CE Annex 11, FDA 21 CFR Part 11: Computerized systems and software validation

July 7th, 2020 (page timestamp: 2020-08-11)

What is software validation?

Software validation is part of the computerized systems validation (CSV) process. Computerized systems validation is defined as documented evidence with a high degree of assurance that the software/computerized system functions as per the software design and user requirements, in a consistent and reproducible manner.


A computerized system is defined as a computer system that includes software, hardware and peripheral devices which are necessary for proper function of the system.

All computerized systems and software that include applications which may affect the quality of the final biopharmaceutical product or medical device should be assessed according to GMP (good manufacturing practice) and GAMP (good automated manufacturing practice) principles and requirements.

Risk assessment is mandatory at the early stages to determine the risk level, critical components and necessity and scope of the validation activities to be undertaken for the computerized system validation.

Computerized systems may include, from time to time, errors, flaws, mistakes, failures or faults (defined as “software bugs”), which should be detected as part of the computerized systems validation process.


  • Electronic Records – Defined in the FDA Code of Federal Regulations (CFR) as records which are maintained solely in an electronic format (not in hard copy) or in electronic and hard copy formats, and decisions are made based on these electronic records (ER).
  • Hardware – Defined as any programmable device including mainframe, mid-range, mini-, and personal computers, workstations or any programmable equipment used in a quality-related process.
  • Electronic signature – Defined as a computer data compilation of any symbol or series of symbols which are executed, adopted or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.

FDA/CE compliance software

Every control system and/or computerized application used in the biopharmaceutical and medical device fields should meet the requirements detailed below:

  • Information security
  • Information backup
  • Information restoration
  • Information disaster-recovery capabilities
  • Periodic maintenance


Computerized system security

GAMP (good automated manufacturing practice) regulations and FDA 21 CFR Part 11 require systems, records and processes to maintain confidentiality, integrity and availability.

Physical security

Computerized systems defined as “critical” (based on risk assessment methodology) should include physical barriers that restrict access to the system by non-authorized personnel. These restrictions should be systematically kept and tested as part of the computerized system validation stage.

Network security and password management

Computerized systems that control biopharmaceutical and/or medical device processes or process-related parameters must include security safeguards such as:

  • a dedicated production network which will be disconnected from the organizational administrative network
  • password code use for all actions related to process parameter changes, for special restricted operations (such as step bypass, critical parameter changing, process step sequence changing, special process step operations, etc.), and for access to “confidential” or “sensitive” information.

All security safeguards including authorization level and password management will be tested and verified as part of the computerized system validation.

Passwords must be given individually per user and according to the official authorization level definition and allowable functions per authorization level.

Passwords for all defined users shall be changed on a periodic basis by the user.

Computerized systems that display information of the biopharmaceutical and medical device production processes or Quality Control (QC) test results will require security measures such as password codes for all actions that require changes to system parameters, special or restricted operations and access to “confidential” or “sensitive” information.
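As an added illustration (not code from this page or from any validated product), the password and authorization-level safeguards described above can be exercised with challenge tests of the following kind. The action names, level numbers, the 90-day password age and the `ControlSystem` class are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)   # constructed policy value (assumption)
REQUIRED_LEVEL = {"view_batch": 1, "change_parameter": 2, "bypass_step": 3}

@dataclass
class User:
    name: str
    password: str        # plain text only to keep the example short
    level: int           # authorization level assigned to this individual
    password_set: date   # date of the last password change

class ControlSystem:
    def __init__(self, users):
        self.users = {u.name: u for u in users}

    def perform(self, name, password, action, today):
        """Return 'accepted' or the reason the attempt was rejected."""
        user = self.users.get(name)
        if action not in REQUIRED_LEVEL:
            return "rejected: unknown action"
        if user is None or not hmac.compare_digest(
                password.encode(), user.password.encode()):
            return "rejected: authentication failed"
        if today - user.password_set > MAX_PASSWORD_AGE:
            return "rejected: password expired"
        if user.level < REQUIRED_LEVEL[action]:
            return "rejected: insufficient authorization level"
        return "accepted"

def run_challenge_tests():
    """Run constructed challenge cases; return those with an unexpected outcome."""
    today = date(2020, 7, 7)
    system = ControlSystem([
        User("operator", "op-secret", 1, today - timedelta(days=10)),
        User("engineer", "eng-secret", 3, today - timedelta(days=10)),
        User("stale", "old-secret", 3, today - timedelta(days=200)),
    ])
    cases = [  # (user, password, action, expected outcome)
        ("engineer", "eng-secret", "bypass_step", "accepted"),
        ("operator", "op-secret", "change_parameter",
         "rejected: insufficient authorization level"),
        ("operator", "eng-secret", "change_parameter", "rejected: authentication failed"),
        ("engineer", "", "change_parameter", "rejected: authentication failed"),
        ("stale", "old-secret", "change_parameter", "rejected: password expired"),
        ("engineer", "eng-secret", "drop_table", "rejected: unknown action"),
    ]
    return [c for c in cases if system.perform(c[0], c[1], c[2], today) != c[3]]
```

An empty list from `run_challenge_tests()` means every positive and negative case behaved as specified; any returned case is a deviation to record in the qualification report.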

Other security measures

Access to the PC must be restricted by password, and password-protected screen savers must be used, to provide additional security for the computerized system.

It is recommended to install anti-virus applications in every system that is connected to a network.


Computerized system/software testing, Validation & Verification

Validation pre-requisites

Company validation policy should define which validation and verification activities should be considered for computer system validation projects at a site or within a specific department.

The validation projects, scopes, priorities and requirements should be defined in the VMP (validation master plan) document.

Usually, computerized system validation will include any programmable device, including its software, hardware, peripherals, procedures, users and interconnections, and inputs for electronic processing and output of information used for reporting and/or control.

It is strongly recommended to complete an official risk assessment process to identify and assess the associated aspects and risks of the computerized system and its potential effect on the final product or medical device quality. The risk process should be done before or at the same time as the design stages, and should include brainstorming by all relevant disciplines and key personnel.

    A user requirement specification (URS) should be written and approved before purchasing software or computerized systems. The URS is essential to assure the software will support company needs.

    After user requirements have been defined as part of the URS and are verified to meet all requirements documented in the various design documents as part of the Design Review and Design Qualification stages, the system/software qualification stage can be initiated.

    The system Functional Specification (FS) document should be written by the supplier and approved by the client. The FS will be the basis for system testing during the Operational Qualification stage.

    Before initiating validation activity, it is very important to identify whether the system type is a closed or an open system.

    Prior to execution of the system IQ (Installation Qualification) and OQ (Operational Qualification), it is recommended to test and verify the system in the production environment or in the intended environment where the system will be routinely used.

    FDA compliant computerized system

    According to FDA standards for software and computerized systems, a system which is defined as FDA compliant, including electronic records and electronic signatures, must comply with the rules detailed in CFR Title 21. Compliance with these rules will determine whether these electronic records may be used instead of, or in addition to, hard copy records, or if electronic signatures may be used to replace handwritten signatures.

    Computerized system and software validation stages

    The purpose of computerized system validation is to verify that the installed system functions according to its design, user requirements and GAMP (good automated manufacturing practice) requirements.

    After the system testing stage has been successfully completed by the system developer, and after the URS, risk assessment, design review (DR) and design qualification (DQ) have been completed, the following validation stages detailed below may be initiated:

    • Installation Qualification (IQ): Documented evidence that demonstrates that the system to be qualified meets all specifications, is installed correctly and according to the recommended environmental conditions, and that all components and documentation required for continuous operation are installed and in place.
    • Operational Qualification (OQ): Documented evidence that demonstrates that all operational aspects of the system function correctly and per the user requirements.
    • Performance Qualification (PQ): Documented evidence that demonstrates that the system functions as required, in a consistent manner over time, and meets user requirements during operation. During the PQ you can “go live” with the software and test it in a real life/real time production environment.
    • User Acceptance Test (UAT): Documented end user acceptance testing that usually will be performed by the customer prior to routine system use.

    Since many software design and qualification documents are involved in computerized system software validation, it is strongly recommended to track the system qualification processes using a traceability matrix.

    Post validation changes implementation

    When software changes and/or installation of new equipment or devices into the system are required, all proposed changes should be properly documented. A new risk assessment and system re-validation may be required, based on the company change control methodology and procedures. New test cases will be required when making partial upgrades or changes, and validation will be required when the next full version is installed.

    Additional computerized system validation testing

    As part of the computerized system validation process, the system will be tested to stress or challenge the system and software boundaries, using a set of different techniques and values, including invalid values, restricted scenarios and other simulations.

    Usually, as part of the computerized system and software validation process, system functionality will be tested through the system user interface. If that is not possible, the system may be tested using databases, log files, etc.

    The system will be tested relevant to its design to verify that it responds to normally expected inputs and actions. Moreover, the system should be tested with challenge tests and under extreme and stress conditions.

    System response, among other tests, may be qualified for:

    • Invalid values and inputs
    • Error messages
    • Functional validity
    • Data validity
    • System logic
    • Transactions validity
    • System security
    • Authorization levels
    • Backup and disaster recovery
    • Procedures training

    Bio-Chem has been advising biomedical companies for more than 13 years.
    Contact us for software and system validation.