Promoting a Validation Mindset: System Owners

The system owner is the individual responsible for the availability, security, compliance, maintenance, and support of a computerised system and for the security of the data residing on that system.  The system owner is initially responsible for oversight of the computer system validation effort, and is ultimately responsible for maintaining the system in a validated state throughout the life of the system.

Assignment of the system owner role is often dependent upon the scope and scale of the software system.  In the case of small-scale local systems, the ownership role is most often assigned to the process owner.  In the case of complex or global systems, the ownership role is typically assigned to a designee who is closer to the core of the system and is in a better position to manage transactions with the resources necessary to support the development, validation, implementation, and maintenance of all the business aspects of the system. In some cases, these roles, system owner and process owner, are assumed by separate individuals and these independent roles are defined in the system’s validation plan.  Data ownership should also be defined, and in the case of complex systems, more than one owner may be responsible for the integrity of data transacted on the system.

The process owner is responsible for defining the business processes that the system will support, which will provide the details for intended use of the system.  This requires the input of the process owner, or authorized end-user designee(s), in dictating and approving the user requirements for the system. It is essential to the success of the system validation and implementation that the information provided for the user requirements is accurately communicated by the person(s) most knowledgeable in the information processes that are to be automated by the data system.  In the case of a complex and/or global system, there may be many business system perspectives to be considered and harmonized. Expert representatives from all affected business entities and process roles should be enlisted to provide a comprehensive and precise interpretation of the required system functions and data sets. The company’s internal policies, procedures, and practices with regard to the business operation must also be taken into account in defining the system to support compliance within the system.  Regulatory requirements that govern the business operation must also be addressed, and monitored for compliance throughout the system’s life.

The system owner is responsible for oversight of the installation, development, validation, implementation, user training, security, maintenance, and life-cycle support of the system.  

The qualifications of personnel directly involved in the installation and development of the system should be supported by resume and/or company training records that indicate proficiency in the skills relevant to the technical aspects of the system.  Observance of industry standards, best practices, and company guidelines should be enforced to ensure that the system is reliable and maintainable upon implementation. When outsourcing these efforts, it is advisable to perform a vendor assessment to determine the suitability of the software and/or services delivered.

Validation documentation must be approved and controlled.  The system owner must formally approve, at a minimum, the validation plan, user requirements, system compliance assessments, validation reports, and the validation summary that will release the system for production use.  Validation documentation, whether hard-copy or electronic, should be controlled under a system or procedure that enforces check-out/check-in and version control for any revision to the documents. While the validation plan, reports, and executed protocols related to the initial validation project are considered final upon completion of the project, the user requirements, assessments, specifications, training plans, security plans, support plans and any other documents that will be subject to change during the life-cycle of the system, must be available for revision under future change control projects.

Training for personnel who will operate the system must be identified in procedures, delivered to end-users, and documented as completed to ensure that they can adequately perform their assigned responsibilities.  Authorization for system use must be limited to qualified personnel with documented training specific to their operational role within the system. User accounts must be unique to individual users and should be periodically reviewed throughout the life of the system to maintain access control.

Prior to implementation, the system owner must ensure that all supporting systems and procedures are in place.  This includes the approval, activation, and availability of operational procedures for end users and support personnel.  A plan should be in place for training and granting access for end users, as well as a plan for maintenance and support of the system’s production environment.  A production support plan should include some level of service agreement with the business entity providing infrastructure and software support resources. Backup/recovery and business continuity plans should also be approved to ensure that the system, its business process, and its data are not compromised in the event of a system failure.  Technical support must be retained in a manner that addresses user concerns, identifies and resolves system anomalies, and responds in a timely manner to the process owner’s need for updates to the system requirements.

The system owner is responsible for monitoring and assurance of the integrity of data generated and stored on the system.  Periodically, the system owner should initiate a data integrity review of the system to verify that critical data has not been compromised and that the system aspects designed to assure data integrity are adequately maintained.  These aspects, which include electronic records and signatures subject to 21 CFR Part 11, electronic audit trails, data backups, security and access permissions, user training, operating procedures, and any change control validations, should be evaluated to identify any present or potential breaches of data integrity.

About Performance Validation:

Performance Validation has been serving the life science industries since 1988, and is a nationwide leader in providing validation, commissioning, and quality services for pharmaceutical, biotechnology, and medical device manufacturers. Have a question on commissioning, qualification, or validation? Please use our contact form.