A Complete Guide To Computer System Validation (CSV) - QBD Group - 2023

QBD GROUP
A COMPLETE GUIDE TO
COMPUTER SYSTEM
VALIDATION (CSV)
WHAT IS IT AND
WHY DO WE NEED IT?
TABLE OF
CONTENTS
1. INTRODUCTION 07
2. WHAT DO WE NEED TO VALIDATE? 09
2.1 WHAT IS VALIDATION? WHAT IS A COMPUTERIZED SYSTEM? 10
2.2 HOW ARE COMPUTERIZED SYSTEMS CLASSIFIED? 13
2.3 WHAT ARE KNOWN CATEGORIES OF COMPUTER SYSTEMS? 15
2.4 HOW MANY CATEGORIES ARE THERE? 15
2.5 WHAT ARE THE CATEGORIES? 16
2.6 WHAT DID COMPUTERIZED LEGACY SYSTEMS INHERIT? 18
3. WHY VALIDATE COMPUTERIZED SYSTEMS? 19
3.1 WHAT IS THE VALIDATION OF COMPUTERIZED SYSTEMS? 19
3.2 WHAT IS THE SUITABILITY FOR USE? 19
3.3 HOW IS THE SUITABILITY FOR USE DEMONSTRATED? 19
3.4 WHAT IS GXP? 19
3.5 WHAT GOOD PRACTICES ARE APPLICABLE? 20
3.6 WHAT IS THE SCOPE / IMPACT OF GXP? 20
3.7 WHAT DO YOU GAIN FROM KNOWING THE GXP IMPACT? 20
3.8 WHAT ARE THE DIFFERENT TYPES OF IMPACTS OF COMPUTERIZED SYSTEMS? 21
3.9 IS THERE AN ORDER OF IMPORTANCE FOR EACH TYPE OF IMPACT? 22
3.10 HOW CAN THE SYSTEM IMPACT INTERNAL COMPANY POLICIES? 23
3.11 WHAT IS DATA INTEGRITY AND WHY IS IT IMPORTANT? 23
3.12 HOW CAN THE SYSTEM IMPACT DATA INTEGRITY? 23
3.13 HOW CAN THE SYSTEM IMPACT BUSINESS? 23
3.14 HOW CAN THE SYSTEM IMPACT REGULATORY COMPLIANCE? 23
3.15 WHAT IS DATA GOVERNANCE? 24
3.16 HOW IS DATA INTEGRITY VERIFIED? 24
3.17 WHAT ARE ELECTRONIC RECORDS? 25
3.18 WHAT ARE ELECTRONIC SIGNATURES? 27
3.19 WHAT DOES AN ELECTRONIC SIGNATURE GUARANTEE? 28
3.20 WHAT ARE THE RISKS ASSOCIATED WITH THE USE OF ELECTRONIC SIGNATURES? 28
3.21 WHAT DOES NOT REQUIRE VALIDATION? 29
QBD GROUP
A COMPLETE GUIDE TO COMPUTER SYSTEM VALIDATION (CSV) PAGE 02
6. VALIDATION PLANNING 51
6.1 VALIDATION PLAN 51
6.2 HOW ARE COMPUTERIZED SYSTEMS CHARACTERIZED? 52
6.3 HOW IS THE PROCESS CHARACTERIZED? 53
6.4 PROCESS MAPPING 53
6.5 WHY IS IT IMPORTANT TO DETERMINE THE RISKS OF THE SYSTEM BEFORE 56
VALIDATION?
6.6 RISK ANALYSIS SYSTEM 57
6.7 WHAT ARE THE RISKS ASSOCIATED WITH ELECTRONIC RECORDS MANAGEMENT? 58
6.8 WHAT ARE THE RISKS OF USING ELECTRONIC SIGNATURES? ARE THERE RISKS 59
ASSOCIATED WITH COMPUTER SYSTEMS?
6.9 WHAT IS A USER REQUIREMENT? 59
6.10 HOW ARE USER REQUIREMENTS CLASSIFIED? 59
6.11 HOW ARE THE REQUIREMENTS/USER REQUIREMENTS DEVELOPED? 60
6.12 ARE USER REQUIREMENTS NEEDED FOR LEGACY SYSTEMS? 61
6.13 WHAT IS THE RISK ANALYSIS OF USER REQUIREMENTS? 62
6.14 WHAT ELEMENTS DOES THE RISK ANALYSIS REQUIREMENTS PROCESS CONSIST OF? 62
6.15 HOW DOES RISK ANALYSIS MAKE USER REQUIREMENTS? 64
6.16 HOW DO I DETERMINE THE LEVEL OF CRITICALITY? 65
6.17 WHAT ARE THE DELIVERABLES OF A RISK ANALYSIS? 68
7. SPECIFICATION PHASE 69
7.1 WHAT IS A FUNCTIONAL SPECIFICATION? 69
7.2 WHAT DOES A FUNCTIONAL SPECIFICATION DESCRIBE? 69
7.3 WHAT ARE THE KEY FUNCTIONAL SPECIFICATIONS? 69
7.4 HOW ARE FUNCTIONAL SPECIFICATIONS WRITTEN? 70
7.5 WHAT IS A DESIGN SPECIFICATION? 70
7.6 WHAT DOES A DESIGN SPECIFICATION DESCRIBE? 70
7.7 HOW ARE DESIGN SPECIFICATIONS CLASSIFIED? 70
7.8 HOW ARE DESIGN SPECIFICATIONS WRITTEN? 71
7.9 WHY DO THE FUNCTIONAL SPECIFICATIONS FIRST AND THEN THE DESIGN 71
SPECIFICATIONS?
7.10 TRACEABILITY MATRIX 71
7.11 WHAT ARE THE BENEFITS OF A TRACEABILITY MATRIX? 71
7.12 HOW IS A TRACEABILITY MATRIX CREATED? 72
7.13 CONFIGURATION AND CODING 72
QBD GROUP
4. WHO IS RESPONSIBLE? 30
4.1 WHAT ARE THE MAIN RESPONSIBILITIES? 30
4.2 WHO OWNS THE PROCESS AND WHAT IS THEIR RESPONSIBILITY? 31
4.3 WHO IS A USER AND WHAT ARE HIS RESPONSIBILITIES? 32
4.4 WHAT IS THE RESPONSIBILITY OF THE SYSTEM OWNER? 32
4.5 WHAT IS THE RESPONSIBILITY OF THE QUALITY DEPARTMENT? 32
4.6 WHAT IS THE RESPONSIBILITY OF THE (INTERNAL / EXTERNAL) PROVIDER? 33
4.7 SUPPLIER QUALIFICATION 33
4.8 WHAT SUBJECT MATTER EXPERTS CAN BE USEFUL? 34
4.9 WHAT IS THE RESPONSIBILITY OF THE AREA VALIDATION? 34
4.10 HOW ARE RESPONSIBILITIES ASSIGNED TO THE SYSTEM AND VALIDATION? 34
4.11 WHAT ARE THE MAIN PROBLEMS THAT ARISE IN THE ALLOCATION OF 35
RESPONSIBILITIES?
5. HOW TO VALIDATE COMPUTERIZED SYSTEMS? 36
5.1 WHO SHOULD COORDINATE THE VALIDATION PROJECT? 37
5.2 WHAT IS THE LIFE CYCLE OF A COMPUTERIZED SYSTEM? 37
5.3 WHAT IS THE LIFE CYCLE APPROACH? 37
5.4 WHAT ARE THE PHASES OF THE LIFE CYCLE OF A COMPUTER SYSTEM? 37
5.5 LIFE CYCLE APPROACH 38
5.6 WHAT ARE THE CHARACTERISTICS OF EACH OF THESE PHASES? 39
5.7 WHAT IS THE V-MODEL? 42
5.8 HOW MANY V-MODELS ARE NORMALLY HANDLED? 43
5.9 WHAT DETERMINES THE APPLICATION OF EACH MODEL? 43
5.10 HOW DOES THE LIFE CYCLE APPROACH RELATE TO THE V-MODEL? 44
5.11 WHAT ACTIVITIES CONSTITUTE THE VALIDATION PROCESS OF COMPUTER 45
SYSTEMS?
5.12 HOW IS EACH PHASE RELATED TO THE V-MODEL AND WHAT ARE THE 46
DELIVERABLES IN THIS PROCESS?
5.13 WHAT IS THE RELATIONSHIP BETWEEN THE QMS AND THE VALIDATION OF 46
COMPUTERIZED SYSTEMS?
5.14 WHAT REQUIREMENTS MUST THE QUALITY MANAGEMENT SYSTEM COMPLY WITH? 50
5.15 WHAT IS THE PURPOSE OF A VALIDATION MASTER PLAN OF COMPUTERIZED 50
SYSTEMS?
QBD GROUP
8. VERIFICATION PHASE 73
8.1 WHAT IS INFRASTRUCTURE? 73
8.2 QUALIFYING THE INFRASTRUCTURE? 73
8.3 WHAT ELEMENTS DOES THE INFRASTRUCTURE CONSIST OF? 75
8.4 WHY ARE THERE QUALIFICATION PROTOCOLS? 76
8.5 WHY IS DESIGN QUALIFICATION REQUIRED? 77
8.6 WHAT SHOULD THE DESIGN QUALIFICATION VERIFY? 77
8.7 WHAT IS INSTALLATION QUALIFICATION? 79
8.8 WHAT SHOULD INSTALLATION QUALIFICATION VERIFY? 79
8.9 WHY PERFORM INSTALLATION QUALIFICATION? 79
8.10 WHAT IS OPERATIONAL QUALIFICATION? 81
8.11 WHY PERFORM OPERATIONAL QUALIFICATION? 81
8.12 WHAT SHOULD OPERATIONAL QUALIFICATION VERIFY? 81
8.13 WHAT ARE THE SECURITY FEATURES THAT ARE CHALLENGED DURING 82
8.14 WHAT IS DATA AUDIT OR AUDIT TRAIL? 83
8.15 WHAT TESTS SHOULD BE PERFORMED TO CHECK THE AUDIT TRAIL? 84
8.16 WHAT IS PERFORMANCE QUALIFICATION? 85
8.17 WHY PERFORM PERFORMANCE QUALIFICATION? 85
8.18 WHAT SHOULD PERFORMANCE QUALIFICATION VERIFY? 85
9. REPORTING 87
9.1 VALIDATION REPORT 87
10. MAINTENANCE OF VALIDATED STATUS 88
10.1 MAINTAINING THE VALIDATED STATUS IN OUTSOURCED ACTIVITIES 91
11. CONCLUSIONS 92
12. HOW CAN QBD ASSIST IN THE VALIDATION OF YOUR COMPUTERIZED SYSTEMS? 93
APPENDIX: BASIC CONCEPTS & DEFINITIONS 94
QBD GROUP
A QBD GROUP
WHITE PAPER
The QbD Group supports life sciences companies

throughout the entire product lifecycle, from idea
to patient. Our offerings include Software WE ARE HAPPY TO HELP YOU
Solutions and Services.
understand the processes in

Are you looking for CSV services? QbD offers CSV
which your computerized system
expertise to help your company comply with the
is used
latest regulations. QbD has years of experience
understand the functioning of
with numerous projects in various GxP
your computerized system
environments. If required, our validation
(white-box approach)
approach can be tailored to newer technologies,
decide on the lifecycle and
such as machine learning and artificial
Computer System Validation
intelligence.
approach
and ensure highly consistent data
The actual approach and life cycle you want to
and compliance with all relevant
take to validate your computerized system(s) are
regulations. The first step
up to you. The most common and recognized CSV
towards data integrity!
approach is the GAMP5 methodology.
INTERESTED TO KNOW MORE? GET IN TOUCH!
+32 3 844 45 01 | www.qbdgroup.com | Contact us
QBD GROUP
INTRODUCTION
This guide aims to bring context and define the This Computer Systems Validation Guide is based
necessary and appropriate strategies for the on the following approaches:
validation of computerized systems for (human
and veterinary) Pharmaceutical Industries, Risk-based approach
Pharmaceutical Chemicals (APIs and excipients), Approach based on the life cycle of the system
Biologics, Biotechnology, Blood Products, Gas Approach on “V”-model for development and
Medicinal Products, and Medical Devices, used in system test
activities related to compliance with Good Approach based on the process which serves
Practices (GxP), activities include: the system
Approach on GAMP category system
Manufacturing / Production (GMP) Clinics
(GCP) This guide provides a general review of the
Laboratory (GLP) guidelines required for the qualification
Good Distribution Practices (GDP) Storage identifying regulatory infrastructure base (NOM /
(GWP) FDA / WHO), prior to the validation of computer
Documentation (GDocP) system requirements is performed.
It provides a suitable approach to compliance It also identifies the documentary base to support
with all types of computer systems, according to the validation of computerized systems, in
national and international regulations; and based accordance with the particular QMS of each
on the guidelines established in the GAMP® 5 organization.
Guide ISPE, providing an understanding of the
logics of work, definition of scope, and selection
of the validation strategy that best suits the
system to validate.
Copyright © 2023 QbD Group. All rights reserved. No part of this whitepaper may be reproduced,
distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic
or mechanical methods, without the prior written permission of the QbD Group, except in the case of brief
quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law.
QBD GROUP
This work is designed to be used regardless of the Through the principles and methodologies
knowledge or experience of people related to suggested here, this guide will help the
validation or compliance with Good Practices, organization to ensure that computer systems
among others, the following areas or business prove their fitness for intended use, meet the
functions: good practices of the industry in an efficient
manner, provide practical guidance to facilitate
Administration the interpretation of regulatory requirements,
Quality Unit with a language and terminology easy to
Investigation understand and interpret, clarify the roles and
Development responsibilities of each of those involved in the
Manufacturing validation of computerized systems.
Laboratory
Engineering Finally, this guide is designed for understanding
Maintenance the principles of validation of computerized
Regulatory issues systems by the most diverse personnel, both
Human Resources those who occupy this knowledge as part of their
IT daily work and those who at some point will be
Support staff involved in the effort to validate a system without
Associated suppliers any prior knowledge of Good Practices, validation
or IT computer terminology, thus becomes a
valuable tool for both and for anyone who wants
to train others in basic and logical principles of
work on Computer Systems Validation.
QBD GROUP
CHAPTER TWO
WHAT DO WE NEED
TO VALIDATE?
Currently, the Health Industries such as Thus, the risks of “human error” are no longer
pharmaceuticals (human and veterinary), constant, while increasing the productivity and
pharmachemical, (APIs and excipients), biologics, efficiency of processes does not depend on
biotechnology, blood products, and medical people performing repetitive tasks or require a
devices, are required to establish a validation high level of effort, leaving human hands to
program to demonstrate that any process, control tasks and maintenance of these systems,
equipment, material, activity or system which provides room for creativity and process
actually leads to the expected results. improvement.
The computerized systems that have an impact With the above, it should be emphasized that the
on product quality, patient health, and data use of computer systems does not entirely
integrity (GxP, as in the case of those who serve replace the human factor, but rather enhances it,
production processes, storage of inputs and bringing it to a higher level within the process,
finished products, insurance quality, where human error still exists, but at another
documentation management, electronic records, level. Equipment and systems still rely on humans
etc.) must be validated, in order to meet to tell them “what to do” and “how to do it” and
normatively, ensure the integrity and traceability any human error in this part results in an error in
of information and product quality. the rest of the process. There is a phrase that
says “The machines do not commit a mistake, but
Computer systems with GxP impact are becoming the humans do it”. Wrong instructions will result
of particular importance today due to in erroneous results. For this reason, the human
technological advances in process automation factor is decisive in validating, from defining its
and data management and information generated responsibilities to the training and qualification of
by applications, and the increasing acceptance personnel.
and use of these technologies in both
administrative industrial, and productive Eventually, the growth of Artificial Intelligence (AI)
processes. integration into technology systems, mobile
device interfaces, and the use of cloud-based
As computer systems are increasingly integrated systems presents new challenges for current
into many of the most important business validation schemes, which must demonstrate
processes, they help to reduce or eliminate the fitness for use and compliance with requirements
risks inherent in manual processes traditionally at all times.
performed by qualified personnel.
QBD GROUP PAGE 09

A COMPLETE GUIDE TO COMPUTER SYSTEM VALIDATION (CSV)
2.1 WHAT IS VALIDATION? WHAT
IS A COMPUTERIZED SYSTEM?
During the validation process of computerized The definitions BELOW have the following
systems, various stakeholders are belonging to elements in common:
parts of the company where the knowledge of
issues related to validation, computer systems, Generating evidence
and information technology is usually not always Compliance of requirements
the common factor. It is necessary to use In accordance with the expected results
common concepts to avoid subsequent
misunderstandings or problems due to a lack of The definitions that handle national and
conceptual approval. international standards and guidelines for
computer systems must include:
The following section lists some definitions of
validation according to regulations and national
and international guidelines:
Definition of Validation
NOM-059-SSA1-2015
“Documentary evidence generated through the collection and scientific evaluation of

the data obtained in qualifying and specific tests throughout the entire life cycle of a
product, which aims to demonstrate the functionality, consistency and robustness of a
given process in their ability to deliver a quality product. “
Food and Drug Administration (FDA)
“Validation is the confirmation by objective evidence, that the previously established

requirements for the use of a process or system are met.”
WHO guidance on the requirements of good manufacturing practices (GMP)
“Establishment of documentary evidence that provides a high degree of assurance that

a planned process will be uniformly in accordance with the expected specified results.”
QBD GROUP PAGE 10

Definitions computerized /
computer system
NOM-059-SSA1-2015
“Computer/computer system, any equipment, process or operation having one or more

computers coupled and associated software or a group of hardware components
designed and assembled to perform a specific functions group.”
Food and Drug Administration (FDA)
“Functional unit of one or more computers and input/ output devices, peripherals and
associated software, used in common for all or part of a program and storing all or part
of the data necessary for program execution.”
GAMP® 5 ISPE
“System containing one or more computers and associated software, network

components, functions controlled by them and associated documentation.”
Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients (ICH7)
“Computer system: hardware components and associated software, appointed and

assembled to perform a specific function or group of functions.”
“Computer system: process or operation integrated with a computer system.”
ANSI
"A functional unit, consisting of one or more computers and associated peripheral
input/output devices, and associated software, that uses common storage for all or part of a
program and also for all or part of the data necessary for the execution of the program;
execute user-written or user-designated programs; performs user-designated data
manipulation, including arithmetic operations and logic operations; and that can execute
programs that modify themselves during their execution. A computer system may be a stand-
alone unit or may consist of several interconnected units."
QBD GROUP PAGE 11

According to the above, you can define computer
systems as a combination of hardware and
software that perform functions for the process
they serve (where process means, all the
constituent elements of it, such as personnel,
equipment, activities, input and output elements,
related documentation, among others).
Illustration 1: computerized system (ICH (2))

OPERATING ENVIRONMENT
Computerized system
Computer system Controlled function or process
Operating procedures
Software
and personnel
Hardware/Firmware Equipment
In other words, the computerized system is the

combination of hardware and software in
conjunction with the process they serve and its
Hardware
operating environment.
CS
Illustration 2: computerized system Process Software
QBD GROUP PAGE 12

2.2 HOW ARE COMPUTERIZED
SYSTEMS CLASSIFIED?
To identify what must be validated it is important

to know that the classification of computerized
systems can be performed as follows:
For its functions and design: Refers to

identifying, according to the functions
performed, what kind of system belongs.
Process: That is, according to the mode in
which the system is being used. According to
the needs of users, you decide what features
are required to set up or if a system tailored
to that function must be designed (see topic:
Characterization of the process).
System impacts: Identify the risks of
computerized patient’s health, impact on
product quality, data integrity, and business to
determine whether or not the system requires
validation and scope of validation (see topic:
What is the scope/impact of GxP).
Category GAMP: After identifying the type of
system, as used according to the process it
serves and the risks inherent system
classification according to the category GAMP
be performed, which identifies whether this
corresponds to a Category 1 (infrastructure
software), 3 not configurable, 4 or 5
configured (tailored) and from here is derived
which is the methodology to be followed for
validation.
QBD GROUP PAGE 13

