Computer / Software Validation
Download more than 350 documents: SOPs, examples, templates, checklists,
FDA waning letters, 483 inspectional observations, FDA and other official
guidelines, presentations/publications from FDA personnel.
S-125
Defines responsibilities and how to specify training needs,
training techniques and how to document results.
S-134
FDA’s 21st CGMP initiative suggests risk-based inspections. Companies are
expected to document risks that the system has on product quality, product
safety and public health. Information is used, for example, to define the
extent of validation, to define the scope of 21 CFR Part 11 and to implement
controls such as electronic audit trail, electronic copies and archiving of
records. This procedure establishes a method for identifying, evaluating and
prioritizing the risks associated with the use of systems in applicable GxP
applications, specifically but not only where such systems are subject to
regulation under 21 CFR Part 11.
S-241
S-252
Software and computer systems should be validated for compliance and
business reasons. The extent of validation depends on the risk the system
can have on product quality and safety and on the complexity. This SOP gives
guidelines on what the extent of validation should be for risk categories
S-253
The first and most important step of validation and qualification is
writing the specifications. Without clear specifications computer systems
cannot be fully tested. Well-written System Requirement Specifications (SRS)
or User Requirement Specifications (URS) facilitate all consecutive
validation/qualification steps and help to meet business objectives. The SOP
applies to the development of Requirement Specifications (URS or SRS) for
Computer Systems used in GxP regulated environments.
S-259
S-262
Computer hardware and software are frequently changed. Insufficient
documentation and uncontrolled changes can have a negative effect on the
reliability of software and computer systems. This SOP should help ensure
that changes computer hardware, firmware, software and computer systems
follow documented procedures. It describes procedures for initiation,
implementation, approval and documentation of the changes.
S-264
Quality standards, regulatory agencies and some company policies require
software used for evaluation of critical data to be properly validated.
Spreadsheet applications are considered as software and should be validated
to demonstrate suitability for their intended use. The purpose of this
operating procedure is to ensure that Spreadsheet applications are validated
during their development and installation and periodically reevaluated
during operation.
S-267
Software and computer systems should be validated for compliance and
business reasons. This SOP gives guidelines on how to validate electronic
laboratory notebooks. It applies to commercial e-notebooks with and without
customization.
S-268
Electronic Laboratory Notebooks (ELN) are frequently used in regulated
development and QC laboratories. The purpose of this operating procedure is
to ensure that ELNs used in regulated environments comply with regulations .
Following this SOP does not mean that users comply with all regulations in
all aspects. The procedure applies whenever Electronic Laboratory Notebooks
are used in a regulated environments
S-270
Documentation is a valuable asset to any company as it can contain
information, which if lost or altered may be critical for the company.
Electronic Document Management Systems (EDMS) control and retain documents
from creation, use, maintenance and storage, through to archiving and
retrieval. The trustworthiness and integrity of electronic information is
dependent on the reliability and integrity of the EDMS. Validation helps to
achieve proper design, development, installation and use of EDMS and is a
requirement of regulations. This SOP gives guidelines on how to validate
Electronic Document Management Systems.
S-271
Software and computer systems should be validated for compliance and
business reasons. Validation helps to generate accurate, reliable and
consistent analytical results. This SOP gives guidelines on how to validate
commercial off-the-shelf (COTS) computer systems.
S-272
Users of software and computer systems are responsible for validation.
This includes validation during development. User firms can delegate part of
this validation to vendors of the software or computer systems. User firms
should check through a formal vendor assessment process if vendors develop
and validate software and computer systems according to regulatory
requirements and industry practices. User firms should find the most
efficient method for assessment. This can range from simple documentation of
experience with the vendor through direct vendor audit. This SOP guides user
firms through this assessment process.
S-274
Users of software and computer systems are responsible for validation.
This includes validation during development. User firms can delegate part of
this validation to vendors of the software or computer systems. User firms
should check through a formal vendor assessment process if vendors develop
and validate software and computer systems according to regulatory
requirements and industry practices. User firms should find the most
efficient method for assessment. This can range from simple documentation of
experience with the vendor through direct vendor audit. This SOP guides user
firms through this assessment process.
S-289
PCs that are part of a network should be qualified. This SOP is intended
to qualify PC clients in the most economic and efficient way possible. It
applies to PC clients as part of a client server network.
S-291
S-315
Regulations and company policies require records to be available for up
to 10 or more years. Ensuring the authenticity, reliability and long-term
availability of electronic records is challenging because they can be easily
altered. This procedure should help to reliably maintain and retain
electronic records over the entire retention period. It applies to the
entire retention period of records as required by applicable regulations and
company policies.
S-316
Records are frequently generated on paper. Archiving large amounts of
papers records requires large storage capacities. Such paper archives are
also more difficult to search than electronic databases. Therefore companies
prefer to scan in paper records into standard electronic files, such as PDF
format and add meta data to facilitate search. The purpose of this procedure
is to make the scanning and archiving process compliant with GxP
regulations. The SOP is used to validate the initial process and to perform
scans in the routine.
S-317
Availability of records is important not only for compliance but also for
business reasons. For example distribution records must be readily available
in case of a product recall and without batch records or analytical batch
records drug products cannot be shipped. Also there is always a possibility
that computer data can be lost in case of hardware, software or operation
problems. Therefore good data back-up strategies and procedures are
important for quick data recovery in case of such problems. Back-up and
restore of electronic records. This SOP applies for manual and automated
back-up and restoring of data, operating system files, configuration
parameters and application software.
S-319
S-320
S-662
E-153
User Requirement Specifications is the most important validation document
for computer systems. Inadequate or incomplete specifications can have a
high negative impact on later validation phases and when using the system.
This checklist should help to identify User Requirement Specifications.
