Validation of computerized systems as per WHO Technical Report Series, No. 937

Validation of computerized systems

1. General
2. System specification
3. Functional specification
4. Security
5. Back-ups
6. Validation
7. Validation of hardware and software
7.1 Hardware
7.2 Software

Computer systems should be validated at the level appropriate for their use and application. This is of importance in production as well as in quality control.

The use of a computer system includes different stages. These are planning, specification, programming, testing, commissioning, document operation, monitoring and modifying.

The purpose of validation of a computer system is to ensure an acceptable degree of evidence (documented, raw data), confidence (dependability and thorough, rigorous achievement of predetermined specifications),intended use, accuracy, consistency and reliability.

Both the system specifications and functional specifications should be validated.

Periodic (or continuous) evaluation should be performed after the initial validation.

There should be written procedures for performance monitoring,change control, programme and data security, calibration and maintenance,personnel training, emergency recovery and periodic re-evaluation.

Aspects of computerized operations that should be considered during validation include:
— networks
— manual back-ups
— input/output checks
— process documentation
— monitoring
— alarms
— shutdown recovery.

System specification

There should be a control document or system specification. The control document should state the objectives of a proposed computer system,the data to be entered and stored, the fl ow of data, how it interacts with other systems and procedures, the information to be produced, the limits of
any variable and the operating programme and test programme.

(Examples of each document produced by the programme should be included.)

System elements that need to be considered in computer validation include hardware (equipment), software (procedures) and people (users).

Functional specification

A functional or performance specification should provide instructions for testing, operating, and maintaining the system, as well as names of the person(s) responsible for its development and operation.

The following general aspects should be kept in mind when using computer systems:
— location
— power supply
— temperature, and
— magnetic disturbances.
Fluctuations in the electrical supply can influence computer systems and power supply failure can result in loss of memory.

The following general good manufacturing practice (GMP) requirements are applicable to computer systems.

Verification and re-validation. After a suitable period of running a new system it should be independently reviewed and compared with the system specification and functional specification.

Change control. Alterations should only be made in accordance with a defined procedure which should include provision for checking, approving and implementing the change.

Checks. Data should be checked periodically to confirm that they have been accurately and reliably transferred.


This is of importance in production as well as in quality control.

Data should be entered or amended only by persons authorized to do so. Suitable security systems should be in place to prevent unauthorized entry or manipulation of data. The activity of entering data, changing oramending incorrect entries and creating back-ups should all be done in accordance
with written, approved standard operating procedures (SOPs).

The security procedures should be in writing. Security should also extend to devices used to store programmes, such as tapes, disks and magnetic strip cards. Access to these devices should be controlled.

Traceability is of particular importance and it should be able to identify the persons who made entries/changes, released material, or performed other critical steps in manufacture or control.

The entry of critical data into a computer by an authorized person (e.g. entry of a master processing formula) requires an independent verification and release for use by a second authorized person.

SOPs should be validated for certain systems or processes, e.g. the procedures to be followed if the system fails or breaks down should be defined and tested. Alternative arrangements should be made by the validation team, and a disaster recovery procedure should be available for the systems
that need to be operated in the event of a breakdown.


Regular back-ups of all files and data should be made and stored in a secure location to prevent intentional or accidental damage.


Planning, which should include the validation policy, project plan and SOPs, is one of the steps in the validation process.

The computer-related systems and vendors should be defined and the vendor and product should be evaluated. The system should be designed and constructed, taking into consideration the types, testing and quality assurance of the software.

After installation of the system it should be qualified. The extent of the qualification should depend on the complexity of the system. The system should be evaluated and performance qualification, change control, maintenance and calibration, security, contingency planning, SOPs, training, performance monitoring and periodic re-evaluation should be addressed.

Validation of hardware and software

Table 1 indicates aspects of computer systems that should be subjected to validation.

Computer -


As part of the validation process appropriate tests and challenges to the hardware should be performed.

Static, dust, power-feed voltage fluctuations and electromagnetic interference could influence the system. The extent of validation should depend on the complexity of the system. Hardware is considered to be equipment,and the focus should be on location, maintenance and calibration of
hardware, as well as on validation/qualification.

The validation/qualification of the hardware should prove:

• that the capacity of the hardware matches its assigned function (e.g.foreign language);

• that it operates within the operational limits (e.g. memory, connector ports, input ports);

• that it performs acceptably under worst-case conditions (e.g. long hours,temperature extremes); and

• reproducibility/consistency (e.g. by performing at least three runs under different conditions).

The validation should be done in accordance with written qualification protocols and the results should be recorded in the qualification reports.

Re-validation should be performed when significant changes are made.

Much of the hardware validation may be performed by the computer vendor. However, the ultimate responsibility for the suitability of equipment used remains with the company.

Hardware validation data and protocols should be kept by the company.

When validation information is produced by an outside firm, vendor, the records maintained by the company need not include all of the voluminous test data; however, such records should be sufficiently complete (including general results and protocols) to allow the company to assess the adequacy of the validation.

A mere certification of suitability from the vendor, for example, will be inadequate.


Software is the term used to describe the complete set of programmes used by a computer, and which should be listed in a menu.

Records are considered as software; focus is placed on accuracy,security, access, retention of records, review, double checks, documentation and accuracy of reproduction.


The company should identify the following key computer programmes:

  • language,
  • name,
  • function (purpose of the programme),
  • input (determine inputs),
  • output (determine outputs),
  • fixed set point (process variable that cannot be changed by the operator),
  • variable set point (entered by the operator),
  • edits (reject input/output that does not conform to limits and minimize
    errors, e.g. four- or five-character number entry),
  • input manipulation (and equations) and programme overrides (e.g. to stop a mixer before time).

The personnel who have the ability and/or are authorized to write,alter or have access to programmes should be identified.

Software validation should provide assurance that computer programmes (especially those that control manufacturing and processing) will consistently perform as they are supposed to, within pre-established limits.

When planning the validation, the following points should be considered.

• Function: does the programme match the assigned operational function (e.g. generate batch documentation, different batches of material used in a batch listed)?

• Worst case: perform validation under different conditions (e.g. speed,data volume, frequency).

• Repeats: sufficient number of times (replicate data entries).

• Documentation: protocols and reports.

• Re-validation: needed when significant changes are made.


Reference: WHO Technical Report Series, No. 937.

For More Pharma Updates Visit –

error: Content is protected !!