent. Following this table, you will find extracts from those key regulations and standards. It is important to note that this list would need to grow significantly if we were to also include materials having to do with process, test method and/or equipment validation, or to specific features covered by an ERP system, which are topics best kept for future discussions.
Table 1: CSV COMPLIANCE TABLE
*Note that European medical device regulations are undergoing major changes. Medical devices within the EU are currently regulated by 3 directives: Council Directive 90/385/EEC on Active Implantable Medical Devices (AIMDD) (1990), Council Directive 93/42/EEC on Medical Devices (MDD) and (1993) Council Directive 98/79/EC on in vitro Diagnostic Medical Devices (IVDMD) (1998). Those directives are being replaced by two new regulations: Regulation (EU) 2017/745 and Regulation (EU) 2017/746. For simplicity sake, we will push potential discussions or comments around the new regulations and the current directives to a later time.
Applicable(s) Region(s): USA || Industry Segment(s): All
Subpart B - Electronic Records
11.10 Controls for closed systems.
Persons who use closed systems to create, modify, maintain or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Procedures and controls shall include the following:
(a) Validation of systems to ensure accuracy, reliability, consistent intended performance and the ability to discern invalid or altered records.
Applicable(s) Region(s): CAN & EUR || Industry Segment(s): Medical Devices
“4.1.6 The organization shall document procedures for the validation of the application of computer software used in the quality management system. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application.
The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software.
Records of such activities shall be maintained (see 4.2.5).”
“7.5.6 Validation of processes for production and service provision
The organization shall document procedures for the validation of the application of computer software used in production and service provision. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software, including the effect on the ability of the product to conform to specifications.
7.6 Control of monitoring and measuring equipment
The organization shall document procedures for the validation of the application of computer software used for the monitoring and measurement of requirements. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application.
The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software, including the effect on the ability of the product to conform to specifications.
Records of the results and conclusion of validation and necessary actions from the validation shall be maintained (see 4.2.4 and 4.2.5).”
Applicable(s) Region(s): CAN || Industry Segment(s): Medical Devices
Note: The need to validate software integrated into medical devices is specified in SOR/98-282 but nothing CSV specific can be found. However, SOR/98-282 does require a Quality management System certificate to be provided for Type II, III or IV (not for type I) devices. This means being ISO 13485:2016 compliant. See ISO 13485 above for CSV requirements tied with this standard.
“Validation means confirmation by examination and the provision of objective evidence that the requirements for a specific intended use have been fulfilled, as set out in the definition validation in section 2.18 of International Organization for Standardization standard ISO 8402:1994, Quality management and quality assurance - Vocabulary, as amended from time to time.
Application for a Medical Device Licence
(32)(2)(f) a copy of the quality management system certificate certifying that the quality management system under which the device is manufactured satisfies National Standard of Canada CAN/CSA-ISO 13485:2016, Medical devices — Quality management systems — Requirements for regulatory purposes.
(Note: The above statement repeats itself multiple times within SOR/98-282”
Applicable(s) Region(s): USA || Industry Segment(s): Medical Devices
“Subpart G—Production and Process Controls
§ 820.70 Production and process controls.
(i) Automated processes. When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.”
Applicable(s) Region(s): USA, CAN, EUR, + || Industry Segment(s): Pharma
12.1 Validation Policy
12.10 The company's overall policy, intentions, and approach to validation, including the validation of production processes, cleaning procedures, analytical methods, in-process control test procedures, computerized systems, and persons responsible for design, review, approval and documentation of each validation phase, should be documented.”
