Computerized Systems Validation

in regulated industries

Regulatory requirements are strict for the healthcare industries. They are described in texts such as Annex 11 of the Eudralex Good Manufacturing Practices, 21 CFR Part 11, OECD Good Laboratory Practices Monograph No. 17, or standards like ISO 13485. In the case of non-compliance, manufacturing companies are sanctioned.

Validation provides evidence that systems meet regulatory requirements. But its benefits go beyond that. By adopting proven methods, manufacturers strengthen their systems’ control and data integrity throughout the process that demonstrates regulatory compliance. These methods are adaptable to the different levels of risk in the healthcare sector.

A computerized system must be understood in a broad sense, meaning it includes the software and hardware (the IT system), but also the network, procedures, users, and most importantly, data. All these components are subject to validation.

Validation activities are based on risks associated with the use of the system. The validation effort is optimized through criticality assessments and risk analyses covering the entire system life cycle.

It is expected that systems are validated before being put into service; this is called prospective validation. Their operation must match specified needs within the intended use.

Furthermore, the infrastructure supporting computerized systems, whether on-site or in the Cloud, must be controlled. This notably includes regular audits to guarantee compliance.

Complete and up-to-date documentation must be available, from system specifications to test planning, executed protocols and scripts, and reports, including change records.

Data integrity must be considered in the validation process. Data generated, stored, processed, analyzed, backed up, archived, and deleted must be secured and protected by proven means. Validation applies at every stage of the data life cycle. For a better understanding of the data life cycle concept, do not hesitate to consult our article dedicated to Data Integrity.

In addition, access security to systems and data must be ensured, in line with the company’s organizational structure, in order to control all actions performed with the system.

Finally, throughout the system’s utilization period, periodic reviews must be conducted, with the support of integrated tools such as the audit trail, which records each event related to the data.

For more details, you may refer to applicable regulatory texts for the healthcare domains. This includes Good Manufacturing Practices (GMP Europe), US cGMP (21 CFR Part XX), ISO 13485 (Medical Devices), OECD GLP (preclinical and safety studies), and ISO 15189 (medical laboratories). Complementary documents can also be referenced, such as GAMP 5 (see article below) or the OECD GLP Advisory Document on GLP & Cloud Computing (Supplement 1 to Document Number 17), which covers computerized systems including outsourced (Cloud) services.

If a system is used in clinical trials, it must be validated according to the general principles described in the previous section. Certain aspects must receive particular attention to meet GCP requirements.

The completeness and accuracy of the data transmitted by the investigation site to the sponsor must be verified. Reinforced encryption and access control measures ensure the protection and security of participants’ personal data.

All interfaces must be secured, and source data must not be altered during transfer to third-party systems such as CTMS, electronic Case Report Forms (eCRF), Laboratory Information Management Systems (LIMS), or Electronic Health Records (EHR). The ability to securely exchange data is crucial.

Non-expert users must be able to safely use the system through a user-friendly interface that detects errors or omissions in entry.

Finally, validation ensures the ability to randomize participant groups and provides a traceability system for blinded studies.

In the same way, best practices have been established for the manufacturing of medicines and medical devices. The requirements of these practices must be verified during the validation of computerized systems used in manufacturing.

Each system related to production or quality control must be validated to ensure that every piece of data in the batch record is accurate. Critical data, especially those related to batch release, must be protected and secured.

Validation must demonstrate the system’s ability to trace all relevant actions to support internal and external audits. Reports based on such data must be available and usable at any time.

Finally, any system involved in manufacturing must be able to interface with other company systems, such as ERP, in a smooth and secure manner. Data integrity must not be compromised during these exchanges.

The regulatory requirements specific to the distribution of medicines or medical devices must be verified during the validation of each system used in this field.

Product recalls in case of quality issues affecting patient safety require complete traceability down to delivery. This requirement is verified during validation, along with requirements related to complaint management.

In some cases, the manufacturer must also comply with requirements specific to product transportation, such as optimizing delivery routes or maintaining transport conditions.

Furthermore, validation must ensure real-time monitoring of stock levels, taking product expiration dates into account. Return management must also be controlled, facilitating compliant and secure reintegration or disposal of the products concerned.

Good Laboratory Practices include specific requirements to be verified during system validation. Analytical equipment is considered a computerized system as soon as it is operated by embedded or workstation software connected to the instrument.

Validation verifies not only the security and protection of study data against alteration or loss but also the ability to retain them for the legally required retention period.

