A Perspective on Computer Validation

July 2, 2007
Siegfried Schmitt, Rory Budihandojo, Ludwig Huber
Pharmaceutical Technology
Volume 31, Issue 7

This article provides a historical review of computer validation in the pharmaceutical industry within the last three decades, evolving from the early years' initial concept and approach to today's current practices. Also included is how the regulations and industry have progressed in addressing the topic of computer validation.

In the early years, trying to champion and implement computer validation was quite challenging. The industry faced the unfamiliar installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ) concepts. The common reaction to computer validation back then was quite similar to the Kübler–Ross "Five Phases of Grief" cycle (1). Some readers may have similar recollections and probably have heard some of the following responses:

  • Phase 1, Denial: "Our mission is to implement systems, not to write documents and fill out forms," or "Who says we have to do it, show me the regulations."

  • Phase 2, Anger: "We have years of experience in developing and implementing systems, we don't need !@#$*** validation," or "You are joking, you want me to do what?"

  • Phase 3, Bargaining: "Do we have to do all of those things?" or "Can we do this instead...?"

  • Phase 4, Depression: "This feels similar to paying a luxury tax," or "This is stressing me out, I don't have the time and resources to do all this work."

  • Phase 5, Acceptance: "Oh well, fine, if you really want me to do it, I'll do it."

Nowadays, although there are some who are still in the denial stage, the level of grief is more subdued, and the industry is more accepting. For many, computer validation has become a part of daily life, just like accepting and using the mandatory car seatbelt. The road to acceptance was not without its controversies. In the mid 1990s, many varied opinions led to confusion about the scope of computer validation. At one point, a computer's operating system (OS) was thought to be in scope and to require validation, and the OS vendor had to be audited. In another case, a consultant advised that a "change control" must be filed when replacing a printer's toner cartridge (now we know that consumables don't need change control). It was during this period of confusion that "common sense" became the buzz phrase and "it depends" were the first two words that preceded an answer to any computer validation question.

We have transitioned from the "common sense" and "it depends" environment to a risk-based and risk-management environment, especially since the US Food and Drug Administration is on board with risk management (2). We hope that a risk-management approach will level off the inconsistencies inherent to the "it depends" approach. Only time will tell whether it will be successful. By this transition, however, it seems that along the way we have inadvertently proved Darwin's theory of evolution: we have evolved and transitioned from a less-structured environment to a more technically structured and scientifically minded methodology to computer validation.

Origins of the computer-validation concept and approach

Although the concept of good manufacturing practices (GMPs) dates back to the early 1900s, current GMP regulations are mostly based on the practices that were revised in the mid-1970s, when the medical-device regulation amendments were introduced. It was during this time period that the manufacturing-validation concept (now known as process validation) was first discussed by FDA officials Bud Loftus and Ted Byers (3). In the late 1980s, the manufacturing-validation concept and approach of conducting IQ, OQ, and PQ were applied to computer validation. This approach was selected in part for the benefit of the relationship between industry and FDA. It was hoped that FDA would accept the computer-validation approach because it was already familiar with and accepting of the IO, OQ, PQ concept. Within the industry, applying IQ, OQ, PQ to computer validation was challenging at first. This was at a time when validation concepts such as unit testing, module testing, and integration testing in information technology and software engineering already were being practiced. Interestingly, this IQ, OQ, PQ concept has withstood the test of time and is still prominent today, although some may have substituted and intertwined other types of testing into the fold, including unit and integration testing, as well as other variations of testing (e.g., site-acceptance testing and factory-acceptance testing).

Perspective on regulations and regulatory guidance

Some believe computer validation has been mandatory for only a few years. Most computer validation practitioners believe it started in 1983 with FDA's publication of Guide to Inspection of Computerized Systems in Drug Processing (known simply as "The Blue Book") (4). FDA documents related to computer systems were published as early as 1976 and 1977, however (see sidebar, "Related FDA documents") (5–7). The 1976 FDA Inspector's Technical Guide provided inspectors with the following guidance (6):

Related FDA documents

An understanding of computer operation, and the ability to use a computer, does not require a detailed knowledge of either electronics or the physical hardware construction. An overall view of the computer organization with emphasis on function is sufficient.

