Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) are the industry-standard terms for software validation, and are specifically recognized by the FDA as "a legitimate way to organize software validation tasks at the user site" [1]. Lab-Ally has developed a comprehensive IQ/OQ package to facilitate on-site validation of CERF, and works with customers and qualified third-party validation specialists to support the full validation lifecycle.
Installation Qualification
Objective, documented verification that CERF has been installed correctly to Lab-Ally's specifications — covering hardware, installation package integrity, software components, server configuration, and backup capability.
Operational Qualification
Objective testing and documentation that CERF operates correctly against its functional specifications — from basic login through signature workflows, access controls, search, and 21 CFR Part 11 compliance functions.
Performance Qualification
Documented evidence that CERF performs correctly within your specific working environment and workflows. Defined in collaboration with each customer — no PQ is identical because no two organizations' requirements are identical.
All three qualification procedures contribute to a defensible software validation record and enhance compliance for organizations in regulated industries and academia alike. Lab-Ally's IQ/OQ package has been specifically designed to simplify and accelerate these processes for CERF customers — without sacrificing rigor or regulatory defensibility.
Overview of the IQ/OQ validation workflow for CERF ELN. Validation activities are performed in sequence, with each phase building on the documented results of the previous one.
CERF Installation Qualification (IQ)
Installation Qualification uses objective, documented measures to verify that the right version of CERF has been installed correctly to Lab-Ally specifications. Our Installation Qualification process is best performed at the time of the initial installation — and Lab-Ally technicians can perform IQ concurrently with the installation itself — but IQ can also be performed at any point after installation, or at the time of a CERF update.
The IQ process covers:
- System Hardware — Is the server hardware appropriate for the CERF deployment? Does it meet minimum system requirements?
- Installation Package Integrity — Is the installation package undamaged and unmodified? Has it been correctly downloaded from Lab-Ally's distribution source?
- Installation Process and Documentation — Was the installation performed with the appropriate documentation? Were all steps completed correctly and in the prescribed order?
- Configuration and Initial Start-up — Can the CERF server be correctly configured and started? Do all services initialize as expected?
- Server Folder Hierarchy and Structure — Did the installation result in the correct CERF server folder structure and file store layout?
- Backup Capability — Can a complete backup of the CERF database and file store be performed? Is the backup restorable?
The entire IQ process is extensively documented, giving organizations the flexibility to choose how they wish to proceed: Lab-Ally's technicians can perform IQ on your behalf during installation; your own technical team can follow our IQ procedures independently; or a qualified and independent third-party validation specialist can conduct the process — overseen by Lab-Ally or by the customer. The level of involvement, stringency, and third-party oversight can be calibrated to your organization's specific regulatory requirements and budget.
The CERF Installation Qualification flow chart summarizes the IQ validation activities and decision points. Each decision point is governed by acceptance criteria defined in the Validation Plan.
CERF Operational Qualification (OQ)
CERF is a sophisticated system with many interacting components and a wide range of configuration options. Even with a correct installation, how can you be sure that CERF will continue to operate exactly as required months or years after deployment? Operational Qualification answers that question by objectively testing CERF against its functional specifications — from its most basic functions through its deepest and most layered capabilities.
OQ tests CERF to its Software Requirements Specifications (SRS) and to the 21 CFR Part 11 FDA regulatory requirements for Electronic Records and Electronic Signatures. Some of the items tested in the CERF Operational Qualification include:
- Desktop Client (Windows, Mac & Linux) — Login, multi-factor authentication (TOTP/MFA), resource tree and file system navigation, metadata editing, tags and annotations, resource editing (documents and images), round-trip check-out and check-in, controlled documents, and compliant digital signature workflows.
- Web Administration Client — Admin user management, user activity reports, business policy configuration, and server administration functions.
- CERF Automaton — Automated data ingestion from monitored network folders; Email-to-CERF ingestion via POP3; instrument data capture configuration.
