White Paper

A Pragmatic Approach
to Computer Systems
Validation
 White Paper

Software validation has been described as a “necessary evil” in the regulated

world. With an execution cost of 50%-100% or more of the software price,
validation becomes such a burden that it can prevent companies from
purchasing software that would improve product safety, quality, and efficiency
or upgrading their systems when they do buy software.

Why do companies need to validate software? Is there an alternative method

to the “traditional” validation process? This white paper discusses the reasons
for validation and proposes a pragmatic approach that can save companies
time and money.

Why Validate?

The most common reason regulated companies validate software is because

it is required by the U.S. Food and Drug Administration (FDA) and other
regulatory agencies, including Japan’s Ministry of Health, Labor and Welfare
and the European Commission. Many companies spend a great amount of time
and money to go through the validation effort without understanding why it is
necessary, often only executing validation to satisfy requirements.

Instead of viewing validation as an evil necessity, companies should view it as

a process that makes good business sense. Good software validation practices
help increase usability and reliability of the software, reduce possible errors
and risks by finding issues before the software is used, and greatly minimize
recalls caused by adverse effects on patients.

In the 2002 “General Principles of Software Validation; Final Guidance for

Industry,” the FDA defined validation as “confirmation by examination and
provision of objective evidence that software specifications conform to user
needs and intended uses, and that the particular requirements implemented
through software can be consistently fulfilled.”

The reference to “user needs and intended uses” makes validation a practical
process, which does not have to be time-consuming or cost prohibitive. Typically,
companies spend too much time and effort in functional testing (also called
operational qualification or OQ) at the expense of a thorough usage testing
(known as performance qualification or PQ). The latter is more crucial for
companies with unique software requirements and a lot of custom processes.

The 2002 guidance outlines validation expectations and illustrates how risk
management can help define what and how much validation evidence is
required. It states: “The level of validation effort should be commensurate
with the risk posed.” In this document, the FDA also addresses the validation
of off-the-shelf software, stating: “The vendor’s lifecycle documentation,
such as testing protocols and results, source code, design specification, and
requirements specification, can be useful in establishing that the software has
been validated.”

In a similar vein, the FDA recommended a risk-based approach in “Guidance

for Industry: Part 11, Electronic Records; Electronic Signatures — Scope
and Application” (2003). The agency said, “We recommend that you base

A Pragmatic Approach to Computer Systems Validation 1

 White Paper

your approach on a justified and documented risk assessment and a

determination of the potential of the system to affect product quality and
safety, and record integrity.”

Another FDA guidance, “Pharmaceutical CGMPS for the 21st Century — A Risk-
Based Approach,” published in 2004, reiterated the importance of a risk-based
framework for regulatory oversight of pharmaceutical manufacturing.

Using Risk Assessment in Software Validation

Through the release of industry guidances, the FDA has provided informational
tools for baseline interpretation of regulations. The agency encourages
adoption of new technologies based on risk assessment while allowing more
focus on how the software will be used and the effects on patient safety
and product quality. For companies wanting to take advantage of today’s
technology, the utilization of risk assessment is an effective alternative to the
traditional avenues of validation.

Functional (OQ) Testing: One way you can use risk assessment to conform
to Part 11 guidelines and other related guidances is to evaluate a software
vendor’s internal testing to see if you can leverage it. Most vendors test their
software extensively before it is released and thoroughly document their test
results. Review a vendor’s test records and audit the vendor’s development
process and leverage that information to either reduce or eliminate functional
testing. The FDA calls it “least burdensome approach,” a strategy that allows you
to accept vendor validation documentation as part of your validation package if
such documentation passed your risk assessment. The pharmaceutical industry’s
“GAMP 5: A Risk-based Approach to Compliant GxP Systems” also encourages
leveraging vendor validation documents as much as possible.

Using software out of the box (or as close to it as possible) will let you take
full advantage of the vendor’s functional testing documentation. This does not
remove the usage validation requirement, but significantly reduces the overall
testing effort. It’s important that you understand the vendor’s test records and
methodology to be able to defend the acceptance of its data.

Usage (PQ) Testing: Upon acceptance of the vendor’s documentation, you

can focus on your critical business processes (CBPs) and company-specific
usage that are outside of your vendor’s standard configurations. Just like with
the functional testing, be sure to assess the risks of your CBPs and identify
high-risk areas.

Repetition of testing is a common pitfall among companies that pursue a

traditional validation method. During the PQ phase, some companies insist on
retesting functionality already fully validated by the software vendor. Such
practice prolongs validation without adding any value to the process.

Focus on your CBPs. If you are tempted to test outside of those processes,
remember the FDA’s recommendation in its 2002 guidance: “The selection of
validation activities, tasks, and work items should be commensurate with the
complexity of the software design and the risk associated with the use of the
software for the specified intended use.”

A Pragmatic Approach to Computer Systems Validation 2

 White Paper

In terms of software upgrade, using risk assessment when upgrading can be very
beneficial in reducing the validation effort. By using the vendor’s documentation,
audit, previous history, and knowledge of the software, companies can justify
testing only the new functionality as part of the PQ effort.

