The FDA requirements and regulations have a long history of many changes as it pertains to Food Safety. In 2014, the FDA established Software “Validation” requirements and issued a guidance document based on the food regulations and mind-set at the time. With some limited exceptions, including produce and previously exempt foods, FSMA then started enforcing the rules.

All food has the potential for contamination if processed and distributed in systems that have not been validated. FSMA has since driven the risk requirements of food to a higher level with Preventive Controls (PCHF/AF). Focused on prevention, PCHF/AF keeps contaminated food from getting to the manufacturing process and in advance of Critical Controls, which remain relevant. The software systems failure of any of these could lead to an outbreak, so today, all systems must be “fail-safe.” Moving forward, systems must be validated and fully functional against any risk.


Continued outbreaks resulting in injury and death with products previously classified as “low-risk” has drawn sharp attention to the fact that in reality there are no low-risk food products. For example, we are seeing cases where Listeria M. spreads and contaminates Leafy greens. This is due to the high bacteria in hydroponic growing and irrigation. Situations such as these should be prevented by specifications that require environmental monitoring and testing to address the contaminants. The specifications must reside in a validated specification system, with processes validated to conform with the determined preventive controls prior to release of product for distribution. Validation can be considered as a final Preventive Control to correct the example as described.

All process, product and material records need to be stored within validated systems. All approvals need validated electronic signatures within the integrated systems. Validation of systems must be based on design, maintenance, testing and verification.

Per the FDA mandate, software used for the design, manufacturing, packaging, labeling, storage, installation, and servicing of all food intended for human and animal use must be validated. Validation ensures no contaminated food be distributed to the US market. As with many aspects of FSMA and preventive controls, the FDA is under-resourced for direct inspection and approval. Nonetheless, companies must prove “validation” or risk the response in the case of an outbreak.


Key Requirements for Validation

  1. Software Validation Protocol
    • A validation plan that ensures full validation of systems, process information and records.
  2. Designed Functionality Testing
    • Software and hardware that is developed, designed, and always monitored, including network, hardware, devices, configuration, programing, and training.
  3. Network Diagram
    • A logical layout of how the systems and controls are configured and networked.
  4. Risk Analysis
    • A document to evaluate the application’s safety with identification of potential hazards to the application and use.
  5. 21 CFR Part 11 Compliance Analysis
    • Electronic signatures that meet systems applicability and requirements.
  6.  Design Specification
    • A verification protocol with any customization or integration that fully assesses all applications based on testing and approval of all processes as scheduled.
  7.  Test Specifications
    • Testing for functional requirements and the specification with Traceability Matrix and requirements ID lined to testing Case IDs.
  8. Final Validation Report
    • Provides a summary of all documentation associated with the validation of the software and test case results. This report should include all the validation activities and define how the system must be managed in production for validation by a qualified independent testing organization.