Industries whose products impact human life, such as food and beverage and pharmaceuticals, are highly regulated. To achieve compliance with stringent regulations and maintain high product quality, maintenance organizations implement a computerized maintenance management system (CMMS) as part of a larger quality management system (QMS). To protect consumers, regulatory agencies require organizations to demonstrate that their CMMS software has been installed correctly and functions according to its intended use. This process, called software validation, is critical to meeting guidelines for compliance and quality management.
What is Software Validation?
Software validation is a process done to determine if a software program complies with the requirements set by the organization, performs its intended functions, and meets the organization’s needs and goals. The purpose of CMMS software validation is to document that the system meets specifications, has been installed correctly, and can accurately and consistently produce intended results. In addition, software validation makes clear the way you intend to use the CMMS and identifies potential issues that impact other business processes.
The concept of software validation often creates confusion during the CMMS buying process. Validated software is a common software requirement for CMMS buyers. However, it is important to understand that even though the CMMS is purchased from the vendor, it is the organization who is responsible for software validation – not the vendor. Vendors may, however, provide software validation tools or assistance.
Who is Involved in Software Validation?
The CMMS software validation team is typically comprised of someone from the IT department and CMMS power users. The IT department’s role is to confirm that the technical infrastructure is in place to support the CMMS. This includes servers, networking hardware, computers and devices, and applicable software such as supported operating systems and web browsers. IT is also best equipped to document technical problems encountered during validation testing.
CMMS power users play the role of project managers. They identify the scope of what needs to be validated, define what operations are important, create and/or perform tests, and document any hiccups encountered during testing. When problems occur, power users determine the reason for the issue and take the appropriate corrective action. Power users may also assign other users to perform tests and report the results.
Some organizations hire third party companies to perform software validation tests for them. CMMS vendors may also offer validation assistance or services. The cost of these services depends on the amount of functions that need to be tested. The fewer operations there are, the faster and lower cost the validation process will be. Even though validation is performed by someone else, CMMS power users and IT are still valuable for determining technical requirements and project scope.
Does My Organization Need to Validate Its CMMS?
In the United States, software validation is required by organizations that are regulated by the United States Food and Drug Administration (FDA). These industries include businesses who make:
- Food and beverages
- Pharmaceuticals
- Botanicals
- Medical devices and surgical instruments
- Dental, ophthalmic, and orthopedic equipment and supplies
- Diagnostic substances
- Parts or ingredients used to produces the goods listed above
Typically, maintenance organizations are concerned with compliance related to the FDA Code of Federal Regulations Title 21, Parts 11 and 820. FDA CFR 21, Part 11 sets rules related to electronic signatures, which a CMMS may use for features like work order approvals. Part 820 describes the requirements for quality management systems, of which a CMMS is part.
Organizations that seek certification from other nongovernmental standards bodies, such as the International Organization for Standardization (ISO) may also be required to perform software validation. In some cases, organizations require compliance with specific standards, such as ISO 9001 standards, in order to be a business partner.
Even if unregulated, software validation should be considered in any organization that wants to improve quality. Software validation helps organizations establish good practices, standard operating procedures, and software use policies that contribute to higher quality products and processes.
How Do You Validate CMMS Software?
While the FDA requires software to be validated, it does not specifically tell organizations how to perform validation. This is because the FDA cannot predict how your organization intends to use the CMMS, so you must show them via the software validation plan and testing. Software validation boils down to documenting that the CMMS meets specifications, is installed correctly, meets your organization’s needs, fulfills its intended use, and functions properly.
Note: For organizations that are not regulated by the FDA, please refer to the documentation provided by the respective compliance agency for guidance.
When validating software, the FDA recommends taking the least burdensome approach, which is defined as “the minimum amount of information necessary to adequately address a relevant regulatory question or issue through the most efficient manner at the right time.” So, how does one achieve the least burdensome approach? Many organizations follow a basic validation process made up of three sequential stages: Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ).
Installation Qualification
Installation qualification (IQ) verifies that the CMMS is successfully installed in the environment in which it is meant to be used and documents the installation procedure. CMMS vendors provide customers with system requirements. It is up to your organization to obtain the hardware (i.e., servers, computers, mobile devices, barcode scanners or other hardware) and software (i.e., operating systems, web browsers, integrated software systems) to support or access the CMMS.
Along with the vendor-provided system requirements, organizations should document what hardware and any other software is being used to access the CMMS. Organizations that host the software locally should create an internal installation guide to document the installation process.
Operational Qualification
Operational qualification (OQ) is a documented testing process that verifies that the system does what it is supposed to do. Tests outline the specific actions a user must takes in the software to perform an action, the expected outcome, and the actual outcome.
If the actual outcome matches the expected outcome, the test is valid. Differences between the expected and actual results must be documented and rectified. Doing so may involve taking different steps to complete the action (which should be documented) or asking the vendor to resolve the issue.
While it may seem burdensome to perform OQ tests, keep in mind that you only need to test the features and functions that you will use.
Performance Qualification
Performance qualification (PQ) determines whether the system performs as intended in real-world conditions. You can think of the previous phase being conducted in a “laboratory setting,” where a limited number of users are testing the software with a small set of data to verify operations. This testing environment is not reflective of real life.
PQ ensures the system is equipped to handle the “live load,” or amount of data, bandwidth, storage capacity, and speed required during peak use within a work shift. Ideally, the software responds promptly without freezing or crashing.
What to Do When Software Fails Validation Testing
What happens if the CMMS fails a software validation test? Any failures must go through a correction process. The validation team determines if the cause of the failure originated from a user, poor test design, incorrect configuration, or even issues with the software itself (such as defects).
The first three causes mentioned can be corrected via training, OQ test rewrites, or vendor technical support. If defect fixes are required by the vendor, the organization must retest the software once an update has been delivered. Any changes to software policies, operating procedures, and training documentation need to be updated as well.
Revalidating Software
Aside from test failure, there are other situations where software requires re-validation. These scenarios include upgrading the CMMS software to a new version, updating operating systems, and updating computer hardware. When these types of changes occur, the organization should: 1) review vendor release notes to see what has changed, 2) determine the impact of software changes on current processes, and 3) update operations and software validation documentation as appropriate. As a reminder, when changes happen, only the affected operations need revalidation – not the entire software package.
Stay in Compliance with FTMaintenance Select
It often feels like new rules and regulations appear every day, especially in FDA-regulated industries. Though CMMS software validation may seem burdensome, the process can be simplified and broken down into smaller pieces. Ultimately, compliance is about how an organization uses their CMMS, not about the software itself. FTMaintenance Select provides an easy-to-use maintenance management platform for documenting, tracking, and managing maintenance activities. Request a demo today.