For pharmaceutical organizations, compliance with 21 CFR Part 11 (Part 11) is essential when using software solutions that store and maintain electronic records and electronic signatures. Part 11, issued by the U.S. Food and Drug Administration (FDA), establishes the requirements for ensuring that electronic records are trustworthy, reliable, and equivalent to paper records. Data integrity in these solutions is of utmost importance. Solutions that require validation are those systems that can impact product quality or patient safety.
A critical component of achieving Part 11 compliance is the process of Computer System Validation (CSV). Validation demonstrates that the software system consistently meets its intended use and meets regulatory requirements. During FDA inspections and audits, pharmaceutical organizations are expected to provide documented evidence that their systems have been properly validated through documented testing and verification activities.
The three crucial validation deliverables of the CSV process are Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ). Together, these documents form the foundation of a compliant validation package.
Why Validation Documentation is Critical for Computer System Validation
The validation documentation serves as proof that the system was implemented, tested, functioned and approved according to the organization’s quality management procedures. These documents ensure that pharmaceutical organizations can display:
- Proper controls over their solution
- Demonstrate compliance with FDA regulations
- Reduce risks associated with software failures
- Ensure data integrity and security
- Support inspection and audit readiness
- Verify that systems function as intended throughout their lifecycle
Without proper validation documentation, organizations may face regulatory observations, compliance gaps, increased operational risk and product quality/patient risk problems.
Validation Master Plan (VMP)
Before diving into IQ, OQ, and PQ, it is important to understand the role the Validation Master Plan (VMP) plays in the process.
The VMP serves as the overarching plan of the validation project. It outlines the scope, responsibilities, validation approach, testing strategy, deliverables, and acceptance criteria. The Plan provides a structured framework that guides all validation activities and ensures consistency across the project. All members of the validation project have to read, understand, and sign-off/approve their roles and expectations of the project. It is important that everyone is on the same page with validation.
Typical contents of the Validation Master Plan include:
- System description
- Validation scope
- Risk assessment
- Roles and responsibilities
- Testing strategy
- Documentation requirements
- Approval process
The VMP establishes the foundation and framework upon which IQ, OQ, and PQ activities are executed.
Installation Qualification (IQ) in Computer System Validation
Installation Qualification verifies and documents that the software system and its supporting infrastructure have been installed correctly according to approved specifications.
The primary objective of IQ is to confirm that the environment is configured properly before operational testing (OQ) begins.
IQ Activities Typically Include:
- Verification of hardware specifications
- Client / Server CPU, RAM, storage, etc.
- Operating System validation
- Server and Client Operating system (i.e. Windows version 2022)
- Database installation verification
- Microsoft SQL Server, Oracle, Azure SQL, etc.
- Application installation verification
- Network configuration review
- Confirm connectivity between server and client, IP Address / DNS config, etc.
- Security configuration verification
- Password policy, User authentication, role-based security, etc.
- Backup and recovery configuration review
- Automated jobs run as scheduled, backup storage, etc.
- Documentation of software versions and patches
- Documented proof of installed version
Example
If a pharmaceutical company implements a cloud-based ERP system on Microsoft Azure, the IQ phase would verify that the application layer, Azure SQL, interfaces with 3rd party solutions, user configuration and permissions, and supporting infrastructure have been installed and configured according to the approved design.
Key IQ Deliverables
- Installation Qualification Protocol
- Installation Test Scripts
- Installation Test Results
- Configuration Documentation
- IQ Summary Report
- Approval Signatures
Successful completion of IQ provides documented evidence that the system environment is suitable for operational testing.
Operational Qualification (OQ) Testing Requirements
Operational Qualification verifies that the system functions according to its intended design specifications under normal operating conditions.
OQ focuses on testing individual system functions, controls, workflows, and regulatory requirements.
OQ Activities Typically Include:
- User authentication testing
- Role-based security testing
- Electronic signature verification
- Audit trail functionality testing
- Data entry validation
- Workflow testing
- Report generation testing
- Error handling verification
- System configuration testing
- Interface and integration testing
Example
For a validated pharmaceutical ERP system, OQ testing may include:
- Confirming only authorized users can approve records
- Verifying audit trails capture all changes, non-editable, etc.
- Testing electronic signature functionality
- Ensuring data modifications are properly logged
- Validating workflow approvals and routing
Key OQ Deliverables
- Operational Qualification Protocol
- Test Scripts and Test Cases
- Expected Results Documentation
- Actual Results Documentation
- Defect Tracking Records
- OQ Summary Report
- Approval Documentation
OQ provides evidence that the system's features and controls operate correctly and consistently and in a repeatable manner.
