Computer System Validation

zeihr

Hello, I need help establishing a procedure for computer system validation and software validation. Currently, we're using MS Excel sheets, a scanner, PLCs, and other software which is installed in the production machines, and I have some questions:
1. Are computer system validation and software validation the same thing?
2. What should I include in each step of validation (IQ, OQ, PQ) and the master plan? We only conducted a verification for the barcode scanner back then, and never conducted a software validation before.
3. Any recommendations for standards/regulations I can use for arranging the content of the procedure?
 
Other than it being a generally good idea, is something driving this; i.e., are you trying to comply with a standard?

I'm not a fan of the IQ/OQ/PQ approach for software. Not the best model, IMO. I do like to consider IQ aspects, though, which otherwise get overlooked.

For verification, you're proving requirements are fulfilled. For validation, you're giving assurance that the system will meet its intended purpose over the life of use. Aspects like concurrent users, robustness, usability / user interface, maintainability, etc. may all come into play. I'm a big proponent of structured exploratory testing - if you have good testers - to support validation.
 
This is always something that is asked by the auditor while we're in an ISO 13485 audit, since we use MS Excel for creating some of our quality documents (e.g. CoA, which has some formulas linked to another database), and some of our production machines are using software and programs like PLC, but we haven't done the software validation yet. And now we are trying to establish a procedure for this to follow standard compliance (our main focus is to comply with 21 CFR 11 and EU Annex 11), but I still need info to arrange the procedure.

What is the best model for software validation? Maybe we don't have to conduct the full validation steps IQ-OQ-PQ, but is it still necessary to create the procedure for each step?
 
1. Are computer system validation and software validation the same thing?
| Aspect | Computer System Validation (CSV) | Software Validation |
|---|---|---|
| Scope | Entire system: hardware, software, users, environment | Only the software component |
| Focus | Ensures system performs reliably and securely for its purpose | Confirms software meets user needs and specifications |
| Examples | Excel with macros, PLCs, barcode scanners, ERP systems | Custom apps, firmware, embedded software |
| Regulatory Basis | FDA 21 CFR Part 820, ISO 13485, EU MDR, 21 CFR Part 211 | FDA 21 CFR Part 11, IEC 62304 (for SaMD) |

| Aspect | Computer System Validation (CSV) | Software Validation |
|---|---|---|
| Definition | Validation of the entire computerized system including hardware, software, and interfaces to ensure it meets intended use and regulatory compliance. | Validation focused primarily on software functionality, performance, and compliance. Part of CSV if software is part of a system. |
| Scope | Includes hardware (e.g., PLC, barcode scanner), software, interfaces, and integrated workflows. | Focuses on software alone, including custom and off-the-shelf applications. |
| Master Validation Plan (MVP) | Overview of system scope, validation strategy, responsibilities, deliverables, risk approach, and acceptance criteria. | Similar but focused on software elements and their validation lifecycle. |
| Installation Qualification (IQ) | Checks installation per specifications, environment, hardware and software configurations. | Verification of correct installation and environment for software. |
| Operational Qualification (OQ) | Tests operational functionality per specs under controlled conditions. | Verifies software functions meet requirements under simulated conditions. |
| Performance Qualification (PQ) | Validates system performance in real-life or production environment scenarios. | Confirms software performs effectively in actual or simulated use cases. |
| Barcode Scanner Verification | Part of hardware/system CSV, including verification of scanner operation and integration with software. | Limited scope, typically software input processing test. |
| Standards/Regulations | FDA 21 CFR Part 820, 21 CFR Part 11, ISO 13485, IEC 62304, GAMP 5, FDA CSA guideline. | Same as CSV but focused on software-specific standards like IEC 62304 and software validation guidance. |
| Approach | Risk-based, tailored based on system complexity and criticality. | Part of system validation or standalone for software modules. |

2. What should I include in each step of validation (IQ, OQ, PQ) and the master plan? We only conducted a verification for the barcode scanner back then, and never conducted a software validation before.
[Attached image: 1760313716699.webp]

3. Any recommendations for standards/regulations I can use for arranging the content of the procedure?
First read the annexures, followed by the main text.
GAMP 5 gives a great framework to deal with CSV: GAMP 5 Guide 2nd Edition
 
Thanks for all the responses, guys. It really helps. The procedure was already created, right before we were inspected by NAFDAC. And yes, they also asked about the CSV in my company, not only the 13485 auditors. We managed to pass the inspection by explaining to them our timeline for applying this, and by showing the procedure. I'll come here later if someday I need help regarding this topic again :)
 
IQ/OQ/PQ may not be the worst approach to CSV, but it is among the worst.

Trying to apply IQ/OQ/PQ to CSV is evidence pointing in the direction that neither is understood.

Also: unless the medical device incorporates "batched" components relying on chemical formulae, I'd avoid any consideration of GAMP 5. GAMP 5 is IMO simply trying to dummy-proof the (manufacturing) engineering necessary for batch production; it is far less applicable outside of that realm than may be obvious to the uninitiated.
 
I'd also recommend reading ISO/TR 80002-2:2017 Medical device software Part 2: Validation of software for medical device quality systems. (80002-1 is not needed if you have ISO 14971). ISO/TR 80002-2:2017 applies to any software used in device design, testing, component acceptance, manufacturing, labelling, packaging, distribution and complaint handling or to automate any other aspect of a medical device quality system as described in ISO 13485.

ISO/TR 80002-2:2017 applies to

- software used in the quality management system,

- software used in production and service provision, and

- software used for the monitoring and measurement of requirements.


It does not apply to

- software used as a component, part or accessory of a medical device, or

- software that is itself a medical device.
 
We use 3 different OTS software programs for our OMS only. None of these programs affect the product. In the new FDA guidance document, everything is risk based, which is what we use, but it almost seems like the process is more streamlined??? We do screenshots, but in my reading, screenshots do not seem applicable; it's mostly recording that the software meets the intended use, the risk-based approach, production or QS software changes and determines the appropriate assurance activities. So my question: for each employee that uses these different software programs, do we need to provide screenshots, OR can the qualified person record that each of the 3 OTS meets the assurance activities?
 
We use 3 different OTS software programs for our OMS only. None of these programs affect the product. In the new FDA guidance document, everything is risk based, which is what we use, but it almost seems like the process is more streamlined???
I wouldn't describe the new non-product CSV guidance as a more streamlined approach; it is simply more blunt that it isn't necessary to do the non-value-added activities that we weren't mandated to do in the first place.

For the quality system stuff, if it meets your company's needs... there is a very limited scope about what the FDA would care about. That scope is pretty much limited to areas like integrity and authority... and even then it would be only in areas that affect communications with the agency and product in the market. For example: during development of the new guidance the FDA always pushed back on any company that hinted that employee training systems rose above low levels of concern/interest. This isn't because the FDA suddenly believes training isn't important... it's because the validation of a computerized training system isn't like the apocryphal nail that causes the loss of a kingdom.
 