In regulated industries such as pharmaceuticals, medical devices, and biotechnology, implementing new software or systems—such as an electronic Quality Management System (eQMS), Laboratory Information Management System (LIMS), or Enterprise Resource Planning (ERP)—requires a methodical approach to vendor selection and validation. One of the most critical phases in this process is user requirements testing (URT), where system capabilities are verified against the pre-defined needs of the end users within a regulated compliance framework.
At Quality Systems Now, we specialise in guiding therapeutic goods manufacturers, testing laboratories, and biotech companies through the complex landscape of GMP compliance and ISO standards. In this article, we explore the structured process of working with vendors and managing user requirements testing, with a focus on ensuring compliance with the PIC/S Guide to GMP and ISO 13485:2016.
Before engaging with a vendor, it is vital to understand and document the business processes, quality objectives, and regulatory requirements that the system must support. For example, a therapeutic goods manufacturer operating under the Therapeutic Goods Administration (TGA) must comply with the PIC/S Guide to GMP, which mandates that computerised systems be validated for their intended use. Similarly, ISO 13485:2016 requires documented evidence that software impacting product quality is planned, verified, and validated.
These obligations form the foundation for developing accurate user requirements and set the stage for structured system evaluation and testing.
The User Requirements Specification (URS) is a cornerstone of the system lifecycle. It describes what the users need the system to do, independent of how the system will achieve it. A well-written URS is clear, testable, and prioritised according to business and regulatory risk.
Key elements of an effective URS include:
Functional requirements (e.g., document control, deviation tracking, audit trail)
Regulatory requirements (e.g., data integrity, electronic signatures, record retention)
Security and access control needs
Interface and integration expectations
User roles and permissions
Performance and scalability expectations
Involving cross-functional teams—such as Quality Assurance (QA), Information Technology (IT), Production, and Regulatory Affairs—ensures the URS reflects the needs of all stakeholders and meets compliance expectations.
Once the URS is finalised, the process of selecting and qualifying a vendor begins. In a GMP-regulated environment, vendor qualification is not simply a procurement exercise; it is a documented evaluation of the vendor’s ability to deliver a system that meets both technical and compliance requirements.
Vendor qualification typically includes:
Assessment of the vendor’s Quality Management System
Review of development lifecycle processes (e.g., use of GAMP 5 methodology)
Demonstration of previous successful implementations in regulated environments
Review of validation documentation and testing practices
Site audit or questionnaire-based evaluation
Supplier agreement outlining roles and responsibilities
At Quality Systems Now, we assist clients in conducting vendor audits, performing due diligence, and establishing the traceability of requirements across the system lifecycle.
A traceability matrix is a critical tool that links each user requirement to corresponding design, configuration, test cases, and verification results. This ensures that all specified requirements are accounted for and validated throughout the system development and testing phases.
A compliant traceability matrix supports:
Regulatory inspections and audits
Change control impact assessments
Simplified troubleshooting and root cause analysis
Confidence in the system’s ability to support intended use
Maintaining a robust traceability matrix is essential to managing the complexity of validation in a regulated setting.
User Requirements Testing (URT), sometimes called User Acceptance Testing (UAT), involves verifying that the system performs according to the user requirements specified in the URS. This phase is critical to demonstrating fitness for intended use under GMP and ISO 13485.
URT must be conducted under controlled conditions with appropriate documentation, including:
Test protocols based on the URS
Defined acceptance criteria
Clear test steps and expected results
Documentation of actual test results
Deviation management procedures
Final test summary reports with sign-off
Test scripts should simulate real-life workflows and use representative data. Where applicable, testing should cover high-risk processes such as batch release, change management, CAPA tracking, and audit trails. Testing must be performed by qualified users and witnessed or reviewed by QA.
During URT, deviations from expected results may occur. These must be documented, evaluated, and resolved following GMP-compliant deviation management procedures. Root cause analysis should determine whether the deviation results from:
Misunderstood requirements
Configuration errors
Software defects
Inadequate test cases
Each deviation should be tracked to closure with documented corrective actions, retesting where necessary, and formal impact assessments. These records form part of the system validation documentation package and are subject to regulatory inspection.
Quality Assurance (QA) has a critical role in overseeing and approving the validation process. Their involvement ensures that testing activities are independent, objective, and compliant with applicable standards.
QA responsibilities include:
Reviewing and approving the URS and validation plan
Ensuring test scripts are comprehensive and risk-based
Verifying test evidence and witnessing high-risk test execution
Managing deviation assessments
Signing off on the validation summary report
QA must also verify that the system is properly controlled through SOPs, training, and change management before it is released for operational use.
Successful URT and go-live are not the end of system validation. Ongoing control and monitoring are essential to maintain the validated state and ensure continuous compliance.
Post-implementation considerations include:
Controlled system release procedures
SOPs for system use, access control, backup, and restoration
User training and competency assessments
Periodic review and revalidation triggers
Change control procedures for system modifications
At Quality Systems Now, we assist clients in establishing post-implementation monitoring plans, defining KPIs, and ensuring that validation activities extend into system maintenance and eventual decommissioning.
Regulators such as the TGA and notified bodies require comprehensive validation documentation as evidence that computerised systems are fit for purpose. Documentation must be complete, traceable, and readily accessible.
Essential validation documents include:
URS and functional specifications
Risk assessments and validation plans
Test protocols, raw data, and summary reports
Traceability matrix
SOPs for system operation and maintenance
QA approvals and validation certificates
Quality Systems Now helps clients organise and structure documentation according to audit-ready standards, often using the V-model or GAMP 5 framework.
Working with a vendor and managing user requirements testing in a regulated environment requires careful planning, cross-functional collaboration, and a deep understanding of compliance frameworks. An effective URT process provides not only assurance of system functionality but also demonstrable evidence of regulatory compliance.
At Quality Systems Now, we guide therapeutic goods manufacturers, laboratories, and biotech firms through each phase of system selection, validation, and ongoing compliance. Whether you are implementing your first eQMS or upgrading legacy systems, our team ensures your validation efforts are rigorous, risk-based, and fully aligned with PIC/S GMP and ISO 13485.
System validation is not just a technical exercise—it is a regulatory imperative. Investing in a structured, well-documented URT process is essential for sustaining quality, ensuring data integrity, and supporting long-term operational success.