Read Also: OQ Scripts and FRS Templates for 21 CFR Part 11 Software: How to Validate Your Pharma ERP
Performance Qualification (PQ) for FDA-Regulated Systems
Performance Qualification verifies that the system performs effectively within the actual business environment using real-world processes and end users. The PQ is usually done in conjunction with any Standard Operating Procedures (SOPs) and Work Instructions (WI) the organization has in place to operate the system.
While OQ confirms that the system works as designed, PQ demonstrates that it supports intended business operations successfully.
PQ Activities Typically Include:
- End-to-end business process testing
- Testing is in conjunction with organization’s SOPs/WIs
- User acceptance testing (UAT)
- Business scenario testing
- Production workflow validation
- Data processing verification
- Cross-functional process validation
- Reporting validation
Example
In a pharmaceutical organization, PQ testing might involve:
- Processing a customer order from creation through fulfillment
- Managing inventory transactions
- Executing quality control workflows
- Completing batch record reviews
- Performing financial close processes
These activities validate that the system supports actual business operations while maintaining compliance requirements. It is important that the organization’s SOPs reflect the processes and workflows of the system. Organizations run into trouble when users use the system using their methods vs the methods that have been tested and approved.
Key PQ Deliverables
- Performance Qualification Protocol
- Business Process Test Scripts
- User Acceptance Test Results
- Deviations and Resolutions, if applicable
- PQ Summary Report
- Final Approval Records
PQ provides confidence that the system can reliably support day-to-day operations in a regulated environment.
Additional Computer System Validation Documents Required for Compliance
Beyond IQ, OQ, and PQ, several supporting documents are commonly included in a complete 21 CFR Part 11 validation package:
User Requirements Specification (URS)
Defines what the business requires the system to do. The URS should be the first step even before a system is selected. Select the system based on your needs vs the “big name” on the market.
Functional Requirements Specification (FRS)
Describes how the system will satisfy the user requirements.
Risk Assessment
Identifies potential risks to product quality, patient safety, and data integrity. Specifically, a Part 11 Risk Assessment is recommended. The Part 11 Risk Assessment evaluates the system to ensure electronic records and signatures are secure, accurate, and trustworthy. This will help you to determine the GAMP 5 level and the associated deliverables.
Traceability Matrix
Maps requirements to test cases and validation activities, ensuring complete coverage.
Standard Operating Procedures (SOPs)
Documents procedures for operational use, system administration, user management, backup, security, change control, and incident management.
Validation Summary Report (VSR)
Provides a final summary of validation activities, test results, deviations, and approval status.
Building an Audit-Ready Validation Package
FDA inspectors expect organizations to demonstrate a documented, risk-based approach to validation. The FDA expects documented deliverables. They are not going to sit there and look at the system.
An audit-ready validation package should clearly show:
- Requirements were defined and approved (URS)
- Risks were assessed and mitigated (Part 11)
- Installation was verified (IQ)
- Functional testing was completed successfully (OQ)
- Business processes were validated (PQ)
- Deviations were documented and resolved, if applicable
- Appropriate approvals were obtained
Maintaining complete and organized validation documentation not only supports regulatory compliance but also improves operational confidence and system reliability.
Important Note: Once your system is live and in production, any software changes (upgrades, fixes, etc.) have to be evaluated using your organization’s change control process. Based on the level of changes made to the controlled state of your implementation, a new round of validation may be required.
Conclusion
21 CFR Part 11 compliance requires more than simply implementing software. This is not a financial system that has no impact on product quality or patient safety and can be implemented in a backroom by your IT department. Organizations must provide documented evidence that systems are installed correctly, operate according to specifications, and perform reliably in real-world use. Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) are the core validation documents that support this objective.
When combined with supporting documents such as risk assessments, requirements specifications, traceability matrices, and SOPs, these validation records create a comprehensive framework for demonstrating compliance, ensuring data integrity, and maintaining audit readiness throughout the system lifecycle.
If you are specifically looking for an ERP solution that’s built for Pharma, Slingshot Pharma is the way to go. Slingshot Pharma provides a detailed and comprehensive validation package that includes the FRS, the Trace Matrix, IQ and OQ scripts, and the Validation Summary Report. Slingshot can work with you to determine which of the OQ scripts can be designated for PQ purposes.
.png)