What are the types of system
functionality and design?
Depending on their functions and design,

computerized systems can be classified into the
following types:
System type Description Example
Immersed PLC, Controllers, Control Panels equipment for the various processes.
Systems
Equipment
Software COTS Standard Software (Commercial Off The Shelf, or shelf software) has zero StatSoft® Statistica,
customization degrees and limited configuration capabilities. They are sold as EmpowerTM, Minitab, data
proven solutions that require further adaptation and standardization of the processing software supplied
process to meet the requirements. Usually, they are GAMP® categories 3 and 4. with measuring equipment, etc.
Spreadsheets Application for manipulating numeric and alphanumeric data arranged in tables They are made with
consisting of cells (which are often organized into a two-dimensional array of rows applications such as Microsoft
and columns). Functions include performing statistical calculations, logical Excel, StarOfficeTM, Calc TM,
operations, and data management, automating tasks using formulas and Open Ofice®, IBMTM /
macros, performing pattern recognition, merging data from different LotusTM 1-2-3, Corel Quattro
spreadsheets, creating charts, and managing a large set of variables. Usually, it Pro®, KSpread etc.
addresses the handling of validation results, handling of analytical results, and
preventive maintenance programs calibrations for statistical processing of results,
among other applications. The application that spreadsheets are made is not
validated, its extensive sheet and its functionality are validated.
DMS Document Management Systems (DMS) is used for storing and tracking QualityKick TM, EASYTOOLSTM,
electronic or scanned documents. These systems are designed to facilitate Master C.
distribution, consultation, review, versioning, document creation, and capture.
LIMS Laboratory Information Management System (LIMS) is called software to acquire FreezerPro®, LabWare ELN ©,
and manage information generated in the laboratory. It has several specific LabCollectorTM, NautilusTM,
options for each laboratory operation. Core LIMSTM, etc.
ERPs Enterprise Resource Planning (ERP) software is modular and designed to SAP®, JD Edwards®, BPCS,
integrate and manage information from each of the processes and activities of Microsoft DynamicsTM, Macola
the company. It is responsible for managing inputs, managing resources, and ©, Epicor, Axapta®.
workflows. It helps to have more control over internal activities and generates
reports and queries in real-time.
PAT Process Analytical Technology (PAT), the FDA defines it as a “System for designing, Eurotherm®, SIPAT ©, etc.
analyzing and controlling manufacturing through timely measurements of critical
quality attributes and performance for raw and process materials and processes
in order to ensure final product quality.” They are based on the principle that the
quality of a product must be from the design.
Software It is any software that serves as a platform to make business applications work or Operating systems like UNIX or
Infrastructure improve their functionality. It is sufficiently proven software that requires no Windows, office software like
further validation. The validation of business applications running on the software Office, Adobe, Antivirus, etc.
infrastructure is considered indirect evidence of its operation. They are classified
as category 1 GAMP®.
Table 1: Types of computerized systems for functionality and design
QBD GROUP PAGE 14

2.3 WHAT ARE KNOWN CATEGORIES
OF COMPUTER SYSTEMS?
It helps to determine the strategy and scope of

system validation depending on the complexity
and risks inherent in each category, both
hardware, and software. However, it will depend
on their respective risk analysis to establish the
same appropriate strategy. The categories
suggested by the GAMP® are a good reference
for determining the complexity and therefore the
risks inherent in systems.
For example, in the validation of an ERP (SAP)

Category 4 GxP to determine their impact and
corresponding risk analysis (for each of its
modules), you can decide not to challenge some
of the functional modules that compose (eg
Finance), making only one installation verification
this module if necessary.
Illustration 3: comparison lesser vs. largest category
2.4 HOW MANY CATEGORIES ARE

THERE?
There is 1 category for Hardware (Infrastructure)

and there are 3 for Software (Applications). Two
crucial aspects are taken into account when
determining the categories: the complexity of the
system and the risk inherent in depending on
their degree of proof (quality control software)
during development. Thus, the more standardized
and tested, the lower its category and therefore
the standard of proof required for validation. On
the other hand, the more personalized, the more
Illustration 4: validation test level vs. category
need for configuration, and the last test
conducted during development, will require more
detail in the validation challenges.
QBD GROUP PAGE 15

2.5 WHAT ARE THE CATEGORIES?
Category 1
Infrastructure software: established or commercially available software layer, eg.:

operating systems, database engines, programming languages, firewall, antivirus, and
office software. The operation of business software categories 3, 4, and 5 depend on
this software. Without denying the existence of the category 1 systems, they will not be
independently tested, but, indirectly when testing systems category 3, 4, or 5. Their
proper operation is shown in the process they serve. This software during design and
creation is subjected to extensive quality testing software.
Category 3
Non-configured systems: no configurations are freely traded in stores or as part of

teams. These are called COTS (Commercial Off The Shelf). Examples include tools for
statistical computing, software for data acquisition without configurability, Scribble
control panels, spreadsheets only used as databases or documents without any
configuration level, etc.
In this type of software, there are very low or zero-level settings that the user can
personalize. They are sold as “as is” solutions because they are acquired as they are
used (except worksheets category 3, which are not considered software “as is”). They
have the advantage that the operation can not be modified, which means that the risks
arising from incorrect operations are reduced. This generates the same disadvantage
of having to adapt the processes to system operation.
The V-model which is usually the simplest involves verification against user
requirements only.
QBD GROUP PAGE 16

Category 4
Configured systems or products: Partially configurable software packages that allow

you to run a specific business process. These configurations include, but are not limited
to, operating parameters, measurement, and control, and can use other external
interfaces to complete the function.
Examples of these systems are ERP (Enterprise Resource Planning), LIMS, Applications
spreadsheet in Microsoft Excel with formulas and/or input data linked to specific cells
(this is considered configuration), control systems production equipment associated
with the process (eg. autoclaves PLC), process control system as SCADA (depending on
the degree of customization can also be category 5), systems of equipment quality
control (M3 electron microscope), control temperature processes, among others.
The V-model usually includes the traceability of user requirements, functional and
design specifications and protocols, Design, Installation, Operation, and Performance
Qualification.
Category 5
Custom systems are those systems that are custom developed to meet the specific needs of the
organization to optimize processes. Examples are add-ons software for categories 3 and 4, MS Excel
with VBA scripts, unique and dedicated systems, ERP systems, or developments of these facts to the
specific needs of an organization, among others. In the validation strategy for this category of systems
it is recommended to put more emphasis on:
Specifications and testing modules

Design documentation and system operation
Service-level agreement
Technical support
Updates
Troubleshooting, errors, and failures
Change control
It is important to note that worksheets, depending on your level of configuration or customization

(use macros or Visual Basic programming) can be considered category 3, 4, or 5.
Remember that in the case of the Mexican Health Regulation, the qualification design based on user
requirements is very important. Related to this requirement, it can include revisions documentary
aspects mentioned above.
QBD GROUP PAGE 17

2.6 WHAT DID COMPUTERIZED
LEGACY SYSTEMS INHERIT?
For purposes of this guide, you can define legacy Example:

computer systems in 3 ways:
1. Computer system that has become obsolete,

but still used by the user and not easily willing
or able to be replaced or upgraded, or is no
longer supported by the supplier.
2. Those who do not comply with the 21 CFR
part 11 and launched before August 20,
1997, on old computer hardware according to
FDA Compliance Policy Guide 7153.17. This
definition applies only if it is consistent with
FDA regulations.
3. Systems in use before the start of automated
systems validation activities (should be Illustration 5 : Possible
included in the validation master plan). strategies for legacy systems
During the preparation of the Validation Master

Plan, it is necessary to identify the legacy systems In the flow chart of the validation guide ISPE
and define the criteria to be cataloged in this way, legacy systems, it is observed that for a legacy
and whose characteristics have advantages and system depending on its characteristics, you can
disadvantages, as well as very particular risks to choose to develop only the requirements or both
be taken into account when defining the strategy the Requirements Specification and
validation. specifications. Furthermore, existing procedures
should be evaluated and updated according to
Since in legacy systems, there are often no their risk, taking into account changes that the
documents and much fewer tests performed process and the system may have undergone. The
during the design stage, the validation strategy appropriateness of each of the routes to take risk
can have different shapes, in relation to the depends on the system and the required level of
development of requirements and specifications. proof and the availability of information.
QBD GROUP PAGE 18

CHAPTER THREE
WHY VALIDATE
3.1 WHAT IS THE VALIDATION OF 3.3 HOW IS THE SUITABILITY

COMPUTERIZED SYSTEMS? FOR USE DEMONSTRATED?
Validation of computerized systems is a The suitability for use is demonstrated by

documented process to ensure that a compliance with all established (mandatory)
computerized system does exactly what it was requirements. Since the requirements are directly
designed to do in a consistent and reproducible traceable to the user acceptance testing activities
way (suitability to use), ensuring the integrity and (protocol Qualification Execution or Performance
security of data processing, product quality, and (PQ)) and indirectly traceable to unit, integration
complying with GxP applicable regulations. The and functional test activities (protocols
robust and documented evidence shows that the Installation Qualification (IQ) and Operational
system is suitable for the contemplated purpose Qualification (OQ) (through the functional and
and it is doing what it is designed to do, with the design respectively, serving them to meet the
certainty that the result or the final product will requirements), it is the satisfactory conclusion of
have the expected quality. the PQ that we can state that it meets the
suitability for use.
3.2 WHAT IS THE SUITABILITY

FOR USE? 3.4 WHAT IS GXP?
The suitability of the system involves verifying It is an acronym for Best Practices (x), where “x”
that the system is functioning properly according stands for some of the best practices related to
to the needs of the process for which it was regulations and national and international
acquired. This will be demonstrated during reference guides. The English acronym is GxP,
validation and routinely checked during where G refers to Good and P refers to Practices.
operation.
QBD GROUP PAGE 19

3.5 WHAT GOOD PRACTICES 3.7 WHAT DO YOU GAIN FROM
ARE APPLICABLE? KNOWING THE GXP IMPACT?
Among others, the main Good Practices that Knowing the impact of GxP allows for a better validation
apply are the following: strategy, with particular emphasis on those points where
there is an increased risk of negatively impacting the
Good Manufacturing Practice (GMP) is performance of Good Practice also determining during the
associated with the manufacture of a product, characterization of the system if it impacts GxP allows
which is produced and controlled to quality differentiate those requiring validation for regulatory
standards for use, according to regulations compliance of those who do not. The role of process
that help ensure reliability to the final owners and/or Quality System is crucial in this
consumer. determination to be guardians and empowered the
Good Laboratory Practice (GLP) elements of the system under its interference in relation to
Good Distribution Practice (GDP) each regulatory requirement.
Good Clinical Practice (GCP)
Good Documentation Practice (GDocP) In the inventory of computerized systems, the definition of
Good maintenance practices those that have a GxP impact is important. This definition
Good industrial safety can be provided by considering the following aspects:
Etc.
1. The creation, maintenance or preservation of
3.6 WHAT IS THE SCOPE / records or documentation required by the
IMPACT OF GXP? Good Practice regulations for evaluating

product quality and making security decisions.
The term refers to any action or omission that

adversely affects any Good Practices defined as
part of regulatory compliance. In the case of 2. Automation of Best Practices, product quality
systems, processes, activities, equipment, or product safety decisions.
facilities, and personnel, they can have an impact
if GxP serves to support compliance with one of
the defined Good Practices. 3. The data output to other system modules or
external systems with the above features.
Since the Validation of Computerized Systems
provides an approach to risk, its proper
determination involves knowing the GxP impact 4. The input process data from other system
of systems from which the scope of the validation modules or other systems with the above
study is established. features.
It is also important to generate evidence of why some

systems are not considered GxP compliant. This evidence
can be provided during system characterization using a
checklist.
QBD GROUP PAGE 20

3.8 WHAT ARE THE DIFFERENT
TYPES OF IMPACTS OF
There are 6 major types of impacts to be It is important to remember that the same system
considered for computerized systems. These can have more than one type of these impacts.
should be evaluated both in the initial risk For example, an ERP system directly impacts the
analysis system and subsequent risk analysis (to business to manage company resources, but also,
requirements and during maintenance of if you have a quality module, can have an impact
validated state): on product quality, patient safety, and data
integrity. In the case of the control system of a
Examples of GxP impacts: tableting, this can have an impact on product
quality, but also on the integrity of the data it
Patient safety: This type of impact involves manages. Depending on the type of impact(s), it
systems that release products and manage increases the criticality of the system.
information for patient use (batch,
instructions, expiration date), eg HPLC,
software coding, etc.
Product quality: This impact is directly
involved in making or evaluating critical
parameters, e.g. IR spectrum, TOC, PLC an
autoclave, etc.
Data integrity: ERP systems, inventory control,
document management systems, etc.
Regulatory compliance: QMS control systems,
spreadsheets with training plans or
maintenance control, electronic logbooks, etc.
Internal policies and processes: Systems that
manage the qualification of personnel,
security systems, etc.
Examples of non-GxP impacts:
Business: This impact is determined by how

the malfunction, damage or loss of the system
and/or information can result in economic
(business) losses to the company. All systems
have this type of impact to a greater or lesser
extent. The business impact cannot be
neglected it enables continuity of the
organization that owns the system (user,
according GAMP®)
QBD GROUP PAGE 21

3.9 IS THERE AN ORDER OF
IMPORTANCE FOR EACH TYPE OF
IMPACT?
The impact on product quality, patient safety, and Example:

data integrity are the most important GxP
impacts. The impacts on product quality, patient
safety, and data integrity are crucial to the A drug distributor does not
decision of whether or not to validate the manufacture and does not perform
computerized system. In this sense, experience analysis to determine the purity and
and end-user knowledge are of great value for identity of the drug. They have a
the correct weighting of the impacts. system that manages the inventory and
distribution. This system does not
Although business impacts are not important directly affect the patient safety,
from a regulatory point of view, they should be however, it may affect product quality
seriously considered since the business must if the distribution is not performed
continue to exist in order to generate value according to the manufacturer’s
through its processes. An incorrect strategy that instructions. Because of the affected
considers a potential impact on the business due product quality, patient safety may also
to a breach of good practice, or costs not covered be compromised. These impacts would
by the maintenance of the system or required by generate a loss for both monetary and
the validation study can result in significant business reputation.
losses that jeopardize the operation of the

business.
As the illustration shows, possibly any of the

other impacts can lead to an impact on product
quality, and this, in turn, has an impact on patient
safety.
Patient
safety
Illustration 6 : impacts
QBD GROUP PAGE 22

3.10 HOW CAN THE SYSTEM IMPACT 3.13 HOW CAN THE SYSTEM IMPACT
INTERNAL COMPANY POLICIES? BUSINESS?
The failure of the quality management system The absence of a validated system, failure to
policies has the most significant effect. It is comply with the good practice provisions or
therefore important that every staff member part falsification of results or evidence that does not
of the validation process becomes aware of them. take into account hidden costs of maintaining or
Any breach of Good Practice may eventually supporting the system, the purchase of a system
cause business impact through loss of credibility that will soon be updated, loss of money due to
with customers, loss of demands, plant closure, the system not having the required functionalities
fines, or damages to patients. that would require changing the process, etc.
3.11 WHAT IS DATA INTEGRITY AND WHY 3.14 HOW CAN THE SYSTEM IMPACT
IS IT IMPORTANT? REGULATORY COMPLIANCE?
The FDA states in its guide “Data Integrity and The main impact on internal company policies is the failure
Compliance With cGMP” the following: data integrity of the quality management system policies. Therefore, it is
means that the data must remain Attributable, important that staff involved in the validation process (IT,
Legible, Contemporaneously recorded; Original (or Human Resources, Quality, Validation, Production,
actual copies), and Accurate. The above attributes are Maintenance, etc) are aware of them.
mentioned by the FDA under the acronym ALCOA as
well as complete, consistent, lasting, and available. An example is when a company does not adequately
These concepts have been reproduced in other control the training and qualification of its personnel,
guidelines and regulations. resulting in unqualified personnel operating the system
which breaks the validated state, increasing the uncertainty
of the system and taking, therefore, the inherent risks.
3.12 HOW CAN THE SYSTEM IMPACT
DATA INTEGRITY?
When it lacks controls for use, archiving, backup,

Attributable
restore, transmission, and modification of data and
Available
information that the system manages. Legible
An example: an employee, using control software Enduring Contempora-
inventory in the warehouse, has an error in moving Data neously

recorded
integrity
product “X” between stores. An IT colleague
responsible for the management system solves the Consistent
Original
error of the employee by modifying the data. In this
case, the system is vulnerable and its information can
Complete Accurate
not be considered integrated.
Illustration 7: attributes data integrity
QBD GROUP PAGE 23

When it comes to data, it should not be forgotten There are three types of data governance controls
that it is part of the records managed by the for maintaining integrity: people, process and
system. technology.
When dealing with data, there is a life cycle that People

generally includes the following steps: Training
Open work culture
Generation
Process Process
Report Procedures
Check Governance system design
Use for decision making Routine data verification
Storage Periodic surveillance audits
Discarded at the end of the retention period
Technology
Transfers between manual and/or IT systems may Computerized control system
occur within these phases. Automation
Data integrity must be maintained when the data
managed by the systems are relevant for Data governance should also have a risk
compliance with good practices when part of the approach (see topic: Risk Analysis)
evidence of regulatory compliance or when they
are critical for compliance and the measurement
of product quality attributes or patient safety. 3.16 HOW IS DATA INTEGRITY
VERIFIED?
When the system is not able to support and
maintain the integrity of the data it manages, a Verifying the integrity of the data in the electronic
major risk is generated as these critical data can records system is done in two ways:
be falsified, deleted, disclosed without

authorization, modified, or denied by issuers. 1. Routine verification of data and system logs
Data governance can maintain data integrity. at fixed intervals (checks, audits) (see topic:
Maintenance of Validated Status).
2. By studying validation through the
3.15 WHAT IS DATA GOVERNANCE? installation of testing protocols, operation,

and system performance (see topic: How to
It is the sum of total arrangements that provide validate computerized systems?).
assurance of data integrity, regardless of the

process, format, or technology by which they
were generated, recorded, processed, stored,
retrieved, and used.
QBD GROUP PAGE 24

3.17 WHAT ARE ELECTRONIC
RECORDS?
In developing the left side of the applicable V- Electronic records are data and information that
model, there must be defined requirements and are created, modified, archived, retrieved, and
identified risks related to the generation, distributed by a computer system with a specific
processing, reporting, verification, use for regulatory purpose. Electronic records are GxP
decision-making, storage, and discarded end of relevant and those that are not, the difference is
the data as well as making sure its attributes whether or not the performance impact of good
remain complete, consistent and accurate, practice is in force.
attributable, legible, contemporaneously
recorded, original and veracity copy, accurate, Until a few years ago the management of
durable and available. When applicable, develop information was made 100% on paper; from
specifications for these data in accordance with procedures, records, production orders,
the above. logbooks, and maintenance programs, among
others. However, with technological innovation,
During validation testing, the challenges more and better information management tools
necessary to identify and define the location of are emerging every day. Such as systems that
data and electronic records (IQ), the verification manage the quality management system, manage
of processes and procedures creation, file inventory systems, and production control
transfer, the backup and restoration of data as systems.
well as the evidence for the maintenance check of
these attributes during the operational process Derived from this, some companies decide to
(OQ) and as part of the results of the (PQ), should eliminate the use of paper, and manage all or
be established (risk-based). some of the documents electronically; the use of
these tools brings benefits such as reduced costs,
One element that contributes to the control of availability of information, ease in finding
the data and the traceability of its integrity information, environmental benefits by reducing
elements is the data audit (see topic: Data Audit) paper consumption; but it requires security
as this keeps an unalterable record of the actions measures to ensure the data integrity is at all
performed with the system information. times established.
Electronic signatures (see topic: What are Technological tools are becoming more accessible
electronic signatures?) also contribute to data and versatile, allowing in some cases to make
integrity by allowing them to be attributed and designs tailored to the needs of each customer
verified for use in decision-making. and company, increasing the electronic records
that are generated; however, not all records are
subject to validation. It is important to discern
which of these have a GxP impact and therefore
will be subject to verification/validation.
Testing electronic records during system

validation demonstrates the integrity of the data
being processed by the computer system.
QBD GROUP PAGE 25

The file is given a name and a format with which
it can be reproduced. Records to be checked
during validation are those with a GxP impact, for
example, a production order to be accepted, then
the product data are recorded and electronically
secured through a system. This is an electronic
record. However, if the same order was created
by mail and it is printed for manual data
recording, the product is signed and stored in a
folder for evidence of compliance with the
authority, this physical evidence is no longer
considered an electronic record.
Another example are the procedures. If a

standard operating procedure is created by an
application, distributed, protected, and
electronically authorized, it is an electronic
record. However, if the procedure is written by an
application and printed for approval, and
disseminated through physical copies, this is no
longer considered an electronic record. The
original electronically protected record can be
considered if it is carried out through this
medium as a control version.
In the example above ‘electronically authorization’

was mentioned, this refers to electronic
signatures validating the authenticity of the
person signing the document.
QBD GROUP PAGE 26

3.18 WHAT ARE ELECTRONIC
SIGNATURES?
It is a set of encrypted electronic data Electronic signatures require the user to be able
accompanying or associated with an electronic to identify themselves electronically in a manner
document, whose basic functions are: equivalent to a handwritten signature. An
unequivocally identifying the signer and ensuring electronic signature must have the same legal
the integrity of the information and data validity as a handwritten signature. The standard
contained in the signed document. also allows the use of biometrics and tokens.
Characteristics of an electronic signature and related best practices:
All user actions can be configured to require signing or signing and authorization.
Privileges on the use of electronic signatures should be set according to the authorization
level of each user.
Guarantee the identification of each user by removing accounts without deleting them.
Usually, electronic records are linked to other documents, such as procedures, that are
used for the same purpose and are used by the company to approve or reject the
information contained in these documents.
For purposes of FDA compliance, electronic signatures should also include the signature
motif.
As electronic signatures and their use may have legal implications, it is necessary to
document (via a policy in a procedure or a manual), the date from which they are
implemented and their validity as equivalent to handwritten signatures and scope (on
documents applicable).
The organization will ensure that the electronic signatures remain unique and non-
transferable to each user. This is achieved by verification of electronic signatures where at
least one of the elements is only known to the user. To ensure that electronic signatures
cannot be misused, it is highly recommended that the enabled user accepts the
responsibility of the electronic signatures document by committing not to disclose the
password and to report the stolen identification element.
To ensure that electronic signatures cannot be altered, copied, or transferred to be
counterfeited in another electronic record other than the original, it is necessary to
include in the validation tests the verification of their encryption, of the way they are
attached to information and attached to the document so that they cannot be extracted
by ordinary means. Several documents should be tested to verify that a specific signature
(a string of characters or electronic data attached for authentication) has been placed for
each document.
Electronic signatures should be used sparingly, implemented only in those activities and
processes that are justified by their criticality and importance.
QBD GROUP PAGE 27

