Published on 07/12/2025
Maintaining the Validated State in Pharma: How to Manage Periodic Reviews, Change Control, and Compliance
Validating a computerized system is only half the battle in the pharmaceutical lifecycle. The real challenge lies in maintaining that validated state throughout the system’s operational life. Regulatory bodies like the FDA, EMA, and WHO expect pharmaceutical companies to ensure their GxP systems remain compliant, effective, and under control — even years after the initial validation.
This article outlines a robust strategy for maintaining the validated state of computerized systems, with emphasis on periodic reviews, change management processes, revalidation triggers, and regulatory documentation practices. It aligns with GAMP 5, 21 CFR Part 11, EU Annex 11, and WHO expectations.
What Does “Maintaining Validated State” Mean?
According to GAMP 5 and Annex 11, maintaining the validated state refers to ensuring a system continues to perform as intended after its initial qualification. This means:
- All GxP functionalities remain intact
- Any changes are properly evaluated and controlled
- System performance is periodically assessed
- Documentation remains up-to-date
- Data integrity and security are preserved
Failure to maintain validated state can result in audit observations, regulatory warnings, or compromised product quality.
Regulatory Expectations and Global Guidance
- 21 CFR Part 11 (Subpart
Core Elements of Maintaining a Validated State
1. Periodic Review
A Periodic Review is a documented, risk-based assessment of a system’s current validated status. It is typically performed annually or every two years, depending on system criticality and complexity.
Periodic Reviews include:
- Review of change controls and deviations since last validation
- Assessment of incident and CAPA history
- Review of audit trails and access logs
- Assessment of software/hardware obsolescence
- Confirmation of disaster recovery testing
- Check for current SOPs and training records
Template Output: Periodic Review Report (PRR)
2. Change Control
Every change — from a simple configuration update to major code releases — must be evaluated for impact on the validated state. A robust Change Control system ensures:
- Risk assessment of proposed changes
- Approval by Validation, QA, and System Owners
- Definition of required testing (e.g., regression OQ, full PQ)
- Linkage to validation deliverables (URS, TM, protocols)
- Documentation in Change Control Log
Examples of changes needing revalidation:
- Software version upgrade (e.g., from v3.2 to v4.0)
- Introduction of new data fields or workflows
- Modification of user access roles
- Integration with new equipment or systems
3. Configuration Management
All GxP-relevant configurations (user access roles, audit trail settings, e-signature rules, alarm thresholds, etc.) must be controlled and version-tracked. The Configuration Specification (CS) document must be updated following any system change and verified during OQ testing.
4. Audit Trail Review
Audit trails must be periodically reviewed to detect unauthorized or unexpected activities. This includes:
- Login/logout failures
- Deleted or modified records
- Signature or approval rejections
FDA 21 CFR 11.10(e) requires the ability to produce a secure, computer-generated audit trail for every GxP action.
5. Revalidation Triggers
Revalidation may be partial or full and is triggered by:
- Significant changes (new modules, updated workflows)
- Software patches or upgrades
- Change in intended use
- Non-compliance observations during audits
- System failure or recurring deviations
For each change, revalidation requirements must be documented within the Change Control Form and reviewed by QA.
Example of Change Control Decision Tree
| Change Type | Risk Level | Validation Action |
|---|---|---|
| User interface color update | Low | No validation needed |
| Addition of new report filter | Medium | OQ regression only |
| Upgrade from v2.0 to v3.0 | High | Full PQ with URS mapping |
Documentation Package to Maintain Validated State
- Periodic Review Report (PRR)
- Change Control Log
- Validation Summary Report (updated with each change)
- Updated Configuration Specs
- Current SOPs and training records
- Backup/restore test documentation
- Audit Trail review records
Maintaining Validation of Cloud-Based Systems
For SaaS or cloud systems, validated state maintenance includes:
- Review of vendor’s release notes and change history
- Assessment of GxP impact from vendor updates
- Documentation of risk analysis for each release
- Execution of regression scripts as needed
- Periodic vendor audits or certificate reviews (SOC2, ISO 27001)
Training & Awareness
System users, administrators, and QA should be trained annually on:
- Maintaining validated state concepts
- How to raise a change request
- Recognizing GxP impact of changes
- Reviewing audit trails
Common Mistakes and Audit Gaps
- No documented periodic review strategy
- Change Control forms lack impact analysis
- Validation Summary Reports not updated after change
- No revalidation after critical system update
- No linkage between deviation and system qualification
Real Example – Periodic Review Findings
During an internal review of a validated QMS system, the following issues were noted:
- 5 change controls not linked to updated validation documents
- Backup and restore test not repeated in 3 years
- CAPAs were closed but not linked to audit trail evidence
- Decommissioned user accounts still had active roles
Corrective actions included execution of retrospective PQ, update to user access logs, and revision of Change Control SOP.
Conclusion
Maintaining the validated state is not just about compliance — it’s about ensuring that your systems continue to produce reliable, high-integrity data and support safe product release. Periodic reviews, change management, audit trail assessments, and configuration control must all work in concert to ensure your validated systems remain inspection-ready year after year.
Download maintenance templates, PRR checklists, and change control forms at PharmaSOP.in. For expert support in periodic requalification and post-go-live CSV management, visit PharmaValidation.in.