Applicable(s) Region(s): CAN || Industry Segment(s): Pharma
“C.020.020 to C.02.024
Interpretation # 6
If you use an electronic system to create, modify or store records required under these regulations, you should validate the system for its intended use.
a. Ensure all access and user rights in electronic systems are properly controlled to prevent system users from compromising data integrity.
b. Control electronic records in a way that ensures the records:
i. can only be created and modified by authorized personnel
ii. are protected against intentional or accidental deletion
iii. are named and organized in a way that allows for easy traceability
iv. are tracked through an audit trail when created or modified (the audit trail should include changes made to the record, who made the change, the time and date the record was changed and, if applicable, the reason the record was modified)
v. are backed up at regular intervals to protect against potential data loss due to system issues or data corruption
vi. are available for review during an inspection and are readily retrievable in a suitable format
vii. include all necessary metadata”
Applicable(s) Region(s): EUR || Industry Segment(s): Pharma
This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A computerised system is a set of software and hardware components which together fulfill certain functionalities. The application should be validated; IT infrastructure should be qualified. Where a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process.”
Applicable(s) Region(s): USA || Industry Segment(s): Pharma
“27.0 § 211.68 Automatic, mechanical, and electronic equipment.
(a) Automatic, mechanical, or electronic equipment or other types of equipment, including computers, or related systems that will perform a function satisfactorily, may be used in the manufacture, processing, packing, and holding of a drug product. If such equipment is so used, it shall be routinely calibrated, inspected, or checked according to a written program designed to assure proper performance. Written records of those calibration checks and inspections shall be maintained.
(b) Appropriate controls shall be exercised over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel. Input to and output from the computer or related system of formulas or other records or data shall be checked for accuracy. The degree and frequency of input/output verification shall be based on the complexity and reliability of the computer or related system. A backup file of data entered into the computer or related system shall be maintained except where certain data, such as calculations performed in connection with laboratory analysis, are eliminated by computerization or other automated processes. In such instances a written record of the program shall be maintained along with appropriate validation data. Hard copy or alternative systems, such as duplicates, tapes, or microfilm, designed to assure that backup data are exact and complete and that it is secure from alteration, inadvertent erasures, or loss shall be maintained.”
Applicable(s) Region(s): USA, CAN, EUR, + || Industry Segment(s): Clinical Research
“1.65 Validation of Computerized Systems
A process of establishing and documenting that the specified requirements of a computerized system can be consistently fulfilled from design until decommissioning of the system or transition to a new system. The approach to validation should be based on a risk assessment that takes into consideration the intended use of the system and the potential of the system to affect human subject protection and reliability of trial results.
5.5.3 When using electronic trial data handling and/or remote electronic trial data systems, the sponsor should:
(a) Ensure and document that the electronic data processing system(s) conforms to the sponsor's established requirements for completeness, accuracy, reliability, and consistent intended performance (i.e., validation).”
“So, does it mean that I need to validate my ERP system?” Yes, it’s the law…
In conclusion, if you are working in the pharmaceutical, medical devices or clinical research industry, it’s highly likely that applicable regulations require you to validate your ERP system, or any other system that could impact patient safety, product quality or data integrity for that matter.
We hope you found this regulatory round up useful.Please don’t hesitate to reach out to us if you have other core regulations, standards or extracts you believe should have been included.We are always thankful for constructive feedback.
1. EUROPEAN COMMISSION, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Annex 11: Computerized Systems (2011)
3. INTERNATIONAL CONFERENCE ON HARMONISATION OF TECHNICAL REQUIREMENTS FOR REGISTRATION OF PHARMACEUTICALS FOR HUMAN USE,
4. INTERNATIONAL ORGANIZATION FOR STANDARDIZATION, ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes (2016)
5. THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
5a. REGULATION (EU) 2017/745 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (2017)
5b. REGULATION (EU) 2017/746 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (2017)
6. THE MINISTER OF JUSTICE OF CANADA, Medical Devices Regulations, SOR/98-282 (2020)
7. U.S FOOD & DRUGS ADMINISTRATION (FDA), Title 21 -– Food and Drugs, Chapter I, Food and Drug Administration Department of Health and Human Services,
Subchapter C –- Drugs: general,
Subchapter H – Medical Devices,