12 Software Validation Subjects That Should Be Covered by Your QMS.

Frederic Landry

Updated: Mar 31, 2023

One of the primary challenges we encounter when embarking on a CSV (Computerized System Validation) or a QSA (Quality Software Assurance) project is missing procedures. This is true of established businesses venturing into the Life Sciences industry, new organizations wanting to integrate GxP systems into their operations, and even, at times, established Life Sciences businesses. Those who have experience in these sorts of things will tell you that missing procedures can act as showstoppers when it comes to delivering a validated system.


In this blog, we will help you avoid such pitfalls. Below are 12 must-have subject areas that should be addressed in your procedures, not only to validate a system, but also to maintain the validated state you worked so hard to reach:


Computerized System Validation

Describes the activities, deliverables and roles required to achieve and maintain computer systems in a validated state, ensuring compliance with the applicable GxP regulations.


System Management and Maintenance

Describes the activities required to ensure that systems and data are maintained in an operational state. This should include elements such as user account management, system updates/patching and other key administrative activities.


Backup and Recovery

Describes where data and information are stored or archived, and how such repositories are safely backed up. This procedure also describes how data/information can be recovered and restored to its previous state, when required.


Physical Security

Describes the security measures that are implemented to protect systems, information, data, and personnel from physical harm originating from malicious and unauthorized parties.

Logical Security

Describes the logical security measures, such as firewalls and Virtual Private Networks (VPN), implemented to protect data and users. As an example, this is where general rules and policies around usernames and passwords, as well as the creation and use of administrative accounts, should be specified.


Incident and Problem Management

Defines the requirements ensuring that any unplanned incident that could impact product quality, patient safety or data integrity is adequately assessed and addressed. Such procedures should cover incidents and problems caused by, or impacting, validated systems.


Change Management (also known as Change Control)

A formal process that ensures system changes are assessed, documented, and implemented in a controlled fashion.


Configuration Management

Ensures that key system configurable elements are recorded and that changes applied to them are controlled and traceable.


Disaster Recovery

Ensures that processes and controls are in place to return to an operational state in the event of a major disaster leading to an interruption of services.


Record and Document Management

Provides guidance on the creation, maintenance, retention, and storage of company documents and records. Also explains acceptable uses of paper and electronic records.


Training Management

Defines processes for managing the training and development of employees and describes how to complete and document this training.


Electronic Signature

Explains how to generate electronic signatures in compliance with applicable regulations (e.g., US FDA 21 CFR Part 11 and EU Annex 11 requirements). Also establishes when electronic signatures may replace handwritten signatures.


Final Thoughts

I am not saying that each topic listed above needs to exist as a separate document, nor am I saying that the document level or its content shall form a policy, a procedure, or a work instruction.

What matters is that these key topics are addressed by your Quality Management System (QMS).

This should be done with a level of detail that is both relevant and useful to your organization. The last thing you want is to implement procedures you are not able to respect, thereby immediately jeopardizing your ability to maintain compliance with your own rules.


Writing and implementing new procedures can be a time-consuming process, requiring weeks if not months of effort and coordination to ensure that those new procedural documents (policies, standard operating procedures, work instructions and associated forms or logs) have been reviewed and approved by the appropriate stakeholders, and that required training has been planned, performed, and documented.

If you are serious about saving time and avoiding costly mistakes when implementing new procedures, you should look into leveraging industry templates for this exercise. Great procedural templates should be based on industry experience and have regulatory expectations and flexibility built into them. Quality templates are a great investment and will assist you in reaching compliance in the most efficient and effective manner possible.


No matter how you decide to go about it, one thing is for certain: You cannot ensure good validation practices are being followed without formally incorporating those key topics in your QMS.


Scott McGrail M.Sc. PMP
Frederic Landry

Chief Executive Officer (CEO) at InnovX Solutions

Frederic Landry has a successful track record in regulated industries, supporting product development, information technology, manufacturing, supply chain, and operations management. Through the combination of his experience and his passion for innovation, he is well positioned to help businesses of all sizes reach their full potential. When not in the office, you are most likely to find Frederic on a ski hill enjoying the outdoors. This Is the Way.
