QA028: Computer System Validation (CSV)

OBJECTIVE:

  • This SOP shall define the system for planning, executing, documenting and maintaining validation of GxP-relevant computerized systems in accordance with EU-GMP Annex 11 and Annex 15.
  •  This SOP shall ensure that computerized systems consistently perform as intended, protect data integrity, and do not adversely affect product quality or patient safety.

 SCOPE:

  • This procedure shall apply to all computerized systems that directly or indirectly affect product quality, data integrity, or patient safety.
  • This includes process-control systems such as PLC/SCADA, analytical instrument software such as HPLC/QC instrument data systems, environmental monitoring systems, quality management software, and electronic record/electronic signature systems, if any.
  • The procedure shall apply to new systems, upgrades, replacements, and existing systems requiring retrospective validation. It shall also apply to system changes, periodic review, and retirement.
  • Utility, office, or administrative systems not used for GxP activities are excluded; however, a documented GxP impact assessment shall confirm this classification.

RESPONSIBILITIES:

System Owner:

  • To initiate CSV for new or modified systems.
  • To prepare or arrange preparation of URS.
  • To ensure system is operated per approved SOPs after validation.
  • To initiate periodic review / CSV as per this SOP.

Quality Assurance (QA):

  • To approve all CSV documents (plan, protocols, reports).
  • To verify application of risk-based approach.
  • To issue or approve the final System Release / Validation Approval.
  • To ensure that deviations and change controls are closed before release.

Information Technology (IT) / Engineering:

  • To install and configure the system as per Design Specification (DS).
  • To execute IQ/OQ/PQ or support execution.
  • To implement and maintain access control, backup, antivirus, and patch management.
  • To maintain configuration and version control.

Vendor / Supplier:

  • To provide system description, manuals, certificates, test evidence and installation requirements.
  • To support FAT/SAT (where applicable) and respond to issues observed during qualification.

DEFINITIONS:

  • Computerized System: Combination of software, hardware, network components, peripheral devices, procedures and associated documentation.
  • Computer System Validation (CSV): Documented process of ensuring that a computerized system is fit for intended use.

  • GxP Impact Assessment: Initial determination whether the system affects product quality, data integrity or patient safety.

PROCEDURE:

General Principles:

  • All computerized systems used for GxP purposes shall be validated before use.
  •  The extent and scope of validation shall be based on a documented risk assessment consistent with GAMP 5 principles.
  • Validation shall be a continuous life-cycle activity beginning at system concept and continuing through retirement.
  • All activities shall be defined in pre-approved documents and executed by trained personnel.

System Life-Cycle Phases:

Concept and GxP Impact Assessment:

  • During project initiation, a GxP Impact Assessment shall be performed to determine whether the system affects product quality, data integrity, or patient safety.
  • If the assessment confirms GxP relevance, this SOP shall be followed in full.

Planning:

  • A Computer System Validation Plan shall be prepared for each system or project.
  •  The plan shall define the scope, responsibilities, validation strategy, life-cycle model, applicable documents, acceptance criteria, and change-control approach.
  • The Validation Plan shall be reviewed and approved by QA before any validation activity begins.

Specification:

  • User Requirement, Functional, and Design Specifications shall be prepared in a traceable hierarchy.
  •  The User Requirement Specification (URS) shall describe what the system shall do; the FS and DS shall describe how those requirements shall be achieved.
  • Each specification shall address security, access control, audit trails, data storage, reporting, and backup requirements.
  • All specifications shall be reviewed by the system owner and approved by QA.

  Risk Assessment:

  • A documented risk assessment shall be conducted after the URS is finalized.
  •  Risks shall be evaluated in terms of severity, probability, and detectability.
  • The overall risk magnitude shall be calculated, and mitigation measures shall be identified. High and medium risks shall be addressed by design features, procedural controls, or additional testing.
  • The risk assessment shall be reviewed by QA and shall guide the depth of testing required in qualification.

Build and Configuration:

  • System development or configuration shall be performed according to the approved Design Specification.
  •  Configuration items shall be uniquely identified and controlled under version control. Any deviation from approved design shall trigger change control.

 Verification / Qualification:

  • Verification shall consist of Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ).
  •  IQ shall confirm correct installation of hardware and software, availability of manuals and certificates, calibration of connected instruments, power supply and environmental suitability, and functionality of backup and restore mechanisms.
  • OQ shall verify that all functions operate as defined in FS and DS, including alarm and interlock logic, user access levels, password management, audit-trail generation, data processing, and system behavior under power failure or communication loss.
  • Both positive and negative testing shall be performed to demonstrate control of identified risks.
  • PQ shall confirm that the system performs consistently in the actual operating environment using representative user scenarios.
  • Results of all tests shall be documented and reviewed by QA.
  • Deviations shall be investigated and closed before system release.

Validation Summary and System Release:

  • Upon completion of all qualification stages, a Validation Summary Report shall be prepared summarizing the activities performed, deviations, conclusions, and recommendations.
  •  QA shall review the report and, if acceptable, issue a formal System Release Certificate authorizing use of the system in GxP operations.

