along with its associated hardware. This testing needs to include the actual operation of the field instruments (valves, etc.), as well as the recording and storage of the data generated. Any changes to the set points of the instruments need to be recorded and logged.

As discussed in this chapter, software qualification is usually separated into two distinct activities: the structural testing and the functional testing. The structural testing includes the vendor audit, review of the code and checks on the integrity of the code so that there is no dead code (i.e., nonoperational code that may cause a “crash” or data error).

SCOPE

This chapter will cover the qualification of various types of computer systems, including automated devices used in the control of pharmaceutical/medical devices. While Chapter 46 covered the background and software validation/qualification aspects of CSV, the hardware still needs to be qualified. This chapter will deal with the qualification of the various types of computer or automated control systems.

The intent is to provide the reader with an appreciation of the complexity and the similarities of all types of computer or automated system qualifications. It is a general guide as to what is required to qualify/validate the controlling systems used in the pharmaceutical, biotechnology or medical device industry.

As stated in the introduction, all computer or automated controllers require qualification; the level of qualification is dependent upon its function. The industry generally has adopted the GAMP [a] levels of software systems. There are five levels of systems according to the guide; these are:
- Firmware—This is the microchip type of system
- Operating System—The software performing the underlying operation of the system (e.g., Windows XP®)
- Standard Software Package—Non-configurable, also called “off-the-shelf”
- Configurable Software Package—Standardized packages that the owner can configure to fit their specific needs or operations. These can perform a general function, e.g., blending; these are termed “COTS” or “configurable off-the-shelf”
- Custom Software—Prepared specifically for the operation (usually prepared by specialty firms or in-house programmers).

Each level above requires its own level of qualification, increasing as the level goes up (the highest level is the custom system). Notice that the levels are related to the software and not the hardware. This is because the hardware serves as the framework in which the software performs its function. The interaction of the software and hardware needs to be qualified. It is not possible to qualify one without the other.

[a] GAMP Guide for Validation of Automated Systems, Ed. 4, ISPE 2001.

GENERAL TESTING ALL SYSTEMS

All computers or automated controllers that are used in or for the production of pharmaceuticals or medical devices require qualification prior to their use in the process. Computers need qualification just as any other system or component of the manufacturing process does. The main difference between general equipment qualification and CSV is that, as mentioned above, there are two stages for the completion of a computer or computer system. These include the software and hardware aspects of the system. The first part of any CSV program is the qualification referred to as structural; the second phase of the qualification is the functional aspect of the systems. The structural qualification portion of the program is focused on the development of the software, while the functional qualification focuses on the actual operation or function of the system. Chapter 46 deals with the structural qualification aspect; this chapter will concern itself primarily with the functional aspects of the qualification program.

As with software qualification, the hardware can be divided into various stages. Each stage requires a qualification phase in order to demonstrate that it is complete. These stages can be divided as follows:
- Development—establishing system requirements
- Build—obtaining the correct components per specifications
- Implement (this is where the full qualification program is required)
- Operation (part of the full qualification program where a qualified state needs to be maintained)
- Retirement—decommissioning the system for replacement by another system

Functional qualification follows the same pattern as any other pharmaceutical equipment or systems qualification. Thus, in order to perform a functional qualification as described in Chapter 9 of this book, an IQ and an OQ are necessary (refer to Chapter 9 for general IQ and OQ requirements).

The IQ provides verification that the system is installed according to a written preapproved plan. The same is true for the OQ. All pharmaceutical systems should have the following:
- Vendor qualification via an audit
- User specification
- Design specifications

However, in addition to the “usual” requirements for IQs and OQs, the qualification of computer systems requires some additional items. Some of these are:
- Verification of system security
- Controlled access to the program
- Levels of access—e.g., an operator is allowed to input data but the supervisor is allowed to approve the data
- Protection of the system from outside interference (e.g., no access via phone lines or the internet). Note: Usually an intranet connection will be allowed.
- Ability to track all entries (audit trail) into the system—this includes the date, the person making the entry and why the entry is made or changed.
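The access-level and audit-trail items in the list above, as an added sketch that is not from the original chapter: an operator may enter data, only a supervisor may approve it, and every attempt is logged with date, person and reason. The user names, the `AuditedRecord` class and the hash chaining of trail entries are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Access levels from the chapter's example: operator inputs, supervisor approves.
PERMISSIONS = {"operator": {"enter"}, "supervisor": {"enter", "approve"}}


class AuditedRecord:
    """One data point plus an append-only trail of who did what, when and why."""

    def __init__(self, users):
        self.users = users  # user name -> role (constructed sample data)
        self.value = None
        self.approved = False
        self.trail = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _attempt(self, user, action, reason, new, precondition=True):
        """Decide whether the action is allowed and log it either way."""
        role = self.users.get(user)
        allowed = (precondition
                   and action in PERMISSIONS.get(role, set())
                   and bool(reason and reason.strip()))  # a reason is mandatory
        entry = {
            "when": datetime.now(timezone.utc).isoformat(),
            "who": user, "action": action, "why": reason,
            "old": self.value, "new": new, "allowed": allowed,
            # Hash chaining is this example's own choice for tamper evidence.
            "prev": self.trail[-1]["hash"] if self.trail else "",
        }
        entry["hash"] = self._digest(entry)
        self.trail.append(entry)
        return allowed

    def enter(self, user, value, reason):
        ok = self._attempt(user, "enter", reason, value)
        if ok:
            self.value, self.approved = value, False  # a change voids prior approval
        return ok

    def approve(self, user, reason):
        ok = self._attempt(user, "approve", reason, self.value, self.value is not None)
        self.approved = self.approved or ok
        return ok

    def trail_intact(self):
        """Recompute the hash chain; False if any entry was altered or removed."""
        prev = ""
        for entry in self.trail:
            if entry["prev"] != prev or entry["hash"] != self._digest(entry):
                return False
            prev = entry["hash"]
        return True


def demo():
    rec = AuditedRecord({"alice": "operator", "bob": "supervisor"})  # constructed users
    results = [
        rec.enter("alice", 121.5, "sterilizer temperature reading"),
        rec.approve("alice", "looks fine"),           # operator may not approve
        rec.enter("alice", 121.0, ""),                # change without a reason
        rec.approve("bob", "checked against chart"),  # supervisor approves
    ]
    return rec, results


if __name__ == "__main__":
    record, outcome = demo()
    print(outcome, record.approved, record.trail_intact())
```

Denied attempts stay in the trail, so a reviewer sees the refused approval and the reasonless change as well as the accepted entries.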
47: VALIDATION OF CONTROL SYSTEMS 621
BLACK BOX VS. WHITE BOX TESTING

There are two methods of testing automated control systems. These are referred to as “white box” and “black box” testing. Both means of qualification are used for systems at or above Level 2 of the GAMP classification of computer systems. The difference between “white” and “black” box testing is in the level of testing of the software. Black box testing is primarily functional testing, while white box testing includes a review of the source code (of the software program) as well as the means of code development.

When doing black box testing the operation of each portion of the software is tested. In addition, the testing establishes that each function necessary for the correct operation of the unit(s). Typically, the black box testing grows exponentially with the amount of I/O while the white box testing grows linearly.

GENERAL DOCUMENTATION

When beginning a CSV program, as with other qualification programs, certain documents need to be either prepared or collected. Since the qualification will involve components not usually seen and usually not accessible, having the correct documents at the very beginning of the project will help assure its success. The list below covers the main documents to be prepared or collected:

Prepare:
1. CSQMP
2. User requirements
3. Functional specifications
4. Traceability matrix (Note: To be prepared AFTER all specifications and protocols have been collected and developed but BEFORE protocol execution).
5. SOPs (to include the “How to Prepare” SOPs)
   a. System setup/installation
   b. Data collection and handling
   c. System maintenance
   d. Backup
   e. Recovery
      i. Backup
      ii. Crash
      iii. Jam/freeze
   f. Contingency plans (emergencies)
   g. Security
   h. Change control
   i. Storage
6. Protocols
   a. Commissioning
   b. IQ
   c. OQ
   d. PQ (as necessary)

Collect:
1. Ladder logic—As necessary for PLCs
2. Design or Vendor specifications for each component—part of the system (network interfacing, MMI)
3. Software version to be installed
4. Software source code (or 3rd party agreement)

After the documents are prepared and/or collected, you are ready to begin the qualification program itself. (Note: this is assuming that the structural qualification has been completed and is acceptable.) As with all qualification programs, the commissioning phase usually is the first “field” effort undertaken. (Note: This follows the FAT and SAT portion of the program.) The commissioning portion of the qualification can be performed, at least in part, during the installation of the system. For example, while the lines are being run to the field instruments the loop checks can be performed. A loop check is a check of continuity (and thereby function) of the connection between a field instrument and the controller. It is far simpler to perform and document the loop check as each loop is being installed rather than after the system is intact and ready to operate. Other items that can be performed during the installation or as part of the commissioning phase are:
- Instruments adjusted/calibrated (loop checks)
- Ambient conditions
  - Temperature
  - Humidity
- Alarms and events (general testing—operational testing is left to the OQ phase of the qualification)
- Graphics
- Database location
- Network configuration

The next phase of the qualification is the IQ. As pointed out in Chapter 9, this may be done at the same time or before the commissioning phase of the program. Either during or even before the IQ is started, the structural phase of software testing is completed. Since the structural testing includes items such as the vendor audit and the code review, this part of the qualification must be completed prior to any functional or OQ testing as discussed below.

The general IQ consists of the following verifications. Specific tests will be pointed out later for each of the types of automated systems.
1. List all components
   a. Input devices—HMI and/or MMI
      i. Keyboard
      ii. Mouse
      iii. External devices
         - Field instruments,
         - External drives,
         - Monitors, etc.
   b. Output devices
      i. Screen
      ii. External data device—hard drive
      iii. Printer
      iv. Field instruments
   c. Data storage devices
      i. Hard drives
      ii. MP3
      iii. Floppy drives
      iv. Flash cards
      v. Tape/CD/DVD (backup)
2. List type of hardware
   a. Mother board—chip type
   b. Controller cards
      i. Video
      ii. Sound
      iii. I/O
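Why black box testing grows with the number of input combinations, as an added example that is not from the original chapter: a constructed five-input, five-output interlock in which one test per input passes, while the full set of 2^5 = 32 on/off combinations exposes an undocumented interaction. Only the vessel pressure input and the vent valve output are taken from the chapter; the other signal names and the faulty logic are assumptions.

```python
from itertools import product

# Constructed signal names; only the first input/output pair is the chapter's.
INPUTS = ["vessel_pressure_high", "in_2", "in_3", "in_4", "in_5"]
OUTPUTS = ["vessel_vent_valve_open", "out_2", "out_3", "out_4", "out_5"]


def spec(inputs):
    """Requirement as written: each output follows its own input
    ("Open the vessel vent valve when the vessel pressure is high")."""
    return {out: inputs[inp] for inp, out in zip(INPUTS, OUTPUTS)}


def plc_under_test(inputs):
    """Constructed stand-in for the installed logic, with one undocumented
    interlock: in_4 (say, a leftover bypass) blocks the vent valve."""
    outputs = spec(inputs)
    if inputs["in_4"]:
        outputs["vessel_vent_valve_open"] = False
    return outputs


def run(cases, logic=plc_under_test):
    """Return the input states whose observed outputs differ from the spec."""
    return [case for case in cases if logic(case) != spec(case)]


def single_stimulus_cases():
    """One test per input: stimulate it alone, all others off (5 tests)."""
    return [{name: name == active for name in INPUTS} for active in INPUTS]


def exhaustive_cases():
    """Every on/off combination of the inputs: 2**5 = 32 tests."""
    combos = product([False, True], repeat=len(INPUTS))
    return [dict(zip(INPUTS, bits)) for bits in combos]


def summary():
    """Test counts and failure counts for both black box strategies."""
    single, full = single_stimulus_cases(), exhaustive_cases()
    return {
        "single_tests": len(single), "single_failures": len(run(single)),
        "exhaustive_tests": len(full), "exhaustive_failures": len(run(full)),
    }


if __name__ == "__main__":
    print(summary())
    for case in run(exhaustive_cases()):
        print("mismatch with inputs on:", [k for k, v in case.items() if v])
```

A reviewer reading `plc_under_test` sees the extra `in_4` condition directly, which is the white box advantage the chapter describes.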
622 VIII: COMPUTERIZED SYSTEMS
From a black box testing perspective, this is very difficult to catch. You must, in fact, black box test all possible combinations of the interlock conditions in each of the four states (good, going into alarm, alarming, going into good). For our example, the black box testing would contain eight tests alone! On the other hand, white box testing could be done on six of those states, leaving two for black box.

A typical protocol for the average PLC should be about 90% white box (Ladder logic or code review) and 10% black box (functional). The number of total tests is exponentially proportional to the amount of I/O and code. Therefore, for 50 I/O, there may be 2500 tests. That is, there may be 2500 interactions between inputs, outputs, and internal conditions. A test protocol with white box testing would examine dozens of these interactions in a few test cases, using the duplicity of the structure with which they were created (if there was a structure).

The testing for all network-rung paths and all possibilities, as well as questioning the operating system integrity, would take longer than the testing of inputs, outputs, and screens in a black box fashion.

For another example, assume we have a system of five inputs and five outputs. For the short term, we will ignore the complexities that can be built into the operator interface. Given an input, or combination of inputs, some outputs happen. Let us say that input 1, vessel pressure high, causes output 1, vessel vent valve, to actuate. The requirements and design documents will probably state, “Open the vessel vent valve when the vessel pressure is high.” Most protocols would include a single test—stimulate the input, observe the response output. This must be done for each of the I/Os.

Continuing with the 5×5 example, if the system is such that the position of the outputs will not feed back in to how the system responds (meaning that the PLC does not care that the vessel vent valve is open as it goes on to do its other tasks), then each input should have 32 tests (on or off = 2 positions; with five inputs, $32 = 2^5$). Assuming that the protocol is written such that the other output expected results are inclusive in the 32 tests, there should be 32 tests for five inputs to generate five outputs. The argument is that this is more than the number of tests necessary for white box testing. By following the code in the white box analysis, there will be only one path to test for each input and one path for each output, for a total of 10 tests.

Of course, as more interlocks, sequences, and other rules are added to the complexity of the PLC logic, the advantages are harder to see—though they are still there.

Items to verify for PLCs:
- Review the ladder logic
- Correct version installed
- Inputs and outputs
- Environmental conditions
- Point-to-point testing—Loop checks

Personal Computers

PCs are relatively easy to qualify. The reason for this is that most of the software used on a PC is off-the-shelf non-configurable. That is, the software cannot be changed. Only the application is configurable. For example, the Microsoft Excel® spreadsheet program can neither be validated nor qualified. However, the application of each spreadsheet must be qualified. Specifically, each calculation needs to be verified, from its algorithm to its data input and output.

All aspects of the PC need to be qualified, just as any other process or laboratory equipment. All I/O devices (e.g., keyboards, disk drives, USB inputs or outputs, mouse control and other pointers, screen displays, printers, etc.) need to be tested and demonstrated to be functioning correctly. This means that the data being input is the same as the data coming out. For example, when typing the letter “M,” the keyboard should respond only to the M from the designated key and the screen should display only an M from that designated key. The same holds true for any data storage device, whether internal or external.

One difference between PCs and other automated controllers is that very often the data is taken off the PC and stored in an external device (tape drive, external hard disk, etc.). In this case the data transfer to the devices used for storage, as well as the recovery of the data from the device, needs to be qualified. Storage time of the data on the external device as well as the environmental conditions it is stored under are factors in this qualification.

Code review for vendor-supplied programs is not required. This includes the operating system. A word of caution here is that the last statement assumes that there are many hundreds of units of the same program on the market and thus errors in the code have been readily observed and corrected. Thus, if one purchases or prepares a new operating system, specific for the application, then this would require full qualification as determined by the GAMP4 approach.

There are other areas where extra caution is needed when using a PC for control operations. One of the biggest areas of concern in the use of PCs is their ability to connect to the “Internet.” The Internet is an outside link, i.e., opening the system to other computers, and should be avoided. Data security and integrity are key issues in dealing with any automated control system.

Items to verify on a PC:
- All input devices
- All output or data storage devices
- Data integrity both in and out of the PC
- PC calibration
- Software:
  - Operating and off-the-shelf programs do not usually require qualification
  - Application software and applications on off-the-shelf programs do require qualification (e.g., COTS—Commercial off-the-shelf software)
- Environmental conditions—Temperature/humidity/liquids

Networks

PLCs and PCs may be linked together to form a “Network.” Simply, a network is a group of individual units (PCs or PLCs) linked together so that information can be easily shared. There are two basic types of networks, open and closed. In the pharmaceutical industry, the closed network is the preferred type. As described above with the PCs, the internet represents an
open system and thus the greater possibility of data corruption.

Networks come in many formats. In the early days of networking, two or more computers were connected by regular wires between the units. The next stage was the use of “twisted pair” wiring. This made use of part of the telephone wires for connecting the computers. This gave way to the Ethernet and now the wireless network. Each of these earlier types of networks still exists, although some to a much lesser degree. Each requires its own special approach to qualification.

is, regardless of any printouts of this data, the active data that the company uses is this electronic record—like a maintenance log for a piece of equipment used in drug manufacture. The security needs to be tied to the record, and typically, the record is tied to a database system. In this case, if users were transmitting this data over the network, then the network should be validated. However,

database system (with tests that make sure clients can talk to servers and so forth). In addition, there is typically some platform validation performed to ensure that the network has appropriate bandwidth and can handle traffic flow correctly.

A risk assessment should truly answer when to do network validation. For example, if the network is only used for backing up servers, then the firm would develop a set of requirements, specifications, and tests regarding how servers are backed up (in this case a worst-case scenario would involve data quantity as opposed to network loading). If the network were only used for client interaction to the server, then the firm would develop requirements, specifications, and tests around network loading, response speed, and server time-outs—packet “sniffer” software will typically analyze this.

Let us assume for a minute that the firm has a large multiuser database system that is being tested prior to plant roll out. In the test room, there are a couple of clients, the server, and a network switch that are all tested and validated. Now the system is placed on the plant network. The firm discovers from an investigation that there are a number of differences: some of the client PCs on the network are using older operating systems. The network itself is larger and more complex and uses hubs, routers, and firewalls. Will it be necessary to retest all the aspects of the application? No. Is the application still validated? Yes. What is needed is to resolve and test aspects of the network.

If “Yes,” start by analyzing the test network and the live network. A good packet sniffer available for free is Ethereal (1). Based on where packet collisions occur, it can detect which part of the network is having an issue and resolve it. The firm can use the test system to develop data transmission requirements (based on what the sniffer reveals) and then validate to those requirements on the live system.

Validate the network with the application (assuming that both the application and the network relate to predicate rule records or processes), and then “qualify” the network platform for all the systems that use it. So, for example, a database client–server system is validated with the network structure in place, and then the network is “qualified” to be able to handle all the other client–server systems it has to carry (that is, bandwidth and capacity are evaluated).

Items to consider for network qualification:
- All major components of the network (e.g., PCs, routers, switches)
- Point-to-point testing
- Qualify networks that are related to predicate rule data
- Use the risk assessment approach to determine the
- Application layers
- Commissions to specifications
- Validates to requirements
- Security (refer also to Part 11)
  - Open system
  - Closed systems
- Collision reconciliation

Larger automated systems such as discussed below are similar to the smaller systems described above. All of the same type of testing needs to be done for these larger systems. The difference is in the complexity of the system and the amount of time required to complete the qualification program. In general, the larger the system, the more time it will require to qualify, since there are an increased number of variables to test. With more complicated systems, it is more important to follow a full qualification program starting with the development of a Validation or Qualification Master Plan. This plan should be specific for the system(s) involved, its intended use and the type of hardware and software to be used.

Supervisory Control and Data Acquisition

SCADA systems are made up of several components. Each of these components may be qualified as separate units or combined into one large qualification program. A SCADA system is made up of:
- HMI—The screen is often a touch screen
- Control Units—Controlling the field devices
- Main Processor—Interprets the information from the field units/PLCs and the operating instructions from the HMI

As with all automated or computerized systems, security and data integrity are primary issues. Each of the components needs to be secure from outside interference as well as internal problems resulting from adjacent equipment or component problems. Alarms are key to the functioning of a SCADA system. They alert the operator of problems in carrying out the instructions inputted by the operator or the recipe.

Items to verify for a SCADA qualification:
- Alarms
- Loop checks
- Point-to-point are unique
- Field unit verifications
- Input devices
- HMI
- Access levels
  - Supervisor
  - Operator
identification and a password). On the other hand, a biometric identification would include fingerprint identity, retinal scans of the eye, or voice recognition. Biometric identification is becoming easier and less expensive, and is available on some PCs now.

As can be seen from this short discussion of Part 11, the regulations are not difficult; however, some aspects of the rules may be harder to implement. All control systems have, or should have, limited access to both the system and the various levels of data (e.g., operator, supervisor, and administrator). Any change in the data needs to have a “trail” indicating “who” made the change and why the change was made (similar to changes in paper records). Thus, compliance to Part 11 has become achievable and, with the new Guidelines from the FDA, it has become more understandable. However, care needs to be taken with all computerized systems to be sure that all of the Part 11 regulations are implemented.

ACKNOWLEDGMENT

The author acknowledges the assistance and input from John Hannon on several of the topics in this chapter.

BIBLIOGRAPHY

Code of Federal Regulations 21 CFR Part 11, 2006.
Code of Federal Regulations 21 CFR Part 211, 2006.
Code of Federal Regulations 21 CFR Part 211 (21 CFR Part 11), 2006.
FDA Computerized Devices/Process Guidance, May 1992.
FDA General Principles of Software Validation; Final Guidance for Industry and FDA Staff, January 11, 2002.
FDA Guidance for Industry—PAT: A Framework for Innovative Pharmaceutical Manufacturing and Quality Assurance (draft guideline), August 2003.
FDA Guide to Inspection of Computerized Systems in Drug Processing, February 1983.
General Principles of Software Validation; Final Guidance for Industry and FDA Staff, U.S. Department of Health and Human Services, Food and Drug Administration Center for Devices and Radiological Health Center for Biologics Evaluation and Research—January 11, 2002.
Good Automated Manufacturing Practice (GAMP) Guide for Validation of Automated Systems, ISPE, 2001, GAMP 4.
Good Practice and Compliance for Electronic Records and Signatures—Parts 1 and 2, ISPE and PDA, 2002.
Guidance for Industry Part 11, Electronic Records; Electronic Signatures—Scope and Application. U.S. Department of Health and Human Services Food and Drug Administration Center for Drug Evaluation and Research (CDER) Center for Biologics Evaluation and Research (CBER) Center for Devices and Radiological Health (CDRH) Center for Food Safety and Applied Nutrition (CFSAN) Center for Veterinary Medicine (CVM) Office of Regulatory Affairs (ORA), August 2003.
Guidance for Industry PAT—A Framework for Innovative Pharmaceutical Development, Manufacturing, and Quality Assurance—U.S. Department of Health and Human Services Food and Drug Administration Center for Drug Evaluation and Research (CDER) Center for Veterinary Medicine (CVM) Office of Regulatory Affairs (ORA) Pharmaceutical CGMPs, September 2004.
ISPE C & Q.
IVT article on PLCs.
King JH. A Practical Approach to PLC Validation, Institute of Validation Technology. Special ed. Computer Validation II, 2005.
Technical Report No. 18, Validation of Computer-Related Systems, PDA, V49, number S1, 1995.
http://www.ethereal.com/
http://www.pacontrol.com/PLC.html
http://www.pacontrol.com/SCADA.html
http://www.pacontrol.com/DCSystem.html