3.19 WHAT DOES AN ELECTRONIC 3.20 WHAT ARE THE RISKS ASSOCIATED
SIGNATURE GUARANTEE? WITH THE USE OF ELECTRONIC
SIGNATURES?
Authenticity Among the risks associated with the use of electronic

signatures, it is known that it can be hacked. These
The document information and electronic risks, as always, are borne by the end user who uses
signatures are undoubtedly from the person them.
who signed it
Digital signatures (other than digitized signatures)
are a type of electronic signature that has a higher
level of security. To perform the digital signature, a
Integrity username and two keys, public and private, must be

used. The public key is what can be shown and
The information in the electronic text has not accessed by a third party and the private key will be
been modified after it was signed in no case known or accessed by someone else,
because this key is integrated into our identity and
our firm.
Non-repudiation The exposure of the private key is a very high risk

because its security is unique and ensures the
The persons who signed electronically can not security of electronic signatures. Anyone with the
say it was not them same key can create fraudulent signatures with the
same legal value as a handwritten signature.
Knowledge of the key by a third person can lead to
phishing, can be passed around by the user, and can
Notice be signed anywhere.
The information has been encrypted and the It is recommended to have a clear policy of control
issuer will only allow that the receiver can and password protection, and implement a secure
decrypt system for managing them. The organization must

ensure (and generate evidence of this) that the user
is aware of the responsibilities associated with the
use of electronic signatures. Such a system must
have the necessary elements in place to store and
manage keys and allow access only to authorized
users so that it is known who signed, where they
signed, and when they signed.
The standard also allows the use of biometric

identifiers and tokens to establish control measures
that are not used by outsiders.
QBD GROUP PAGE 28

3.21 WHAT DOES NOT REQUIRE
VALIDATION?
Throughout the chapter ‘Why validate computerized

systems’ the reasons why computerized systems
should be validated were described, however, it is
important to identify which features or components
of the computerized system do not require
validation.
The clearest examples are the commercial

operating systems, eg Windows, Unix, and Linux.
They are infrastructure systems that are required for
the application to work properly. However, these are
indirectly verified during validation, because they are
commercial systems. These are tested from a design
by the companies that develop them.
Another example is antivirus and firewall, which as

in the previous example, are extensively tested
before the release because they are constantly
developing new infectious agents. They need to be
constantly updated to protect companies from
malicious agents.
Finally, office or complementary software such as

Microsoft Office (Word, Excel, etc.), Adobe Reader, or
Teamviewer is not subject to validation. They
indirectly prove their operation during the validation
of the software and document the business
characteristics.
QBD GROUP PAGE 29

CHAPTER FOUR
WHO IS
RESPONSIBLE?
4.1 WHAT ARE THE MAIN

RESPONSIBILITIES?
Before the execution of validation, the people and

areas that should be involved throughout the
process must be identified. Each person must
know and accept the responsibilities that apply.
In the process validation of computerized

systems, there are 3 to 4 main responsible
parties, namely the process owner, the system
owner, and quality, and the fourth could be the
provider. The user is represented by the process
owner.
Process System
owner owner
Quality Provider
Illustration 8: Responsibilities
QBD GROUP PAGE 30

4.2 WHO OWNS THE PROCESS AND
WHAT IS THEIR RESPONSIBILITY?
The process owner is usually the boss or manager Usually, he is responsible for the availability of
of the area that the process serves. There can be information, configuration, maintenance, support,
more than one process owner. He is the main training of personnel, and the access control
actor in the success, regulatory compliance, and security system and takes measures to ensure
economic benefits that the system can generate. compliance and GxP.
He is called the process owner because he is
empowered to make decisions about the process
because of his hierarchical level, knowledge, and
experience related to it, his interactions, and his
relationships.
The process owner may also be responsible for

the system, however, this will depend on the type
of system and the size of its operations. It is
recommended that a process owner is a person
who knows the company widely, not only the
process variables that serve the application but
also the system.
Part of his responsibilities will include:

Manage the development of user requirements

Having a robust and comprehensive knowledge of the regulatory requirements related to
the process
Assemble the team that will participate in the operation, validation, and test execution
system and provide the necessary resources
Involvement in the risk assessment team
Approve the documentation resulting from the validation
Maintenance of the validated state
Training management system users
Elaboration of the required procedures for the process that serves the system
Allocation of system operating personnel during validation
Develop and report change controls
Monitor the matrix training of the personnel involved
Perform follow-up calibrations of equipment as required
QBD GROUP PAGE 31

4.3 WHO IS A USER AND WHAT ARE
HIS RESPONSIBILITIES?
According to ISPE, the “user” refers to a

pharmaceutical or consumer-oriented customer As part of their responsibilities, are the
organization that engages a provider to provide a following:
product. In this context, it does not only apply to
individuals and is synonymous with customers. It Report errors in the system
is common to conceptualize the user as a Communicate information about the
personal direct contact with the routine operation requirements the system must meet
of each of the activities within the processing to be suitable for the intended use
system, and defining the user causes problems Provide information about the process
when establishing user requirements because Data entry system
each conceptualizes their requirements from the Extract and use information system
limited perspective of their specific activities Support in the execution of validation
within the overall operation. tests
In these terms, we can have multiple levels of

users. The most important is the one who has the
overview of the process (managers, managers of
4.4 WHAT IS THE RESPONSIBILITY
the area or areas where the system serves,
OF THE SYSTEM OWNER?
process, and system owners). Their level of
responsibility is high for the results of the process
The system owner is either a technical person who
and system. Second, we have the key users (can
maintains the system and acts as a system
be any of the above), their characteristics are that
administrator or a key user who acts as an
they have broad skills and a knowledge
administrator of the system.
management system as well as a level of
responsibility that allows them to supervise
System owner actions include granting, reviewing and
younger users or parts of the authorized process.
revoking access to the system, participating in change
impact assessments and being responsible for rolling
Finally, we have the younger users, who are
out new releases and security patches involved in risk
those who are responsible for performing most
assessments, ...
system operations related to the entry and exit of
information. They usually have very small and
limited liability, and the critical process steps run 4.5 WHAT IS THE RESPONSIBILITY
by the system often require additional monitoring OF THE QUALITY DEPARTMENT?
and authorization.
Quality is responsible for regulatory compliance and

adherence to the company's internal policies and
procedures. Actions Quality performs: involved in risk
assessments, involved in change controls, approver
of validation documentation, determines and
approves validation strategy, ...
QBD GROUP PAGE 32

4.6 WHAT IS THE RESPONSIBILITY OF THE Supplier evaluations may include the following:
(INTERNAL / EXTERNAL) PROVIDER?

Completion of a checklist audit by the supplier
Gathering documentation from the supplier
Providers play an important role during the system
related to the development, testing, and
life cycle and each of the selected stages of the V-
system maintenance, including supplier
model.
procedures
Site audit of the supplier’s facilities
We can classify them as follows:
Supplier’s reputation
Supplier’s quality systems
Provider of computer system and consumables
Collection of the documentation from the
(implementation, support, maintenance)
supplier on the system development
Provider of infrastructure (implementation,
Supplier questionnaire
maintenance, support)
Staff competencies provider
Service provider qualification and validation
Historic quality (for already approved
suppliers)
To reduce the possibility of any inconvenience with
Service-level agreement (SLA) if it meets the
any provider, you must carry a rating and approval of
client’s requirements for optimal performance
this before purchasing supplies or services. Also, a
and system maintenance
way to eliminate risks associated with suppliers is to
Response times
ensure that the UK, is established from the same
Contracts
purchase order.
Suppliers’ responsibilities are defined in terms of the
Usually, for systems from suppliers with a lower
activities for which they are hired and the criticality of
category and therefore lower risk, a lower level of
their participation in the process.
verification is required. For example, COTS
providers, require a lower level of verification
4.7 SUPPLIER QUALIFICATION compared to tailored systems.
Given the criticality of its activities to the system t is important to always conduct a proper cost-
and its results, it is important to define which benefit analysis of the appropriateness of an
suppliers should be qualified and which not. The audit of a site provider versus a remote audit or
criteria for this should be defined in each merely documentary. In these cases, it is also
organization’s internal policies. important to mediate a risk analysis.
The decision to perform a supplier qualification Each of the evaluated criteria should be given a
should be documented, based on a risk grade that should be analyzed and documented
assessment and categorization system. in a report card of the provider, to indicate

whether the supplier is approved or rejected,
what results are out of specification, and what
preventive and corrective actions should be taken
by the supplier.
QBD GROUP PAGE 33

If the supplier is not approved or provides an 4.9 WHAT IS THE RESPONSIBILITY OF
unsatisfactory service, you should proceed with a THE AREA VALIDATION?
check of the quality management system of the
company that hired the supplier or a risk analysis This area is responsible for creating the necessary
to determine the frequency and scope; based on documentation to validate the system and
that, you should proceed with a check of the demonstrate what it says and does, and how it
quality management system of the company. works, such as:
Meetings with the process owners for the

4.8 WHAT SUBJECT MATTER EXPERTS characterization of the process and system
CAN BE USEFUL? processing requirements, risk analysis, and
specifications, as well as reviewing evidence
Having experts in the validation, implementation,
and reports
updating, and removal of a computerized system
Meetings with the system owners for the
is helpful because expert judgment is useful in
characterization of the process and system
increasing the reliability of decisions about the
processing requirements, risk analysis, and
undertaken activities.
specifications, as well as reviewing evidence
and reports
The informed opinion of people with experience
Meetings with users who use the software
in the subject, who are recognized by others as
every day
qualified experts, and can provide information,
Meetings with stakeholders to monitor the
evidence, judgments, and assessments, is what
progress of validation
gives value to the inclusion of experts in the field
Perform the necessary documentation for
during the system lifecycle.
validation
Run the protocols and document the evidence
The expert’s role is critical for strategy planning,
Develop validation reports
eliminating irrelevant aspects, including essential
Report if there is a deviation in the process
aspects and/or modifying aspects that require it,
test selection, and defining acceptance criteria.
Experts in the field can be:
4.10 HOW ARE RESPONSIBILITIES
People who develop software ASSIGNED TO THE SYSTEM AND
People who were responsible for the VALIDATION?
implementation of infrastructure
People who implemented the software The responsibilities of those involved in the
People who give support to infrastructure, different areas involved in software validation, as
servers, and PCs outlined in the Validation Master Plan of
Users who operate the system daily Computerized Systems.
And responsibility is the support for validation A validation committee (or equivalent) is formed
according to their area and knowledge with specific responsibilities that delimit the
management system that will remain in the VMPCS. (See: Validation Master Plan).
organization.
QBD GROUP PAGE 34

4.11 WHAT ARE THE MAIN
PROBLEMS THAT ARISE IN THE
ALLOCATION OF RESPONSIBILITIES?
The most common problems are:
The lack of communication between the

participating areas
The lack of information on why you should
validate software
Not accepting the responsibility assigned to
it and distancing themselves from it,
arguing that the activities are up to other
areas (Validation, IT, production, or quality)
Areas arguing that they have the time to
dedicate to software validation
Assigning all validation activities to one area
or person to be disregarded
responsibilities from other areas, owners
and users. The validation of computerized
systems requires close collaboration with
various roles and responsibilities where
staff is responsible for integrating the
information generated by other areas and
functions involved
Not knowing the process or setting it up
incorrectly
QBD GROUP PAGE 35

CHAPTER FIVE
HOW TO VALIDATE
For the implementation of the validation process

of computer systems, it is extremely useful to
view it as a project, depending on the criticality,
impact, complexity, and risks of the system.
Many variables are involved to control them in a
timely manner.
It is common for validation activities to be subject

to urgency and stress which in the case of
systems with greater complexity (such as
categories 4 and 5), increases the probability of
errors if you do not have adequate management
scheme activities and timing. For this purpose, it
is important to start understanding both the
process- or system-related activities as well as
those related to the validation itself.
NEED CSV SUPPORT? GET IN TOUCH WITH QBD!
QBD GROUP PAGE 36

5.1 WHO SHOULD COORDINATE A common mistake is to confuse the life cycle of a
THE VALIDATION PROJECT? system with the “V”-model for the development and
testing of the system, calling it a “V-model life cycle”.
The project coordination of the validation of any These are two different things. The V-model will be
system is recommended to be carried out by a discussed later as it relates to the stages of the life
person who has the most control and knowledge of cycle of systems.
the system and the process, for example:
In the case of ERP systems, it is recommended 5.3 WHAT IS THE LIFE CYCLE
that the IT area coordinates the validation effort APPROACH?
because it is a system that serves several
The life cycle approach allows us to consider the
processes. That would not be practical for process
characteristics of each stage for planning activities
owners to coordinate.
and scopes of validation, the risks and benefits for
In the case of LIMS systems for document
each stage and implementing the necessary controls.
management, it is recommended that the owner
is the person who coordinates the process as they
have better control over the process and system
5.4 WHAT ARE THE PHASES OF THE
requirements.
LIFE CYCLE OF A COMPUTER
For spreadsheets, the same user would be
SYSTEM?
responsible for coordinating and implementing
the validation of the leaves. At each stage, you can perform various activities that
If your organization has a PMI or a project office, typically accompany it. These steps become cyclical
that would be the responsible entity. with each change, improvement, or implementation
of a new system.
Notwithstanding the above, it should not be
forgotten that the validation of computer systems is a
joint effort where various stakeholders provide Concept Project
information for the preparation of the elements of
the chosen V-model.
It is important that all areas involved support and test
the system.
Retirement Operation
5.2 WHAT IS THE LIFE CYCLE OF A

COMPUTERIZED SYSTEM?
Concept Project Operation Retirement
The life cycle is a period of time during which a

Requirements Validation Changes Migration
computerized system ‘lives’ from conception to
retirement. For companies, the concept of the life
cycle begins with the need or opportunity to Specifications Release Control Destruction
automate one or more processes and ends with the

retirement or replacement of the system that served
Illustration 9 and 10: Life cycle stages
the automation.
QBD GROUP PAGE 37

5.5 LIFE CYCLE APPROACH
Concept
The GAMP® Guide 5 establishes a life cycle approach
as good practice for a better understanding of the Opportunities to automate processes
Development of initial requirements
system and its implications. This approach involves Establish scope, cost and benefit
systematically defining and implementing activities (determine if the project is carried
out)
from the four main phases:
1. System design
2. Draft
3. Operation (It is usually the longest phase)
4. Retirement System Project
Planning, supplier evaluation
Depending on the stage of the life cycle in which the Specification and configuration
levels (or coding for custom
system is in, the activities and V-model will apply.
applications)
Verification of acceptance for
commissioning
Recommendations: Risk management for identification
of risks to eliminate or mitigate
them to an acceptable level
Suppliers of products and services, as
appropriate, can participate in improvement
activities, maintenance, validation, auditing, etc.,
throughout the life cycle. It is subject to
satisfactory evaluation measures and approval of Operation
the supplier (Supplier Rating).
Implementation of defined and
It is important to maintain an inventory of existing
updated operating procedures
computer systems in the Validation Master Plan Training and qualification of
personnel to handle the system
of Computerized Systems (VMPCS) or the General
System security (control
Validation Master Plan (VMP). This inventory is maintenance)
recommended to include data such as the date
the system was implemented and the date the
last validation was completed so that the
validation management can track what stage of
the life cycle stage the system is in. Retirement
As part of the initial system characterization stage System retirement
of the life cycle, it is in, prior to the validation Data retention decisions
Data migration
study.
Or destruction of data
Management of these processes
Illustration 11: Life cycle stages
QBD GROUP PAGE 38

5.6 WHAT ARE THE CHARACTERISTICS
OF EACH OF THESE PHASES?
Concept phase
The main activity of this phase is to establish the focus of the organization to justify the
start of the proposed system implementation, defining the scope needed for enterprise
resource optimization.
Initial requirements for determining the use of the system based on operational needs
and the process, in the same way, may be the overall specifications for the system need
their construction and use.
Project implementation phase
Phases of project implementation are:
Planning
Specification, configuration, and coding
Verification
Reporting and release
Key supporting processes for project implementation compliance are:
Risk management
Change and configuration management
Traceability and document management
The results obtained during the execution of these phases provide documentary
support for justifying the system as suitable for its intended use. This generated
documentation can be used by the company as proof of compliance during inspections
by the corresponding regulatory body.
QBD GROUP PAGE 39

Planning
Project planning includes the following activities to be carried out:
1. project validation plans

2. development of requirements
3. supplier Evaluation
4. project scope definition
These activities are generally sequential but may run in parallel or overlap. In this phase, the
requirements and specifications should be clear enough for a risk assessment and ultimately
for a correct definition of verification tests (protocols).
In this phase, activities should be carried out taking into account the following:
Impact of the system on patient safety, product quality, data integrity, business
operations, internal policies, and regulatory requirements
The complexity of the system
The capacity provider (vendor classification)
System seniority
Category System
Existing GAPs
Specification, configuration, and coding
During this phase, the following activities are performed:
Specification: specifications are made with the level of detail required by the type of
system and its use.
Coding and configuration: Providers must choose and use the development methods
and models most appropriate to the coding and configuration requirements and based on
the approved specifications.
They should also ensure that their requirements and specifications take into account those
coding needs and system configurations for the intended use and how these developments
and configurations should be documented.
QBD GROUP PAGE 40

Verification
This phase confirms that the specifications have been met, through inspections and testing of
the system (depending on the type of system). This phase is present throughout the project.
Qualification tests and validation infrastructure for new systems run during this phase.
Reporting and release
In this phase, the system must be acceptable for use in the operating environment, according
to a documented and controlled process.
Release and acceptance for use in activities GxP should be done by the process owner and
system owner.
A computerized system validation must be prepared at project closure, summarizing the

activities undertaken, any deviations from the plan, and the results of the study.
In order to effectively maintain the system during operation, a handover (or release system)
by the process owner, owner, and operating system users is required as a prerequisite.
Operation phase
This phase is the longest phase, at this point, you can still make changes to the software,
hardware, and process for which it has been released and authorized by the organization.
These changes must be monitored and managed as part of continuous improvement and
maintenance of the validated state.
System and infrastructure procedures must be continuously updated in accordance with the
organization’s quality management policy.
Retirement phase
This phase involves the removal, decommissioning, and migration of data needed for
decommissioning.
It reaches this stage when it is determined that the computer system is obsolete for the
process for which it was designed, among other reasons because:
The software is obsolete or has lost supplier support

The hardware is not compatible with software updates
The process for which it was designed has undergone significant changes that originally
affected its suitability and use
There are new and better options to replace (retooling)
QBD GROUP PAGE 41

5.7 WHAT IS THE V-MODEL?
The V-model is a graphical representation of software It helps determine the best validation strategy according
development and testing activities, including its to the computerized system categorization, specifying
verification and validation process. the documentation to be generated and the type of tests
to be performed at each stage of the validation process.
The V-model can be viewed not only as the development Shows the logic of work in the process of system
activities and testing of the system but also as their development and verification.
sequence, their interrelationships, and the validation
process of the deliverables applicable to the V-model Determine in advance the V-model to be used so that
selected for each system. those involved become familiar with the validation
strategy to be followed. There are several V-models,
each suitable for a specific context.
Related to
USER REQUIREMENT PERFORMANCE
SPECIFICATIONS QUALIFICATION
Related to
FUNCTIONAL OPERATIONAL
Related to
DESIGN INSTALLATION
SPECIFICATION QUALIFICATION
Design Qualification
UNCONFIGURED
SYSTEM
Illustration 12: Standard V-model
QBD GROUP PAGE 42

5.8 HOW MANY V-MODELS ARE
NORMALLY HANDLED?
Although several V-models and even combinations of

them exist, 3 main models for the validation of
USER REQUIREMENT PERFORMANCE
computerized systems have been proposed in the SPECIFICATIONS QUALIFICATION
GAMP® 5 Guide. Their selection and application

depend first on the category into which it classified UNCONFIGURED
SYSTEM
the computerized system and then on the evaluation

of other factors discussed below.
Illustration 13: V-model suggested for
the validation of Category 3 systems
5.9 WHAT DETERMINES THE

APPLICATION OF EACH MODEL?
It depends on the complexity, category, impact, and USER REQUIREMENT PERFORMANCE

risks, the degree of outsourcing of system

components, the life cycle stage you are in, its age, FUNCTIONAL OPERATIONAL
and maturity.
DESIGN INSTALLATION
Each V-model test includes a degree system, this
degree should be defined according to the criticality
CONFIGURED
of the system or its components. SYSTEM
The definition of the applicable model should also be Illustration 14: V-model suggested for
from a practical point of view that proves only what the validation of Category 4 systems
needs to be verified, without ultimately verifying less
than necessary. In this regard, the experience of the
validator and appropriate risk analysis and
characterization of the system is crucial for the USER REQUIREMENT PERFORMANCE
correct choice of the V-model. In any case, when in

doubt, it is preferable to increase the level test than FUNCTIONAL OPERATIONAL
to decrease it.
DESIGN INSTALLATION
The models are not restrictive so that if for reasons
specific to each system, more tests than mentioned
UNIT (MODULE) UNIT (MODULE)
in the model are performed for all or part of the SPECIFICATION QUALIFICATION
system, it is possible to include them in the validation

