Validation of computerized systems
2. System specification
3. Functional specification
7. Validation of hardware and software
1.1 Computer systems should be validated at the level appropriate for
their use and application. This is of importance in production as well as in
1.2 The use of a computer system includes different stages. These are
programming, testing, commissioning, document operation, monitoring and
modifying.
1.3 The purpose of validation of a computer system is to ensure an acceptable
degree of evidence (documented, raw data), confidence (dependability
thorough, rigorous achievement of predetermined specifications),
intended use, accuracy, consistency and reliability.
1.4 Both the system specifications and functional specifications should
1.5 Periodic (or continuous) evaluation should be performed after the
1.6 There should be written procedures for performance
change control, programme and data security, calibration and maintenance,
personnel training, emergency recovery and periodic re-evaluation.
1.7 Aspects of computerized operations that should be considered
— manual back-ups
— input/output checks
— process documentation
— shutdown recovery.
2. System specification
2.1 There should be a control document or system specification. The
control document should state the objectives of a proposed computer
the data to be entered and stored, the flow of data, how it interacts with
other systems and procedures, the information to be produced, the limits of
any variable and the operating programme and test programme. (Examples
each document produced by the programme should be included.)
2.2 System elements that need to be considered in computer
include hardware (equipment), software (procedures) and people (users).
3. Functional specification
A functional or performance specification should provide instructions
for testing, operating, and maintaining the system, as well as names of the
person(s) responsible for its development and operation.
3.2 The following general aspects should be kept in mind when using
— power supply
— magnetic disturbances.
Fluctuations in the electrical supply can influence computer systems and
supply failure can result in loss of memory.
3.3 The following general good manufacturing practice (GMP) requirements
are applicable to computer systems.
Verification and revalidation. After a suitable period of running a new
system it should be independently reviewed and compared with the system
specification and functional specification.
Change control. Alterations should only be made in accordance with a
defined procedure which should include provision for checking, approving
implementing the change.
Checks. Data should be checked periodically to confirm that they have
and reliably transferred.
4.1 This is of importance in production as well as in quality control.
Data should be entered or amended only by persons authorized to
do so. Suitable security systems should be in place to
entry or manipulation of data. The activity of entering data, changing or
entries and creating back-ups should all be done in accordance
with written, approved standard operating procedures (SOPs).
4.3 The security procedures should be in writing. Security should also
extend to devices used to store programmes, such as tapes, disks and magnetic
strip cards. Access to these devices should be controlled.
4.4 Traceability is of particular importance and it should be able to identify
the persons who made entries/changes, released material, or performed
other critical steps in manufacture or control.
4.5 The entry of critical data into a computer by an authorized person
(e.g. entry of a master processing formula) requires an independent verification
and release for use by a second
4.6 SOPs should be validated for certain systems or processes, e.g. the
procedures to be followed if the system fails or breaks down should be defined
and tested. Alternative arrangements should be made by the validation
team, and a disaster recovery procedure should be available for the systems
that need to be operated in the event of a breakdown.
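The controls in 4.2, 4.4 and 4.5 (entry only by authorized persons, traceability of who did what, and independent release of critical data) can be enforced in software, as in the following added example, which is not part of the guideline. The user names, permission names and record fields are assumptions made for illustration, and the sample formula value is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample users and permissions (assumptions, not from the guideline).
AUTHORIZED = {"a.jones": {"enter"}, "b.smith": {"enter", "verify"}, "c.lee": {"verify"}}

class NotAuthorized(Exception):
    """Raised when a user may not perform the requested step."""

@dataclass
class CriticalRecord:
    name: str
    value: str
    entered_by: str
    released_by: Optional[str] = None
    trail: list = field(default_factory=list)  # append-only: who, what, when

    def log(self, user, action, detail):
        stamp = datetime.now(timezone.utc).isoformat()
        self.trail.append((stamp, user, action, detail))

def require(user, permission):
    if permission not in AUTHORIZED.get(user, set()):
        raise NotAuthorized(f"{user} is not authorized to {permission}")

def enter(name, value, user):
    require(user, "enter")
    rec = CriticalRecord(name, value, entered_by=user)
    rec.log(user, "enter", value)
    return rec

def amend(rec, new_value, user):
    require(user, "enter")
    rec.log(user, "amend", f"{rec.value!r} -> {new_value!r}")
    # An amended value loses its release and must be verified again.
    rec.value, rec.entered_by, rec.released_by = new_value, user, None

def release(rec, user):
    # Second-person check: authorized to verify AND not the person who entered.
    if "verify" not in AUTHORIZED.get(user, set()) or user == rec.entered_by:
        rec.log(user, "release-denied", rec.value)
        raise NotAuthorized(f"{user} cannot independently verify {rec.name}")
    rec.released_by = user
    rec.log(user, "release", rec.value)

def usable(rec):
    """Critical data may be used only after independent release."""
    return rec.released_by is not None
```

Denied release attempts are written to the same trail as successful ones, so a reviewer can see attempted self-verification as well as completed steps.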
5.1 Regular back-ups of all files and data should be made and stored in
location to prevent intentional or accidental damage.
6.1 Planning, which should include the validation policy, project plan
and SOPs, is one of the steps in the validation process.
6.2 The computer-related systems and vendors should be defined and
the vendor and product should be evaluated. The system should be designed
taking into consideration the types, testing and quality assurance
of the software.
6.3 After installation of the system it should be qualified. The extent of
the qualification should depend on the complexity of the system. The system
should be evaluated and performance qualification, change control, maintenance
and calibration, security, contingency planning, SOPs, training, performance
monitoring and periodic re-evaluation should be addressed.
Table 1 indicates aspects of computer systems that should be subjected to
Summary of validation requirements for computer systems
1.1 Input device
1.2 Output device
1.3 Signal converter
1.4 Central processing
1.5 Distribution system
1.6 Peripheral devices
1.1 Machine language
1.2 Assembly language
1.3 High-level language
1.4 Application language
2. Key aspects
2.2 Signal conversion
2.3 I/O operation
2.4 Command overrides
2.6 Fixed set point
Variable set point
2.9 Input manipulation
2.10 Programme overrides
3.3 Worst case
3.1 Software development
3.2 Software security
4.2 Worst case
7.1.1 As part of the validation process appropriate tests and challenges to
the hardware should
7.1.2 Static, dust, power-feed voltage fluctuations and electromagnetic
interference could influence the system. The extent of validation should depend
on the complexity of the system. Hardware is considered to be equipment,
and the focus should be on location, maintenance and calibration of
hardware, as well as on validation/qualification.
7.1.3 The validation/qualification of the hardware should prove:
that the capacity of the hardware matches its assigned function (e.g.
that it operates within the operational limits (e.g.
ports, input ports);
that it performs acceptably under worst-case conditions (e.g. long
temperature extremes); and
reproducibility/consistency (e.g. by performing at least three runs
7.1.4 The validation should be done in accordance with written qualification
and the results should be recorded in the qualification reports.
7.1.5 Revalidation should be performed when significant changes are made.
7.1.6 Much of the hardware validation may be performed by the computer
vendor. However, the ultimate responsibility for the suitability of equipment
used remains with the company.
7.1.7 Hardware validation data and protocols should be kept by the company.
When validation information is produced by an outside firm, e.g.
vendor, the records maintained by the company need not include
all of the voluminous test data; however, such records should be sufficiently
complete (including general results and protocols) to allow the company
to assess the adequacy of the validation. A mere certification of suitability
from the vendor, for example, will be inadequate.
7.2.1 Software is the term used to describe the complete set of programmes
used by a computer, and which should be listed in a menu.
7.2.2 Records are considered as software; focus is placed on accuracy,
security, access, retention of records, review, double checks, documentation
and accuracy of reproduction.
7.2.3 The company should identify the following key computer programmes:
language, name, function (purpose of the programme), input (determine
inputs), output (determine outputs), fixed set point (process variable
that cannot be changed by the operator), variable set point (entered by the
operator), edits (reject input/output that does not conform to limits and
minimize errors, e.g. four- or five-character number entry), input manipulation
(and equations) and programme overrides (e.g. to stop a mixer before time).
7.2.4 The personnel who have the ability and/or are authorized
alter or have access to programmes should be identified.
7.2.5 Software validation should provide assurance that computer programmes
(especially those that control manufacturing and processing) will
consistently perform as they are supposed to, within pre-established limits.
When planning the validation, the following points should be
Function: does the programme match the assigned operational function
(e.g. generate batch documentation,
different batches of material used in
a batch listed)?
Worst case: perform validation under different conditions (e.g. speed,
data volume, frequency).
Repeats: sufficient number of times (replicate data entries).
Documentation: protocols and reports.
Revalidation: needed when significant changes are made.