Validation and controls are specific for each system
E-154
Laboratory computer systems used in regulated environments should be
validated and well controlled. This form helps to identify qualification and
validation requirements for software and computer systems
E-160
Commercial Off-the-Shelf computer systems used in regulated environments
should be validated and well-controlled. This checklist should help to
identify qualification and validation and to control software and computer
systems. Validation and controls are specific for each system. Therefore
going through checklists does not mean that everything is covered for each
system nor does it mean that all checklist items are applicable for every
system.
E-170
Documents that should be developed before, during and after computer
validation.
E-173
Laboratory computer systems used in regulated environments should be
validated and well controlled. This form helps to identify qualification and
validation requirements for software and computer systems
E-268
Real example for a URS of Spreadsheet Applications. You can also use this
as a template for other programs.
E-306
Simple example for complete validation package
MD5 hash calculations can be used to verify data file integrity. Regular or
occasional checks of file integrity are recommended for software
installation, data archiving, network transactions and e-mail transfer. This
ZIP file includes an easy to use program that can be used to learn about the
concept and for simple manual operations. It also includes procedures and
protocols to test the program and a procedure on how to use the program to
verify integrity of e-mail attachments. There is also a 21 page technical
description with code and implementation reference for those who want to
write their own program.
E-308
Examples are equipment and computer systems
E-321
Laboratory computer systems used in regulated environments should be
validated and well controlled. This form helps to identify qualification and
validation requirements for software and computer systems
E-322
This document is a must for installation qualification (IQ)
E-358
This is a complete 29 pages functional test script for an Excel
Spreadsheet. It includes a test schedule, two different test traceability
matrices and 12 functional tests with test procedures, acceptance criteria
and actual results. Test results are summarized in a summary sheet. You can
also use this as a template for other programs.
E-362
Limited access to systems and data is a key requirement of all GxP
regulations and quality standards. The function is built into most operating
systems or application software. However, because of the importance of this
functions, it needs to be tested.
E-741-02
E-741-04
E-741-07
E-781-02
A-109
A-264
published in PharmCanada, written by L.Huber
A-267
Written by nine world experts on computer validation
A-556
A-557
published in Accreditation and Quality Assurance
A-558
A-559
H-219
The table relates requirements of FDA's 21 CFR Part 11 to Annex 11 of the
EU/EC GMP directive.
P-213
David Bergeson, former FDA expert for computer validation.
P-214
FDA's expectations, enforcement practices and examples of warning
letters. Nine steps for implementation
P-215
Do you need to train yourself or your people on how to validate and
qualify equipment and computer systems? This presentation with many graphic
is an ideal way to start.
P-222
Presented at the IVT CSV Conference, Amsterdam, December 2006
It rarely happens that inspectors from Europe give presentations at public
conferences. However this happened at IVT's European Annual Computer System
Validation Conference on December 5-7 in Amsterdam with Ludwig Huber as
chair person. Malcolm Olver from UK's MHRA gave a presentation with the
title: Computer Systems & Software Validation: The expectations and
observations of a European Inspector. Mr. Olver explained the audience the
regulatory framework presented lists with questions typically asked during
inspections. Key point of the observations has been that the Validation
Master Plan (VMP) typically is raised too late in the project. He also noted
that frequently testing is not related critical functions of the process.
Most deviations have been related to inadequate change control, for example,
lack of control of software upgrades and no recommendations for revalidation
F-282
"Electronic Records; Electronic Signatures
F-381
This guidance outlines general validation principles that the Food and
Drug Administration (FDA) considers to be applicable to the validation of
medical device software or the validation of software used to design,
develop, or manufacture medical devices.
F-382
September 1999
F-383
F-384
September 2004 (Draft)
F-385
April 1999
F-386
F-387
F-389
Attachment A: Computerized Systems
The intent of this attachment is to collect, in one place, references to
computer systems of the program
F-390
This 10 page document is not new but still shows FDA' basic expectations
for computer systems, not only for GMP.
The objective is that readers will: understand how the GMPs are applied to
computer systems, know the similarities and differences between computer
systems and other systems, comprehend what is meant by validation of
computer systems, know one method for conducting an inspection of a computer
system
F-391
The FDA received responses from 36 organizations and
individuals, with more than 650 questions, comments or specific
recommendations for changes. FDA's comments are useful to understand FDA's
current thinking on specific aspects of software validation
F-399
May 2007 (Final))
F-424
The guidance document has been withdrawn from the FDA website mainly
because all existing part 11 guidance documents have been withdrawn in
February 2003. However there is absolutely nothing wrong with this guidance.
H-213
Annex 11 of the EU GMP directive specifies requirements for computers
used in GMP regulated environments. To some extent the requirements are
similar as FDA's 21 CFR Part 11.
H-217
Interpretation Annex 11 of the EU GMP directive specifies requirements
for computers used in GMP regulated environments. The International
Association for Pharmaceutical Technology (AVP) has developed this 27 page
interpretation guide for easier implementation.
H-281
G-305
Janis. v. Halverson during the FDA/Industry Combined Training Session on
21 CFR Part 11: Electronic Records; Electronic Signatures FDA on Jan 12,
1999
This presentation is very much up-to-date and has lots of good FDA
recommendations for computer validation.
G-316
P.Motise, IVT Conference Arlington, April 2002:
This presentation is very much up-to-date and has lots of good FDA
recommendations for computer validation.
G-331
George Smith, Consumer Safety Officer at CDER, US FDA, IVT Conference
Arlington, April 2007:
Main topics of the presentation are: Why a risk based approach and how we
arrived where we are, understanding what's coming to proceed with validation
efforts, choosing which system to validate and appropriate levels of
avlidation based on predicate rule. At the end Mr. Smith also gives an
update on the status of the new Part 11 regulation.
G-407
US FDA