Complete traceability of operations performed on the data is another major point of focus. Each action must be documented with associated justifications to ensure full transparency and facilitate audits.

In addition, the accuracy of data generated by equipment under metrological control and transmitted via secure interfaces must be verified, thus ensuring reliability of the results obtained.

Finally, systems must be able to securely exchange data between the laboratory information system (LIMS or LIS) and sponsors or clients. This interoperability ensures smooth and secure communication of information while meeting stakeholder expectations in compliance with regulatory requirements.

Efor’s CSV experts conduct computerized system validation activities fully independently. We apply a methodology that integrates risk and criticality analyses, adapted to the latest regulatory and technological developments. This proven approach, implemented by our experts, demonstrates your computerized systems’ compliance.

Efor supports you across the entire system life cycle through project management assistance, consulting, auditing, or technical support. Depending on your needs, we can handle either all or part of your validation activities, integrating with your Quality Management System or providing templates and methods.

Context

As part of developing new pharmaceutical manufacturing and distribution activities (vaccines, rapid diagnostic tests, etc.) and expanding laboratory activities (medical and food/environmental), a manufacturer digitized its Quality Management System.

Efor validated this system for its intended use at the client site:

• Electronic document management
• Quality process management
• Regulatory Affairs management

Constraints :

• Multi-site, international project
• Migration from digital and manual systems into the new application
• Client templates used for protocols and reports
• Integration of third-party software
• Delivery in two phases: first the EDMS, then processes with Regulatory Affairs

Quality Management System Validation

The validation strategy was based on:

• Risk analysis from user requirements and functional descriptions
• Configuration specification including access security matrix
• IQ/OQ/PQ test protocols
• Validation report

The Organization – Preparation phase delivered:

• User Requirement Specifications (URS)
• Configuration specifications
• Risk analysis
• Supplier qualification
• Test protocols

The next phase was execution of tests and drafting of reports.

The final phase was CSV & production launch, with all actions and checks required to release the application. It was authorized by an acceptance certificate.

The final report formalized project closure after active monitoring and confirmed the validated status of the system.

Context and Constraints

This project involved replacing an in-house production management system with a market ERP for a healthcare company subject to GMP requirements. Migration of critical data from the legacy system was also conducted, requiring strict integrity checks.

The objectives included modernizing an aging information system, reducing the number of interfaces and specific applications, and improving data integrity and security.

The main constraints were:

• Regulatory compliance management: integrating GMP and regulatory authority requirements
• Multi-stakeholder coordination: collaboration between client teams and service providers
• High documentary workload: managing and tracing numerous critical documents in a structured environment using a test management system
• Tight deadlines: adherence to a strict schedule to avoid delays impacting go-live, aligned with one of the two annual technical shutdowns

This project dealt with significant volumes: 17 impacted applications, 91 functional specification documents, 25 client stakeholders, and 18 external stakeholders (12 integrators/developers and 6 Efor consultants in validation and organization). The total duration was just over two years, producing 280 deliverables.

Validation: Key steps and sequencing

The project was structured into several stages to ensure robust validation and GMP compliance.

1. Audit of the integrator and review of the specifications: An integrator audit was performed early to assess capability for pharma-specific requirements. Critical points were identified and project scope adjusted
2. Review of ERP and interface functional specifications: The 91 documents were reviewed and approved (QA delegated by the client). Special attention was given to system interfaces and data formats.
3. Traceability matrix URS/FS: A matrix was implemented in a validation/test management tool, linking User Requirements (URS) to Functional Specifications (FS). This ensured complete traceability and facilitated design reviews.
4. Risk analysis workshops: Conducted with stakeholders to identify risks impacting patient safety, product quality, and data integrity, and to define mitigation measures.
5. Validation support activities:
   • Drafting and review of validation deliverables (protocols, reports, critical documents)
   • Test management: Test planning and execution supervised by a Test Manager. A test management tool was used to record evidence and deviations.
6. Go-live and production support: Data migration and end-user training were organized to ensure smooth transition. Post-go-live monitoring was implemented to oversee system performance and compliance.

Tools

Several tools supported project execution: SharePoint for document sharing, a test management system for planning and execution, and visual management tools for follow-up of tasks and milestones.

Conclusion

This ERP validation project in the healthcare sector demonstrated the importance of a structured and collaborative approach to meet GMP regulatory and operational requirements. Thanks to rigorous methodology and stakeholder involvement, objectives were achieved within the defined timeframe, with 280 deliverables produced. This project illustrates the complexity and challenges of validation in a GMP environment while highlighting best practices to ensure quality and compliance.