Software Validation: A QMS Compliance Overview

By ETQ on March 15, 2017

The U.S. Food and Drug Administration (FDA) requires companies to validate any software used in design, manufacture, packaging, labeling, storage, installation and servicing of finished devices. Companies must also use change control to ensure changes to IT systems don’t create unintended compliance risks.

But meeting FDA requirements around software validation and change control isn’t always straightforward, particularly if you don’t have in-house experts to guide the process.

With that in mind, let’s take a closer look at what’s required for initial validation, and how to use change control to maintain a validated Quality Management System (QMS).

Compliance Documentation Overview

Auditors will expect to see a number of documents to demonstrate that your GMP Compliance Management Software has been validated. The documentation required spans several phases:

  • Planning: In this stage, you must prepare a written validation plan.
  • Specification: Here you detail your requirements and conduct design reviews. Required documentation includes User Requirements Specifications (URS), risk analysis, CFR Part 11 compliance analysis and network diagram.
  • Test Planning: This is where you document how you’ll test your system. Documentation includes Installment Qualifications (IQ), Operational Qualifications (OQ), Performance Qualifications (PQ) and Requirements Traceability Matrix (RTM). The User Acceptance Test (UAT) shows that a particular item meets the URS.
  • Testing: In this phase, you must perform the required tests, mitigate/resolve any discrepancies and gather your results.
  • Review: The final stage of validation involves reviewing your results to demonstrate that your QMS performs as intended. Documentation includes the validation report, which companies often structure similar to the validation plan.

The FDA allows you to combine these documents, as long as all of the required information is complete.

Initial Validation and Compliance

When installing your QMS, you must develop your own Computer System Validation (CSV) and Software Development Life Cycle (SDLC) process to demonstrate the software is validated to your company’s specific requirements.

Even if you’re using off-the-shelf software, you’ve likely made some kind of configuration change during installation. While software companies often provide URS, PQ and User Acceptance Testing (UAT) documentation, you are responsible for updating these documents to reflect how you configured the system during implementation. Key steps include:

  • Updating and approving the URS and Traceability Matrix
  • Updating and approving the PQ/UAT documents.
  • Executing the updated PQ/UAT.
  • Including the PQ/UAT documents in the validation plan or report.
  • Including any discrepancy items and corrections.
  • Saving the documents according to your record retention policies.


Change Control and Maintaining the Validated State

To maintain the validated state of your QMS, you will need to develop change control procedures for making any changing to the software. In addition to internally driven changes, you will need to use this process anytime your software provider releases a new software version or patch for your system.

So what’s the correct way to handle internal changes and software patch releases? You’ll generally need to complete the following steps:

  • First, assess how the change might impact your processes (risk).
  • If the changes don’t require you to update the system (which may be the case with certain software releases), you can update your documentation to reflect the new version of the software.
  • If the changes do require an update to your system, you need to initiate a change request within your change control process.
  • Document the proposed changes, making updates to the URS, PQ/UAT, Traceability Matrix and Training Materials as needed.
  • Once the URS and PQ/UAT documents are approved, execute/retest the updated PQ/UAT.
  • Include the approved documents in the change request and save them per your internal record retention policies.
  • Approve and Close the Change Request.

It’s important to remember that regulators often closely scrutinize change control systems, viewing them as a representation of how well a company manages its systems overall. Without a robust change control process in place, you’ll likely look disorganized and invite even closer inspection from the FDA. Get it right the first time, however, and your process will help reassure regulators that changes to your QMS won’t impact product quality or safety.