How to go About Good Practice in Validating Computer Systems in a Regulated Environment


Computer System Validation is the technical discipline that involves the use of life sciences companies, to ensure applications provide the information they were intended to. FDA monitoring and regulations evidence the need for strict quality measures, The Food and Drug Administration (FDA)  which ensure specific controls and procedures during the Software Development Life Cycle (SDLC/ALM). Regulations such as those of the FDA also underscore the importance and need of not only following checks and procedures, but that these procedures are well documented. Said documents must be able to stand up to scrutiny by trained inspectors, especially since the financial penalties in the absence of an audit, can be exorbitant. Among the implications of not following relevant protocols in a  Life Science Software application, include the loss of life. In applying the appropriate SDLC/ALM protocols such as documentation, are all part of the technical discipline of Computer System Validation. In effect, Computer System Validation involves what many IT people consider testing software.


According to the FDA, process validation is “Establishing documented evidence which provides a high degree of assurance that a specific process will consistently produce a product meeting its pre-determined specifications and quality attributes” (1987).

In 2011, the FDA defined process validation as “the collection and evaluation of data, from the process design stage through commercial production, which establishes scientific evidence that a process is capable of consistently delivering quality product.”

Guidance of Validation Process

Validation involves all aspects of a process (including buildings, equipment, and computer systems) meeting requirements of quality, and compliance with applicable rules, regulations and guiding product quality, safety and traceability.

In 2011 three stages were involved in the validation process:

  1. Process design, the commercial process is defined based on knowledge gained through scale-up activities and development.
  2. Process qualification, the process design is evaluated and assessed to determine if the process is capable of reproducible commercial manufacturing.
  3. Continued process verification, ongoing assurance is gained during routine production that the process remains in a state of control

Purpose of Validation

To validate, is to confirm that a product or service meets the needs of its users. Validation starts at the planning stages, and continues through to the maintenance and operation phases. It is important to consider all the documentation that comes out of validation, and the entire process, so as to ensure that one’s system, and state remain validated over a period of time.


We are already familiar with the model of validation, and that the model follows a particular pattern of documentation. It is the relationship with these documents that is critical at the end, to not only maintains quality assurance of these documents, as would any cGMP document. It should be noted, that one must also consider the traceability of validation as one proceeds through an initiative.


When we talk about validation, we are referring to the whole validation and verification process. The process which is without validation and verification is a waste of considerable time, energy, money and resources, as the validation of unnecessary things can occur. So from the perspective of the specialist, validation is also very important.

Consideration of Validation

I often observe in my practice, organizations going overboard looking at  commercial off-the-shelf applications, which have very low risk, much in the same manner as custom developed applications with very high risk. So verification without validation is a factor that every organization that is looking into a validation process should take note of. Who is involved in validation? When we look across validation we observe that it is a process involving many organizations, and many individuals; especifically quality assurance, which is at the heart of software validation.

Key Role

Upon observing key roles such as the validation manager, he or she is really the driver, the overall architect of your software validation initiative, if you will. We look at the business system owner whose is consistently concerned with the business requirements. The input of business owners in the validation process is a vital key. When we consider the role of project managers, they are duly responsible for the overall implementation and execution of the validation program.

So in summary, the project manager’s role, and that of the head of quality assurance, is absolutely critical throughout the process, saving time and money. No validation effort is complete or effective, without the input of quality assurance. A technical lead is also needed to ensure that all technical requirements are addressed for the IQ and OQ procedures, as well as that development progresses in the manner intended. The role of the validation manager I think is one of the most critical roles within any validation initiative, as this individual is responsible for the overall methodology and the execution of the validation initiative. The validation manager also works hand in hand with the quality assurance manager and the development organization or your technical organization to ensure that the project is on time, within budget, and meets regulatory guidelines.

Importance of Quality Assurance

If quality assurance staff lack the skill set necessary or the quality assurance background to ensure the effectiveness of your validation initiatives as you goes through the validation process, variations in workload will result. This may determine when you actually decide to bring in consultants or when you decide to augment your existing staff. At the beginning of the project it may be noticed that the business system owners and the requirements development people, are very much involved at the beginning. Because what you are doing is establishing the requirements essential for this validation initiative. So when you look at validation as mapping the process according to the intended use, it is very important that was that these requirements are established up front, and those of you who are using off-the-shelf software, hold your vendors’ feet to the fire, in terms of getting the requirements down for their software application. Keep the intended use principle in mind during the early stages. As you get to the middle part of your validation initiative, you will find more resource load on the design or either the system’s integration part. So as we go through our systems integration, or as you’re deploying off-the-shelf software, you are required to deal with this aspect, and this may involve a significant number of resources during the middle of the project. And then as we move to the tail end, you may see more testing resources that are now need to be brought to bear.

