How to Perform Periodic Reviews of Computerised Systems

A thorough periodic review begins with an evaluation of all changes made to the system since the last review cycle. This includes modifications to hardware, software, configuration settings, infrastructure components, and external interfaces. Even minor upgrades or patches should be considered, especially if they involve security updates or performance improvements.

Documentation must also be scrutinized. Any change to user requirements, functional specifications, operating procedures, or training materials should be reflected in the system's documentation suite. One overlooked area is the cumulative impact of several small changes—individually minor, but collectively capable of significantly altering system performance or risk posture.

It is also important to consider that external factors such as regulatory updates or changes to applicable guidance documents may impact the system's validated state. Regulations evolve over time, and staying aligned with current expectations is a critical component of compliance.

Tip: Use change logs and version control histories to identify changes and cross-check them against documentation updates. Employ configuration auditing tools where possible to detect unauthorized or undocumented changes.

In addition to change reviews, periodic assessments should cover all supporting processes linked to the system. This includes confirming that actions from previous periodic reviews, audits, or CAPAs have been effectively addressed. Audit trail and access reviews are crucial, as is re-evaluating user permissions to detect potential segregation of duty risks or orphaned accounts.

Security incidents and emerging threats must be considered, particularly for internet-connected or cloud-hosted systems. Maintenance activities, service agreements, and vendor contracts should also be examined for continued adequacy. Backup and restore procedures, disaster recovery plans, and archival routines should be tested and verified to ensure data availability and protection.

Finally, it’s critical to assess whether new regulatory requirements or guidance updates (like the proposed revision of Annex 11) have introduced compliance gaps that need to be closed.

Tip: Develop a periodic review checklist tailored to your system’s risk classification, incorporating all these areas to ensure nothing is missed.

A periodic review is typically triggered by a calendar-based schedule or a significant change to the system or its environment. The review team should include representatives from IT, Quality Assurance (QA), and the business process owner. This cross-functional team ensures both technical and regulatory aspects are properly evaluated.

Collect and examine all relevant documentation, including validation deliverables (e.g., URS, test scripts, traceability matrices), change controls, deviations, CAPA reports, and training records. This helps establish a clear picture of what has changed and whether updates were properly controlled and documented.

Perform hands-on or tool-based checks of system configurations, user access rights, backup records, audit trails, and system logs. If applicable, perform a sample audit trail review to check for anomalies or non-compliance. Verify whether restore tests have been executed as per the backup plan.

Tip: Use automated tools for audit trail analysis and log parsing to improve coverage and reduce review time.

Using the documentation and technical findings, reassess the system’s current risk level and determine whether it still aligns with its validated state. Pay special attention to data integrity controls such as ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate). Identify any deviations from current regulatory expectations, especially if new guidance has been published since the last review.

Compile the review findings into a formal report. The report should summarize all reviewed elements, document any required corrective actions, and conclude on the validated state of the system. It should be reviewed and approved by QA and other relevant stakeholders. All actions should be tracked to closure before the review is considered complete.