utilities control systems

Interfaces: integrations between systems where data flows must be verified

Regulatory compliance controls: audit trails, access control, electronic signatures

What an RTM Typically Links

A practical RTM usually links one requirement to multiple validation elements, such as:

• Requirement ID: URS-001, URS-002, etc.
• Requirement text: the “shall” statement (testable requirement)
• Risk/Criticality: critical, major, minor (site-defined)
• Test Case ID: OQ-005, PQ-012, etc.
• Test Evidence: protocol section number, script number, report reference
• Result status: Pass/Fail/Deviations raised
• Deviation linkage: deviation number and closure reference if a test failed

RTM vs Validation Protocol (Simple Clarity)

• Validation Protocol: the planned test approach and execution steps.
• RTM: the mapping that proves every requirement is covered by a test and evidence.

Protocols show what you did. RTM shows you did everything you needed to do for intended use.

Mini Example: RTM for a GMP System Control (Audit Trail)

Requirement (URS-014): “The system shall record audit trails for creation, modification, and deletion of GMP results and approvals, including user ID, timestamp, and reason for change.”

RTM mapping could show:

• URS-014 → OQ-07 (Audit trail capture test) → Evidence: OQ Protocol Section 7.2 → Result: Pass
• URS-014 → OQ-08 (Audit trail security test: cannot be disabled by normal users) → Evidence: OQ Section 7.3 → Result: Pass
• URS-014 → PQ-03 (End-to-end workflow with audit trail review report attached to batch/release pack) → Evidence: PQ Section 5.1 → Result: Pass

This makes it easy to show auditors exactly where and how the control was verified.

What Auditors Commonly Ask About RTM

• “Show me that every URS requirement was tested.”
• “Which tests cover access control and audit trails?”
• “Where are failed tests tracked and how were they resolved?”
• “How do you ensure changes don’t break validated requirements?”

An up-to-date RTM lets you answer these questions fast, without hunting across multiple binders or folders.

RTM and Change Control (Why RTM Must Stay Current)

RTM is not a one-time document. When changes occur (patches, configuration updates, new workflows, interface changes), your requirements coverage may change. A strong system keeps RTM aligned with change control by:

• Assessing which requirements are impacted by the change
• Updating RTM entries (new test cases, revised evidence references)
• Documenting re-testing or regression testing evidence
• Maintaining traceability from change request → impacted requirements → tests

When RTM is outdated, auditors often conclude that the validated state is not maintained.

Common RTM Mistakes (Avoid These Audit Traps)

• Non-testable requirements: vague URS items lead to vague RTM mapping.
• Missing coverage: requirements with no linked test case (gaps).
• Generic vendor scripts: mapping to tests that don’t reflect your configured process.
• No deviation linkage: failed tests not traceable to resolution and acceptance.
• Outdated RTM: system changes made, but RTM not updated.
• No risk prioritization: critical requirements not clearly identified for focused testing.

Audit-Ready Talking Points

• RTM shows complete requirement-to-test coverage for intended use
• Critical requirements (data integrity, security, release decisions) are clearly highlighted
• Failures are linked to deviations and documented resolutions
• RTM is controlled under document control with version history
• RTM is updated as part of change control and periodic review

Simple RTM Template (How It Looks)

Requirement ID	Requirement Summary	Criticality	Test Case ID	Evidence Reference	Result	Deviation Ref
URS-001	User login must be unique and role-based	Critical	OQ-03	OQ Sec 4.2	Pass	N/A
URS-014	Audit trails for GMP data changes with reason	Critical	OQ-07	OQ Sec 7.2	Pass	N/A
URS-020	Controlled report generation for batch review	Major	PQ-05	PQ Sec 6.1	Pass	N/A

FAQs

What is RTM in pharma validation?

RTM is a Requirements Traceability Matrix that maps requirements (URS/functional requirements) to test cases and evidence, proving validation completeness.

Is RTM mandatory?

Many guidelines strongly imply or expect traceability, especially for computerized systems and critical controls. Even if your SOP doesn’t name it “RTM,” auditors expect a clear way to prove requirement coverage.

Who prepares the RTM?

Typically the CSV/validation team prepares it with input from system owners, QA, and IT. QA often reviews/approves it as validation evidence.

What should RTM include for data integrity controls?

Clear mapping for access control, audit trails, electronic signatures (if used), record retention, backup/restore, and any critical processing rules that impact GMP decisions.

What’s the biggest RTM failure in audits?

Outdated or incomplete mapping—requirements not linked to tests, or system changes implemented without updating RTM and re-testing impacted requirements.