CUSTOMIZED
strategy. SYSTEM
Illustration 15: V-model suggested for

the validation of Category 5 systems
QBD GROUP PAGE 43

5.10 HOW DOES THE LIFE CYCLE
APPROACH RELATE TO THE V-MODEL?
Depending on the stage of the life cycle that the Also, depending on the time set for project
system is in, the chosen V-model and its activities can implementation and system validation, the V-model
be placed so that they are more compatible with can be shortened or extended within the cycle of the
development activities and system testing. system. In any case, it is important to consider the
following premises:
The validation of the system should be completed before the release of the preferred
system.
The assessment infrastructure should be completed before the start of the validation
preferred system. It can be performed in parallel, assuming the risk that in case of failure
to pass the qualification infrastructure, the rest of the validation cannot be approved and
tests must be repeated until the assessment infrastructure has been satisfactory.
Extended runtime of the selected V-model may lead to loss of control over the validation
process, unnecessary costs, changes that require reconsideration of the left side of the
model, or obsolescence of the system.
For new systems, the best time to begin the left side of the V-model (processing user
requirements, functional and design specifications, as applicable) is during the system
design phase and the best time to complete the right side of the V-model (developing
protocol design, installation, operation, and performance, as applicable) is before the
system operation phase.
For legacy systems, the beginning of the left side of the V-model (processing user
requirements, functional and design specifications, as applicable) is usually during
operation, as in the term on the right side of the model.
Systems that have not completed their validation study in the operation phase pose a risk
and therefore it is not recommended that the system be released through validation
testing. An exception may be legacy systems, in which case they should establish controls
to mitigate the release risk.
QBD GROUP PAGE 44

5.11 WHAT ACTIVITIES CONSTITUTE
THE VALIDATION PROCESS OF
COMPUTER SYSTEMS?
The activities in the validation process of computerized

systems are:
Illustration 16: 21 stages of the validation process
QBD GROUP PAGE 45

5.12 HOW IS EACH PHASE RELATED TO 5.13 WHAT IS THE RELATIONSHIP
THE V-MODEL AND WHAT ARE THE BETWEEN THE QMS AND THE
DELIVERABLES IN THIS PROCESS? VALIDATION OF COMPUTERIZED
SYSTEMS?
Mandatory deliverables for process validation of
computerized systems are divided into prerequisites,
The quality management system is an umbrella term
protocols, reports, and traceability matrix:
covering all business processes. In this context, the
validation activities and processes that serve the
Characterization system (highly recommended)
systems are no exception. There are three direct links
User requirements
of the validation study to the quality management
Risk analysis
system that must be taken into account to obtain the
Functional specifications
expected results:
Design specifications
Design qualification protocol
Compliance with established quality policies and
Design qualification report
processes
Installation qualification protocol
Documentation of inclusion in the BPD system
Installation qualification report
and documentation of its operation,
Operation qualification protocol
maintenance, design, control, system definition,
Operation qualification report
and validation, and the electronic records it
Performance qualification protocol
manages
Performance qualification report
Risk Management
Traceability matrix
Maintenance of the validated state through the
use of Change Control tools, handling of
Not all deliverables are mandatory for all systems,
deviations or non-conformities, internal audits,
this depends on the V-model chosen for each
CAPA management, staff training, supplier
validation and its scope.
evaluation, maintenance, and calibration
programs
The GAMP® Guide suggests that functional and
design specifications should be established as a
Records are documents to be considered within the
prerequisite for categories 4 and 5 because they
Quality Management System (QMS). Procedures
provide more specificity and robustness testing.
related to the use of systems and their management
(IT procedures) must comply with the GDocP and be
within the QMS. Validation protocols, reports, and
evidence must comply with the provisions of the
QMS.
At all times, the quality policies established by the

company must be adhered to and they must be
consistent with expectations and conformity
validation.
QBD GROUP PAGE 46

Validation studies and the management of their
results must be based on the following quality
Procedures for use system
processes:
Operational procedures that include not

Non-conformities
only the operation of the process, but
Corrective and preventive actions
also the system as part of the process
Customer complaints
Risk management
Internal audits
Change control
Qualification of suppliers
Training and qualification of personnel
The minimum procedures for specific preparation

of computerized system validation are divided as
follows:
Procedures for IT system management Procedures for use and IT system

management
Management of systems and new
developments Installation of network equipment
Management of physical and logical security Escalation management and demand
Supplier management for computer systems Change control (HW & SW)
Management of electronic signatures (if Security Management
applicable) Preventive Maintenance
Maintenance of computer systems Research problems
Backup, archiving and recovery of information Training
Verification of electronic records On/off servers
Contingency plan in case of emergencies Performance measurement
User management Capacity management
Virus management Help desk
Configuration management User management
Patch management and updates Virus management
On and off infrastructure (if applicable) Backup, archiving and recovery
Help desk Configuration management
Spreadsheets for version control Disaster recovery
Commissioning and decommissioning
QBD GROUP PAGE 47

In addition, the procedures of the quality As for document management systems, these are
management system to maintain the validated some of the points to consider during validation.
status are mentioned above. International guidelines recommend:
It is not necessarily important that these Keep documented information to support the
documents have these names, even several of operation of our activities
them can be included in other procedures or Maintain documented information to ensure that
unified into a single one or even those that do not the activities are carried out
apply to certain systems. In this regard, the
decision to create or not create procedures Therefore, it is vital to implement a document
should be based on the following assumptions: management system to demonstrate that activities
meet the previously established requirements.
They will add value to the process
They must be appropriate to the context and DMS systems reflect the processes and associated
system control needs and processes documents that are part of the documentation system
They must be appropriate for the users who activities. The management of the organization’s work
will use them methods computerized systems are critical because
they manage the most important implementation of
They should contribute to better control and good practices element documentation. In them,
reduction of risks. documentation is integrated in an orderly manner to
ensure proper understanding. Implementation of a
In addition, the counting of some, all or more of documented system helps build a hierarchical
the items presented here will depend on the structure of documents.
characteristics of the computer system and the
type of infrastructure being counted. The This system allows access to information recorded in
company must establish the necessary files and documents and ensures that the information
procedures. is stored securely and thus remains intact for the
necessary period of time. The documents managed by
One factor underscoring the importance of the these systems should be considered “electronic
relationship between the quality management records”.
system and process validation of computerized
systems is that there are validatable systems with Because of the high importance of the information
a high impact on the quality management system, needed for validation and maintenance, a document
some of which manage the QMS. Examples management strategy appropriate to the type and size
include: of the company is needed.
Document Management Systems (DMS) The structure of the quality system includes the
Quality control systems and Laboratory following elements managed by the DMS:
Information Management Systems (LIMS)
Quality modules in the ERP Quality manual and quality policy
Spreadsheets for process control and quality Procedures
management Instructions
Etc. Records of activities
QBD GROUP PAGE 48

Preparation of documentation on the
validation of computerized systems
Descriptions and job profiles should be prepared of

personnel involved in validation, describing their
responsibilities and activities. These responsibilities
should be assigned and ensure that communications are
understood.
The next step is to establish the requirements for

preparing and updating documents for validation.
It is recommended that a procedure is developed that
defines at least the following points:
Assignment of a document identifier, title, issue date,

validity, and next revision
Definition, format, language, format code, and type of
format (e.g., paper, electronic)
Responsible person for review and approval of the
document
For the control of information generated, a process

should be developed that includes at least the following:
Availability of documentation for consultation when

needed
Security and protection against loss, misuse, or loss of
integrity
Change management
Documented information is kept as evidence and

protected from unauthorized changes. Ensure that all
information used in computerized validation systems is
approved and up to date and that personnel receives
corresponding training. With the establishment of the
quality system and documentation, you have the
confidence that you have validation evidence to support
the results.
QBD GROUP PAGE 49

5.14 WHAT REQUIREMENTS MUST 5.15 WHAT IS THE PURPOSE OF A
THE QUALITY MANAGEMENT VALIDATION MASTER PLAN OF
SYSTEM COMPLY WITH? COMPUTERIZED SYSTEMS?
Formats and protocols for reviewing reports must be The Validation Master Plan (VMP) specifies and
discharged into the QMS, and therefore must be coordinates all qualification/validation activities to
controlled by the system organization documents. They ensure that the manufacture of pharmaceutical
must comply with internal policy documentation and products is carried out in accordance with the
aspects specified by NOM 059 for protocols and reports. standards and quality policies required by regulatory
agencies. The plan establishes guidelines for
The protocols must explain the method used to conducting validation studies.
perform each test, which produces a result that in
turn must meet acceptance criteria that should be
reflected in the protocol.
The report must contain the reference code
protocol. Each protocol should have its own report
and at the end should declare the analysis of each
qualification phase and the system as validated or
not validated. Each test protocol must have a unique
identifier that allows relating the requirement or
specification corresponding to it, along with the
report there must be a traceability matrix.
The report of each qualification phase should
address the results obtained during implementation
and conclusions based on compliance with
requirements and specifications. It is recommended
that the report include a format for recording
deviations, supplemented by an analysis of the
results.
Changes to the protocol during implementation
must be documented and justified. Change controls
included in the document can be used or reliance
can be placed on the changes in the internal control
procedure.
Formats and reporting protocols must be associated

with an overall Validation Master Plan or a
Validation Master Plan of Computerized Systems.
QBD GROUP PAGE 50

CHAPTER SIX
VALIDATION
PLANNING
6.1 VALIDATION PLAN
The validation plan consists of determining the level

of effort for the defined software and selecting the
tools used to implement, test and deploy the software.
Both are based on the results of the software
categorization and high-level risk analysis. The defined
level of effort results in the planning of appropriate
value-added activities and verification tasks. Once these
are performed, a validation report is issued to support
the conclusion that the software has been validated.
The validation plan must contain at least the

following:
Objective of the project

Overview of the system including intended
use, high level description, overview of the
architecture
Description and impact assessment
Roles and responsibilities for the project
High-level risk assessment
Vendor assessment (if applicable)
Validation Strategy (phases, schedule,
communication, procedures, guidelines)
Planned deliverables including responsibilities
and signatories
Overall acceptance criteria for the system to
be validated, including the approach for
handling deviations from the plan
Standard Operating Procedures planned to be
created / updated
QBD GROUP PAGE 51

6.2 HOW ARE COMPUTERIZED
SYSTEMS CHARACTERIZED?
The characterization of computerized systems is an In an analogy, the characterization is to know the plans of
important activity that precedes the development of a the house and the use that will give, while the
validation study. This characterization allows us to requirements are the basis on which the building (house
understand two fundamental aspects: design and validation process) is done.
The computerized system Characterization, depending on the stage of the life cycle
The process that serves the system the system is in, can be based on user requirements (new
systems) or on existing system specifications and process
As we understand these two elements at the beginning of knowledge (legacy systems).
the validation work, we can better imagine how all parts
of the deliverables have system validation. Their In some cases, a computer system can even be defined as
understanding also depends on the first deliverable the union of a host with other so-called “satellites” that
validation, requirements, and user requirements, which is complement the main functions of the system.
signed off, and all other deliverables.
Among the elements to look at in the characterization of the computer system are the following:
Scope and elements of which the system is composed

Objectives, main features, and expected results
Type of system
Category
Age
The stage of the life cycle it is in
GxP impact, criticality, and complexity
Risks inherent in the system
Definition of responsibilities, mainly for: System owner, users, and their levels, vendors, experts
in the field
Detection of existing GAPs
Electronic records of these vulnerabilities, their criticality, and risks
Data it manages
Use of electronic signatures, these vulnerabilities, their criticality, and risks
Applicable regulations
Required level of security
Documentation that counts (procedures, manuals, technical specifications, manufacturer’s
specifications)
Interfaces to that account
Etc.
With respect to process characterization that serves to define these elements:
Start and end of the process

Process owners
Inputs and outputs
General requirements related to the computerized system
Support for the documentation process (procedures, records, and reports)
QBD GROUP PAGE 52

6.3 HOW IS THE PROCESS Poor definition of user requirements also leads to
CHARACTERIZED? economic losses, increases the likelihood of rework

and change of objectives during validation, and
Similarly, it is important to determine which components reduces credibility by basing requirements not on
are part of the validation, and also which are not within facts but on assumptions.
the range. Much of this information is obtained from the

process and risk analysis system map.
6.4 PROCESS MAPPING

Characterization of the process
Process mapping is a tool that provides a global-local
view of the activities performed and to identify their
A process is a set of interrelated materials, personnel,
components. Prior to mapping, the processes needed to
equipment and systems. It coordinates a transformation
determine the operating parameters are standardized.
of input elements into a product or output element. The
Here lies the importance of the process owner, which is
aim of the process is to deliver a product or service that
the person with full knowledge of the activities,
meets customer needs; a quality product or service.
materials, suppliers, teams, customers (which can be
internal or external, see topic: Who is responsible?),
For both computer system validation and infrastructure
system, the one who leads the development. In addition,
assessment, it is suggested that the processes be
it is recommended that the staff has mastered the
mapped to determine the scope of
subject in question. When the process mapping is done
validation/qualification. Similarly, it is important to
without the users knowing or mastering the process, the
identify the components that are part of the validation
following errors may occur:
and those that are not within the range. The inventory of
systems and components covered by the validation
The objectives are not clear or the process is
should be included in the Validation Master Plan,
constantly being modified
including the justification or basis for determining
The process needs to be modified, which means
exclusions. For the process mapping of computer
reformulating the objective
systems, it is important to know why and how they are
Defined activities do not match the needs of the
used, as this is key to determining the scope of the
process
validation.
Developing user requirements that are not
achievable
Since user requirements are derived from knowledge of
Not meeting user expectations
the process, an understanding of the process enables
Designing a computer system that is not fit for
the development of requirements for a robust user.
purpose
Those requirements in turn have a decisive influence on
the quality of the rest of the elements of the V-model
You must propose and define a clear objective to
selected for each validation in particular.
indicate the What?, How?, and Why?. Goals should be
clear, achievable, measurable, and consistent. To get a
Failure to define user requirements according to the
better understanding of the process, a description of it
process may result in failure to identify the risks
can be made in which the expectations, needs, and
associated with the process and, therefore, failure to
products, once the objective is set, are identified to
implement controls to reduce the severity and
define the process.
occurrence of errors.
QBD GROUP PAGE 53

It is important that the objective is clear and understood
in order to move on to the next stage, which is
determining the process components. As part of the Example 1: A computerized system
process components, you should consider the following: category 3: labeling process by a
computer system
Input sources: e.g. previous processes, suppliers

Objective: labeling of finished products
(internal or external), customers, and other
through a computerized system
stakeholders.
Tickets: Identify the inputs needed for the process
Process description: The computerized
(raw materials, office supplies, peripherals such as
system called “Tag2” is used by selecting the
printers, handhelds, applications, etc.) to obtain the
characteristics to be labeled and indicating
goods or services.
the number of labels to be printed. Data is
Operational processes: Those directly related to the
entered using the keyboard. Security is not
service. enabled and settings are not changed.
Support processes: Those that support the activities
of the main process, provide them with the necessary Identify components:
resources to carry out the activity. These processes
without being part of the main processes are Input sources: Provider labels
necessary for the activities to run smoothly. It is Tickets: Customer needs labels to
important to identify the providers of these activities. identify the product
Outputs: Support processes and have identified what Paper labels, labeling procedure
product is expected from this transformation. When describing the characteristics: the
following inputs are needed
referring to a product, it may be a process of
Main process: It consists of the following
manufacturing a drug that is tangible or intangible,
activities, through conditioning in which
such as the administration of a document
the specifications that the label should
management system.
contain are received; the characteristics
Customers: You can have internal or external
of the label are entered and the number
customers. Internal customers are those who are
of labels to be printed is selected. Finally,
members of the organization and receive the product
they are sent to print through the
or service. External customers are those who are not
software.
part of the organization but require satisfying a need Support processes: Quality for
(with a product or service). verification of label attributes,
maintenance for computer support, IT
Once the components are identified, we proceed to support for computer system, document
create the process map and thus we will identify the management system to have up-to-date
interrelationships with other processes or threads. You documentation
can run a process mapping macro from the general and Output: satisfied with labels, which meet
break down activities to learn in more detail (macro, established customer quality
process, activities, and tasks) so go from the general to specifications
the particular. Below are examples of process mappings

for different categories of computer systems (see topic:
Hardware and software categories for computer
systems).
QBD GROUP PAGE 54

Example 2: A computerized system category 4: Example 3: A computerized system category 5:
labeling process by a computer system labeling process by a computer system
Objective: labeling of finished products through a Objective: labeling of finished products through a
computerized system computerized system
Process description: The “Tag2” called

Process description: The computerized system
computerized system has an interface developed
called “Tag2” is used by selecting pre-configured
in JAVA® programming language that allows you
by the user for different products that are packed
to condition batch data, date of production and
in the area templates. You have the option of user
expiration date of a production system in which
levels (access to the system is by username and
orders are recorded. The “Tag2” system is used by
password) and have 3 user levels: Level 1 display,
selecting the template of the product to be
Level 2 input data (due date, batch, production labeled and entering the order conditioning. In
date, and a number of printing labels) and the this way, the label is automatically filled and the
system administrator configures level templates number of labels to be printed is selected. The
and gives access to the system, has the option of system has the option to 3 user levels (access to
audit tracking enabled. the system is done with username and password):
Level 1 display, Level 2 input data (expiration date,
Identify components: batch, production date and number of labels to
print) and the system administrator configures
Input sources: Provider labels level templates and gives access to the system,
Tickets: Customer needs labels to identify the has the option of audit tracking enabled. The
product, label templates system requires custom programming
Paper labels, labeling procedure describing development through changes in the bar code
previously established no alerts.
the characteristics: the following inputs are
needed
Identify components:
Main process: It consists of the following
activities: order conditioning which contains
Input sources: Provider labels
the expiration date, batch number, and
Tickets: Customer need of labels to identify
production date. The system gives the
product, label templates
template according to the product to be Paper labels, labeling procedure describing
labeled. If the correct one is missing, it is used the characteristics: the following inputs are
by entering XX, expiration date, batch, needed
production date, and the number of labels to Main process: It consists of the following
be printed in the process. Finally, the system activities: Conditioning order is received. The
administrator can configure new templates or system template product to be labeled is
edit existing templates. All changes to selected and the order conditioning is
templates are displayed in the audit trail. entered. In this way, the label is automatically
Support processes: Quality for verification of filled and the number of labels to be printed is
label attributes, maintenance for computer selected. The system administrator can
support, IT support for computer system, configure new templates or edit existing
document management system to have up- templates. All changes are reflected in the
audit trail.
to-date documentation
Support processes: Quality for verification of
Output: satisfied with labels, which meet
label attributes, maintenance for computer
established customer quality specification
support, IT support for computer system,
document management system to have up-
to-date documentation
Output: satisfied with labels, which meet
established customer quality specifications
QBD GROUP PAGE 55

Analyzing the three cases, we have the same system 6.5 WHY IS IT IMPORTANT TO
called “Tag2”, but the scope is obtained depending on DETERMINE THE RISKS OF THE
their use and is different for each. SYSTEM BEFORE VALIDATION?
That is, in the first example, where you have a category 3 Primarily to determine the scope of validation, and
system, the system has all the tools to control and audit implement controls that reduce or eliminate identified risks
tracking users, but the way it is used is not required. So, to an acceptable level. Knowledge is required to detail the
although the system is capable, of process mapping system’s risks according to their rank, seniority, complexity,
purposes only how it is used is considered. So, you can degree of customization, and the process the system
define the scope to determine which components are serves. The more information you have about it, the better
part of the process and what are not. to control risk because we have data on controls
performed.
In Example 2, you have the same system “Tag2,” but the

The GAMP® 5 Guide recommends eliminating risk through
process activities change as more options become
changes in processes or system design. Design reviews can
available, such as access levels and audit trail tracking.
play a key role in eliminating risk from the start.
In Example 3, you are still using the same system;

Risks that cannot be eliminated from the design must be
however, it is used to automate the activities that an
reduced to an acceptable level by implementing controls.
interface performs to values that require the label and
Risk reduction includes applying controls to reduce severity
requires some degree of customization.
and occurrence and increase detectability.
To determine the scope of the process, consider that the

It should be a systematic approach to ensure that the risk
process is mapped as labeling, so the production process associated with a system has been eliminated or reduced to
system is not within the scope of the labeling process. an acceptable level. The extent of verification and level of
Thus, you can see how the scope changes in the same detail of documentation should be based on the risk to
system according to the activities performed. patient health, product quality, and data integrity, especially
taking into account the complexity of the system.
At the end of the process mapping, which serves the
computerized system, the user of this information will It is important to note that risk analysis is part of the risk
have more knowledge, complete and robust, so that he management system implemented in each company and
can conceptualize correctly: must be managed as established by each organization.
There are several tools to conduct risk analyses, including
The scope of project validation HACCP, HAZOP; FMEA. The FMEA tool is recognized by
The functionality of the system WHO as the most appropriate for the pharmaceutical
environment.
The inherent risks
User requirements to be assessed
In general, it is assumed that the inherent risk increases the
Validation activities
more critical and complex the system is.
Existing GAPs
The risk assessment is made depending on the stage of the
Allocation of responsibility
life cycle the system is in.
Efficient use of resources allocated for validation
It then addresses the risk assessment for user

requirements and for maintaining the validated condition.
QBD GROUP PAGE 56

6.6 RISK ANALYSIS SYSTEM The impact assessment should be supported by the tools of
the risk management system implemented by the
organization. Organizations may have established a risk
Once you have identified the risks according to the category
management process, which includes the use of the
of the system, determine the impact of those risks in the
methods described in GAMP® Guide 5. However, the
following areas:
methods described in the ICHQ9 guide can also be used.
The method chosen will make the process more functional.
Patient safety
The diagram schematizes and summarizes the steps of a
Product quality
risk management system:
Data integrity
Regulatory compliance
Conduct an initial risk assessment and determine the
Internal policies
impact on the system
Business impact
The initial risk assessment should be conducted and the