How Much Will Using Vendor Documentation Save?

In talking with customers that use the VxT, MasterControl found that the tool
saved significant time and was most commonly described as being easy to use.
On average, for an upgrade, customers using the VxT only need 45 minutes to
complete validation.

In another study, a MasterControl survey of about 3,500 quality professionals

showed that the average cost of software validation is about $50,000.2 The
high cost is a key reason for “release sitting,” referring to companies delaying
software upgrades for several years. Release sitting leads to a heavier and
costlier validation burden because the longer a company waits to upgrade, the
more changes in the software that would need validation. Upgrading after three
or more years of release sitting typically requires a full revalidation effort.

At MasterControl, we have developed an array of tried-and-tested validation

solutions and services for regulated companies like yours. In particular,
MasterControl Validation Excellence (Vx) Solution is designed to foster the
FDA’s least burdensome approach and risk-based validation strategy. The
solution combines a functional (OQ) component and a best practice usage
(PQ) component that you can incorporate into your validation project. It offers
the benefit of the patented (U.S. Pat. 10,324,830) MasterControl Validation
Excellence Tool (VxT)™, a first-of-its-kind software usage risk evaluation
application that dramatically cuts down the validation time and effort. Below
are the key features of the solution.

MasterControl Functional Testing (ATOQ)

This part of the solution provides completed validation and support
documentation of MasterControl’s internal IQ/OQ tests. It demonstrates to
regulators that basic functions of the MasterControl application perform
correctly against a specification. It includes functional requirement testing
performed on individual components of the system and operational test of the
whole system. The package includes:

• Validation Plan
• Functional Requirement Specifications (FRS)
• Executed IQ protocols
• Automated testing documentation for each version of MasterControl software
• Traceability between FRS and OQ testing
• Final validation report

MasterControl Usage Testing (TPQ)

Our solution simplifies the PQ portion of software validation, which verifies that
the software will function according to a company’s user requirements and in
the intended usage environment. MasterControl conducts extensive PQ testing

A Pragmatic Approach to Computer Systems Validation 3

 White Paper

based on the MasterControl best-practice configurations, so if you assimilate

our internal PQ into your validation evidence, you may not have to execute
anything for your usage testing at all. These protocols are executed with every
release of MasterControl.

The VxT will help you identify your CBPs and determine how much of the
MasterControl TPQ you can leverage for your validation. The tool will show you
the critical client-specific testing that you still need to perform and recommend
additional testing if necessary.

Usage Testing (PQ) Library

If your customized processes are not fully covered by the functional component
of this solution, MasterControl provides PQ templates for standard or common
high-risk components. When the VxT identifies areas that should undergo
client-specific validation, you can use the PQ templates as test scripts to
customize and execute according to your configuration and intended usage.
MasterControl validation experts are also available to write and help execute
the scripts for you as part of our validation services.

With MasterControl Vx Solution, you will enjoy the following benefits:

• Dramatically reduce validation time and effort, thereby reducing the

probability of project failure due to prolonged implementation time.
• Dramatically reduce overall validation cost.
• Allocate more validation focus on usage testing, which is tailored to test the
customer’s unique intended uses.
• Simplify requalification testing, which allows customers to more frequently
install upgrades that provide enhanced functionality and address
technical problems.

Conclusion

When software solutions are not deployed and validated properly the results
can be product recalls, production downtime, business closure, or—worst-
case scenario—risk to patients’ health. Using a risk-based approach to validate
software allows regulated companies to save effort, time, and money and at
the same time ensure compliance. Avoiding software validation pitfalls begins
with evaluating potential risks and developing a plan to deal with hazards once
they have been identified.

Companies should keep their efforts in line with FDA and industry guidances,
which recommend the least burdensome approach to validation based on the
risk of the records generated by the system. If you heed this line of thinking,
software validation ceases to be a necessary evil. It becomes a pragmatic
approach to ensuring quality and compliance.

A Pragmatic Approach to Computer Systems Validation 4

 White Paper

References

(1) Results based on completed project data information from MasterControl

customers’ implementation from June 2006 to Sept 2007.

(2) At the 2017 Masters Summit, MasterControl CEO Jon Beckstrand

cited a company survey on the cost of upgrading and validating a quality
management system.

About MasterControl

MasterControl Inc. creates software solutions that enable life science and
other regulated companies to deliver life-improving products to more people
sooner. MasterControl’s integrated solutions accelerate ROI and increase
efficiencies by automating and securely managing critical business processes
throughout the entire product lifecycle. More than 1,000 companies worldwide,
ranging in size from five employees to tens of thousands, rely on MasterControl
cloud solutions to automate processes for new product development, clinical,
regulatory, quality management, supplier management, manufacturing and
postmarket surveillance. MasterControl solutions are well-known for being
scalable, easy to implement, easy to validate and easy to use. For more
information, visit www.mastercontrol.com.

© 2020 MasterControl Inc. All rights reserved.

WPXXXXUSENA4-02/20

A Pragmatic Approach to Computer Systems Validation 5