Tuesday, June 12, 2012

Validation is a Parallel Process, Not a Parallel Universe

By

I hope by now I’ve convinced you from my previous blog posts that computerized systems validation is more than testing. It has its own terminology that comes from process manufacturing validation and covers a lot of the same ground as a system development life cycle (SDLC). It is a process that parallels the development and operation of a computer system that ensures the system meets its requirements when placed in production and then continues to meet its requirements during its operational life.
In the table below, I’ve mapped validation activities and deliverables to the SDLC, highlighting those documents that are not typically the concern of business analysts or application developers. In fact, most of the “validation” deliverables are already in the SDLC and produced by the relevant subject matter experts (business analysts, developers, test analysts, and business representatives). Accounting for the differences in terminology between IT and validation (e.g., a plan is equivalent to a protocol), then it should be clear that a validated computer system is a by-product of good practice.
Table 1. Comparison of Validation Steps and Documents to the SDLC
Step Validation Activity Validation Documents SDLC Phase
1 Determine validation activities Validation Plan (VP) Project Planning
2 Specify the system development details User Requirements Specification (URS)
Functional Requirements Specification (FRS)
Specification
Configuration Specification (CON)
System Design Specification (SDS)
Data Conversion Plan (DCP)
Infrastructure Requirements Specification (IRS)
Design
3 Perform Qualification Activities Design Qualification (DQ)
Requirements Traceability Matrix (RTM)
Vendor Audit (VA)
Design Review (DSR)
Installation Qualification (IQ)
IQ Protocol (IQP)
IQ Test Case/Scripts (IQT)
IQ Summary Report (IQR)
Construction
Build physical infrastructure
Build virtual infrastructure
Build virtual machine
Develop custom RICE
Application installation
Application configuration
Testing
Infrastructure verification
Virtual machine verification
Application verification
Unit tests
String tests
Integration tests
Data Conversion Qualification (DCQ)
Data Conversion Protocol (DCL)
Data Conversion Test Case/Scripts (DCT)
Data Conversion Summary Report (DCR)
Verify data conversion
Operational Qualification (OQ)
OQ Protocol (OQP)
OQ Test Case/Scripts (OQT)
OQ Summary Report (OQR)
System Acceptance Test (SAT)
Performance Qualification (PQ)
PQ Protocol (PQP)
PQ Test Case/Scripts (PQT)
PQ Summary Report (PQR)
User Acceptance Test (UAT)
Exception Management (ERF, ERL) Construction and Testing
4 Develop / Review Controls and Procedures Standard Operating Procedures (SOP)
Training Procedures
Training Records
5 Certify the System Validation Summary Report (VSR)
Release to Production Note (RN)
Release
6 On-going Operations Configuration Control
Change Control
Document Control
Record Retention
Security
Backup and Recovery
Disaster Recovery
Business Continuity
Operation & Maintenance
7 Periodic Review Periodic Review Report
In fact, only three documents are produced exclusively by the validation team:
  • Validation Plan
  • Validation Summary Report
  • Periodic Review Report
The balance of the highlighted documents is what differentiates CSV from the SDLC:
Validation Scope
  • Vendor assessment involving additional SME’s outside of IT, e.g., QA and procurement professionals to assist in vendor audits.
  • Standard operating procedures relating to the functions controlled by the computerized systems (and the Quality Management System) are developed or revised by business process owners and/or business analysts.
  • Having evidence that people are trained to perform their roles.
Maintaining the Validated State and Recordkeeping
Demonstrating the validated state is maintained by creating documented evidence (records) from standard operating procedures of the Quality Management System:
  • Configuration Control
  • Change Control
  • Document Control
  • Record Retention
  • Security
  • Backup and Recovery
  • Disaster Recovery
  • Business Continuity
As I’ve said before, validation is more than testing. In fact it’s more than the SDLC. But if you appreciate how it overlaps with good practices you can quickly see how to leverage existing capabilities to achieve and maintain a validated computerized system.

No comments:

Post a Comment