Additional guidance was provided in the 1977 FDA Inspection Technical Guide Part II: "The accuracy and validation of the program is one of the most important aspects of computer control" (7).

Computer-validation articles published

Clearly, FDA regulations and expectations have changed since the late 1980s. More detailed documentation is now required to support and verify a system's quality. FDA publications also have become increasingly specific (e.g., in clinical system guidances and those governing the food-processing industry) (8, 9). FDA has a better understanding of the technology and its capabilities as a result of its body of national experts on computer systems, as well as the proliferation of computer and automated systems in the industry. Several other countries also have computer-validation requirements in their GMP regulations (10, 11).

A discussion about regulations would be incomplete without including 21 CFR Part 11 regulations of electronic records and electronic signatures. In 1991, industry and FDA representatives met to determine how to accommodate paperless record systems under 21 CFR Parts 210 and 211. Specifically, industry requested FDA's official position on substituting 21 CFR Part 211, section 186 "full signature, handwritten" with an electronic signature (12). In response, FDA publshed its progress report Electronic Identification/Signature Working Group in 1992 (13). The report identified seven key issues: legal acceptance, regulatory acceptance, enforcement integrity, validation and reliability, security, standards, and freedom of information. The final regulation was published in 1997, and although the regulation is now 10 years old, discussions and issues still revolve around most of these points. Former FDA Commissioner David Kessler is believed to have said that he was surprised by the number of experts he found when he searched the topic of Part 11 on the Internet, especially because FDA was still trying to address and develop a better understanding of the implementation and enforcement of the regulation. Even more interesting in hindsight is how the initial request for FDA to address a specific section of 21 CFR Part 211 has now evolved and encompassed all other aspects of the GMPs.

Even now, some uncertainty about Part 11 regulations remains. A contributing factor to this confusion may be the fact that earlier FDA guidelines on the regulation were revoked in 2003 (14) and replaced by a single guideline (15) with the intention of adding other guidelines later. FDA's reasoning behind withdrawing these guidelines (Fed. Register, Docket 00D-1540 in Feb. 2003) was "to avoid loss of time spent by industry in their efforts to review and comment on Part 11 issues that may no longer be representative of FDA's approach under the new GMP initiative." Since then, no additional guidelines have been issued, but FDA is working on a Part 11 amendment (16).

Perspective on the industry's approach

While FDA published its official regulations and guidelines, the industry also was actively addressing computer validation. In the late 1980s to the early 1990s, the Pharmaceutical Manufacturers Association (PMA, now Pharmaceutical Research and Manufacturers of America, PhRMA) Computer System Validation Committee (CSVC) led by Ken Chapman was the industry's main forum to discuss computer-validation issues. One series of discussions about system-development life cycle (SDLC) methodology resulted in the selection of the waterfall life cycle model (see Figure 1). In the mid 1990s, a variation of this waterfall model, the V model, became more popular (see Figure 2) and is still the model of choice. Looking back, there is no significant change in the computer validation SDLC. This is rather surprising because in some cases, using other methodologies might be advantageous (e.g., rapid prototyping methodology, which involves configuring how software should operate first, then documenting the final configuration and functional operation, followed by the software's operational verification).

Figure 1. "Waterfall" life cycle method.

PMA also published other computer validation related articles, mainly in Pharmaceutical Technology, which has published more than 40 articles about computer validation. Historically, this publication played a key role in shaping and spreading understanding of computer validation in our industry. Even individuals from FDA published articles in the journal back then (17). Sadly, this is no longer the case because, for better or worse, FDA is now stricter about allowing its employees to publish. (A list of computer validation–related articles is online at pharmtech.com.)

Figure 2: "V model" life cycle method.

