Validation Insights for an Off-the-Shelf Quality Management System

by Julia Winterhalder | Nov 30, 2021

Anyone who has been involved in the implementation of a Quality Management System (QMS) knows that probably the most challenging part of the project is the validation. Of course, validation is a very important topic as the software system is supporting tasks and activities in a highly regulated industry, but the additional effort can feel overwhelming.

Don’t underestimate the time to validate a new software system

Normally you need a validation expert in your team to guide you through the process, which is a project of its own, running in parallel to the actual technical implementation. It is nearly impossible to revalidate an existing system, so it is essential that you do it correctly in the first place. The importance and criticality of the validation add a lot of time and require additional budget for the project. The time to validate a new software system can be wildly underestimated, and experience and training are necessary to know how to do it properly so that an auditor will not find gaps in your documentation.

According to GAMP 5, there are four different application categories of software products related to good manufacturing practices. Based on these categories, different validation deliverables have to be created, meaning the effort for the initial validation can vary a lot from one software component to another.

GAMP 5 Categories Overview

The table above identifies Category 1 and Category 3 in a very clear manner. Category 4 and Category 5 can be a bit trickier to define, depending on the software to be implemented. To be in accordance with GAMP 5 it is important to understand the difference between Category 4 – Configuration and Category 5 – Customization.

  • Configuration is the modification of standard functionality of a software product to meet the business process or user requirements, for example including defined text strings for drop-down menus, turning software functions on or off, graphical dragging and dropping of information elements, and creation of specific reports.
  • Customization means writing code, scripts or procedures in an external programming language (such as C++, .NET or SQL) to meet business requirements.

Custom applications developed to meet the specific need of regulated companies

A custom application (Category 5), while being the most flexible in fulfilling business user requirements, will require the most effort to validate, as everything must be documented. The best way to do this is to follow the V-Model and keep an end-to-end mapping throughout all documents authored in the different project phases. The most efficient approach is to create the technical documentation at the end of the development phase, because every change in the development scope will also lead to a change in the documentation. (Of course, this is not an insider secret; we all know how often scope is changed.) Every change to the system takes just a few seconds on the technical side, but it can take days to update the documentation with the changes and to route it for and receive approvals.

Anyone who has gone through the process of implementing a new QM system and had to determine the correct category at the beginning has likely realized that this is not as easy as it sounds. A misstep early in the classification of the system can lead to validation documents and efforts being greater than expected in the end. First, defining the deliverables to validate the system, including a Validation Master Plan, a User Requirements Specification, and System and User Test Scripts, is straightforward, and there are even many resources online to guide you on the documents that are needed. Next, add the time required for all of these documents to be written, reviewed and approved, as well as for the formal execution of test scripts with post-execution approval. On top of these efforts, there will likely be some issues identified, and every resulting deviation will need to be tracked, evaluated, and resolved or accepted as a known error. What started out as a few documents has ballooned into a robust documentation package that will easily add several weeks to your planned timeline.

Configured Products that meet user specific needs

On the other hand, you may be implementing an “off the shelf” or pre-configured QM system (Category 4), for which the technical part of the validation was already done by the vendor and only the changes and customizations need to be validated. Here the business users and Quality organization will provide guidelines to determine whether the software supplier documentation can be accepted as-is or whether additional vendor qualification or retesting is required to satisfy the business expectations. The testing can turn into a bit of a grey area: what is really out of the box (OOTB) and already covered, what will require detailed testing, and what will be sufficient to fulfill both validation and business needs. Fairly often a risk-based testing approach is considered, in which requirements are classified as high, medium or low risk to the business process and the testing is aligned with this assessment. This can help save a lot of additional time.

There is a second option to the Category 4 “off the shelf” solution that layers in the software as a service (SaaS) model. With this approach, imagine implementing a fully validated QM system as a cloud solution, fully pre-configured and with all validation documents already provided, and updated by the vendor with each subsequent upgrade that is pushed out to your hosted environment. You just cut your timeline in half – from a validation perspective this sounds great but from a user perspective it might not.

Users will be wondering: Will this pre-configured QM system behave as we need it to for our existing processes? How much can we still adapt it to our needs and, if we do, what does this mean for the validated state of the QM system? When implementing a SaaS QM system, the “revolutionary” idea is that you treat each update as a change. By definition, a change has limited documentation requirements, which means you don’t need a validation specialist: you will spend less time creating documents and executing test cases, and in the end you will save a lot of time and budget. Just one item to highlight for completeness: the periodic vendor upgrades (per vendor schedule) will need to be evaluated for any impact on the changes that have been put in place before, to determine whether any regression testing and validation documentation updates will be required. This common scenario is another reason to keep changes to the application as limited as is acceptable to the business.


So, in summary the fully pre-configured and validated system will save time and budget because you will receive all of the authored, approved and executed documents from the vendor. There is nothing left that you need to take care of for the base implementation. Any of the application adjustments which need to be done to meet business requirements will be documented as changes. All you need to do is to take the existing technical documentation, capture the changes and test only those, and potentially revisit them during vendor upgrades. It may sound too good to be true, but it is not — we have implemented QMS solutions with this approach and the results speak for themselves.

Overall, yes, validation is scary. But when approached in a smart way it does not have to turn into a huge undertaking. Pre-configured software solutions have advantages and should be favored compared to full-blown custom solutions. If they are in a SaaS model and the business is fine with that — the solution will appear even better from a validation standpoint.

Please reach out to us with any questions around this topic. With many years of experience in Life Sciences projects our team lives and breathes the validation methodologies and can help you to make sure that your project will be properly validated, in a smart and effective way, and will withstand any audits — using your own validation methodologies or bringing in templates from our previous experiences.


fme Life Sciences is a leading provider of business and technology services supporting the deployment of Content Services and ECM solutions to its clients in the Life Sciences Industry. We act as a trusted advisor and systems integration specialist across the Clinical, Regulatory and Quality and Manufacturing domains in Europe and North America. We do not exclusively recommend or promote any platform or vendor, but rather we focus on providing our clients with an independent perspective of the solutions available in the market.