FDA 21 CFR Part 11 & EU Annex 11 Computerized System and Software Validation


What Is Software Validation?


Software validation is part of the computerized system validation (CSV) process. Computerized system validation is defined as documented evidence, with a high degree of assurance, that the software/computerized system functions as per the software design and user requirements, in a consistent and reproducible manner.



A computerized system is defined as a computer system that includes software, hardware, and peripheral devices which are necessary for the proper function of the system.

All computerized systems and software which include applications that may affect the quality of the final biopharmaceutical product or medical device should be assessed according to GMP (good manufacturing practice) and GAMP (good automated manufacturing practice) principles and requirements.

Risk assessment is mandatory at the early stages to determine the risk level, critical components, and necessity and scope of the validation activities to be undertaken for the computerized system validation.

Computerized systems may include, from time to time, errors, flaws, mistakes, failures, or faults (defined as “software bugs”), which should be detected as part of the computerized systems validation process.


  • Electronic Records – Defined in the FDA Code of Federal Regulations (CFR) as records that are maintained solely in an electronic format (not in hard copy) or in electronic and hard copy formats and decisions are made based on these electronic records (ER).
  • Hardware – Defined as any programmable device including mainframe, mid-range, mini-, and personal computers, workstations, or any programmable equipment used in a quality-related process.
  • Electronic signature – Defined as a computer data compilation of any symbol or series of symbols that are executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.

FDA/CE Compliance Software

Every control system and/or computerized application used in the biopharmaceutical and medical device fields should meet the requirements detailed below:

  • Information security
  • Information backup
  • Information restoration
  • Information disaster-recovery capabilities
  • Periodic maintenance

 Computerized System Security



GAMP (good automated manufacturing practice) regulations and FDA 21 CFR Part 11 require systems, records, and processes to maintain confidentiality, integrity, and availability.

 Physical Security

Computerized systems defined as “critical” (based on risk assessment methodology) should include physical barriers that restrict access to the system by non-authorized personnel. These restrictions should be systematically kept and tested as part of the computerized system validation stage.

 Network Security and Password Management

Computerized systems that control biopharmaceutical and/or medical device processes or process-related parameters must include security safeguards such as:

  • A dedicated production network will be disconnected from the organizational administrative network
  • Password code used for all actions related to process parameter changes
  • Password code used for special restricted operations such as step bypass, critical parameter changing, process step sequence changing, special process step operations, etc., and for access to “confidential” or “sensitive” information

 All security safeguards including authorization level and password management will be tested and verified as part of the computerized system validation. Passwords must be given individually per user and according to the official authorization level definition and allowable functions per authorization level. Passwords for all defined users shall be changed on a periodic basis by the user.

Computerized systems that display information on the biopharmaceutical and medical device production processes or Quality Control (QC) test results will require security measures such as password codes for all actions that require changes to system parameters, special or restricted operations, and access to “confidential” or “sensitive” information.

 Other Security Measures

PC access and screen savers must be used and will be restricted by passwords to provide additional security for the computerized system. It is recommended to install anti-virus applications in every system that is connected to a network.

 Computerized System/Software Testing, Validation & Verification

Validation Pre-requisites


Company validation policy should define which validation and verification activities should be considered for computer system validation projects at a site or within a specific department. The validation projects, scopes, priorities, and requirements should be defined in the VMP (validation master plan) document.

Usually, computerized system validation will include any programmable device, including its software, hardware, peripherals, procedures, users and interconnections, and inputs for electronic processing and output of information used for reporting and/or control.

It is strongly recommended to complete an official risk assessment process to identify and assess the associated aspects and risks of the computerized system and its potential effect on the final product or medical device quality. The risk process should be done before or at the same time as the design stages and should include brainstorming by all relevant disciplines and key personnel.

A user requirement specification (URS) should be written and approved before purchasing software or computerized systems. The URS is essential to assure the software will support company needs.

After user requirements have been defined as part of the URS and are verified to meet all requirements documented in the various design documents as part of the Design Review and Design Qualification stages, the system/software qualification stage can be initiated.

The system Functional Specification (FS) document should be written by the supplier and approved by the client. The FS will be the basis for system testing during the Operational Qualification stage. Before initiating validation activity, it is very important to identify whether the system type is a closed or an open system.

Prior to the execution of the system IQ (Installation Qualification) and OQ (Operational Qualification), it is recommended to test and verify the system in the production environment or in the intended environment where the system will be routinely used.

FDA Compliant Computerized System

According to FDA standards for software and computerized systems, a system that is defined as FDA compliant, including electronic records and electronic signatures, must comply with the rules detailed in CFR Title 21.

Compliance with these rules will determine whether these electronic records may be used instead of, or in addition to, hard copy records, or if electronic signatures may be used to replace handwritten signatures.

Computerized System and Software Validation Stages

The purpose of computerized system validation is to verify that the installed system functions according to its design, user requirements, and GAMP (good automated manufacturing practice) requirements.

After the system testing stage has been successfully completed by the system developer, and after the URS, risk assessment, design review (DR), and design qualification (DQ) have been completed, the following validation stages detailed below may be initiated:

  • Installation Qualification (IQ): Documented evidence that demonstrates that the system to be qualified meets all specifications, is installed correctly and according to the recommended environmental conditions, and that all components and documentation required for continuous operation are installed and in place.
  • Operational Qualification (OQ): Documented evidence that demonstrates that all operational aspects of the system function correctly and per the user requirements.
  • Performance Qualification (PQ): Documented evidence that demonstrates that the system functions as required, in a consistent manner over time, and meets user requirements during operation. During the PQ you can “go live” with the software and test it in a real-life/real-time production environment.
  • User Acceptance Test (UAT): Documented end-user acceptance testing that usually will be performed by the customer prior to routine system use.

 Since many software design and qualification documents are involved in computerized system software validation, it is strongly recommended to track the system qualification processes using a traceability matrix.

 Post Validation Changes Implementation

When software changes and/or new equipment/device installation into the system is required, all proposed changes should be properly documented. A new risk assessment and system re-validation may be required, based on the company change control methodology and procedures.

New test cases will be required when making partial upgrades or changes, and validation will be required when the next full version is installed.

 Additional Computerized System Validation Testing

As part of the computerized system validation process, the system will be tested, to stress or challenge the system and software boundaries, by using a set of different techniques and values, including using invalid values, restricted scenarios, and other simulations.

Usually, as part of the computerized system and software validation process, system functionality will be tested through the system user interface. If that is not possible, the system may be tested using databases, log files, etc.

The system will be tested relevant to its design to verify that it responds to normally expected inputs and actions. Moreover, the system should be tested with challenging tests and under extreme and stressful conditions.

System response, among other tests, may be qualified for:

  • Invalid values and inputs
  • Error messages
  • Functional validity
  • Data validity
  • System logic
  • Transactions validity
  • System Security
  • Authorization levels
  • Backup and disaster recovery
  • Procedures training