An integrated approach to risk analysis in the areas of
process includes determining user requirements and
compliance, internal policy compliance, data integrity
regulatory requirements primarily. Based on this initial
monitoring, and business impact will help maintain product
assessment and the result of the impact on the system, it
quality and thus patient health. These last two points are
may or may not be necessary to perform the next steps if
considered key points in the GxP impact assessment of the
the risk is at an acceptable level.
risks identified for each system and should be documented,
as well as the categorization system (see topic: categories
computerized systems) to justify the next steps of
validation.
RISK MANAGEMENT START-UP
Risk evaluation
Unacceptable
RISK IDENTIFICATION
RISK ANALYSIS
RISK EVALUATION
RISK MANAGEMENT TOOLS
RISK COMMUNICATION
Risk control
RISK REDUCTION
RISK ACCEPTANCE
OUTPUT / RESULTS OF THE RISK ANALYSIS PROCESS
Risk revision
EVENT REVISION
Illustration 17: output
QBD GROUP PAGE 57

Identify functions with implications for patient health, Implement and verify appropriate controls
product quality, regulatory compliance, internal policies,
data integrity, and business operations. Functions with The functions identified in the previous phases must be
implications for patient health, product quality, and data evaluated, taking into account potential risks, and how to
integrity should be identified from the information gathered control potential harm from those risks. Verification should
in the previous step, with reference to the relevant be documented that controls are operating efficiently.
specifications and taking into account the system
architecture, its category, and components. Evaluating risks and monitoring controls
Perform risk analysis and identification of controls During the periodic evaluation of the systems, the
organization should review the risks. This should include
The functions identified in the second step should be verification that controls are still effective. If necessary,
evaluated taking into account the potential risks and how to corrective actions should be implemented as part of change
control potential failures arising from those risks. The control.
decision to conduct a detailed assessment of the specific
functions for each case must be addressed and the criteria
may vary widely.
6.7 WHAT ARE THE RISKS
The criteria to be considered include the criticality of the ASSOCIATED WITH ELECTRONIC
process, the specific impact of the function within the RECORDS MANAGEMENT?
process, and the complexity of the system. It may be
necessary to perform a more detailed assessment The main risks when dealing with electronic records is
analyzing the severity of the damage, the likelihood of this retention and integrity. These risks, in turn, generate
failure, and the frequency with which it occurs. However, for potential risks to product quality, patient health, regulatory
this type of evaluation, we recommend using the compliance, internal policies, or even the business.
methodology of GAMP® guide 5, which is the most
common and widely accepted. To address the risks associated with data retention, policies
and/or procedures should be established to ensure that
data, regardless of where it is stored, is managed according
to established standards. Because the lack of a plan in the
DETERMINE FAILURES OR DAMAGE
event of data loss can cause irreparable damage to the
DETERMINE IMPACT organization and usually causes economic losses.
DETERMINE DANGERS Problem

definition This policy should provide an action plan in case situations
POTENTIAL FAILURE MODES (PFM) FOR EACH
FAILURE OR DAMAGE arise:
A natural disaster
ARE CONTROLS IN PLACE?
A human error
ASSIGN SEVERIOTY TO EACH FAILURE OR DAMAGE A malicious action
ASSIGN OCCURRENCE TO EACH PFM

A technical error
Risk
ASSIGN DETECTABLILITY TO EACH PFM evaluation
If an organization wants to avoid risk and ensure that its
PRIORITY RISK NUMBER operations continue despite the aforementioned potential
risks, it is recommended that members of the organization
EVENT REVISION
be made aware of the consequences of not having an
Electronic Records Management system to support their
Illustration 18: risk analysis business processes, or that proper business continuity
planning is undertaken.
QBD GROUP PAGE 58

Some supporting processes to reduce the risk of data Exposing our key is a very high risk because its security is
integrity loss are: exclusive and thus the security of electronic signatures, so
anyone who has the same can make fraudulent signatures
Backup, archiving, and restoration of information with the same legal effect as handwritten signatures.
User management and access levels Knowledge by a third person of the key can bring phishing
Physical and logical security management and can be passed by the user and signed anywhere.
Virus management
Maintenance systems A recommendation should have a clear control and
Actions in case of contingencies and disasters password security policy, and implement a secure system
Etc. for managing it. That system should include the necessary
elements to store and manage keys and grant access only
Elements of the same system such as the audit trail and use to authorized users so that it is known who signed it, where
of electronic signatures, as well as infrastructure such as it was done, and when it was done.
antivirus and firewall help maintain data integrity.
6.9 WHAT IS A USER

6.8 WHAT ARE THE RISKS OF USING REQUIREMENT?
ELECTRONIC SIGNATURES? ARE
THERE RISKS ASSOCIATED WITH User requirements are expectations that an organization
COMPUTER SYSTEMS? has regarding the system to meet your needs, whether for
business or regulatory compliance. They are the “whys and
wherefores” of the system.
The main potential failure modes that pose risks for misuse
of the most common electronic signatures are:
In this guide, the terms “user requirements” and “user
requirement specifications” will be considered equivalent,
Hacked and therefore unauthorized changes are made
using the acronym URS.
Loss of a security element
Wrong assignment of authority to the user
Incorrect user credentials when verifying electronic
6.10 HOW ARE USER
signatures
REQUIREMENTS CLASSIFIED?
Failure to document the date from which the electronic
signature is valid and replaces handwriting
User requirements are classified as:
These risks often occur to the end user, system owner or

Required: Those indispensable to maintaining product
process.
quality, patient health, regulatory compliance, and data
integrity. Non-compliance involves risks that should not
To be considered an electronic signature, it must contain at
be borne by the organization.
least two security elements: a combination of username
Desirable: Non-critical ones that serve for further
and password.
improvement, aesthetic impairment of the system, or
certain company policies and issues that are acceptable,
One can even use two keys, the public and the private. The
your risk is minimal. It is included as a possibility, but is
public key is what can be shown and accessed by a third
not fulfilled if the organization is not involved.
party. The private one will in no way be known or accessed
by anyone else because this key is integrated with our
This classification allows for the existence of requirements
identity and signature, usually, it is encrypted for some as
that may be exempt from compliance and does not affect
the token device.
the outcome of validation and regulatory compliance.
QBD GROUP PAGE 59

When user requirements are established based on
Required requirements include, but are not knowledge of the process, critical product quality
attributes, and understanding of regulatory
limited to, descriptions related to:
requirements, these requirements can be used to
apply a quality-by-design (QbD) approach.
System operation
System functions
User requirements form the basis for qualification
Data integrity
testing of design and performance, for the functional
Technical requirements
and design, risk analysis, and traceability matrix.
Operating environment
Performance
In the V-model, one can see how user requirements
System and information availability
affect each of the model elements. The requirements
Security of the information depend on the rest of the development process and
Regulatory requirements the test system, so good preparation not only
Use restrictions produces a V-model that is robust and reliable but
Etc. also flexible enough to make necessary changes
without also having to change the requirements.
If we set too specific requirements, this would mean

that, if necessary, any changes made to the system
Desirable requirements include, but are not
components would also have to change the
limited to, descriptions related to: requirements affecting the rest of the chosen
traceability V-model. Conversely, if the requirements
Data presentation format are sufficiently general and aimed at covering the
Aesthetic graphical interface expectation or need, this allows the changes made to
Performance optimization affect only the traceability of the specification and
Non-urgent performance improvements related qualification tests. Changing a requirement
Etc. may affect not only the traceability of the
specification and tests directly related to it, but also
the numbering of the list of requirements, which in
turn requires them to change all requirements.
6.11 HOW ARE THE
REQUIREMENTS/USER The development of user requirements requires
REQUIREMENTS DEVELOPED? appropriate involvement of various areas of a
company, not just the end user’s computer system. It
is important that these are drafted by a
User requirements clearly and concisely describe the
multidisciplinary team, looking not only at functional
functions and capabilities that the computer system
but also at regulatory, business operations, data
must meet. These requirements should be based on
integrity, internal policies, quality management
knowledge of the process serving the computerized
system, and patient safety issues.
system and should generally be considered as a
requirement (if too specific, it becomes a
specification). Preferably, no components or
functions of their operation should be included since
this makes their function more like specifications.
QBD GROUP PAGE 60

Some key recommendations for creating user requirements are:
They should be general. More generally the wording of the requirement gives more
flexibility for implementation in different scenarios, it facilitates continuous improvement
and change control, and also facilitates adaptability to unplanned changes.
The wording should be simple and concise and identify the need or expectation to be met
from the user’s perspective (see user definition), for example:
“The [product, process, or element in the process] must (n) …. (Active verb: have be,
do, make) …. “
The wording of the requirement does not explain how the expectation will be met, should
only identify the need.
Care should be taken to ensure that no more than one need or expectation is met, to
facilitate traceability. Furthermore, the same expectation may be covered by a broad
spectrum of solutions.
Each requirement should be assigned a unique code, for example (URS-001 …).
For new computer systems: it is possible to write generic requirements.
For legacy computer systems: it is possible to write slightly more specific requirements.
Moreover, user requirements provide important information about the existing interfaces
between the system and manual operations.
The wording and style used in the standard to define In the case of user requirements for newly developed
regulatory requirements allow greater flexibility for systems, these are created thinking about what the
compliance in different scenarios, and are conducive to system would be like. Usually, they are created at the
continuous improvement and control of change, i.e., are system design stage in their life cycle, when the process is
general. Moreover, the wording of the requirement does not yet fully defined and mature. Here they serve to
not explain how the expectation will be met, but only mutually adapt and incorporate requirements.
identifies the need to be covered.
For user requirements developed for legacy systems, they
are developed with the needs already identified by the
6.12 ARE USER REQUIREMENTS process they serve. In this case, they serve to compare to
NEEDED FOR LEGACY SYSTEMS? what extent the requirements still meet the needs of the
process and to make decisions to adapt the process or
To apply the method for validating computerized requirement to the organization.
systems mentioned in GAMP® Guide 5, it is necessary to
establish user requirements for all types of systems. This Remember that processes are living entities that change
is supported if we consider that “user requirements are and adapt over time and that the requirements that were
the description of what a computerized system should set for a process at one time may, over time, no longer
be and do, in order to meet a company’s expectations of meet the new needs of the process. This review is also
such a system”. Then user requirements do not depend part of maintaining the validated state.
on whether a system is new or inherited, but on the
fulfillment of the expectations that a business has of such
a system, always in view of the process in which it
participates and the changes that this process may have.
QBD GROUP PAGE 61

6.13 WHAT IS THE RISK ANALYSIS 6.14 WHAT ELEMENTS DOES THE
OF USER REQUIREMENTS? RISK ANALYSIS REQUIREMENTS
PROCESS CONSIST OF?
Conduct a risk analysis of user requirements that
contributes to scientific and systematic actions to detect, The following points should be considered in the risk
mitigate and monitor potential failures in systems, analysis for each requirement and possible tools to
operations, and processes that affect product quality. define them are:
Risk analysis of user requirements has two purposes:
Identify and characterize the process

To prevent potential failures associated with
(diagram/map process, 4 questions)
computer systems and process-related risks
Have met the needs of the process and approved
From the elements identified and the risk
the final version requirements
assessed, determine the best strategy for
Designate a person responsible for the risk
validation scope and rigor in accordance with the
analysis
risk level for each system requirement
Identify hazardous situations (brainstorm)
Identify critical control points and existing
It should be performed for each computer system and
controls that prevent the hazardous situation
cover at least the assessment of the following effects:
from occurring and damage from being
expressed (brainstorm)
Product quality
Identify any damage resulting from the violation
Patient safety
of each requirement, potential failure modes, and
Data integrity
effects/damage associated with each detected
Regulatory compliance
Internal company policies (fault tree, brainstorming, Ishikawa are three
Business potential failure modes for each defined effect)

Establish the severity of each damage and
The risk for legacy systems should be considered occurrence and detectability for each potential
potentially high, as most of these systems do not have failure mode (control charts, control sheets,
technical information such as manuals or specifications. statistical tools)
Because systems are often old and outdated, they will not Establish an acceptable RPN, determine the risk
be supported or updated to maintain data integrity or priority number (RPN), and if applicable Critical to
ensure the security of access and infrastructure for Quality (CTQ)
system operation.
Subsequently for risk management:
Create an action plan to achieve desired RPN

Define CAPAs
Re-evaluate results of actions
Compare with the original RPN and take action
QBD GROUP PAGE 62

How do you determine severity? How do you determine detectability?
By looking at impact and distinguishing, for example, for By weighing the controls implemented to prevent
each requirement between GxP impact, business impact damage and failures and their effectiveness. At this point,
or just nice to have. the knowledge and experience of users, process and
system owners, subject matter experts, and suppliers are
also important.
How do you determine probability?
Through brainstorming where users, process owners and

system owners (in addition, to suppliers and experts in
the field who can participate) contribute their experience
and historical or statistical data to provide information on
the frequency behavior of damage or failure in the
context of the process.
QBD GROUP PAGE 63

6.15 HOW DOES RISK ANALYSIS In other words, it is important that severity,
MAKE USER REQUIREMENTS? probability, and detectability constitute objective

criteria for the assignment. How high is high? How low
It is recommended that risk analysis for computerized is low?, And where is the middle? These criteria should
systems use the model proposed by the GAMP® 5 be documented.
guides.
For the objective criteria, you can use statistical
The purpose of risk analysis is not to control but to weigh measurements about the process and the experience
the risks. Control comes after the decisions made to of those involved in the operation and management
implement controls, which reduce the levels of severity of the system and process.
and probability and increase detectability. It is not enough
to have a risk analysis done on paper for the sole purpose Once the level of severity of the potential failure has
of compliance, but extensive knowledge of the process is
been determined, it must be assigned the value to
needed to make risk analysis an ally in controlling the
quantify the probability of the failure occurring.
risks inherent in the system and not a compliance
Combining the two weights gives us as a result the 3
problem. Properly used risk analysis can provide support.
existing risk classes:
Knowledge of product quality attributes and

Risk class 1: High risk
understanding of the process is critical in determining
Risk class 2: Medium risk
system requirements and making scientific decisions
Risk class 3: Low risk
based on risk to ensure that the system is robustly tested
and put to the test to demonstrate fitness for use.
After determining the risk class, we assign a value for
Assessment against user requirements should allow detectability, taking into account the current
identification of GxP covered by the system. User conditions of the process or system and using the
requirements should also provide the basis for same scale as the previous weightings. Finally, we get
demonstrating compliance with the GxP. The risk a value for the risk priority number (RPN), assigned
assessment and its results, including the rationale for as high, medium, or low, which will help focus the
which risk is classified as critical or non-critical, should be validation strategy. It will help focus attention on user
documented. requirements that require detailed verification or
controls to reduce the severity, probability, and
There are several methods proposed by the ICH Q9 to detectability of errors to an acceptable level:
determine which risks should be prioritized, but for the
analysis of user requirements, it is recommended to use Low-priority risks: Require implementation of
the computerized systems proposed by GAMP® 5,
specific controls for prevention and/or detection
because of its simplicity and practicality, given the
Medium-priority risks: Require general
number of requirements to be analyzed. The following
implementation of preventive controls and/or
figure shows the weighting scale proposed by GAMP® 5,
detection
requiring the detection of potential damage and its
High-priority risks: Require detection and
severity, assigning a probability and detectability, the
immediate correction
latter depending on the controls applied. The weighting
levels proposed by GAMP are 3 for all cases: High,
The following diagram summarizes the steps
Medium, and Low. The key to the use of these levels is
required to perform a risk analysis.
that the objective assignment criteria for each case are
robustly justified.
QBD GROUP PAGE 64

6.16 HOW DO I DETERMINE THE
LEVEL OF CRITICALITY?
There is still no approved criterion or parameter that

determines severity for all cases. The reality is that
determination is based on the knowledge or product
itself, mainly taking into account experience, the impacts
identified for that damage or failure, and the historical
events recorded over the life of the process:
Low Medium High
Severity No injury to patient, rejection of Minor patient damage, rework, partial Greater economic losses that may
acceptable product for trial, rejection, non-compliance with one or cause the closure process, irreparable
acceptable economic losses and more non-critical quality data loss, death or irreversible
partial loss of data recoverable by specifications, major economic loss, damage to patients, product
other means partial loss of data, safety risks and completely out of specification, risks to
process operator, non-compliance operator integrity
with regulations
Probability of It has not occurred when using the Has occurred 1 time in the last 12 Has occurred more than 1 time in the
occurence system or has strong controls to months of use, general checks have last 6 months of use, controls are
prevent it been made inadequate or non-existent
Detectibility It is detected less than 40% of the time It is detected 41 to 70% of the time It is detected 71 to 100% of the time
before causing damage before causing damage before causing damage
Table 2: Considerations for risk priority
QBD GROUP PAGE 65

Two examples of risk analysis of user requirements are
explained here. It is a system configured ERP category 4
and one of category 5, that manages the input and output
of a warehouse of raw materials:
URS-001 (category 4) URS-001 (category 5)
Classification Required Required
Description Access to computer systems must be Access to computer systems must be

controlled controlled
Potential The system does not have controlled The system does not have controlled
failure mode access according to a user profile to access according to a user profile to
which rights are assigned or functions which rights are assigned or functions
restricted restricted
Severity High High
Probability of Low High

occurrence
Risk class Risk class 2 Risk class 1
Detectability High Low
Risk priority Low High
Table 3: Example risk analysis to user requirements system category 4 & 5
In the case of the category 4 example, the severity was In the case of the category 5 example, the severity
high because of the critical nature of the data managed remains high, but the probability is also high because the
by the system. The occurrence was low because there is developer of the application, for lack of budget, did not
physical access control equipment where the loading and include access controls when creating the application,
approval data is set with biometric access for a single which in turn significantly reduces the detectability of
person because, through biometric access control, the unauthorized access.
system detects any unauthorized intrusion attempt and
triggers an alarm when detectability is high.
QBD GROUP PAGE 66

Considerations
In both cases, the organization has determined that

configuring access control by user profile is the most
efficient and least expensive way to reduce risk and
implement a control system, and thus for the process.
The introduction of controls helps reduce the level of
occurrence of a potential failure mode and increase
detectability. The more controls are in place, the greater the
detectability and the less probable the failure will occur. The
failure can be more easily detected and the frequency with
which it might occur decreases.
A breach of internal policies and applicable government

regulations carries the possibility of negative product quality
and patient health, with consequences for the authority.
As a result of the risks identified for the organization to

make decisions:
Reduce the risk

Transfer the risk
Eliminate the risk
Each organization sets its own risk tolerance based on the

risk and the ease with which it cannot remove or transfer
the risk.
One of the most important aspects of risk analysis, and an

important part of user requirements, is regulatory
compliance. The more non-compliance, the greater the risk
priority to address violations during computerized system
validation.
As can be seen, performing a risk analysis to support and

contribute to validation requires essential knowledge of the
process and the context in which the system is developing.
It is recommended that this risk analysis is performed with a
multidisciplinary team capable of analyzing the potential
failure modes with a comprehensive approach and
combining all the knowledge and experience in the process.
During qualification and validation, particularly rigorous,
detailed, and thorough evidence should be provided for
those requirements with a higher RPN. Those with lower
RPN levels need less rigorous proof.
QBD GROUP PAGE 67

6.17 WHAT ARE THE DELIVERABLES
OF A RISK ANALYSIS?
Each risk analysis should be integrated into a formal At the end of validation, each of these numbers should be
document that includes at least an objective, scope, included in the traceability matrix. A format of basic
description of the methodology used, the criteria to take information to be used for the breakdown of the risk
into account the weighting scale, and any other element analysis is as follows, with the same table showing the
to complement the understanding of the system, process, relationship between probable failure modes and user
and its own risk analysis. requirements.
One element that should never be lost sight of is the

traceability of each potential damage or failure and
failure to user requirements thus, regardless of the
category the system is in. This can easily be achieved by
assigning numbers or codes to each requirement and
then to each potential failure mode.
URS-001
Classification Required
Description Access to computer systems must be controlled
ID RA RA-001
Damage or failure Theft, accidental alteration or loss of information due to uncontrolled access
Potential failure mode Anyone can enter the system and modify or steal critical information
Impact Data integrity
Severity High
Existing controls Any
Probability of occurrence High
Risk class Risk class 1
Detectability Low
Risk priority High
Comments and The immediate implementation of controls is required and detailed in the
observations validation verification
Table 4: Format risk analysis
QBD GROUP PAGE 68

