Operation Phase

After a successful Project Phase a Validated system is available. The Operation Phase of Validation will ensure that the validated state of the system is maintained during the life cycle of the system. ISPE published a separate Good Practice Guide on this subject.

Major activities and information flows are shown in the diagram below. The diagram divides the processes into the groups Handover, Service Management and Performance Monitoring, Incident Management and CAPA, Change Management, Audits and Review, Continuity Management, Security and System Administration and Records Management.

V model



















In the Handover step the responsibility of the system is transferred from the project team to the system owner.

Deliverables for this step are:

  • System Handover protocol


Service Management and Performance Monitoring


  • Establishing and Managing Support Services
  • Performance Monitoring

Establishing and Managing Support Services

The process for establishing and managing support services (internal or external) is managed through the use of Service level Agreements (SLA).

Performance Monitoring

Provides trends and data for:

  • reduce application
  • system down time
  • change management
  • risk & impact assessment
  • periodic review
  • evaluation of system performance


Incident Management and CAPA


  • Incident Management
  • CAPA

Incident Management

The primary objective for incident management is to address unplanned issues before serious harm occurs. The process must be designed to return the system or service to the users as quickly as possible.

Corrective Actions and Preventive Actions

In case of discrepancies, Investigate, understand & correct the issues to prevent recurrence. Meanwhile recognize potential discrepancies to prevent occurrence by looking at the performance monitoring.


Change Management


  • Change Management
  • Configuration Management
  • Repair Activity

Key requirement is that all changes should be reviewed, impact & risk assessed, authorized, documented, tested and approved before implementation.  Each change has to follow the V-model.

Change Management

Change management controls life cycle of changes end enables beneficial changes made  without compromising regulated  processes with minimum disruption to services.

Configuration Management

 Hardware & software configuration must be documented throughout system life.

Repair Activity

Activities to repair or replace failed or defective component are implemented following a defined, approved & verified procedure.


Audits and Review

A Periodic Review is essential to ensure the validated state of an automation system. In general a periodic review is scheduled every two years.

Subjects for review are:

  • Documentation (complete, correct, up to date)
  • Change of use
  • Level and nature of changes
  • Outstanding actions
  • Previous reviews, reports, audits
  • Prove of unstable or unreliable operation
  • Changes in circumstances
  • Regulations, environment, product, business, best practices, personnel
  • Procedures, incident logs
  • Software and data backups

 A Periodic Review may be part of an internal audit. The results of the Periodic Review can be used for external audits.


Continuity Management



  • Backup and Restore
  • Business Continuity Planning
  • Disaster Recovery Planning

Backup and Restore

Processes and procedures must be available and used to ensure that copies of software are made on a regular base and maintained in a safe and secure environment.  Restore procedures should be available. Restores must be tested and tests result must be available. To test a system restore an extra system may be required, to avoid damaging a system with a corrupt backup.


Business Continuity Planning


A Business Continuity Plan (BCP) must be in place to describe continuation of the business when the system is out of use. A documented rehearsal session must be performed.


Disaster Recovery Planning

To restore business processes a Disaster Recovery Plan must be in place.


Security and System Administration


  • Security Management
  • Systems administration

Security Management

Security Management ensures confidentiality, integrity and availability of organization's regulated systems. It Includes:

  • Establishing & maintaining security roles & responsibilities, policies, standards & procedures
  • Performing security monitoring & periodic testing
  • Implementing corrective actions for identified security weakness or incidents

Systems administration

A standard administration procedure must be in place ensuring routine management and support of systems. Key requirements for the support process is that appropriate resources are available and that all system administration tasks are Identified and documented.


Records Management


  • Retention
  • Archive and Retrieval


Policies for retention of regulated recors should be in lace, based on clear understanding of the regulatory requirements and company regulations..

Archive and Retrieval

Procedure must be in place for taking records off line to a different location. Key requirements are: Taking records off line to a different location Key requirements GxP records secured against willful or accidental damage during retention period Initially and periodically checked Content and meaning preserved
  • GxP records secured against willful or accidental damage during retention period
  • Initially and periodically checked (documented)
  • Content and meaning is preserved
  • Reasonable access by regulators possible