The PMA CSVC was dissolved in the mid 1990s, and the US Parenteral Drug Association (PDA) became the industry's main forum. Part of PDA's computer-validation committee efforts focused on software-supplier audit and the creation of an audit repository center (ARC) (18). The ARC concept, however, has had varying success. Currently, the repository is managed by Syntegra. Since the late 1990s, the main industry forum for computerized systems validation has been the ISPE good automated manufacturing practice (GAMP ) group. The GAMP guideline is widely considered to be the de facto pharmaceutical-industry standard in computer validation. The current GAMP 4 version introduced the risk-management concept into computer validation in 2001, aligning with FDA's effort on GMPs for the 21st century. Currently, GAMP is working on version 5, which is slated for publication in late 2007 or early 2008. It is important to note that GAMP 4 explicitly excludes 21 CFR Part 11, although a separate guideline has been produced.

The healthcare industry has actively addressed Part 11 regulations. ISPE/GAMP and PDA both have published guidelines on Part 11, hoping to help clarify the implementation and compliance to the regulation. As discussed previously, there was much confusion about the implementation of Part 11 when it was initially introduced. Accordingly, PDA arranged a public FDA conference about Part 11 in June 2000 (19). The conference reinforced the public's concerns about Part 11, and based on industry's reaction, FDA issued the final guidance on Part 11 in August 2003 (15). FDA also scheduled a Part 11 public hearing in June 2004, again allowing the public to voice concerns and suggestions about Part 11. Unfortunately, President Ronald Reagan's funeral fell on the same day as the scheduled public hearing date, and the day was declared a federal holiday. The meeting was therefore cancelled and never rescheduled, prompting industry, as a "21 CFR Part 11 Coalition" to file a public petition letter in September 2004 (20). Since then, there has been a semblance of calm on the topic as FDA considers rewriting Part 11 and industry adjusts to a risk-based approach. The resulting decline in the number of Part 11 483s may be related to the fact that FDA is citing the predicate rule directly, rather than Part 11. Until the new amendment is issued, FDA is indeed showing enforcement discretion regarding the implementation of Part 11. It should be noted, however, that Warning Letters with severe consequences were sent to Able Labs, MDS Pharma, and Ranbaxy, and the warnings related to electronic records, even though Part 11 was not mentioned.

Perspective on enforcement and observations

We can understand FDA concerns about computer systems as we look at the following examples. The "Therac-25" medical-device software went awry between 1983 and 1987, overdosing patients with X-rays (21). FDA stopped the use of the device. According to the recollection of the authors, Wyeth Laboratories Inc. is believed to have received the first computer validation–related 483 from Center for Drug Evaluation and Research (CDER) in October 1983 for a lack of documentation for the validation of a computer system used for the statistical analysis of data. In the late 1980s, the generic-drug scandal caused concern because data had been falsified. One of the authors served as a witness in a grand jury investigation of the generic-drug scandal. Interestingly, Phil Piasecki, a former FDA official who later worked in the industry, once told one of the authors of an observation he made on computer systems. He noticed that the red light of a dehumidifier in a data center was on. After inquiring about the dehumidifier's purpose, he cited the company for not having a standard operating procedure (SOP) for its use and maintenance.

These examples illustrate the wide range of enforcement actions and levels of impact on patients' safety (from serious to limited and indirect impact). Since the mid 1990s, we have also seen numerous observations relating to computer-validation issues, ranging from "the system is not validated" to "the SOP is not followed." Since the early 2000s, however, it seems the number of observations has decreased. Between 2000 and 2005, the number of Warning Letters issued decreased by 50% (22), perhaps resulting from a shift in FDA's focus after the 9/11 attack in 2001 to homeland security and food safety (23). At the same time, FDA faces a decrease in budget spending (24).