CHAPTER SEVEN
SPECIFICATION
PHASE
7.1 WHAT IS A FUNCTIONAL 7.3 WHAT ARE THE KEY

SPECIFICATION? FUNCTIONAL SPECIFICATIONS?
Functional specifications (FS) describe how the functional Depending on the computer system and process, the
elements of the computerized system should perform main functional specifications relate to the following
the expected actions to meet user requirements. aspects:
Functional specifications are the basis for operational
qualification testing. Operational configuration
Interface with other systems and devices
Security and controlled access (cells, sheets, books,
7.2 WHAT DOES A FUNCTIONAL PC)
SPECIFICATION DESCRIBE? Audit trail (if required), passwords, backup, archive

and restore, disaster recovery actions, information
Functional specifications are based on user requirements integrity
and the technical specifications of the system supplier. Performance calculations, macros, pivot tables, links,
They should describe “how the system should operate conditional formats, logical inference
to meet the requirement (suitability for use),” whether it Operational capabilities/information management
is a new system or a legacy system. They are usually Backups, information retrieval
written by the supplier or are based on technical
information provided by the supplier. They describe in
detail the conditions under which the system and its
proper operation must work.
QBD GROUP PAGE 69

7.4 HOW ARE FUNCTIONAL 7.5 WHAT IS A DESIGN
SPECIFICATIONS WRITTEN? SPECIFICATION?
It is important to state clearly that the user requirements Design Specifications (DS) are the description of the
are the general description of the expectations of the components that the system must have to meet the
system, so the functional specifications are specific defined characteristics from the User Requirements
descriptions of the functions of the system. and/or Functional Specifications.
Some of the key points to consider when writing functional

specifications are: 7.6 WHAT DOES A DESIGN
SPECIFICATION DESCRIBE?
They should indicate how or in what ways the system
can function to meet the expectation described in each In general, we can say that design specifications describe
user requirement: “The [system’s] active verb (suffered, the structure of the system and how it should be
enabled, runs, etc.)” maintained, hardware specifications, screen design,
Should describe configured functions established,
program design, interfaces, configuration specifications,
authorized, and documented by the system
parameters, documentation, and supporting software.
Should be careful not to include functions that the
We say it is the system and the conditions in which it
system does not perform, since ultimately each FS must
should be able to be used.
be tested during user qualification
Each Functional Specification should be assigned a
unique code, e.g. FS-001
7.7 HOW ARE DESIGN
Care should be taken not to include operational tests
whose execution or loss causes more problems than it
SPECIFICATIONS CLASSIFIED?
solves (cost, damage, etc.) There are design specifications for hardware and
Related to the above, it is very important to remember software.
that FS ultimately becomes the acceptance criteria for
testing the operational qualification protocol
Depending on the computer system and process, key
design specifications relate to the following:
In the case of logical security, there are elements whose
functional specifications must be verified:
Format printing, display, and data entry
Design templates
User name/password combinations
Code macros and formulas
Length and format of the password
Required Documentation
Locking of fields or cells
Assignment of user profiles Hardware specifications and peripherals
Biometric controls Version control
Audit trail SW support

Warning messages/alerts Passwords and user information repositories
Password rotation Program versions, operating systems and formats
Electronic signatures Procedures for operation, creation, modification,
reception, etc.
It is recommended that for the preparation of functional
specifications, the lead users, experts in the use of the In terms of procedures, there are some that are
system or providers, should be the ones who prepare them particularly important to check, depending on the
and/or perform their final review. characteristics of the system and the process
requirements (see topic: QMS section).
QBD GROUP PAGE 70

7.8 HOW ARE DESIGN 7.9 WHY DO THE FUNCTIONAL
SPECIFICATIONS WRITTEN? SPECIFICATIONS FIRST AND THEN
THE DESIGN SPECIFICATIONS?
It is important to state clearly that the user requirements
are the general description of the expectations of the Because design specifications are the description of how
system, so the design specifications are specific descriptions the design elements should be present so that they can
of the components of the system. perform the functions of the computer system. This is
especially important in new systems or in the design
Some of the key points to consider when preparing design
phase, where functions are designed first, and then the
specifications are:
elements to perform those functions. First what is to be
done is identified and then the means to do it are defined.
Must be linked to a user requirement
A single-user requirement can derive more than one DS
An FS may also derive more than one DS
A DS may not be reducible to more than one URS 7.10 TRACEABILITY MATRIX
Frequently begins with an adjective (the, etc.), followed
by a subject (computer, system, etc.), and then with the It is the document that shows the relationships between
statement of what the system must have to meet the elements of the multiphase validation, focusing and
functionality and suitability for use: “the system has …” relating each of the user requirements to the risk
followed by the description of the component, analysis(es), design or functional specifications, as
document, etc. The description is important to include appropriate, and to each of the challenges in the
not only the component but also its characteristics and qualification protocols (DQ, IQ, OQ, PQ).
how it must remain.
Recall that the DS ultimately becomes the acceptance
criteria for testing the installation qualification protocol
7.11 WHAT ARE THE BENEFITS OF A
TRACEABILITY MATRIX?
In connection with the above, it is very important to
remember that the design specifications ultimately become
Facilitates management and tracking of
the acceptance criteria for the test protocol rate installation.
requirements, specifications, and RA
Therefore, each of the specifications must be tested on the
Visualizes the scope of qualification and testing
relevant protocols to demonstrate suitability for use.
Helps demonstrate that validation is complete
Streamlines change management and visualization of
It is recommended that for the preparation of design
its impact on qualification
specifications, the key users or experts in the use of the
system (suppliers) should be the ones who prepare them
and/or perform their final review. It adds great value in audits and inspections, showing an
overall map of validation.
QBD GROUP PAGE 71

7.12 HOW IS A TRACEABILITY 7.13 CONFIGURATION AND CODING
MATRIX CREATED?
In the configuration and or coding phase the system is
installed and configured or developed according to the
The development of the traceability matrix begins when the
defined user requirements. These activities do not
user requirements have already been released, are plotted
with risk analysis(s), and are converted into the respective formally fall under the validation of the system but are
design specification, if any, or the functional specification. It the gateway between the left and the right side of the v-
must then be placed in the document for each test at model. The following activities could take place in this
different qualification protocols: phase:
If a design specification is plotted with its Installation of the system (cat 3-5)
respective user requirement and test installation Configuration of the system (cat4-5)
qualification protocol Development of the system (cat5)
If a functional specification, it is plotted with its Code review activities (cat5)
respective user requirement and test operational
Development test activities (cat5)
qualification protocol
Requirements necessary for system design are
traced directly to the design qualification protocol
Requirements related to system performance
are plotted directly with the performance
qualification protocol
#PQ
#URS #RA #FS #DS #DQ #IQ #OQ 2
1 1 1 2 5 1 2 3
2 2 NA 3 6 2 NA 4
3 3 NA 4 7 3 NA 5
4 4 NA 2 8 4 NA 6
5 5 5 NA 9 NA 6
Table 5: Example traceability matrix
QBD GROUP PAGE 72

CHAPTER EIGHT
VERIFICATION
PHASE
8.1 WHAT IS INFRASTRUCTURE? 8.2 QUALIFYING THE INFRASTRUCTURE?
Infrastructure Information technology (IT) is the The infrastructure is the medium on which the
foundation that supports operational industries. It computerized business system operates and must
collects, processes, and disseminates core therefore be qualified.
information, and in some cases is critical to business
processes. The uncontrolled use of this medium can The risks of not performing an assessment of the
cause direct or indirect involvement in product infrastructure are manifested when the system is put
quality, harm to patient health, impact on good
into operation, for example, when teams have
medicine production practices, or economic loss.
miscommunications with the server when the
Infrastructure is also an intrinsic part of the computer
infrastructure is vulnerable to attacks by malicious
system, as part of the computing environment.
people when it exhibits slow connectivity when the
infrastructure is not needed for the application.
The level of complexity and size of the infrastructure
Therefore, it is important to take an appropriate
will depend on the type of business, business needs,
design approach and consider the needs of the
and user requirements. As part of the needs of the
process and the systems that will support the
business, the choice of an in-house infrastructure, an
outsourced site, or an outsourced cloud follows. This infrastructure.
will depend on cost, space, availability, and

application requirements, among other factors. While not all applications require a dedicated server,
it’s also important to identify operating system
There is a software and hardware infrastructure. specifications and version, Internet server version,
IT infrastructure exists to support key business and RAM to decide which server can keep the
systems by providing: company functioning properly.
Platforms on which business applications run In terms of national and international regulations,
Processes: IT infrastructure that enables a there are different standards for the need to assess
controlled IT environment infrastructure as it is considered critical to the
Services: General IT indicated process.
Platforms, processes, and services are the main

In compliance with good manufacturing practices, the
components of the infrastructure.
following rules apply:
QBD GROUP PAGE 73

Eudralex To comply with the request in national
and international standards it has
In the pharmaceutical legislation in the references guides, including the following:
European Union, Volume 4 “Good
Manufacturing Practice for Human and PIC/S (Pharmaceutical Inspection
Veterinary Use guidelines in Annex 11 Convention and Pharmaceutical
Computerized Systems” on page 2 states Inspection Co-operation Scheme)
the following:
In the PIC/S Guide, Annex 11 ”
“This Annex applies to all forms of Computerized Systems” on page 94 states:
computerized systems used as part of the
activities regulated by GMP. A computerized “This Annex applies to all forms of
system is a set of hardware and software computerized systems used as part of the
components that together perform certain activities regulated by GMP. A computerized
functions. The application must be validated; system is a set of hardware and software
the infrastructure must be qualified.” components that together perform certain
functions. The application must be validated;
infrastructure must be qualified.”
Which specifies that computerized

systems that are part of or involved in
activities affecting good manufacturing
FDA practices must be validated and the
infrastructure must be qualified.
FDA 21 CFR part 211 its (CGMP for finished
pharmaceuticals) subpart D, 211.69 refers GAMP ® Guide IT Infrastructure Control
to computer systems or related systems. and Compliance (2005)
The draft of the “Data Integrity and
Compliance With CGMP, Guidance for This is a guide to compliance with
Industry” guide clarifies that the term regulatory expectations that supports
“related systems” refers to computer infrastructure assessment.
hardware, software, peripherals,
networking, cloud infrastructure,
operators and associated documents.
QBD GROUP PAGE 74

8.3 WHAT ELEMENTS DOES THE
INFRASTRUCTURE CONSIST OF?
As mentioned above, there are three main infrastructure 1. Platforms

components:
The key infrastructure platforms according to the “GAMP®
Each of these components is subject to specific tests IT Infrastructure Control and Compliance” guide are as
conducted during infrastructure qualification. follows:
System type Description Example
Networks Computer networks send and receive electrical signals, Cables, connectors, switches, routers,
electromagnetic waves and the like, and are used for etc.
information transport.
Hardware The hardware allows information transmit between the core Input devices: mouse, keyboard,
(memory of the CPU core) and associated peripherals. barcode scanner, etc. Output devices:
Hardware peripherals are classified as input, output, input-and- printers, screen (non-touch operation)
output, and storage. Thus, a peripheral is anyone that is not earphones (speakers), etc. Input-and-
part of the CPU and main memory; however, they enable input output peripherals: touch screen
and output operations, complementing the process. control, modem, port drivers, etc.
Storage peripherals: USB, magnetic disk,
magnetic tapes, etc.
Operating An operating system is the software that manages the basic Windows®, Linux®, UNIX®, etc.
systems processes of the system and what programs users should
install according to their activities.
Data It is software responsible for managing enterprise data across Web services, SAS®, etc.
Management its life cycle.
Software
Servers It is a computer that provides information needed by Mail servers, proxy, web, etc.
customers who have access to it.
Customers A customer is an application or computer that uses a server Client-server-web (the use of a wireless
over computer networks to use a remote service. access network for an application),
Client-mail-server (the use of computing
devices with an active e-mail account on
a mail host. Web access is also required
to access mail.), etc.
Applications Are programs that allow users to perform tasks or activities; ERP system for inventory, programming
applications use infrastructure platforms to perform their systems for recording temperature
actions. Applications can belong to category 3, 4 or 5 according sensors, system administration for
to the categories described in Hardware and Software Systems. document management system, etc.
Applications do not fall under the infrastructure classification.
Table 6: Key infrastructure platforms according to the “GAMP® IT Infrastructure Control and Compliance” guide
QBD GROUP PAGE 75

2. Personnel 8.4 WHY ARE THERE
QUALIFICATION PROTOCOLS?
Personnel operating, maintaining, and managing the
infrastructure must have:
Qualification protocols are not only required by law but also
clearly present the methodology of each phase, establish a
Defined roles and responsibilities
purpose and specific scope, document responsibilities and
Established job descriptions
define acceptance criteria for each test so that results can
Documented qualifications and experience
be compared to them.
Some of the key roles and responsibilities associated with

The scope and content of the protocol will be as extensive
infrastructure need to be identified and determined:
as the complexity of the system to be validated. It is not
specified or required that an exclusive protocol should be
Executive management (sponsor)
created for each stage of validation in the case of large
Project manager
systems, or a single protocol covering all stages when we
System owner
are dealing with a limited-size system. The only limitation is
Data owner
the order in which the tests take place and the
Infrastructure processes owner
interdependence of the results so that the qualification
Platform owner
steps are performed sequentially in the order mentioned:
IT quality assurance
IT regulatory compliance and quality
1. Design Qualification (DQ)
2. Installation Qualification (IQ)
3. Processes
3. Operational Qualification (OQ)
4. Execution or Performance Qualification (PQ)
The main processes involved in the infrastructure are:
Infrastructure processes are related to formalizing
Only when the previous phase is successfully completed,
procedures and documenting these processes to make
you can start the next phase or when the absence of
them standardized and reproducible.
significant open nonconformities is demonstrated, and
With the above, you can see which programs or
assessment and documentation of the absence of
applications require infrastructure for their operation,
significant impact in the next step. In any case, it will not
and thus how important it is that these components work
close a phase without successfully completing the previous
properly and are consistent with the needs of the
phase. Although the standard now lets you keep going even
application you want to use.
with nonconformities, it is best not to proceed to the next
The risk of current application failures when being in an
stage if there are nonconformities not closed.
operational environment increases to perform earlier
infrastructure assessment. For example, consider a
The form of these protocols depends on the provisions of
company that requires the use of a wireless hand for
the VMP or the internal procedures of each organization,
loading and unloading inventory. They should consider
without losing sight of the mandatory issues raised by the
issues such as the size of the network (which will reach
authority.
the perimeter connection coverage), and how many
customers will have as this may saturate the network and
Applied to computerized systems, design qualification aims
cause the application to work slowly or not work among
to demonstrate that the design proposed by the supplier
others.
meets the functional and regulatory requirements and
is therefore fit for purpose.
Since this is the first stage of validation, this qualification

must be completed before starting the installation
qualification.
QBD GROUP PAGE 76

8.5 WHY IS DESIGN QUALIFICATION
REQUIRED?
The purpose of this qualification is to have a high degree

of assurance that the system proposed by the vendor, at
least at the documentary level, can meet the design
requirements and is suitable for its intended use. In the
case of legacy systems, design qualification runs in
preparation for the rest of the validation so that GAPS
discovered during design qualification can be resolved
before the most critical and costly steps of validation. At
this stage, you may even decide to remove the system
when you consider the potential risk that the system no
longer meets the current requirements of the process. It
assumes that it is convenient.
8.6 WHAT SHOULD THE DESIGN

QUALIFICATION VERIFY?
It should check the technical documentation system, such as:
Manuals
Technical specifications of the system
Service requirements
Electrical or ladder diagrams
Architectural plans
It must document the intended use in user requirements
It must document configuration needs, modification and existing environment
It must include specific requirements regarding areas and facilities
Must document the general operational aspects of support that the system is suitable for use
It is very important to consider the qualification of the infrastructure design as this information
can be used for this protocol
The above elements are tested against the requirements to show that the stated technical elements
can meet the expectation and thus the system is (at least at the documentary level), fit for use. In
subsequent tests, Installation, Operation, and Performance are tested against the installed and
functioning, as stated in the documents reviewed during design qualification.
QBD GROUP PAGE 77

Since design qualification is a regulatory requirement, it For new systems, this information is additionally useful
applies not only to new systems but also to all systems for:
already in use that can be validated. Protocols for the
design qualification of systems already in use provide Selecting the best option before purchase
evidence that the system has the potential to continue to Identifying the supplier of the system and requesting
meet the requirements and expected use and help to adequate technical information to serve as a basis for
identify risks of incompatibility with the intended functional and design specifications
purpose due to changes in the original requirements or
the process for which they serve.
#DQ #URS Test description Acceptance requirements
1 1 Verify that you have obtained a master list of documentation You must have a master list of documentation that supports
to support validation and regulatory compliance validation and compliance
2 2 Verify that the system has protection, integrity and backup You must have a manual that indicates the system has protection,
information integrity and backup information
3 3 Verify that access to the system is controlled with logical You must have a manual showing that the system is controlled with
security logical security
4 4 Verify that you have obtained authentication credentials, There must be a manual for the system to indicate the authentication
which should be changed and/or updated regularly data that must be changed and/or updated periodically
5 5 Verify that the security policy specifies the maximum number It must have a security policy system where revenue indicates that the
of failed attempts to enter the system system has failed. The manual and configuration must state the ability
to set this requirement.
Table 7: Examples of design qualification tests
QBD GROUP PAGE 78

8.7 WHAT IS INSTALLATION 8.9 WHY PERFORM INSTALLATION
QUALIFICATION? QUALIFICATION?
Installation qualification verifies that all physical and NOM-059-SSA1 2015 installation qualification defines as:
interface components required for system operation
meet their suitability for use, and are installed in "They must have 9.6.2 installation qualification according to
accordance with the requirements of the qualification the design qualification and manufacturer's requirements."
and the design specifications. During installation
qualification, it is verified that everything is installed, in However, installation qualification will allow verification
good condition, and meets the design specifications. that once the system has been accepted by its design,
and is installed according to its technical specifications
and features all hardware and software components
8.8 WHAT SHOULD INSTALLATION required for the system to operate properly.
In the stage prior to the operation of the system, you must verify all hardware and software elements
of the system necessary to serve and operate the process. Among verified assessment elements at
this stage are:
Installed software and hardware elements and interfaces

The required documentation
Technical specifications
Topology
Types of interfaces
User profiles
Compliance with environmental conditions, required services, document policies, etc.
The HW and SW meet user requirements and design specifications and procedures or
predetermined standards
A risk analysis is performed
Adequate protection and information security
Installation methods and configurations
Flat site structure
Process diagrams of the system
Description and characteristics of associated hardware
User manuals
SLA maintenance program or provider
List of standard operating procedures
Training
Site features
Verification services
Existence of business continuity planning
QBD GROUP PAGE 79

When implementing the Installation Qualification (IQ) The test methods and evidence that must be submitted
Protocol, the use of photographs, print reports, and for qualification of the installation cover the following
screen capture as supporting documents is minimum elements:
recommended.
Identification of the part / document / element
Each of the installation qualification tests should be Location
traceable to the respective user requirements and design Condition in which it is situated
specifications associated with it. It should be recalled that Attributes to have the item controlled
in these protocols the design specifications are directly Validity
translated into the acceptance criteria for each of the Absence of change checks and open deviations
tests, even if deemed necessary, the specification may be
expanded during test development. With legacy systems, it is common that much of the
required documentation no longer exists or is no longer
Qualification/validation protocols are the proper updated and available. In these cases, consideration
definitions of acceptance criteria, as test methods for should be given to developing new documentation to
demonstrating compliance criteria are so important. The support the assessment. In the case of category 5 legacy
testing method is usually a direct verification, where the systems, it is very likely that no documentation on the
existence and status of the qualified installation element system has been developed. Here, if the system has
are inspected and documented (through photographs, been in operation long enough to demonstrate a high
screenshots and print reports, photocopies, etc.). degree of assurance that it is reliable, it is most
convenient to omit the development of the
documentation system and treat it as category 4, taking
into account the time of maturity and adjusting this
strategy validation.
#IQ Test description Acceptance requirements
1 Verify that you have obtained the qualification protocol and the The recommendation on the design qualification must be satisfactory
team preparing the report. Verify the recommendation in the
report card.
2 Verify that the analysis has an infrastructure that supports the The infrastructure should be assessed and it should be satisfactory
system
3 Make sure you have obtained a document describing system The document must be valid and authorized
configurations
4 Make sure you have obtained a document describing the flow The document must be valid and authorized
of information in the system
5 Check that count with a manual system The document must be valid and authorized
Table 8: Examples of installation qualification tests
QBD GROUP PAGE 80

8.10 WHAT IS OPERATIONAL It must be documented in the description of the testing
QUALIFICATION? steps needed to demonstrate the specification, for which

it is also important that the operating procedures reflect
The assessment of operation demonstrates that the not only the needs of the process but also the same
system involved in the study operates as determined system operating according to the process, as well as the
by design and determines the optimal operating integration between the two.
values for each of the control variables. In this stage of
qualification, each of the functions performed by the Functional specifications become the expected outcome
system and the security elements of the counting system of each function performed by the system, and may even
are tested according to their category. specify multiple acceptance criteria.
8.11 WHY PERFORM OPERATIONAL

