User Requirements Specification for Computerized Systems
The User Requirements Specification defines what a computerized system must do to support intended business processes while maintaining compliance with regulatory expectations. It is the primary reference for all subsequent design, configuration, and verification activities.
For computerized systems, the URS must address not only functional behavior but also data integrity, security, and regulatory controls. It defines expected system behavior in a controlled GxP environment.
1. Purpose and Role in Validation
The URS establishes the foundation for validation. It drives:
- system design and configuration
- risk assessment and validation scope
- development of test scripts and acceptance criteria
- traceability across the lifecycle
All qualification activities must demonstrate that the system meets the requirements defined in the URS.
2. Scope and System Context
The URS must clearly define the system context to ensure that requirements are interpreted correctly. This includes:
- system name and description
- intended use and business processes supported
- system boundaries and interfaces
- identification of GxP-relevant functions
- identification of external systems and integrations
The context defines where the system operates and what functions must be controlled.
3. Structure of URS for Computerized Systems
The URS for computerized systems must be structured to support traceability and testing. Typical sections include:
- functional requirements
- data integrity requirements
- security and access control requirements
- electronic records and electronic signatures requirements
- system interface requirements
- reporting and data output requirements
- performance and capacity requirements
- infrastructure and environmental requirements
- regulatory and compliance requirements
Each requirement must be uniquely identified and testable.
4. Functional Requirements
Functional requirements define what the computerized system must do to support intended use and controlled business processes. They describe system behavior from the user and process perspective, independent of how the system is technically implemented.
For computerized systems, functional requirements must cover all GxP-relevant operations that affect data generation, processing, review, and approval. The focus is on how the system controls activities and ensures consistent, compliant execution. Functional requirements typically include:
- definition of user interactions with the system, including data entry, modification, and review
- execution and control of business workflows, including sequencing of activities and status transitions
- enforcement of process rules, including mandatory fields, data validation, and calculation logic
- management of records throughout their lifecycle, including creation, modification, review, approval, and closure
- control of system-driven actions such as automated calculations, data processing, and status changes
- generation of outputs such as reports, summaries, and data exports required for decision-making
- handling of exceptions, including error messages, rejection of invalid inputs, and controlled correction processes
Functional requirements must clearly define:
- what triggers an action
- what the system does in response
- what constraints or rules are applied
- what outputs are generated
Requirements must be written in a way that allows direct verification during testing. Each requirement must be testable, unambiguous, and aligned with intended use. Functional requirements must not include:
- system design details
- database structures
- software architecture
- configuration parameters or field names
The objective is to define expected behavior, not how the system is built.
5. Data Integrity Requirements
Computerized systems must ensure that data is complete, consistent, and protected. The URS must define:
- secure and computer-generated audit trails: The system must automatically record all relevant actions without user intervention. Audit trails must capture who performed the action, what was changed, when it occurred, and the reason for the change where applicable. Audit records must be protected from modification or deletion and must be available for review.
- protection of original data and metadata: Original records, including raw data and associated metadata such as timestamps, user IDs, and processing parameters, must be preserved in their original form. The system must prevent overwriting or loss of original entries and ensure that any subsequent changes do not obscure the initial record.
- traceability of data creation, modification, and deletion: The system must maintain a complete history of each record from creation through all subsequent changes. Every addition, update, or deletion must be linked to a specific user and timestamp, allowing full reconstruction of the data lifecycle.
- control of data reprocessing and recalculation: The system must control any reprocessing of data, including recalculations or reanalysis. Original results must be retained, and any reprocessed results must be clearly identified, justified, and traceable. The system must prevent silent overwriting of previously generated results.
- prevention of unauthorized data changes: The system must restrict the ability to create, modify, or delete data based on defined user roles and permissions. Critical actions must require appropriate authorization, and unauthorized attempts must be blocked and recorded.
Requirements must support ALCOA and ALCOA+ principles.
6. Security and Access Control
The URS must define how system access is controlled. This includes:
- unique user identification
- role-based access control
- restriction of critical functions to authorized users
- password and authentication controls
- session management and inactivity timeouts
Security requirements must prevent unauthorized access and ensure accountability.
7. Electronic Records and Signatures
Where applicable, the URS must define requirements for electronic records and signatures. This includes:
- linkage of electronic signatures to records
- signature components such as username and password
- meaning of signatures such as approval or review
- prevention of record alteration after signature
- compliance with 21 CFR Part 11
These requirements ensure that electronic records are legally and scientifically reliable.
8. System Interfaces and Data Exchange
The URS must define how the system interacts with other systems. This includes:
- data inputs and outputs
- interface types and communication methods
- data transfer controls and validation
- error handling and data reconciliation
Interfaces must ensure complete, accurate, and secure data transfer.
9. Reporting and Data Output
The URS must define expectations for system-generated outputs. This includes:
- report content and format
- data accuracy and calculation verification
- controlled report generation and approval
- export controls and data traceability
Outputs must be reliable and suitable for decision-making.
10. Performance and Capacity
The URS must define how the computerized system is expected to perform under both routine operating conditions and peak load scenarios. Performance requirements ensure that the system supports business processes without delays, failures, or degradation of data integrity.