FDA's presentation titled "Data Integrity, Another Looming Crisis," revealed its recent enforcement has focused on record integrity (25). The presentation made it clear that based on recent inspection findings, FDA would refocus on the integrity of e-records and train inspectors in this topic. Despite challenges that FDA faces, it has increased significantly the understanding and knowledge of computer systems in the industry. The agency actively participates and has a Computer System National Expert representing FDA in industry forums (e.g., GAMP), as well as providing computer validation training courses internally and through selected providers. Hence, although we are now seeing fewer computer-validation 483s, partly because FDA is citing predicate rules instead of Part 11, these 483s are more meaningful and should not be interpreted as a reflection of relaxed enforcement.

Perspective on computer-validation practices

The Standish Group's "Chaos" reports, indicate that "incomplete requirements and specifications" and "changing requirements and specifications" are two of the top three "project challenged factors" for computer-system projects (26). This assessment seems to hold true in today's computer-validation practices. An informal poll conducted by the authors indicates that user requirements are the main challenge when validating a computer system. User requirements have been a factor since the early years of computer validation. Nonetheless, the general understanding about how to conduct computer validation in the industry has increased since the 1990s, and most companies now have groups or departments dedicated to computer validation. Since the introduction of the Sarbanes–Oxley financial regulations for a publicly traded company, more and more information technology (IT) departments have established compliance groups. It is generally accepted now that IT infrastructure must be qualified to meet growing regulatory requirements across the business.


FDA has published more than 30 documents related to computer systems and computer validation, and the term computer validation is no longer foreign to the industry. Computer-validation practices and regulations are evolving and reaching the maturity stage of other validation disciplines, even if more recently it seems that the efforts on computer validation and Part 11 compliance are less apparent than before. This complacency might be a result of the wait-and-see attitude toward what the new Part 11 regulation amendment might bring and may also result from the perception that computer validation–related 483 observations have decreased in recent years.

The intent of Part 11 regulations was to allow businesses to be more efficient, to enable automation, and to generate less paper documentation. Yet, these goals have not been fully realized. Most companies addressed how to meet and comply with the Part 11 regulations, but they did not necessarily develop business strategies to take full advantage of what the regulations allow the companies to do.

As technology evolves, computer validation also will change. We will see what the next 10–30 years bring. Could we see programmable drugs based on nanotechnology? For example, one article suggests that nanodiamonds could be useful in biological applications such as carriers for drugs (27) or perhaps as bioerodible implants with programmable drug release (28). Computer validation will need to be continuously simplified, standardized, and automated while reflecting the growing complexity of designed and engineered drugs and delivery systems.


The authors thank Alan Kusinitz, managing partner of SoftwareCPR, and George R. Smith Jr., FDA consumer safety officer at CDER's Office of Compliance, for their input and review.

Rory Budihandojo* is the computer validation manager at Boehringer-Ingelheim Chemicals and a member of Pharmaceutical Technology's editorial advisory board, rbudihandojo@bichemicals.comSteve Coates is the director of computer system quality assurance at Wyeth. Ludwig Huber, PhD, is a compliance expert at Agilent Company. Jose E. Matos is manager of manufacturing systems and process automation at Bristol-Myers Squibb. Siegfried Schmitt, PhD, is the quality director at GE Healthcare Global IT. David Stokes is the life sciences manager at Business & Decision. Graham Tinsley is president of THINQ Compliance Ltd. Maribel Rios is senior editor of Pharmaceutical Technology.

*To whom all correspondence should be addressed. The scope of this article is specific to the healthcare industry and to the view of the authors or FDA, which may not necessarily reflect the view of the companies where the authors and reviewers are employed.

Where were you 30 years ago?

Rory: "I was in the UK, going to school."


