Only a small number of information technology (IT) projects are completed entirely successfully; approximately a third are cancelled and more than half significantly exceed deadlines and budgets (Figure 1). This is often because software suppliers have little or no experience of the validation required for the programs. However, validated software is important because good IT projects can help to reduce costs.

Figure 1: The success and failure of IT projects.

Pharmaceutical manufacturing process quality is governed by the requirements of the European Union's (EU's) EU-GMP Guideline, which covers implementing both hardware and software systems in production areas. The area concerning computer systems is described in Annex 11 "Computerized Systems," part of which requires that computer systems are validated from an early stage.

EU requirements The principle of Annex 11 is that "when a computerized system replaces a manual operation, there should be no resultant decrease in product quality or quality assurance. Consideration should be given to the risk of losing aspects of the previous system, which could result from reducing the involvement of operators." Additionally, it is essential that there is close co-operation between key personnel and those involved in implementing the system.

Annex 11 details how personnel responsible for computerized systems must be appropriately trained to manage and use such systems. This includes ensuring that relevant expertise is available to advise on aspects of design, validation, installation and operation of computerized systems.

According to the annex guidelines, the system requirements can be summarized as follows:

• The system should be in a stable environment, eliminating interference from extraneous factors.
• There must be a detailed written description of the system, which needs to be kept up to date.
• A computerized system should be thoroughly tested before it is used. If a manual system is replaced, the two should be run in parallel for a time as part of the testing and validation procedure.
• Data should only be entered or amended by authorized persons, and suitable methods of
• preventing unauthorized entry must be in place. When critical data are entered manually, there should be an additional check on the accuracy of the record; this may be done by a second operator or by validated electronic means.
• It should be possible to obtain clear printed copies of electronically stored data. Data should be regularly backed up and stored at a separate, secure location.

• A procedure should be established to record and analyse system errors, and to enable corrective action to be taken.

Generally, it is the company using the computerized systems that must ensure validation and compliance with Annex 11 requirements. It also has to ensure that its supplier works in accordance to the requirements.

Figure 2: Each phase must be validated throughout the project life cycle.

Validation, however, is a continuous process that includes stages such as planning, specifying, programming, testing, commissioning, documenting, operation, monitoring and modifying. Each stage must be validated to comply with Annex 11 requirements. It is essential that if a system is modified, all stages must be validated again (Figure 2). For example, if a user requirement specification (URS) document is not validated at every stage, it cannot be compared with the completed computerized system. More work will be required to bring the URS up to date.

If each stage is validated, the result is a comprehensive document. The relationship between the effort needed to produce the documentation and the actual system development work is frequently misjudged - the ratio is approximately 8:1 (Figure 3).

Figure 3: The relationship between documentation and system development and Figure 4: Quality decreases without documentation.

Critical factors Successful validation is based on a quality assurance (QA) system that encompasses all the departments involved in an IT project. Standard operating procedures (SOPs) must be provided for the work, and only by working to the SOPs will the implemented system achieve the required validation and quality.

If quality is to be maintained, this principle has to be adhered to. If, for example, a URS is produced according to a particular SOP then all further work on the document must be performed according to the same SOP. It is also important to maintain traceablity during the life cycle of the system. This procedure leads to complete documentation and is a requirement for successful audits.