QUALIFICATION? The most important elements to consider
in this phase are:
The operational qualification is to verify that in each of its
functions, the system performs according to what the
The correct operation of the installed
provider says the system does. For example, in a filling software and hardware elements and
liquid in which a computerized system operates the interfaces
equipment, the developer mentions that by pressing the The required SOPs
“Start” button by the user, the contents will start to be Adequate protection and information
filled into manual flasks. So in operational qualification, security (testing, not just
the system is controlled to perform this function, based documentation)
Recording of emission data
on what was defined in the functional specifications.
Training of SOPs
Security
In this sense, the standard does not allow the vendor or
Access control
developer to perform qualification testing to replace on-
Audit trail (if applicable)
site testing by the customer, because the documentation Alarms, alerts, messages
provided by the vendor cannot be traced to the Communication with database
functional and, therefore, user requirements. Moreover, interfaces and subsystems
suitability for use can only be demonstrated by Starting and stopping of the system
verification of the location of the organization’s system, Deactivation of the system
personnel, facilities, equipment, and procedures. A Control sequences

21 CFR tests, if applicable: creation of
system that has been “pre-validated” or whose validation
electronic records, use of electronic
package has already been delivered cannot be
signatures
considered validated.
Backup, archiving and restoration of
information
8.12 WHAT SHOULD OPERATIONAL

During operation, qualification should test all functions In implementing the Operational Qualification (OQ)
performed by the system and involved in the process. Protocol, the use of photographs, print reports and
The functions not involved in the process can rightly be screen capture as documentary support is
separated. All existing security elements in the system recommended.
should also be checked.
QBD GROUP PAGE 81

The test methods and supporting documents to be 8.13 WHAT ARE THE SECURITY FEATURES
submitted for operational qualification include the THAT ARE CHALLENGED DURING
following elements: OPERATIONAL QUALIFICATION?
Operation yes / no There are two types of computer system security:

Operating parameters: physical security and logical security. Both must be
Response times verified during system operation.
Absence of errors
Stress test system
Backup power supply
Server redundancy
Etc.
Absence of change controls and open deviations
Qualifications for both operation and performance

can potentially be tested with White Box or Black
Box. The use of White Box testing is especially
recommended in cases where there is custom
software or hardware (customization); in other cases,
the use of Black Box testing is accepted, which is
more practical given the level of standardization of
systems other than the 5 categories. White Box tests
are those in which all process or system elements
that lead to obtaining results are inspected and
evaluated. These elements must be specified and
verified in detail at both installation and operation. In
Black Box testing, functionality is tested.
During validation of a Category 5 system, some

elements that are usually checked in the White Box
are:
Programming diagrams
Wiring diagrams
Hardware configuration
System logical inferences
Programming developments and macros
Formulation of operations (programming
notation versus mathematical notation), etc.
An example of systems that should be white box

verified are SCADA systems; these are Category 5
systems built based on the need for automation and
therefore all components should be verified.
QBD GROUP PAGE 82

8.14 WHAT IS DATA AUDIT OR AUDIT
TRAIL?
A data audit (also called an Audit Trail) is a software

component with a secure log and timestamp that
provides evidence of the sequence of activities that at
any time affected the data of an operation,
procedure, or event in a computerized system. It is
the chronology of the “Who”, “What”, “When”, and
“Why” of a record. It also includes monitoring the
creation, modification, or deletion of data. In this
context, the audit trail can have two effects on the
security system:
Allows tracking of all changes to both the system

and the information it manages for delineation of
responsibilities for an anomaly and
reconstruction of any changes
It is a deterrent against attempts by intruders to
make unauthorized changes
QBD GROUP PAGE 83

8.15 WHAT TESTS SHOULD BE
PERFORMED TO CHECK THE AUDIT
TRAIL?
During validation, tests are performed to demonstrate The records generated may not be altered or
the following: changed
The log contains at least:
All activities are recorded in the log Date
No one can shut down or suspend Hour
Only personnel with appropriate privileges can view Name of the user
and print the report Activity performed
#OQ Test description Acceptance requirements
1 Check that you have obtained the qualification protocol and The recommendation of Installation Qualification must be satisfactory
system installation report. In the report card verify the
recommendation.
2 The user must approve the document by electronic signature The user must approve the document by electronic signature
Check that the system administrator allows the user to create, Check that the system administrator allows the user to create, delete,
3 delete, modify new folders according to the required root level modify new folders according to the required root level
4 Check that users cannot change the date and time on the Users cannot change the date and time on the computer equipment
computer equipment
5 Check that the system asks for a username and password to The system should prompt you to enter username and password to
access the system access the system
6 Check that the system administrator allows the user to view The system should allow the user to view the administrator’s data
the data audit (audit trail) audit (audit trail)
7 Check that the data audit (audit trail) allows searching for tracks The data audit (audit trail) system shall allow searching by traceability
using the following options: Search by a date parameter (from-to),
search user, search action tasks
8 Check that the history recorded in the control system cannot The audit history system for recorded data (audit trail) should not
be changed or deleted allow modification or deletion
9 Check that the system activates cycle start on command of XX XX command to activate the system starts the cycle, displays the cycle
data screen and allows the deactivation cycle with the cancel button
Table 9: Examples of operational qualification tests
QBD GROUP PAGE 84

8.16 WHAT IS PERFORMANCE For performance qualification, it must run with
QUALIFICATION? different users and different scenarios within the

process. The execution under process and its results
The purpose of the performance qualification system is a are expected to be consistent with meeting the
computerized document verification that a system is established user requirements. Unlike operational
capable of performing and controlling the activities qualification, this qualification will test the system for
required by the process in accordance with the expected results for the entire flow (or flows) of the
approved specifications before operating in a specified process with all integrated components. Tests are
operating environment (GAMP). This specified operating defined with reference to the process flow identified
environment includes personnel, facilities, procedures, under process.
equipment, and any other policies relevant to the

implementation of the system in the organization. It is to When implementing the Performance Qualification
demonstrate the effectiveness and reproducibility of the (PQ) protocol, the use of photographs, print reports,
operations performed by the system once it is integrated and screen capture as documentary support is
into the process. This verifies the demonstration that the recommended.
previously established requirements of the process and

routine use conditions are met, always within the At the end of each phase, a report presenting the
established operating ranges. results must be prepared.
This report should be prepared as a conclusion of the

qualification, summarizing its activities, and if there
8.17 WHY PERFORM PERFORMANCE
were any deviations from the validation plan and the
QUALIFICATION?
status of the system compared to the objectives of
the project and the previously established
In addition to compliance, performance qualification is
requirements. It should also clearly identify the status
the stage where validation is to demonstrate the
of the accepted or unaccepted research to which it
suitability to use the system by meeting all user
relates. The format and additional content of each
requirements (expectation system). These qualification
report reflect the provisions of the Quality
tests attempt to mimic the process in which the system
Management System and validation procedures in
performs to demonstrate that the procedures and
each organization, without losing sight of the
process controls meet user requirements.
absolute minimum required by regulatory
compliance (see topic: What requirements must the
Quality Management System comply with?).
8.18 WHAT SHOULD PERFORMANCE
The report can be prepared in several ways to
During performance qualification, evidence is provided present the results and conclusions. It is common to
that the system, with all its elements, is performing prepare a report for each running protocol with an
according to the process parameters, and the system analysis and summary of results. However, you can
performance is verified. also create a general report card, especially for those
simple low-risk systems or where multiple protocols
The set of tests in this qualification must be increased are unified.
according to the procedures and process controls, with

respect to the user requirements established at the After performance qualification, we conclude
beginning of the validation cycle. It should verify the whether or not a system can be declared validated
consistency of results through tests involving complete (deemed qualified or not in the case of
workflows and their application to different users. infrastructure).
QBD GROUP PAGE 85

15
#PQ Test description Acceptance requirements
1 Check that you have obtained the qualification protocol and The recommendation of Operational Qualification must be
report from operational computerized system. In the report satisfactory
card check the recommendation.
2 Request a user role to prepare documents to enter the system The system must allow the user to enter the system
with your username and correct password
3 Request all users with roles to prepare to attach a file to the The system should allow all users to attach a document and should
folder during processing and notify user reviewers also send an e-mail notification to user reviewers
4 Request the user with a review role to move the file to the The system allows the user to download the file
review stage and download it according to the route that mail
notification shows
5 Request the user with a review role to process a folder and The system should allow the user to attach a document and should
notify the processor also send an e-mail notification to the user processor
6 Request the user with a review role to attach the file and notify The system should allow the user to attach a document and should
the user with authorization role to review the document also send an e-mail notification to the user with authorization role
7 Request the user to electronically sign the document, add it to The system must allow the user to authorize a role to electronically
the folder authorization, and send a notification to the user and sign the document and must also allow the file to be attached and
the reviewing developer associated notifications to be sent
8 Allow users with a role to develop, review and approve the The document must contain digital signatures with the date and time
document by digitally signing it they were made
Table 10: Examples of performance qualification tests
This requires the preparation of a validation report Access is controlled

justifying such a conclusion and establishing compliance The determination that individuals who develop,
with the following regulatory aspects that should have maintain or use systems have the ability, training,
been demonstrated during the validation phases: and experience to perform their assigned duties
Ensure accuracy, reliability, functionality, consistency, It must also indicate the existence of all documents
and the ability to distinguish between invalid or recorded in the validation plan relating to the
changed records deliverables, showing release.
Expect the ability to control protection, integrity, and
backup information Finally, the report must clearly establish that all
You have obtained the protection of records to be mandatory requirements have been met for the system
created, modified, maintained, archived, retrieved, to be considered suitable for its intended use (validated).
and/or transmitted The report should include the conclusion of all validation
Has a system of protection, integrity, and backup phases (DQ, IQ, OQ, and PQ) and the system must be
information declared as VALID or NOT VALID.
QBD GROUP PAGE 86

CHAPTER NINE
REPORTING
9.1 VALIDATION REPORT
The validation summary report provides a summary of

the validation activities carried out. Approval of the
Validation Summary Report confirms that the system
meets business and applicable regulatory requirements,
and that the system can be implemented in production.
At minimum the validation summary report must

include the following:
Results of the vendor assessment (if applicable

Summary of the activities
Summary of the deliverables
Summary of deviations, including rationale,
corrective actions planned and how these will
be followed up.
Deviation from the Validation Plan (e.g.,
deliverables and procedures which were
initially planned, or not, for creation, update or
obsolescence, or scope, planning, tools,
resources, communication, and schedule
modifications)
QBD GROUP PAGE 87

15
CHAPTER TEN
MAINTENANCE OF
VALIDATED STATUS
Once you have qualified the infrastructure and In the retirement phase, which can include data
validated the computer systems, it is important to migration, withdrawal for destruction, and retention of
have oversight to ensure they are kept under control. information or infrastructure as part of maintaining the
validated state, the decommissioning can be performed
While computer systems and infrastructure are in which all information that needs to be traced to the
dynamic in nature, i.e. changes, version upgrades, computer system/infrastructure must be removed and
extensions, infrastructure upgrades, and staff that the final disposal will be indicated. In the case of
operates changes, are presented; methodologies are specified information if a migration has been performed,
established to maintain the qualified/validated state, or if it is obsolete, indicate how long you intend to retain
as these changes may directly or indirectly affect as a consultation and where to verify this. Similarly, the
product quality, patient safety, data integrity, internal risk analysis should form the basis for evaluating and
policies, regulatory compliance or business. Changes deciding on the elements to be controlled at this stage.
are transparent to users, that is, unobserved level
interfaces do not affect system operation, but
changes may also partially or completely alter Physical security
process flow.
The physical security of a computer system
Ideally, during the design phase of the life cycle of includes the application of physical barriers
computer systems/infrastructure, the and control procedures against threats
implementation of the qualification/validation system primarily to hardware and the integrity of
is carried out. In the next step, which is the operation the data it manages.
of the computer system/infrastructure and where
changes may occur according to their effect, addenda This type of security aims to deal with the
to documents are developed, or through a new threats posed by both humans and the
assessment / full validation. nature of the physical environment in which
the system resides. The main threats are:
An addendum to document qualification /validation is
recommended only if the change is small, affects only Natural disasters, accidental fires, and
part of the study qualification/validation and the any variation caused by environmental
impact is not significant. That way you do not have to conditions
redo the study, but only those items that were Threats caused by man as theft or
affected. It is important that the risk analysis identify sabotage
and consider all other elements of the qualification Intentional internal and external
affected by the changes that may lead to greater disruptions
damage and loss of validated status.
QBD GROUP PAGE 88

Assessment and ongoing monitoring of the Key elements to consider for logical security
physical security of the system is the basis for include the following:
beginning to integrate security as a primary
function thereof. A controlled physical access User name/password combinations
Locking of fields or cells
environment helps reduce losses and has the
Assigning user profiles
resources to deal with accidents. Elements of
Biometric controls
physical security to be verified include:
Audit trail
Warning messages / alarms
Physical barriers: doors, security bars, etc. Password rotation
Devices such as switches with key locks, etc. Electronic signatures
Firewall and antivirus settings
Even combinations of physical and logical security
elements, such as biometric doors with access Security policies must be established for the
control, can exist. above items. These policies may be defined in the
Quality Manual, Validation Master Plan,
In all cases, the ability of the physical security
procedures or internal policies of the organization,
element to protect the system must be
as appropriate.
documented and questioned.
During operational testing, the following should

always be checked for both physical and logical
Logical security
security:
The logical security of a computer system

The existence of the security element and its
includes application software barriers and
constituent elements. The configuration of the
procedures that protect and provide access
security element.
to data and the information contained
The non-violation of the security element.
therein.
The effectiveness of the security element in
maintaining data integrity and system operation.
Logical security aims to achieve the following
Documentation management and configuration
objectives:
of the security element.
For SCADA systems, part of operational
Restrict access to programs and files
verification includes verification of each of the
Ensure that users can work unsupervised
signals in the system, both in intensity and in
and cannot modify programs or files that
relation to each of the activated functions.
do not match
Ensure that data, files, and programs
being used are used correctly
Verify that the information sent is only
received by the recipient that was sent
and that the information received is the
same as the information sent
Have alternative contingency steps for
sending information
QBD GROUP PAGE 89

Qualified status must be maintained by implementing programs as described below:
Change Control: You must document the changes in infrastructure/computer systems and
conduct an impact assessment
Training and qualification of personnel: There must be evidence of training as per what is
indicated in the parent training and personnel must be qualified as specified in the company’s
procedure.
Preventive/corrective maintenance: There must be evidence of preventive maintenance
according to the program, and evidence of corrective maintenance for both software and
hardware, as well as deviations, CAPAs, and risk analysis assessing the impact on the
qualified/validated state of the infrastructure / computerized system
Deviations: You should follow up on deviations or non-conformities according to the procedure
established in the organization
Preventive actions and corrective actions: It should follow up CAPAs and assess the impact on the
qualified/validated state
Risk Management System: A system should be in place to identify, mitigate and monitor
potential failures in the infrastructure and computer systems
Continuous monitoring: Check by routine monitoring the status of the infrastructure/computer
system and the monitoring of these programs to determine if they are in a state of control
You must document the control methodologies It is imperative that any field personnel that is
for the above programs and the allocation of involved in the operation or management of
responsibilities for them. Maintenance of the infrastructure/system is aware of
qualified/validated condition is an activity that nonconformities, CAPAs, and change controls.
occurs on an ongoing basis; adequate monitoring, Thus, they are documented in a timely manner
documentation, and evaluation of program when a deviation or non-conformity, CAPA or
impacts can maintain the control condition. change control occurs.
Some examples of cases where qualified/validated states are lost:
System changes that are not documented: Change of version of the computerized system,
changes of settings, server change, removing/gaining modules in systems
Maintenance: Not performed or not according to the program, undocumented maintenance, major
maintenance where components are replaced and an impact assessment is not performed
Training: Lack of continuity of training or new personnel are not trained in accordance with existing
procedures. This may result in process flow not being respected and activities not being approved.
Deviations: Failure to follow up on deviations that arise or are not documented
CAPAs: CAPAs are not implemented or their closures are not documented
Risk management system: Not having a risk management system, not having tools to identify
errors, controls are not in place to mitigate or eliminate risks
QBD GROUP PAGE 90

10.1 MAINTAINING THE VALIDATED
STATUS IN OUTSOURCED
ACTIVITIES
Very important to keep computerized systems

validated/qualified is keeping track of all outsourced
activities that affect them. For example, hosting services,
systems operating from the cloud, and maintenance
performed by a third party.
In such cases, it is necessary for suppliers to be involved

to keep the maintenance program in a
validated/qualified state; the key activity to consider is:
Site audits
If possible, it is advisable to conduct a vendor visit, for

example, hosting to verify compliance and document
activities such as backups, debugging information,
physical server maintenance, and personnel training.
When it is not possible to conduct on-site visits, for
example, for cloud-based system vendors, the
maintenance plan should document why you cannot
conduct an on-site audit (geographic location, internal
vendors, or other) and ensure that service contracts are
updated, and valid and adhered to according to the
service and contract scope. This can be done as part of
the ongoing vendor assessment.
QBD GROUP PAGE 91

CHAPTER ELEVEN
CONCLUSIONS
This guide establishes the necessary basic In addition to the risk categorization of each
guidelines, and the scope of validation, to system, the validation process of the deliverables
understand the process of validating depends on its age, the stage of the life cycle it is
computerized systems and the GxP impact in in, and the chosen V-model that best fits the need
organizations. However, the activities to be to demonstrate the appropriateness of using the
performed depend on the life cycle chosen, the system.
deliverables to be met, and the level of effort and
documentation required to demonstrate This guide provides a comprehensive overview of
regulatory compliance. These depend on the the Validation of Computerized Systems, where
complexity of each of the systems to be validated, an understanding of the logic of the work allows
their age, their effects, the process for which it is the methods presented here to be adapted to the
intended, and their respective risk analysis, needs of each organization in different scenarios.
determining the best strategy for validation.
This entire guide emphasizes the great

importance of knowledge of the process for which
the computerized system is intended to verify the
suitability and thus the use of the system. The
process drives, and in this sense, it is essential for
a good computerized validation study to have a
robust knowledge of the computerized system
and the process it serves through proper
characterization systems. Another very important
aspect is having a complete QMS that allows
interaction of the areas involved to prepare the
documentation to support such validation.
QBD GROUP PAGE 92

CHAPTER TWELVE
HOW CAN QBD ASSIST IN THE VALIDATION OF

YOUR COMPUTERIZED SYSTEMS?
Are you looking for CSV services? QbD offers CSV The actual approach and life cycle you want to
expertise to help your company comply with the take to validate your computerized system(s) are
latest regulations. QbD has years of experience up to you.
with numerous projects in various GxP
environments. If required, our validation The most common and recognized CSV approach
approach can be tailored to newer technologies, is the GAMP5 methodology.
such as machine learning and artificial
intelligence.
WE ARE HAPPY TO HELP YOU
understand the processes in which your computerized system is used

understand the functioning of your computerized system (white-box approach)
decide on the lifecycle and Computer System Validation approach
and ensure highly consistent data and compliance with all relevant regulations. The first
step towards data integrity!
INTERESTED TO KNOW MORE? GET IN TOUCH!
QbD Growth BV | Groenenborgerlaan 16, 2610 Wilrijk, Belgium
QBD GROUP PAGE 93

APPENDIX
BASIC CONCEPTS
& DEFINITIONS
ADDENDUM Addenda, an addition to a document.
REGRESSION ANALYSIS A task of verification and validation of software to the extent of analysis and
AND TESTING testing. Verification and validation should be repeated when changes are made to
a component or system software previously discussed.
APLLICATION Software installed on a platform/hardware that provides specific functionality.

