Development of the user requirements specification (URS)

The user requirements specification (URS), is a formal document that defines the requirements for use of the software system in its intended production environment.

URS and the functional specification define the characteristics of the equipment, rooms, support systems or other systems. At this stage, it is necessary to lay down the basic elements of quality and to reduce any GMP risks to an acceptable level. The User Requirements Specification should be a point of reference throughout the validation life cycle.


The computerized system URS should define critical data, data life-cycle controls that will assure consistent and reliable data throughout the processes by which data is created, processed, transmitted, reviewed, reported, retained and retrieved and eventually disposed.

The computerized system URS should include requirements to ensure that the data will meet regulatory requirements such as ALCOA principles and WHO guidelines on good documentation practices. Other aspects that should be specified include, but are not limited to, those related to:

  • the data to be entered, processed, reported, stored and retrieved by the system, including any master data and other data considered to be the most critical to system control and data output
  • the flow of data including that of the business process in which the system will be used as well as the physical transfer of the data from the system to other systems or network components. Documentation of data flows and data process maps are recommended to facilitate the assessment and mitigation and control of data integrity risks across the actual, intended data process
  • networks and operating system environments that support the data flows
  • how the system interfaces with other systems and procedures
  • the limits of any variable and the operating programme and test programme
  • synchronization and security control of time/date stamps
  • technical and procedural controls of both the application software as well as operating systems to assure system access only to authorized persons
  • technical and procedural controls to ensure that data will be attributable to unique individuals (for example, to prohibit use of shared or generic login credentials)
  • technical and procedural controls to ensure that data is legibly and contemporaneously recorded to durable (“permanent”) media at the time of each step and event and controls that enforce the sequencing of each step and event (for example, controls that prevent alteration of data in temporary memory in a manner that would not be documented)
  • technical and procedural controls that assure that all steps that create, modify or delete electronic data will be recorded in independent, computer-generated audit trails or other metadata or alternate documents that record the “what” (e.g. original entry), “who” (e.g. user identification), “when” (e.g. time/date stamp) and “why” (e.g. reason) of the action
  • backups and the ability to restore the system and data from backups
  • the ability to archive and retrieve the electronic data in a manner that assures that the archive copy preserves the full content of the original electronic data set, including all metadata needed to fully reconstruct the GXP activity. The archive copy should also preserve the meaning of the original electronic data set, including its dynamic format that would allow the data to be reprocessed, queried and/or tracked and trended electronically as needed
  • input/output checks, including implementation of procedures for the review of original electronic data and metadata, such as audit trails
  • technical and procedural controls for electronic signatures
  • alarms and flags that indicate alarm conditions and invalid and altered data in order to facilitate detection and review of these events
  • system documentation, including system specifications documents, user manuals and procedures for system use, data review and system administration
  • system capacity and volume requirements based upon the predicted system usage and performance requirements
  • performance monitoring of the system
  • controls for orderly system shutdown and recovery
  • business continuity

In the case of chromatography data system (CDS), it is further important to define the requirements for the basic functions of taking into account following details:

  • requirements for hardware, workstations and operating systems
  • system requirements such as number of users, locations
  • compliance requirements, i.e. open or closed system, security and access configuration, data integrity, time and date stamp, electronic signature and data migration
  • workflow of CDS
  • information technology (IT) support requirements
  • interface requirements


We will develop URS for:

  • facilities
  • process equipment
  • laboratory equipment
  • computerized systems
  • utilities