Who is Responsible for Computer System Validation?
The question about responsibility for computer validation comes up
frequently. Suggested functions have been quality assurance, IT, validation
groups, regulatory affairs, operations (end-users) and vendors of commercial
of the shelf systems. In this Labcompliance Info we can give a couple of
recommendations although the final decision will depend on the specific
situation of each organization.
Observations and Prerequisites
- The FDA does not specify who is responsible for computer validation.
The only reference we could find is a Proposed Rule from May 3, 1996:
20104 Federal Register 20104 / Vol. 61, No. 87 - 21 CFR Parts 210 and
211Current Good Manufacturing Practice - Amendment of Certain
Requirements for Finished Pharmaceuticals. This documents includes a
statement related to responsibility for process validation: Process
validation is a quality assurance function that helps to ensure drug
product quality by providing documented evidence that the manufacturing
process consistently does what it purports to do. To further ensure that
validation procedures are current, this proposed rule would make the
quality control unit responsible for reviewing changes in product,
process, equipment, or personnel, and for determining if and when
revalidation is required. The agency believes that placing
responsibility for oversight of validation procedures in quality control
units emphasizes the importance of proper validation to quality control.
It is a proposed rule and not specific to computer systems.
- In Europe the Responsible person states with the each each release
of a batch that it has been produced in compliance with GMPs wit
validation of processes and equipment being part of it.
- According to our experience, the FDA and EU agencies don't care who
does validation as long as it is done and documented according to
- Validation can be a longer term and complex activity. For complex
projects the responsibilities and tasks are shared between several
people. For example operations typically define and verify requirement
specifications, the validation group may develop test cases and QA
reviews the tests protocols. Typically validation is cross functional
team activity with team members from all functions that are affected by
the computer system.
- One person should have overall ownership for the validation project.
This can be the system owner.
- The person who develops test cases should have a good understanding
about the computer system and about the application. Otherwise it is
impossible to define critical test cases.
- Persons who are responsible for the entire validation or specific
tasks should be qualified for the assigned tasks. The qualification
should be documented. For example, if a QA person develops test cases
he/she should have a good understanding of the computer system and of
- Responsibilities should be defined in a validation master plan or
SOPs and in individual project validation plans. While the validation
master plan is a frame work and should include responsibilities by
function individual project plan include names.
- People who test the software or computer system should represent
different types of typical users. For example, if the computer system is
used by low skilled operators, test personnel should include these type
of operators. The person who develops the software or computer system
should not be the only one who tests it. This should ensure objectivity
of the test.
Considerations and Recommendations
We recognize that the ideal arrangement depends on the specific
organizational structure and also on the system. Therefore we can not give
specific recommendations that are applicable for everything but document
some of our thoughts that can be considered for defining responsibilities.
- The main responsibility for validation of computer system lies with
the end-users. They know their systems and the applications best and
typically also have the highest interest that the system works reliably
as intended. They have to be in control of their system. End-user
representatives write the specifications, develop test cases and do most
of the initial and on-going testing. They should get help from
validation groups on technical content and from QA on the format of test
- The system owner, also an end-user representative, owns the process
to define, execute and document the validation activities and results.
This requires the system owner to have experience in computer system
- Validation groups manage validation of computer systems based on
business objectives and the interpretation of applicable federal and
industry standards and guidelines that pertain to the validation of GxP
systems. They author, review and execute the System Development Life
Cycle and validation documentation. Review, analyze and evaluate
qualification results, determine acceptability, and ensure that test
exceptions and protocol deviations are properly documented and
corrected. Further oversee the re-qualification testing resulting from
deviations and corrective actions
- QA is involved in all validation activities. They take a lead in
performing the vendor assessment and verify that all validation
activities and documents comply with applicable regulations and internal
procedures. They review and approve validation documents such as
requirement specifications, test plans, summary test results and final
validation reports. Review and approve Standard Operating Procedures
associated with the planning, development and operation of one system.
This means that all efforts should go through QA, from the starting
point of defining needs or specifications to the end result of
documented validation and authorizations. They have an additional
important role: They must take the lead if things don't happen as they
should do. In practice QA must defend compliance.
- For software developed in-house the development department develops
functional and design specifications, implements and reviews the code,
and tests code modules. Activities follow a software development
- IT designs and installs the network infrastructure. They develop
scripts for installation and install network components. They advice on
risk assessment and extent of testing related to network infrastructure.
I do not believe that IT should be responsible for system validation.
Typically they do not know the processes and applications running on the
- Suppliers develop software following a documented software
development lifecycle. They test each function of the computer system.
Test cases should be traceably to functional and user requirement
specifications. They provide documented evidence that the software has
been developed in a quality assurance environment and has been validated
during development. They also provide functional specifications of the
software and computer system and give recommendations on how to prepare
the site or the installation. Vendor also accept users for vendor audits
and offer protocol and services for installation and operational
- Finally, one last comment: If you have any doubt on what to do in a
regulated environment, go basic to the basic principles. One of them is:
people should be qualified for their assigned tasks. The FDA inspector
will care less who is doing what, but they care if people are qualified
for their assigned tasks. The task should be defined by procedures. So
if QA signs for the technical content of a validation protocol, there
should be some documented evidence, that the persons have the technical
competence to do so. Companies organize this in different ways: There
are companies where QA departments have technical expertise, there are
other companies that have QA groups in the IT department. Both
approaches are fine as long as this is documented and procedures are
E-mail this page