SOFTWARE Software or program that is specific to the solution of the application problem
(GAMP5).
ARCHIVE It is the process by which records are protected from the possibility of
modification or deletion, and these records are stored under independent data
control for the required retention period. Archived records must include, for
example, associated metadata and electronic signatures.
AUDIT TRAIL (DATA An audit trail is a form of metadata that contains information about actions
AUDIT associated with the creation, modification, or deletion of GxP records. A data
audit provides a secure record of life cycle details such as the creation, addition,
deletion, or modification of information in a log, paper, or electronic, without
hiding or overwriting the original record. A data audit facilitates the reconstruction
of the history of such record-related events, regardless of medium, including the
“who, what, when, and why” of the action.
BACKUP Systematic, independent, and documented process for obtaining audit evidence
(records, factual statements, or other information) and its objective evaluation to
determine the extent to which audit criteria (set of policies, procedures, or
compliance process requirements used as reference) have been met.
BIOMETRIC A security copy. It is a copy of one or more electronic files made as an alternative
in case the original data or system is lost or becomes unusable (for example, in
the event of a system failure). It is important to note that the backup file differs in
that backups of electronic files are usually stored only temporarily for the purpose
of disaster recovery and may be overwritten periodically. Such temporary
backups should not be considered a mechanism file.
BIOMETRIC DEVICE The method of verifying the identity of an individual is based on the measurement of
the physical characteristics of the individual(s) or repeatable action(s) if those
characteristics and/or actions are measurable specifically for each individual.
QBD GROUP PAGE 94

GOOD In the context of these guidelines, good documentation practices are measures
DOCUMENTATION that collectively and individually ensure that documentation, whether paper or
PRACTICES electronic, is secure, attributable, legible, traceable, permanently and
simultaneously recorded, original, and accurate.
BUSINESS CONTINUITY A documented and maintained plan to define the ongoing process supported
PLAN and funded by management to ensure that necessary steps are taken to identify
the impact of potential losses, maintain strategies for viable recovery and
recovery plans, and ensure continuity of services of the written plan through staff
training, testing, and maintenance plan.
BUSINESS CONTINUITY A managed process for developing and maintaining inter-organizational plans to
PLANNING counteract disruptions to business operations.
INSTALLATION Documented that a system has been installed according to written specifications
QUALIFICATION OR for design and configuration verification.
INSTALLATION
VERIFICATION TESTS
INSTALLATION Documented evidence that equipment, facilities, and systems have been installed
QUALIFICATION according to previously established design specifications.
OPERATIONAL A documented evidence that equipment, facilities, and systems consistently

QUALIFICATION operate according to previously established design specifications.
PERFORMANCE Documented that a system is capable of performing or controlling the activities of

QUALIFICATION OR required processes according to requirements and user specifications are written
PERFORMANCE in your business environment and computer testing.
VERIFICATION TESTS /
REQUIREMENTS
OPERATIONAL Documented that a system operates according to the operational specifications

QUALIFICATION OR written along sets of specified operation checks.
OPERATIONAL /
FUNCTIONAL
VERIFICATION TESTS
QUALIFICATION This is the performance of specific tests based on scientific knowledge to

demonstrate that equipment, critical systems, facilities, personnel, and suppliers
meet previously established requirements, which must be completed before
processes are validated.
CAPAS Corrective and preventive actions
QBD GROUP PAGE 95

CHANGE CONTROL The process of ensuring that a computerized system remains valid following a
change. It includes assessing the effect of the change to determine when and if
repetition of a validation or verification process or a specific part of it is necessary
for appropriate action to ensure that the system remains in a validated state.
LIFETIME OF THE The period of time that begins when a computerized system is designed and
SYSTEM ends when the product is no longer available for use by end users. The system life
cycle typically includes:
A requirements phase
A planning phase
A development phase includes:
A design phase and a programming and testing phase
A qualification phase and a release system consisting of:
A system integration and testing phase
A system validation phase
A system release phase
An operation and maintenance phase
A system withdrawal phase
LIFE CYCLE All phases in the life of the system from initial requirements to retirement,
including design, specification, programming, testing, installation, operation, and
maintenance.
CLIENT-SERVER The client-server model describes the interaction process between the local
computer (the client) and the remote (server).
The client makes its requests (queries, applications, requests) to the server, which
processes this request and sends the results back to the appropriate client.
Typically, clients and servers communicate with each other over a network, but
they can also both be in the same system (same hardware).
CODING It is the process of converting information from a source into symbols for
communication. In other words, it is the application of the rules of a code.
The reverse process is decoding, that is, the conversion of these symbols into
information that can be understood by the receiver.
CONFIGURATION The adaptation of a software application or hardware element to other elements

of the environment and the specific needs of the user.
CHANGE CONTROL A formal process by which qualified representatives of appropriate disciplines

(PARENTERAL DRUG review proposed or actual changes to a computer system. The main purpose is to
ASSOCIATION (PDA)) document the changes and ensure that the system remains in a state of control.
QBD GROUP PAGE 96

CHANGE CONTROL Documented system for change control, including assessment and effect of the
AND MANAGEMENT OF proposed change on processes, and computer systems.
DEPARTURES
COTS (COMMERCIAL Commercially Available Software Direct Sales; a software component supplied by
OFF-THE-SHELF the supplier of a computerized system for which the user cannot claim full control
SOFTWARE) over the software life cycle. Commercially available software whose suitability for
use is demonstrated by a broad spectrum of users.
REQUIREMENT The criteria that a system component must meet to be accepted by a user,
CRITERIA (IEEE) customer, or other authorized entity.
DATA GOVERNANCE All provisions to ensure that data, regardless of the format in which it is
generated, is recorded, processed, retained, and used to ensure complete,
consistent, and accurate recording throughout the data life cycle.
MASTER DATA Unique data is used on a shared basis by multiple users for different purposes.
DATA Original records are true copies, including source metadata and all subsequent
transformations. These reports are generated and recorded at the time of the
GxP activity data. Data must be accurately captured by permanent means at the
time of the activity. Data may be contained in paper records (such as worksheets
and logs), electronic records and audit trails, photographs, microfilm or
microfiche, audio or video, or any other means by which information related to
GxP activities is captured.
DATA LIFE CYCLE All phases of the process in which data is created, recorded, processed, reviewed,
analyzed and reported, transferred, stored and retrieved, and monitored until its
disposal and destruction. Plans should be in place to assess, monitor and
manage the data and the risks associated with that data in relation to the
potential impact on patient safety, product quality, and/or reliability of decisions
made at all stages of the data life cycle. The set of records of all information
relevant to the process in physical or electronic form. The computer system
consists of hardware, software, and network components, along with control
functions and associated documentation. Tests performed to determine whether
or not the system meets the acceptance criteria and to enable the customer to
determine acceptance of the system. See also Factory Acceptance Test (FAT) and
Site Acceptance Test (SAT).
ENCRYPTION Encryption is the process of making information deemed important unreadable.

Once encrypted, information can only be read by applying a key. This is a security
measure used to store or transfer sensitive information that should not be
accessible to third parties. It may include passwords, credit card numbers, private
conversations, etc.
QBD GROUP PAGE 97

PRODUCTION The business and computing environment in which a computerized system is
ENVIRONMENT used by end users. Computerized systems for the regulated production
environment is the business and computing environment in which the
computerized system is used for regulated good laboratory practices.
USER REQUIREMENT If prepared as a separate document, this is a formal document defining the
SPECIFICATIONS (URS) requirements for using the system software in your planned production
environment.
FUNCTIONAL The functional specification document. This defines the functions and technology
SPECIFICATIONS solutions specified for the computer system based on the technical requirements
to meet the user requirement specifications (e.g., the specified bandwidth
needed to meet the user requirements for the expected use of the system).
FDA Food and Drug Administration, U.S. regulatory agency.
FDA COMPLIANCE Those that do not comply with 21 CFR Part 11 and were started on old computer
POLICY GUIDE 7153.17 hardware prior to August 20, 1997.
DIGITAL SIGNATURE The electronic signature is based on cryptographic methods for authenticating
the sender, using a set of rules and a set of parameters capable of verifying the
overall identity of the signer and the integrity of the data.
ELECTRONIC Compilation of computer data or a symbol or series of symbols executed,

SIGNATURE adopted, or authorized by a person to be legally attested and equivalent to the
person’s handwritten signature.
FIRMWARE It is a program fixed on a ROM memory and logic sets the lowest level that
controls the electronic circuits of a device. It is considered part of the hardware to
be integrated into the electronic device as well as software, it provides logic and is
programmed by some kind of programming language. The firmware receives
external commands and responds to control the device.
STATIS RECORD FORM Static record formats like a paper record or PDF. It is one that is “fixed” and allows
limited interaction between the user and the contents of the record. For example,
a static record, once printed or converted to PDF files, cannot be reprocessed or
allow more detailed baselines or display hidden fields.
GAMP Good Automated Manufacturing Practices
GAP G: Good, A: Average, P: Poor.
CONFIGURATION A discipline that applies engineering, management, and supervision to identify

MANAGEMENT and document the functional and physical characteristics of a configuration item.
Management of changes to those characteristics, recording, and reporting of
change processing and implementation, and verification of compliance with
specified requirements.
QBD GROUP PAGE 98

GXP Acronym group of good practice guidelines for preclinical activities, clinical
activities, manufacturing, testing, storage, distribution, and post-marketing of
pharmaceuticals, biologics, and regulated medical devices, such as good
laboratory practices, good clinical practices, good manufacturing practices, good
pharmacovigilance practices, and good distribution practices.
HARDWARE (HW) It is the physical part of a computer or computer system; it consists of electrical,
electronic, electromechanical, and mechanical components such as cable circuits
and light circuits, motherboards, utilities, chains, and other materials, physical
state, whatever it takes to make the team work.
GXP IMPACT Action that can directly or indirectly affect regulatory compliance, quality policy,
product quality, and consumer perception.
INFORMATION It consists of a group of data and ordered surveillance that serve to build a system
based on a particular phenomenon or message from an entity. Information can
solve problems and make decisions because its rational use is the basis of
knowledge.
INFRASTRUCTURE Hardware and software, network software and operating systems, or in general,
that allows the application to operate.
DATA INTEGRITY It refers to the extent to which data are complete, consistent, accurate, and
reliable and that these characteristics are maintained throughout the life cycle of
the data. Data must be collected and stored securely so that it is attributable and
readable while being original or a true and exact copy. Ensuring data integrity
requires adequate quality systems and risk management, including adherence to
sound scientific and good documentation practices.
ISO International Organization for Standardization
IT Information Technology
MAINTRENANCE OF Maintenance of facilities, equipment, and systems is another important step to

VALIDATED STATE ensure that the process remains under control. Once that is achieved, the
qualified/validated status must be maintained through routine monitoring,
maintenance, calibration procedures, and programs.
METADATA Metadata is data that provides contextual information about other data needed to
understand the data. This includes structural and descriptive metadata. These data
describe the structure, data elements, interrelationships, and other characteristics of
the data. They also allow data to be attributed to a person. The metadata needed to
assess data significance should be linked to data security and properly evaluated. For
example, in weighting, number 8 is meaningless without metadata, i.e., the mg unit.
Other examples of metadata are the stamp date/time of an activity, the operator
identification (ID) of the person who performed an activity, the ID of the instrument
used, processing parameters, sequence files, etc.
QBD GROUP PAGE 99

WHO World Health Organization
PC Personal Computer
PERIPHERAL It is called peripheral and/or auxiliary and independent devices that are
connected to the central processing unit of a computer, making input/output (I/O)
complementary.
VALIDATION MASTER The document containing information about the validation activities performed
PLAN (VMP) that establishes details and timelines for each validation work to be performed.
Responsibilities related to the plan should be established in accordance with
GMP. Systematic, independent and documented process for obtaining audit
information and objective evaluation to determine the extent to which agreed
criteria have been met.
PROGRAMMING LOGIC Hardware element that can be programmed to make decisions based on logical
CONTROLLER (PLC) arguments (in the form of electrical signals that activate or deactivate a function).
The PLC and connecting elements are considered Category 2 or modified
hardware.
SOP Standard Operating Procedure
PROCESS OWNER OR The person responsible for the business process.

LANDLORD
SYSTEM OWNER OR The person responsible for the availability and maintenance of the security of a
LANDLORD computerized system and the data contained in that system.
PROTOCOL The written work plan that defines the objectives, procedures, methods and
acceptance criteria for an investigation.
REQUIREMENT TEST It represents that stage of the software development life cycle in which the
(IEEE) development team and the user area of an information system must ensure that
the developed system conforms to the defined requirements.
USER REQUIREMENT Verification of fully computerized configured system installed in the production
TEST environment (or in an environment equivalent to the validation production
environment) for, as intended, the computerized business process when
standard end users trained in operational procedures are operating and that they
define the use and control system. User requirement testing can be a part of
performance qualification (PQ) or a separate step in PQ.
DISASTER RECOVERY Process for planning or deploying resources to restore normal commercial
function in the event of a disaster.
QBD GROUP PAGE 100

ELECTRONIC RECORD Any combination of text, graphics, data, audio, image, or other representation of
information in digital form that is created, modified, archived, retrieved, or
disseminated by a computer system.
VALIDATION REPORT A document that states the conclusion and determines whether or not the
system meets suitability to use force and good practice.
SCADA Software for Supervisory Control and Data Acquisition. Often used to automate
processes, it served as a PLC hardware component to manage the actions by
which the system takes control of the process.
SYSTEM SECURITY Ensure the confidentiality, integrity, and availability of their systems and networks.
Security is divided into physical security and logical security.
SERVER A server is a computer that is part of a network and provides services to other
client computers.
QMS Quality management system
OPEN SYSTEM An environment in which access to the system is not controlled by persons
responsible for the content of electronic records contained in the system.
CLOSED SYSTEM An environment in which access to the system is controlled by persons

responsible for the content of electronic records contained in the system.
CUSTOM COMPUTER A computerized system individually designed for a specific business process.
SYSTEM
COMPUTERIZED Any equipment, process, or operation that has attached to it one or more
SYSTEM/COMPUTER computers and associated software or a group of hardware components
SYSTEM designed and assembled to perform a specific set of functions.
COMPUTERIZED/COMP A functional unit of one or more computers and associated input and output
UTER SYSTEM devices, peripherals, and software, utilizing common storage for all or part of a
program and all or part of the data necessary for program execution.
QUALITY Represents the set of measures taken in a planned and systematized manner to
MANAGEMENT SYSTEM ensure that pharmaceutical products are of the quality required for their
intended use. Quality Management therefore incorporates GMP, GDP, GLP, GDP,
GVP, and Risk Management principles. Including the use of appropriate tools.
COMPUTER SYSTEM A system containing one or more computers and associated software (IEEE).
COMPUTERIZED A computerized system collectively controls the operation of one or more automated
SYSTEMS processes and/or functions. It includes hardware, software, peripheral devices, networks,
and documentation, e.g., manuals and standard operating procedures, as well as personnel
who interface with the hardware and software, e.g., users and IT support personnel.
QBD GROUP PAGE 101

LEGACY SYSTEMS A computer system that has become obsolete, but continues to be used by the
user and is unwilling or unable to be easily replaced or upgraded.
SLA A written agreement between a service provider and its customer to set the
agreed level of service quality.
OS Operating System
INFRASTRUCTURE Infrastructure platform on which business software and systems operate or

SOFTWARE improve their operation.
BUSINESS SOFTWARE Software used for business processes, which may include those subject to
regulatory compliance. Software defined by a market-driven need, commercially
available, and whose fitness for use has been demonstrated by a broad spectrum
of business users. Software or a specific program for the solution of an
application problem.
SOFTWARE (SW) A set of computer programs, instructions, and rules for executing certain tasks on
a computer.
THIRD PARTIES Parties not directly managed by the holder of the manufacturing and/or import
authorization.
TOKEN It is a string of characters that has a coherent meaning in a certain programming

language. Examples of tokens could be keywords (if, while, int…), identifiers,
numbers, signs, or a multi-character operator. They are the most basic elements
on which any translation of a program is developed, they arise in the first phase,
called lexical analysis, but are still used in the following phases (syntactic analysis
and semantic analysis) before being lost in the synthesis phase.
USER A person who uses a device or computer and performs multiple operations for
different purposes. A user is often a person who acquires a computer or
electronic device and uses it to communicate with other users, generate content
and documents, use software of various types, and many other possible actions.
COMPUTER SYSTEM Documented process of ensuring that a computer system does exactly what it
VALIDATION (CSV) was designed to do in a consistent and reproducible manner (SUITABILITY FOR
USE), guaranteeing data integrity and security, product quality, and compliance
with applicable GxP regulations.
VALIDATION OF It is the confirmation by verification and provision of objective evidence that the
COMPUTERIZED specifications of the computerized system conform to the needs of the users and
SYSTEMS intended uses and that all requirements can be consistently met.
VERIFICATION The act of checking, inspecting, testing, verifying, auditing, or otherwise

establishing and documenting whether items, processes, services, or documents
meet specified requirements.
QBD GROUP PAGE 102

REFERENCES
BIBLIOGRAPHY
ASTM E2500-07 Standard guide for Specification, Design and verification of Pharmaceutical and
Biopharmaceutical Manufacturing Systems and Equipment.
ICH Q7 Good Manufacturing Practice for Active Pharmaceutical Ingredients, Capítulo 5.4 Computerized
systems, 12.10, 13.11, 20. 10 nov. 2000
ICH Q9 Quality Risk Management. 9 nov. 2005
CEFIC. European Chemical Industry Council. Task Force Computer Validation. “Computer Validation Guide”
Final Draft 13 Jan. 2003
Siddhartha Gigoo. “Calificación y Validación de Sistemas para la Infraestructura IT”. Pharmaceutical
Technology en español. Marzo / Abril 2007. pp. 24.
IEEE. The Institute of Electrical and Electronics Engineers. Glossary.
EMEA. Eudralex Vol. 4. annex 11, 15.
ISO/IEC 17799 Tecnología de la información – Técnicas de seguridad- Código para la práctica de la gestión de
la seguridad de la información. 2005.
FDA 21 CFR part 11 “Electronic records, electronic signatures: scope and application”
FDA. Data Integrity and compliance with cGMP Guidance for Industry. April 2016
Norma Oficial Mexicana NOM-059-SSA1-2015 “Buenas prácticas de fabricación de medicamentos”
NOM-241-SSA1-2012, Buenas prácticas de fabricación para establecimientos dedicados a la fabricación de
dispositivos médicos
NOM-164-SSA1-2013, Buenas prácticas de fabricación para fármacos
Andrews, John. “Validating Pharmaceutucal Systems, Good Computer Practice in Life Science manufacturing”.
Taylor and Francis Group / Sue Horwood Publishing. England. 2005.
ISPE GAMP® 5. “A risk based approach to compliant GxP computerized systems”. 2008
GAMP® Good Practice Guide. The Validation of legacy systems. The official Journal of ISPE. November-
December 2003. Vol. 23, No. 6
“Applying GAMP® 5 to Validate an ERP System”. The oficial Journal of ISPE. November/December 2010, Vol.
30 No. 6
ISPE GAMP® Good Practice Guide. IT Infrastructure Control and Compliance. 2005
ISPE GAMP® Guide: Records and Data Integrity 2017
“An approach to IT Infrastructure Qualification”. David Stephenson. The official Journal of ISPE. September /
October 2005, Vol. 25 No.5
“Establishing Compliance of a Company´s IT Infrastructure – A Practical Guide to Meeting GxP Requirements.
John Andrews and Richard Labib. The official Journal of ISPE. November / December 2004, Vol. 24 No.6
PIC/S Guidance. PI 011-3 Good practices for computerised Systems in regulated “GXP” environments. 25
september 2007.
Draft PIC/S Guidance PI 041-1 (Draft 2) Good Practices for Data Management and Integrity in regulated
GMP/GDP environments. 10 August 2016
ISO 9001-2015 Sistemas de gestión de la calidad-Requisitos
ISO 31000:2009 Gestión de riesgos. Principios y directrices
“ How to “Right-Size” Computer System Validation Based on Criticality and Complexity”, Frank Houston and
Mark Weinglass. Journal of Validation Technology [Autumn 2010]
QBD GROUP PAGE 103

SPECIAL
THANKS TO
Fabiola Negrete
Enrique Vargas
Jonathan Boel (ed.)
Jaime I. Castro Palma

Roberto Rodriguez Ortega
Ana Ochoa Valentina Degrees
Julio Jimenez Cruz
Sergio Jimenez Mora
Daniel I. Martinez Mendez
Paola Piña Camarena
Israel Velasco Alvarez
Quality is never an accident;

It is always the result of intelligent effort
John Ruskin
1819-1900. British writer and critic
QBD GROUP
NEED CSV SUPPORT? GET IN TOUCH!

A Complete Guide To Computer System Validation (CSV) - QBD Group - 2023

Uploaded by

Copyright:

Available Formats

A Complete Guide To Computer System Validation (CSV) - QBD Group - 2023

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

A Complete Guide To Computer System Validation (CSV) - QBD Group - 2023

Uploaded by

Copyright:

Available Formats

QBD GROUP

The QbD Group supports life sciences companies

understand the processes in

INTERESTED TO KNOW MORE? GET IN TOUCH!

+32 3 844 45 01 | www.qbdgroup.com | Contact us

QBD GROUP PAGE 09

“Documentary evidence generated through the collection and scientific evaluation of

Food and Drug Administration (FDA)

“Validation is the confirmation by objective evidence, that the previously established

WHO guidance on the requirements of good manufacturing practices (GMP)

“Establishment of documentary evidence that provides a high degree of assurance that

QBD GROUP PAGE 10

“Computer/computer system, any equipment, process or operation having one or more

Food and Drug Administration (FDA)

“System containing one or more computers and associated software, network

Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients (ICH7)

“Computer system: hardware components and associated software, appointed and

“Computer system: process or operation integrated with a computer system.”

QBD GROUP PAGE 11

Computer system Controlled function or process

In other words, the computerized system is the

QBD GROUP PAGE 12

To identify what must be validated it is important

For its functions and design: Refers to

QBD GROUP PAGE 13

Depending on their functions and design,

System type Description Example

Table 1: Types of computerized systems for functionality and design

QBD GROUP PAGE 14

It helps to determine the strategy and scope of

For example, in the validation of an ERP (SAP)

2.4 HOW MANY CATEGORIES ARE

There is 1 category for Hardware (Infrastructure)

QBD GROUP PAGE 15

Infrastructure software: established or commercially available software layer, eg.:

Non-configured systems: no configurations are freely traded in stores or as part of

QBD GROUP PAGE 16

Configured systems or products: Partially configurable software packages that allow

Specifications and testing modules

It is important to note that worksheets, depending on your level of configuration or customization

QBD GROUP PAGE 17

For purposes of this guide, you can define legacy Example:

1. Computer system that has become obsolete,

included in the validation master plan). strategies for legacy systems

During the preparation of the Validation Master

QBD GROUP PAGE 18

3.1 WHAT IS THE VALIDATION OF 3.3 HOW IS THE SUITABILITY

Validation of computerized systems is a The suitability for use is demonstrated by

3.2 WHAT IS THE SUITABILITY

QBD GROUP PAGE 19

1. The creation, maintenance or preservation of

3.6 WHAT IS THE SCOPE / records or documentation required by the

IMPACT OF GXP? Good Practice regulations for evaluating

The term refers to any action or omission that

It is also important to generate evidence of why some

QBD GROUP PAGE 20

Examples of non-GxP impacts:

Business: This impact is determined by how

QBD GROUP PAGE 21