1. What is software validation?
Software Validation is part of the computerized system validation (CSV) process. Computerized system validation defined as a documented evidence with a high degree of assurance that the software/computerized system, functions as per software design and user requirements in a consistent and reproducible manner.
Computerized system is defined as computer system that includes software, hardware and peripherals devices which are necessary for proper function of the system.
All computerized systems and software that includes applications which may finally affect the quality of the Bio-Pharmaceutical/Medical Device product, should be assessed according to the GMP (Good Manufacturing Practice) and GAMP (Good Automated Manufacturing Practice) principles and standards.
Risk Assessment is mandatory at these early stages in order to determine risk level, critical components and the necessity and scope of the validation activities that should be undertaken for the computerized system validation.
Computerized system may include from time to time errors, flaws, mistakes, failures or faults (defined as “software bugs”) which should be detected as part of the computerized system Validation process.
- Electronic Records – Defined in the FDA Code of Federal Regulation (CFR) as records which maintained solely in an electronic format (not in a hard copy) or as electronic and hard copy formats and decisions are made based on these electronic records (E.R).
- Hardware – Defined as any programmable device including mainframe, mid-range, mini, workstations, personal computers and any programmable equipment used in a quality related process.
- Electronic signature – Defined as computer data compilation of any symbol or series of symbols executed, adopted or authorized by individual to be legally binding equivalent of the individual’s handwritten signature.
3. FDA/CE compliance software
Every control system and/or computerized applications used in the Bio-Pharmaceutical and Medical Device fields should meet the requirements detailed below:
- Information security
- Information back up
- Information restore
- Information recovery capabilities in cases defined as “disaster”
- Periodic maintenance
4. Computerized system security
As part of the GAMP (Good Automated Manufacturing Practice) standards and FDA 21CRF part 11 requirements, systems, records and process should keep confidentiality, integrity and availability.
4.2 Physical security
Computerized system, which defined as “critical” (mostly based on Risk Assessment methodology), should include physical barriers that restricts access of non-authorized personnel into the system. These restrictions should be systematically kept and tested as part of the computerized system validation stage.
4.3 Network security and password management
Computerized system that controls Bio-Pharmaceutical/Medical Device process or process related parameters must include securities such as:
- A dedicated production network which will be disconnected from the organizational administrative network
- Password codes usage for all actions related to process parameter changing
- Special restricted operations such as steps bypass, critical parameters changing, process steps sequence changing, special process steps operation etc. and access to “confidential” / ”sensitive” information.
All securities including authorization level and password management will be tested and verified as part of the computerized system validation.
Passwords must be given individually per user and according to the official authorization level definition and allowable functions per authorization level.
Passwords for all defined users shall be changed on periodically basis by the user.
Computerized systems that displays information of the Bio-Pharmaceutical and Medical Device production processes or Quality Control (QC) test results will require security measures such as password codes for all actions that require system parameters changing, special or restricted operations and access to “confidential” / ”sensitive” information.
4.4 Other securities
PC access and screen saver must be in usage and will be restricted by password in order to provide an additional security for the computerized system.
It is recommended to install Anti-Virus applications in every system that is connected to the network.
5. Computerized system/software testing, Validation & Verification
5.1 Validation pre-requisites
The company Validation Policy should define which Validation/Verification activities should take into consideration in all of the computer system Validation projects at a site or within a specific department.
These validation projects, scope, priorities and requirements should be defined in the VMP (Validation Master Plan) document.
Usually, computerized system Validation will include any programmable device including its software, hardware, peripherals, procedures, users, interconnections, inputs for the electronic processing and output of information used for reporting and/or control.
It is strongly recommended to complete an official Risk Assessment process, involving all the disciplines key personnel in brainstorming, Before or in parallel to the design stages in order to identify and assess the associated aspects and risks of the relevant computerized system and its potential effect on product/device quality.
URS should be written and approved before software/computerized system purchasing. The URS is very essential to assure the software will supports the company needs.
After user requirements were defined as part of URS and were verified to meet all requirements documented in the various design documents as part of the Design Review and Design Qualification stages, the system/software qualification stage can be initiated.
System Functional Specification document should be written by the supplier and approved by the client. The FS will be the basis for system testing as part of the Operational Qualification stage.
Before validation stage initiation, its very important to identify whether the system type is closed or open system.
Prior to computerized system IQ (Installation Qualification) and OQ (Operational Qualification) execution, it is recommended that the system will be tested and verified in the production environment or in the intended environment the system should function routinely.
5.2 FDA compliant computerized system
According to FDA standards for software and computerized systems, system which is defined as FDA compliant, electronic records and electronic signature, in case exists, must comply the rules detailed in the CFR (Code of Regulation) title 21. Compliance with these rules and standards will determine whether these electronic records can be in usage instead or in addition to hard copy records or whether electronic signature can be in usage and replace handwritten signature.
5.3 Computerized System and Software Validation stages
The computerized system Validation purpose is to verify the system installed and functions according to its design, user requirements and GAMP (Good Automated Manufacturing Practice) standards.
After system testing stage was completed by the system developer successfully, the validation stages detailed below can be initiated, after URS, Risk Assessment, DR and DQ were completed:
- Installation Qualification (IQ) – A documented evidence that demonstrates the system to be qualified meets all specifications, is installed correctly and according to the recommended environmental conditions and that all components and documentation required for continues operation are installed and in place.
- Operational Qualification (OQ) – A documented evidence that demonstrates all the operational aspects of the system functions correctly and as per the user requirements.
- Performance Qualification (PQ) – A documented evidence that demonstrates the system functions as required in a consistent manner over time and fits the user requirements and operations. In the PQ you can “go live” with the software and test it in a real life/real time production environment.
- User Acceptance Test (UAT) – A documented end user acceptance testing that will be usually performed by the costumer, prior to system routine usage.
As many software design and Qualification documents are involved as part of the computerized system software validation, it is strongly recommended to track system qualification using Tractability Matrix.
5.4 Post validation changes implementation
In cases of software changes and/or new equipment/devices installation into the system is required, all proposed changes should be documented properly. A new Risk Assessment and re-validation of the system may be required, based on the company’s Change Control methodology. New test cases will be required in case of partial upgrades/changes and validation when the next full version is installed.
5.5 Additional computerized system validation testing
As part of the computerized system validation process, the system will be tested in order to stress/challenge the system and software boundaries using set of different techniques and values including using invalid values, restricted scenarios and other simulations.
Usually, as part of the computerized system and software Validation process, the system functionality will be tested through the system user interface and in case it is not possible, it can be tested using data base, log files etc.
The system will be tested in comparison to its design in order to verify it responds to a normally expected input and actions. Moreover, the system should be tested for challenging tests and under extreme and stress conditions.
System response, among other tests may be qualified for:
- Invalid values and inputs
- Error messages
- Functional validity
- Data validity
- System logic
- Transactions validity
- System security
- Authorization levels
- Backup and disaster recovery
- Procedures training
About the author:
Eran Yona Bio-Chem CEO and GxP consultant