Why validate software?
25 February 2013: Edgar Dietrich, Stefan Weber & Berthold Lebert, independent consultant
People generally assume that software systems always provide correct results. However, these programs are highly complex and complexity causes errors. You can never exclude errors having a dramatic impact on the results.
It is not possible to imagine companies that do not apply software today. Nowadays, software is kind of the “central nervous system“ of a company. Thus the correctness of such systems is of utmost importance, especially in case of calculated quality indices major corporate decision processes are based on. People became more and more aware of this problem and paid more attention to software validation. Software validation is even obligatory for officially regulated companies (pharmaceutical and medical engineering).
What is software validation?
If you want to put it simply: By validating an installed software system you want to furnish proof that the system delivers the performance it is supposed to deliver.
In accordance with ISO 9000:2005, validation is the “confirmation through the provision of objective evidence that the requirements for a specific intended use or application have been fulfilled“. You may provide this evidence based on conformity assessments by observation or evaluation and, in case of conformance, validate the software by means of measurements, tests and comparisons.
Where are software validation requirements specified?
The certification of a quality management system also includes the auditing of the applied software system, especially systems processing quality information. ISO 9001:2008 or ISO TS 16949:2009 demands in clause 7.6:
”When used in the monitoring and measurement of specified requirements, the ability of computer software to satisfy the intended application shall be confirmed. This shall be undertaken prior to initial use and reconfirmed as necessary.“
Since the Q-DAS software processes measurement results of measurement processes, the requirements of ISO 10012:2003 clause 6.2.2 also apply:
“Software used in the measurement processes and calculations of results shall be documented to ensure suitability for continued use. Software, and any revisions to it, shall be tested and/or validated prior to initial use, approved for use and archived.“
How can you meet software validation requirements?
You cannot “touch“ software systems like you can touch other products and thus is it not possible to evaluate them based on common test processes. In order to validate the software you first need to install the software program in the environment it will be applied to. After implementing the software successfully and completely, the software must be tested according to the definition mentioned before. Release the software after completing the test successfully. This test is based on scenario testing tailored to the important factors included in the requirements specification and, if possible, covering all relevant applications and potentials of risk.
Q-DAS verify their software products based on standard scenarios and release the products before delivering them to the customer. Since the exact application at the customer‘s is un-known to Q-DAS, the company is not able to guarantee an absolute freedom from error. However, customers can act on the assumption that most applications and especially com-puter operations work properly and provide correct results. Customers now face considerably less effort to test the software since they only require inspections ensuring that the software verified by Q-DAS also works properly in their system environment (computer hardware, operating system, network, database, interfaces, etc.) and for their specific application(s).
It is recommended to prepare an own scenario testing that will be applied every time the Q-DAS software is installed. This procedure helps to meet official validation requirements and to release the software for application. If customers change the validated system, the change management has to guarantee that the validated state of the software remains.
How can you validate software?
Referring to the Q-DAS software, there are two different test phases in general:
- Testing the calculation of statistics based on defined reference data sets (see “Eligibility statement” on the Q-DAS website at https://www.q-das.de/fileadmin/mediamanager/Software/Eignungserklaerung/Eligibility_Statement.pdf).
- Testing the input of data and the correct processing based on a specified data flow and the general program control. The user has to define the main test scenarios.
A well-structured validation process is based on a released process description. The main components are the description of the requirements specification, of the risk analysis and of scenario testing. You record the single qualification steps and release the software in case there are not any relevant deviations.