Software Validation Master Plan – Path to Success
Software Validation Master Plan
Part 2 in our Part 11 Compliance and Validation Blog Series
In this post, we will be exploring the 1st Essential Building Block of our Part 11 Compliance and Validation Framework. You might be asking yourself what a Software Validation Master Plan (SVMP) is and how it is it different from a Software Validation Plan that you might create for a specific piece of software. You might also be wondering how you go about putting one in place. Let’s start with what it is and, more importantly, what it isn’t.
The Software Validation Master Plan (SVMP) is a formal, controlled document that outlines the company’s general policies on software acquisition, validation, implementation, use, and decommissioning. The policy and procedural part of the Software Validation Master Plan (SVMP) should include the top-level requirements for how your company will control software used as part of the manufacturing processes or the quality system. It should also briefly describe and reference other procedures that are specific to each of the areas listed above. For example, under the section titled “software acquisition” you might generally describe the overall controls your company has in place to prevent software systems and applications from being purchased or created in-house and subsequently used without formally placing those systems and applications on the SVMP. Your company may also have a specific step-by-step procedure that must be followed and you can reference it here without going into every detail. Think of the Software Validation Master Plan as your overall control that will drive all of your requirements around software. Once an application makes it onto the list, the appropriate process takes over to make sure everything gets done before it is put into use (or decommissioned).
The Software Validation Master Plan (SVMP) also provides, as an attachment, a comprehensive list of the software systems or applications used in the facility. The SVMP list should include pertinent details about the software like:
- Software name,
- Software description,
- Intended use,
- Software type (OTS, configured OTS, Custom, etc.),
- Current version (or versions if more than one is active),
- Previously active validated versions (leading back to the base validation)
- Re-validation conditions,
- E-signature use,
- Overall current status (pending review, pending validation, development, released, etc.)
Think of this list as your software map for what you have, where it is, how its validated, and a pointer to all the detailed records you’ll need to prove that it is validated and suitable for use. Some companies find it helpful to also have a list of software systems and applications that were determined to be out of scope for this level of software control with the justification for the decision. This is a great practice and will help you tremendously during an FDA inspection or other compliance audit.
Ok, now that you know what a Software Validation Master Plan is, let’s talk about what it isn’t … It’s not the validation plan that you create for a specific system. This plan is a necessary and important piece that validation and business teams will follow for an individual piece of software and not the overall company plan for how you will control the life cycle of software within your facility.
It’s never too late to put your SVMP in place. The larger the company and the longer you’ve been working without it, the more effort it will take. The good news is that, if done correctly, the costs associated with pulling everything together, will be one-time costs with a rapid return on the investment. Having a healthy and accurate SVMP in place drastically reduces the resources spent every day chasing down problems with software applications that are not being formally managed, tracked, and monitored on a regular basis. Many of my clients cite lack of monitoring and oversight of software changes as key causes of significant production loss due to downtime and delays not to mention compliance issues that surface during audits and inspections. No one wants this to happen and with a little bit of diligence, maintenance, monitoring and enforcement you will greatly reduce, if not eliminate, these situations.
The maintenance, care, and enforcement of the SVMP should not be underestimated. This hefty responsibility should be formally given to someone (or a group) who is highly organized, detail oriented, and motivated. The person or group should also be bestowed the authority in the organization (not just the responsibility) to enforce the policies it contains. This will ultimately prevent any unapproved applications from being purchased and installed (or developed in house) without going through the appropriate steps necessary for that software system. This step alone will at least begin to ensure that software is being evaluated properly and put on the appropriate path for validation and implementation.
Although the Software Validation Master Plan (SVMP) is the critical first step, the other six (6) building blocks are essential for the framework to have strength and, ultimately, ensure success.
You have just read the second part in an 8 part series. If you missed the first part, you can read it here: Part 11 Compliance and Validation.