 Operation and Maintenance:

  • After release, the validated system shall be operated under controlled conditions in accordance with approved SOPs.
  •  Access shall be limited to authorized users with unique credentials. Audit trails shall be reviewed periodically, and backup and restore shall be verified as per schedule.
  • Any malfunction or deviation shall be documented and investigated according to the deviation procedure.

Change Control:

  • All modifications to validated systems shall be managed through the site Change Control procedure.
  •  Each proposed change shall undergo an impact assessment to determine whether it affects validated functionality or data integrity.
  • Where impact is identified, partial or full re-validation shall be performed. QA approval shall be obtained prior to implementation.

Periodic Review and Re-Validation (CSV):

  • Each validated computerized system shall remain in a validated state throughout its operational life.
  •  To ensure this, a Computerized System Periodic Review (CSV) shall be performed at defined intervals or when triggered by specific events.

 Frequency of Periodic Review:

  • For high-criticality systems such as batch-release, process-control, or laboratory data systems, the periodic review shall be conducted at least once every three years.
  • For moderate-risk systems, the review may be conducted once every five years or as defined in the Validation Master Plan. QA may require more frequent review based on risk or regulatory expectation.

 Event-Based Triggers for Re-Validation:

Re-validation or unscheduled CSV shall be initiated when any of the following occur:

  • Major software or firmware upgrades that alter functionality or configuration.
  • Replacement or upgrade of critical hardware components such as servers or operating systems.
  • Significant network architecture changes affecting connectivity or data flow.
  • Change controls with potential impact on GxP functionality or data integrity.
  • Findings from audits, inspections, or recurring deviations indicating inadequate control.
  • Migration of the system or its database to a different platform or data center.
  • Long-term inactivity followed by system reactivation.

Periodic Review:

The CSV shall include, as a minimum:

  • Verification that the validated configuration and software versions remain current and documented.
  • Review of change controls, deviations, CAPAs, and incidents since the last validation.
  • Verification of user access lists and privileges.
  • Review of audit-trail functionality and example entries.
  • Confirmation that backup, restore, and archival procedures remain effective.
  • Verification that SOPs and training records are current.
  • Evaluation of risk assessment relevance and the need for new mitigation.
  • The results of the CSV shall be documented in a Periodic Review Report summarizing findings, conclusions, and actions required.
  • QA shall review and approve the report. Where deficiencies are identified, corrective actions shall be defined with clear timelines and responsibilities.
  • If necessary, partial or full re-validation shall be performed.

Data Integrity and Security:

  • All computerized systems shall comply with the ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available).
  • Each user shall have a unique login ID and password. Passwords shall consist of at least eight alphanumeric characters, expire every ninety (90) days, and lock the account after three failed attempts.
  • The system shall record all user activities in a secure, time-stamped audit trail that cannot be altered or disabled. Audit trails shall be reviewed by QA at a defined frequency and the review shall be documented.
  • Electronic records and signatures shall meet the requirements of 21 CFR Part 11 and Annex 11.

Backup, Archival, and Retrieval:

  • All GxP data and configurations shall be backed up in accordance with the approved Backup SOP.
  •  Backups shall be verified periodically for integrity and successful restoration, if applicable.
  •  Archival of historical data shall ensure that the data remain readable and retrievable for the entire retention period. Restoration tests shall be performed at least annually and after any hardware replacement.

 System Retirement:

  • When a computerized system is to be withdrawn from use, a System Retirement Plan shall be prepared and approved by QA.
  • The plan shall describe how data and records will be archived, how long they will be retained, and how retrieval will be ensured.
  • A System Retirement Report shall be prepared after successful archival and verified by QA to confirm that regulatory requirements for data retention and integrity are met.

 Documents of CSV:

  • All documents generated during validation, operation, and review shall be controlled under the Document Management System.
  •  The following records shall be retained for a minimum of ten (10) years or for the lifetime of the associated GxP data, whichever is longer:

      • GxP Impact Assessments
      • Validation Plans and Protocols
      • URS, Functional Specification (FS), Design Specification (DS)
      • Risk Assessments
      • IQ/OQ/PQ Protocols and Reports
      • Validation Summary Reports
      • System Release Certificates
      • Periodic Review (CSV) Reports
      • Change Controls, Deviations, and CAPAs
      • Training Records

  •  All records shall be signed, dated, and maintained in a secure and retrievable manner.

 Training:

  • All personnel involved in specifying, testing, operating, or administering computerized systems shall be trained in this SOP and in basic principles of data integrity and computerized system validation.
  • Training records shall be maintained and verified during internal audits and periodic review.

REFERENCE:

  • EU-GMP, Volume 4, Annex 11 – Computerized Systems.
  • EU-GMP, Volume 4, Annex 15 – Qualification and Validation.
  • ISPE – GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems.
  • Site Validation Master Plan (VMP).

RECORDS:

Sr No.   Title                                   Document No.
1        Functional Risk Assessment              F/QA029/001 – 00
2        Functional Requirement Specification    F/QA029/002 – 00
3        User Requirement Specification          F/QA029/003 – 00
4        Design Specification                    F/QA029/004 – 00

 REVISION HISTORY:

Amendment Date   Update Summary   Version No.
NA               New SOP          01

 