Validation testing

Validation testing is an area that software vendors really focus a lot of their attention, specifically on the IQ, OQ and PQ of validation. However, that’s not all there is to software validation. There’s a whole process involved here. So as you look at the resource load across your validation initiative, be sure that you have the right number of resources at the right time during your validation process. As you look at validation as a dynamic process, maintaining the state a validation is absolutely critical. You need to make sure that the system is validated the first time correctly, as well as over time; the system maintains a state of validation. You need to be concerned with change control than with configuration management control. As you look at your system, there may be operating system changes, network system changes, as well as security changes. You have a number of changes that come up throughout the validation initiative. It is important to make sure that these changes are addressed overtime, and that more importantly, they are documented and follow procedures.

Validation initiative

Upon establishing a validation initiative, standard operating procedures must also be put in place. These procedures include backup and recovery processes for security Training is a crucial part of a validation initiative. It is also necessary for example to look into a comprehensive incident management procedure. This is often overlooked when organizations are validating off-the-shelf software. But it must be ensured that every incident is actually tracked so as to monitor, and take corrective action processes to be put in place validating that the system is corrected after such reported incidents, and all procedures are done in a controlled manner.


Validate is a system to which ensures that incidents are corrected, and so corrected in a controlled manner. When we look at what triggers software validation or revalidation if you well, every software installation or the integration of new software applications and/or modules could actually trigger software validation. Maintenance upgrades such as the upgrade of an operating system, or changes in your network, could also trigger software validation. The additional new hardware, software could trigger it, or systems integrated requirements. Regulations as you well know are constantly changing. Over time different product control requirements could also trigger revalidation. Within a validation master plan, there should not only be the triggers for software validation, but also there should be follow-ups to ensure that the system is maintained in a validated state. Who are the consultants that one can use for software validation, and what’s the business case for consultants? Consultants can play a really key role. For one, they bring independent expertise to the table. When you look at software offenders with commercially off-the-shelf software, and you are given IQ, OQ, QP scripts, those scripts are designed to work the first time, but they don’t necessarily offered the independence that a software consultant could to bring to the table. So first of all they bring independence, but more importantly expertise in software validation can help accelerate the process and deliver best practices for software validation.

Been There Done That, or NOT!

I run into a lot of companies that have never done a validation project. They may have never validated an ERP system, or never validated an integrated system. Software consultants can be invaluable, helping to save time and money, from having to go and learn things, and accelerate the learning curve for your organization. These consultants can be very valuable. Consultants can also deliver predefined validation protocols, and package deliveries of methodology that can help accelerate your process. But more importantly, ensure that there is a quality process at the heart of your validation initiative. Finally they can augment your existing staff. Recalling the workload I discussed, the validation workload varies over the entire life cycle of your validation initiative. Consultants could come in, and at different points in time during that process, help you accelerate retaliation initiative. So there’s a good reason for using experience qualified validation consultants and I recommend that you should look at those if you have an either complicated validation initiative or if you’re looking to validate a system for the first time. Consultants can be invaluable, giving assistance through the whole process. So why consultants should get involved early in the process? The early involvement of consultants,  are so that they understand the requirements and keep in mind that intended use principal If you are validating a system according to Intended use, you need all consultants to understand what the intended use of the system is, so that it affects the usability. So get the consultants involved earlier, they can help you to optimize your validation process if you don’t have standard operating procedures in place. They can assist with optimizing, and as I have seen in some organizations, validating low risk systems, in the same manner that they validate higher risk systems. It is strongly recommended that you conduct a comprehensive risk assessment prior to your validation, to ensure that you’re not expending valuable resources validating systems that are very low risk. So you want to look at the strategy for your overall validation, and you want to get consultant’s to really help you with, that so that you can have a comprehensive validation assessment around your particular initiative. And also one of the most overlooked areas is that of migration. Organizations are either developing custom systems, or their migrating from system ‘A’ to system ‘B’, and they don’t consider migration. Migration is absolutely important key. Sometimes when you look at custom systems, validation efforts can be about 30%, of your validation initiative. But if you have a large migration initiative, it can be even more. I strongly recommend that you take validation and migration into consideration and be careful not to overlook this area. Records management is also important when looking at validation initiatives. It is crucial to ensure that all records associated with your validation and nation are properly archived and stored for future use. It is also a good idea to conduct an audit management on your validation systems over time. Conducting a risk assessment is also a valuable tool.


So if you are about to plan a validation project you can follow those highlighted principles to assure you have the correct resources to get this project done

  1. Asses your system going under validation
  2. Analyse your intend of use
  3. Put in place all resources on time
  4. Consider all possible aspects of the system to include migration factor
  5. Use best practice knowledge either from internal or external resource


Rami Azulay

ALM Master @


Download PDF: How to go About Good Practice in Validating Computer Systems in a Regulated Environment