These requirements must be measurable and based on realistic use conditions rather than theoretical limits. This includes:
- system response time: The URS must define acceptable time limits for critical system actions such as data entry, record retrieval, calculations, and report generation. Response time expectations must reflect actual operational needs. Delays that impact user actions, batch processing, or decision-making must be identified and limited.
- concurrent user capacity: The system must support the expected number of simultaneous users without performance degradation. The URS should define typical and peak user loads and require that system performance remains stable under these conditions. This is particularly important for shared systems used across multiple departments or locations.
- data volume handling: The system must be capable of storing, processing, and retrieving the expected volume of data over time. The URS should define anticipated data growth, transaction volumes, and record sizes. Performance must remain acceptable as data accumulates, without excessive delays in queries, reporting, or system operations.
- system availability: The URS must define required system uptime and acceptable downtime limits. This includes expectations for system availability during business hours, maintenance windows, and recovery following failures. Requirements should consider the criticality of the system and its role in operations.
Performance requirements must ensure that system behavior remains reliable and predictable under all defined conditions. Degraded performance must not result in data loss, incomplete processing, or uncontrolled system behavior.
11. Infrastructure and Environmental Requirements
The URS must define requirements for the system's operating environment. This includes:
- operating system compatibility
- database requirements
- network requirements
- backup and storage infrastructure
These requirements ensure that the system operates within a controlled technical environment.
12. Regulatory and Compliance Requirements
The URS must define applicable regulatory expectations. This includes:
- compliance with 21 CFR Part 11: The URS must define that the system supports controls required for electronic records and electronic signatures. This includes secure, computer-generated audit trails, unique user identification, controlled access, and enforcement of electronic signature requirements. The system must ensure that electronic records are trustworthy, reliable, and equivalent to paper records where applicable.
- adherence to data integrity principles: The system must ensure that all data is attributable, legible, contemporaneous, original, and accurate, with additional controls to ensure completeness, consistency, and durability. The URS must require that data is recorded at the time of activity, protected from unauthorized changes, and maintained in a manner that preserves its integrity throughout its lifecycle.
- audit trail review capability: The system must allow audit trail data to be readily accessible, searchable, and reviewable. The URS should require filtering, sorting, and reporting capabilities to support routine review of critical changes. Audit trail review must be practical to execute as part of operational or quality processes, not just technically available.
- record retention requirements: The system must retain electronic records and associated metadata for the defined retention period based on regulatory and business requirements. The URS must define controls to prevent premature deletion, ensure secure archival, and allow retrieval of records in a readable format throughout the retention period.
Regulatory requirements must be explicitly stated to ensure they are verified during validation.
13. Requirement Attributes and Quality
Each requirement must be:
- clear and unambiguous
- uniquely identified
- testable and measurable
- traceable to verification activities
- aligned with intended use
Poorly defined requirements lead to weak validation and audit findings.
14. Common Deficiencies
Typical URS deficiencies reduce the clarity, testability, and regulatory defensibility of the system. They include:
- vague or non-testable requirements: Requirements are written in general terms such as “system should be user-friendly” or “system must be efficient” without measurable criteria. These statements cannot be verified during OQ or PQ and lead to subjective interpretation.
- mixing requirements with design or configuration details: The URS includes technical solutions such as database structures, field names, screen layouts, or specific software configurations. This restricts flexibility, shifts the document away from intended use, and creates conflicts if the design changes.
- missing data integrity and security requirements: Critical controls such as audit trails, user access management, and protection of electronic records are not defined. This results in gaps during validation and potential noncompliance with regulatory expectations.
- lack of interface definition: Interactions with other systems are not described or are only partially defined. Data flows, transfer mechanisms, and reconciliation controls are unclear, leading to integration risks and incomplete verification.
- incomplete regulatory coverage: Applicable regulatory requirements such as electronic signature controls, audit trail review expectations, or record retention are not explicitly included. This leads to missed verification during validation.
- ambiguous scope and intended use: The URS does not clearly define what the system is intended to do or where its boundaries are. This creates confusion in design, testing, and validation scope.
- inconsistent level of detail: Some requirements are overly detailed while others are too high-level. This inconsistency makes traceability and testing difficult.
- lack of unique identification and traceability: Requirements are not uniquely numbered or structured, making it difficult to link them to specifications, risk assessments, and test cases.
- absence of acceptance criteria: Requirements do not define expected outcomes or measurable limits. Without acceptance criteria, verification becomes subjective.
- duplication and conflicting requirements: Similar requirements are repeated in different sections or contradict each other. This creates confusion during implementation and testing.
- failure to consider real operational conditions: Requirements do not reflect how the system will be used in practice, including user roles, data volumes, or workflow complexity. This leads to gaps identified late during PQ or after go-live.
These deficiencies weaken the validation framework and increase the risk of audit findings, rework, and system failures.
15. Approval and Control
The URS must be reviewed and approved prior to design and validation activities. This includes:
- approval by system owner and quality unit
- version control and document management
- control of changes through change control
The approved URS establishes the baseline for validation.

