Software validation, also called “computer system validation”, is a process that confirms a piece of software is designed for and satisfies its intended purpose. It involves reviews during software development or selection, and systematic installation procedures and testing during deployment. Validation is a basic part of software quality control, along with software verification. In software verification, the software is checked against a set of predetermined specifications.
For software used in heavily regulated industries — for manufacturing automation, process control, or environmental monitoring, for example — validation should follow an IQ/OQ/PQ quality assurance framework (installation, operational, and performance qualification). This provides a step-by-step approach to ensure no critical aspects of validation are missed. We’ll get into the specifics of how software validation is related to IQ/OQ/PQ later in this article.
Software validation presents unique challenges relative to quality management in other areas. For one, the scope of a software validation project can be unclear and difficult to manage, because of the wide range of potential users, diversity of potential features, and the unpredictability of the environment the software will be used in. Furthermore, software updates and changes must be accounted for as part of continuous validation. In this article, we’ll talk about the best practices for addressing these challenges, with a focus on highly regulated industries, like pharmaceutical manufacturing and distribution, medical devices, and aerospace.
In the US, software used in the pharmaceutical and medical device industries is regulated by the FDA, through rules listed in CFR Title 21. Generally, software used for electronic record-keeping and electronic signatures, which applies to quality management systems, is covered by 21 CFR 11. This states explicitly that validation is required “to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records”.
The regulations for validation of software related to medical devices are more detailed. Specifically, 21 CFR 820.30(g) covers design validation of software used in medical devices, which “shall include software validation and risk analysis, where appropriate.” 21 CFR 820.70 further regulates software systems used in manufacturing and quality control. Software validation is also part of the global medical device quality standard ISO 13485, which is similar to 21 CFR 820 and is also used by the FDA. Software validation is also discussed in detail for operations involving human cells, tissues, and cell- and tissue-based products, in 21 CFR 1271.
In the EU, the analogous regulations are covered in Annex 11 of the EudraLex Vol. 4, with inspections coordinated by the European Medicines Agency (EMA).
Software used in production and quality management in the aerospace industry, which is covered by AS9100, and other general manufacturing environments, such as those using the more general ISO 9001 standard, should also be validated through an IQ/OQ/PQ and risk analysis process. Note that software used in mission-critical aerospace applications is covered by a separate standard, DO-178C.
In general, the laws and standards listed here are fairly non-specific, and exactly what activities should be carried out in the process of software validation is left to the regulated entities. To fill some of these gaps, additional guidance can be used.
One example of this is the “ISPE GAMP 5 Guide: A Risk-Based Approach to Compliant GxP Computerized Systems”, published by the International Society for Pharmaceutical Engineering. This guide, and the ancillary good practice guides, also published by ISPE, provide a more detailed approach for software validation in GxP. A second example is the ISO/TR 80002-2:2017 document, which covers validation of software used in the quality systems related to medical devices. There are several other comprehensive guides in this area, for example the Software Engineering Body of Knowledge (SWEBOK), however this guidance is more general to all software development and testing.
Since it is a fairly common situation, these regulatory bodies offer specific guidance for the use of commercial off-the-shelf (COTS) software from third party suppliers. We’ll discuss that in more detail later in the article.
It is important to note that the landscape for software validation in FDA-regulated industries is likely to change in the next several years. The FDA is expected to announce revised guidelines for software validation in 2020, which will focus more on an approach termed “computer software assurance”. The updated regulations should allow for a more streamlined process, place less emphasis on exhaustive documentation and strict validation practices, and better reflect modern software and automation.
The process of software validation is highly detail-oriented and can be labor intensive, but there are a number of reasons why it is important and beneficial to an organization:
Software validation is frequently needed in the following industries:
The details of the software validation process are dependent on the environment in which the software will be used and the risks involved. However, there are a number of practices that can help a validation project go as smoothly as possible.
On that last point, the FDA has anticipated cases where regulated companies will be using software provided by third parties, for example, the DicksonOne cloud-based environmental monitoring system. In this situation, the ultimate responsibility for validating software still rests with the regulated company. However, the validation process can be streamlined significantly by:
These recommendations are discussed in the FDA document General Principles of Software Validation, section 6.3, and in Annex 11 of EudraLex vol. 4. In cases where the vendor cannot provide full life cycle documentation, or when auditing is not possible, additional functionality tested is needed. This can be performed by the regulated company or by an independent testing lab.
Software validation is an important part of the implementation of computerized system control in manufacturing, environmental monitoring, or any other system that can impact product quality in highly regulated industries, or industries where product quality is a critical customer requirement. It is a detail-oriented process, but when done right, it has benefits for regulatory compliance, customer satisfaction, and operational efficiency.
Software validation follows the IQ/OQ/PQ framework that is well known to those familiar with GxP. However, it is expected to evolve in the coming years in response to the changing use of software in manufacturing and quality systems. In many cases, it is beneficial to work with an experienced vendor to provide software and validation assistance.
About the author: Before coming to Dickson, Director of Services Antoine Nguyen spent more than 18 years in quality and validation roles in the pharmaceutical and medical device industries.