SOP for Computer System Validation in Pharmaceutical Industry


  1. Objective:

To lay down a procedure for computer system validation.

  1. Scope:

This procedure is applicable for all computerized system used in GxP regulated activities. This SOP is applicable for presently installed / available / planned computerized systems. This practices and approaches can be also used for new such systems which may be brought by the company in future.

  1. Responsibility:

IT, production, quality assurance, engineering, quality control department

  1. Procedure:

4.1 This procedure shall include validation of below computer system/software:
Manufacturing automation computer system/software: PLCs (Programmable logical controllers), MMI (Man Machine Interphase), BMS (Building Management System) etc.
Production monitoring computer system/software: Material management software, Material requisition and issuance software, work order management software, stock management software.    Laboratory computer system/software: Laboratory management software, computer system associated with HPLC, GC, LCMS/MS, UV-VIS spectrophotometry etc., laboratory calculations related software.
Batch release and other QMS system related computer system/software: Batch release software, QMS recording software, labelling software.
4.2 List of computerized system shall be maintained and shall be updated in case of new inventory.
4.3 Validation/qualification step shall include user requirement specification (URS), design specification (DS), functional specification (FS), installation qualification (IQ), operational qualification (OQ) and performance qualification (PQ) for new inventories.
4.4 Revalidation shall be performed in case of any major change. Periodic validation (revalidation) shall be performed routinely as per validation policy mentioned in validation master plan.
4.5 Below flow chart depicts the formal validation strategy:
Computer validation1
4.6 User requirement specification (URS): URS shall be prepared and shall be evaluated. URS shall contain requirement and specification e.g. security, access, storage, back-up, audit trail etc.
4.7 Design specification:
4.7.1 Based on URS, design and configuration specification shall be prepared.
4.7.2 Design specification shall be preferably provided by vendor.
4.7.3 Configuration specification shall cover the appropriate configuration of computerized system. This will include definition of all settings and parameters.
4.7.4 Hardware design shall define hardware components i.e. system, interface, component architecture.
4.7.5 Network design specification shall include network diagram, security consideration and performance requirement.
4.7.6 Risk associated with complex and major computer system/software (HPLC, GC etc.) shall be assessed.
4.8 Qualification/validation protocols:
4.8.1 Validation protocol shall be prepared for computerized system and supporting IT infrastructure.
4.8.2 Based on complexity of the system, protocols can be prepared for specific          component/function separately.
4.8.3 Each protocol shall identify following:
– The specific task to be completed.
– The methodology to be used.
– The critical criteria.
– The acceptance criteria.
4.8.4 Protocols can be either prepared by vendor or by the user.
4.8.5 Separate protocols or combined protocol can be prepared for IQ, OQ and PQ depending upon type of computer system, usage and its complexity.
4.8.6 All protocols shall be approved by QA head.
4.8.7 Qualification/validation protocol shall contain following non-exhaustive content-
– Objective
– Scope
– Roles and responsibilities
– Tools required
– Procedure
– Acceptance criteria
– Test data sheet
– Reference
4.8.8 Computer system validation shall be executed as per pre-approved protocols. Any change from the approved protocol shall be agreed by all concern department and deviation shall be logged if required.
4.9 Below checks shall be performed during operational phase of validation. Additional checks can be included wherever applicable.
– Data: Computer system exchanging data electronically with other system shall
include built in checks for the correct and secure entry and processing of data.
– Accuracy checks: Any critical data entered manually should be verified by either
second operator or by validated electronic system.
– Data storage: Data stored should be secured and its accessibility, readability and
accuracy should be checked. Integrity of back up data and ability to restore the data
should be checked.
– Printouts: Clear printed copies of data should be obtained wherever applicable and
wherever required.
– Audit trail: Any change or deletion/addition in any GMP data should be traceable.
– Security: Computer system should be accessed by authorized person only. Extent
of security shall depend on criticality of computerized system. Suitable method like
passwords, keys, biometrics, restricted access to the area should be in place.
– Electronic signature: Electronic signature should be secure and should represent
the person who processed the data.
4.10 Test (during OQ, PQ) shall be executed by designated person and result shall be verified.
4.11 SOP for calibration, operation, preventive maintenance shall be finalised at the time of OQ.
4.12 Users/operator shall be imparted training at the time of OQ.
4.13 Actual test result shall be recorded using evidence e.g. attached screen print and reports, printout etc. wherever applicable.
4.14 Any non-conformance/discrepancy during validation activity shall be recorded in       appropriate section of report.
4.15 Discrepancy observed during validation shall be classified as critical, major and minor and shall be evaluated. Before completion of validation activity all discrepancy shall be corrected and closed.
4.16 Below guideline shall be utilized to classify the discrepancy:
Critical: Those discrepancies which have major impact on the desired performance/outcome. Such discrepancies shall be rectified and closed before proceeding further.
Major: Those discrepancies which has minor impact on the desired performance/outcome. Such discrepancies can be conditionally accepted but must be corrected and closed within stipulated period.
Minor: Those discrepancies which has no impact on the desired performance/outcome. Such discrepancies can be accepted and closed with justification.
4.17 Test equipment used for validation should be calibrated.
4.18 Validation report shall be prepared. The document shall summarise the activity performed, any deviation/discrepancy observed during the activity, any outstanding plan and corrective actions and statement.
4.19 Validation report shall be approved by QA head.
4.20 Following consolidated document shall be available after completion of validation activity:
– Inventory list
– Validation plan
– URS and design specification
– Validation/qualification protocol
– Validation/qualification summary report
4.21 Annual review shall be performed for validated computer system/software and shall assess if revalidation is required. Review shall consider below non-exhaustive aspects:
– Any regulatory update
– Change or update in SOPs
– Status of qualification
– Any changes in computer system/software
– Deviation/OOS log review
4.22 Periodic revalidation shall be performed as per policy.

  1. Abbreviations:

SOP: Standard operating procedure
OOS: Out of specification
QA: Quality assurance
HPLC: High performance liquid chromatography
GC: Gas chromatography
GxP: Good anything practices
UV-VIS spectrophotometry: Ultraviolet- Visible spectrophotometry
LCMS: Liquid chromatography: Mass spectroscopy
MS: Mass spectroscopy
QMS: Quality management system
Eudralex Volume 4 GMP, Annexure-11: Computerized Systems
Good Practices for computerised systems in regulated “GXP”
Environments- PIC/S guidance
Copyright Notice: This Article/SOP/Compilation/Published Content is protected by Indian & International Copyright Laws. Reproduction and Distribution of the same without written permission is prohibited. Mail us at:
For any Feedback or suggestion mail at:
Weblink –

Comment List

  • PharmaState ACADEMY

    Thank you for the great post.
    Prancer is a pre-deployment and post-deployment multi-cloud validation framework for your Infrastructure as Code (IaC) pipeline and continuous compliance in the cloud.

  • PharmaState ACADEMY

    Excellent efforts

Write a comment