- 21 CFR Part 11 Compliance Functions — Audit trail completeness and immutability, PKI digital signature behavior, access control enforcement, session security, and SOP enforcement workflows.
- Search and Data Retrieval — Full-text search, metadata search, Boolean queries, saved searches, and search result accuracy.
OQ is also an excellent training opportunity for administrators and power users — walking through the full OQ procedure builds deep familiarity with CERF's capabilities and configuration. Although OQ is primarily intended for use immediately after installation, it can be run at any time to verify that your server is functioning as specified — for example, following a software update, a hardware change, or a significant change in your network environment.
The CERF Operational Qualification flow chart shows the three qualification paths — Desktop Client, Web Client, and Automaton — each tested against the CERF Functional Specifications Document and governed by the Validation Plan.
CERF Performance Qualification (PQ)
Performance Qualification validates that CERF performs correctly within your specific in-situ working environment — under real-world conditions, with real users, and against the actual workflows your organization depends on. Unlike IQ and OQ, which test to objective engineering specifications, PQ is tested against user requirements that vary from organization to organization. PQ cannot be a one-size-fits-all operation.
Lab-Ally works directly with each customer to define a PQ procedure that validates the specific CERF functions that are most critical to their organization. Typical PQ validation activities include:
- User management and password workflow validation — confirming that user creation, role assignment, password aging, and MFA enrollment work correctly for your organization's specific configuration.
- Organization-specific signature workflow validation — verifying that your custom signature workflow (e.g., Submitter → Peer Reviewer → Manager → Legal) functions correctly end-to-end with your actual users.
- Controlled document workflow validation — testing your SOP acknowledgment, expiry notification, and training record workflows against your specific document set and procedures.
- Business Policy validation — confirming that your organization's business policies (session timeout, password complexity, MFA enforcement, file export permissions, etc.) are correctly enforced.
- Instrument data ingestion validation — for organizations using the CERF Automaton, verifying that instrument data is correctly captured, attributed, and indexed from your specific instruments and network locations.
A PQ package is not pre-defined — it must be built in collaboration with the customer. Lab-Ally will work with your team to ensure that your PQ procedure is complete, appropriate to your regulatory environment, and genuinely useful to your organization.
Validation Plan and Validation Report
A complete software validation record requires documentation of every activity that was planned, performed, and concluded. Lab-Ally's IQ/OQ package includes both a Validation Plan — created at the beginning of the validation process — and a Validation Report — produced at its conclusion.
Validation Plan
The Validation Plan is the governing document for the validation process. It is created before validation activities begin and typically includes:
- The date and scope of validation activities
- Personnel responsibilities — who performs which activities, and in what order
- Acceptance criteria for each IQ, OQ, and PQ test
- What gets documented, and how defects, anomalies, and deviations are recorded and resolved
- References to User Requirements Specifications (URS), Functional Specifications, and/or System Requirements Specifications (SRS)
The Validation Plan pulls from relevant specification documents to ensure that the validation activities are aligned with the actual requirements of your CERF deployment.
Validation Report
After IQ, OQ, and PQ testing has been completed, the results are collected, analysed, discussed, and formally reported in the Validation Report. The Validation Report typically includes:
- A complete record of all defects, anomalies, and issues discovered, along with their resolution or planned resolution
- A summary of which personnel performed which activities, when, and how long each took
- A requirements trace — a clear mapping showing how each item from the functional specifications or URS has been tested and verified
- A formal conclusion: a clear statement of whether or not the CERF server deployment is validated, and any conditions or limitations on that conclusion
References
- [1] “General Principles of Software Validation; Final Guidance for Industry and FDA Staff.” U.S. Food & Drug Administration. fda.gov/media/73141/download
- [2] CERF ELN 21 CFR Part 11 Compliance Matrix. Lab-Ally LLC. cerf-notebook.com/resources/21-cfr-11-compliant-eln/