Validating Legacy Computer Systems When Everyone Thinks They’re Working Well

Q: I’m working with our sister company in Japan where they are validating legacy computer systems. A question has come up about a system that hasn’t been modified for more than 10 years. There haven’t been any quality problems caused by the application, and the incident calls are not related to quality. They can show that any infrastructure changes did not have an impact on product quality.

Do you have a recommendation on what to do for validating legacy computer systems? Would it be acceptable to write a summary that describes the functionality of the application, the history of changes and incidents, and how they assessed risk; then have the site management sign and file? I’m assuming they don’t require a full set of validation evidence because the system has been functioning as intended for many years. Is this assumption correct?

A:  No, it’s not acceptable to just write a summary. Instead, you should write a requirements document (if they don’t already have one) and show by objective evidence the system meets the requirements. In other words, you need to validate the system. If you don’t have a requirements document, you really can’t say “the system has been functioning as intended for many years”.

I doubt the system hasn’t seen some changes. That would mean that in 10 years’ time there’s been no hardware changes (no new processors, no multi-threading, etc.) or anything else. In addition, since virtually all incident calls are statements of dissatisfaction (complaints), I doubt they have no quality problems with the system. They probably mean the problems have not caused a quality issue with the product. But quality also includes the data supporting the product.

[pullquote align=”right” cite=”” link=”” color=”” class=”” size=””]In the U.S., validation — including validating legacy computer systems — has been required for quite a while.[/pullquote]

I assume they market to the U.S., where validation — including validating legacy computer systems — has been required for quite a while. Furthermore, infrastructure changes must be validated. Also, legacy systems need to be compliant with Part 11 if they are involved in recordkeeping.

Keep in mind that validation is “use based”, and I can’t tell the system use from what you’ve described. But I do think FDA — as well as the Japanese government — would have serious concerns if the uses are significant.

Martin Browning, President & Co-Founder, EduQuest (22 years as a senior official and investigator for the U.S. FDA; co-author of the original Part 11 regulations). Martin also serves as the developer and chairman of the EduQuest training class on FDA Auditing of Computerized Systems and Part 11/Annex 11.


Leave a Reply

Your email address will not be published. Required fields are marked *