1. E. Kübler-Ross, Five Stages of Grief, www.businessballs.com/elisabeth_kubler_ross_five_stages_of_grief.htm.

2. Risk Management,www.fda.gov/oc/mcclellan/riskmngt.html

3. IVT Proposed Validation Standard VS-2, Computer System Validation, IVT 3 (2002).

4. Guide to Inspection of Computerized Systems in Drug Processing (1983), www.fda.gov/ora/Inspect_ref/igs/csd.html.

5. Timeline of Key FDA Software Documents, www.softwarecpr.com/libraryframepage.htm.

6. ITG Subject: The Computer in FDA-Regulated Industries (1976), www.fda.gov/ora/inspect_ref/itg/itg23.html.

7. ITG Subject: The Computer in FDA-Regulated Industries Part II Computer Hardware (1977), www.fda.gov/ora/inspect_ref/itg/ itg29.html

8. Guidance for Industry: Computerized Systems Used in Clinical Trials (1999), www.fda.gov/ora/compliance_ref/bimo/ffinalcct.htm.

9. Guide To Inspections of Computerized Systems in The Food Processing Industry (unclear publication date), www.fda.gov/ora/inspect_ref/igs/foodcomp.html.

10. Australian Therapeutic Goods Administration, Code of GMP for Medicinal Products, Annex 11 Computerised System (2002), www.tga.gov.au/docs/pdf/gmpcodau.pdf.

11. Concept Paper on Computerised System Guidelines (2006), www.emea.eu.int/Inspections/docs/51857706en.pdf.

12. 21 CFR Part 211.186 Master Production and Control Records, www.fda.gov/cder/dmpq/cgmpregs.htm.

13. FDA Electronic Identification/Signature Working Group Progress Report (1992), www.fda.gov/ora/compliance_ref/part11/FRs/background/esigrpt1.pdf.

14. "FDA Revoking Existing Part 11 Guidelines and Replacing with the Draft Scope and Application Guideline," Fed. Register (Feb. 25, 2003), www.fda.gov/OHRMS/DOCKETS/98fr/03-4312.pdf.

15. Guidance for Industry, Part 11 Electronic Records, Electronic Signatures, Scope and Application (2003), www.fda.gov/cder/guidance/ 5667fnl.htm.

16. G. Smith, FDA Compliance Safety Officer, CDER, presentation at GAMP Conference in Washington DC, June 2007.

17. A.S. Clark, "Computer Systems Validation: An Investigator's View," Pharm. Technol. 12 (1), 60 (1988).

18. PDA Audit Resource Center, www.pda.org/webmodules/webarticles/templates/new_professional_audit.aspx?articleid=111&zoneid=62.

19. FDA Part 11 Compliance Committee's Summary of the Public Conference on the Technical Implementation of 21 CFR Part 11, www.fda.gov/ora/compliance_ref/ part11/PDA-conf-sum.htm.

20. 21 CFR Part 11 Coalition public petition letter (Sept. 2004), www.chpa-info.org/NR/rdonlyres/.

21. Therac-25 Case Materials, http://computingcases.org/case_materials/therac/therac_case_intro.html.

22. "FDA Receives a 483 on Its Birthday from Henry Waxman and His Committee," http://pharmamanufacturing.wordpress.com/2006/06/28/regulators-issue-a-483-to-fda-henry-waxmans-birthday-greeting-is-of-a-whole-nother-sort/.

23. "CFSAN 2006 Program Priorities," www.cfsan.fda.gov/~dms/cfsan506.html.

24. Bush Budget Would Reduce Funding for FDA Safety Inspections of Foreign Drug Plants, www.medicalnewstoday.com/medicalnews.php?newsid=20107.

25. E. Rivera, "CDER's Guidance for Industry, Investigating Out-of-Specification (OOS) Test Results for Pharmaceutical Production," presented at the 14th International GMP Conference, Mar. 13–15, 2007.

26. Standish Group, 1994 Chaos Report, www.standishgroup.com/sample_research/chaos_1994_2.php.

27. "Diamond Nanoparticles Appear Not to Be Cytotoxic," www.thenanotechnologygroup.org.

28. "Bioerodible Implants with Programmable Drug Release," www.sciencedirect.com.

This article, including an online exclusion list of computer validation–related articles published in Pharmaceutical Technology, is posted on pharmtech.com