Commissioning & Decommissioning

Commissioning is the planned, documented process that brings facilities, utilities, equipment, software (e.g., MES), interfaces, and master data into controlled operation under GMP/GxP. It confirms installation and operation against specified requirements, typically leveraging vendor FAT/SAT, executing risk-based IQ/OQ, and producing evidence that the system is fit to enter PQ or routine use. Decommissioning is the controlled retirement or replacement of those assets and computerized systems, ensuring data integrity, compliant record retention, validated data migration or archiving, and containment of residual risks to product quality, patient safety, and traceability.

Both processes sit within a lifecycle approach (Annex 11/15; GAMP 5 2nd ed.) that links user requirements to verification, documentation, training, SOPs, and ongoing monitoring. In MES contexts, commissioning/decommissioning must coordinate across ISA-95 Levels 2–4, including recipes, equipment states, role-based access, integration endpoints, and data flows used to generate eBMR/eDHR and release decisions under 21 CFR 211/820 and Part 11.

EU GMP Annex 15 frames commissioning/qualification as lifecycle activities that may leverage supplier testing and risk assessments to focus verification on critical aspects. Annex 11 requires a lifecycle for computerized systems, including specification, verification, data migration, archiving, security, and system retirement. In the U.S., 21 CFR 211 expects suitable equipment, validated processes, and accurate/retained records; 21 CFR 820 requires adequate installation, process validation (as applicable), and document/record control for devices. 21 CFR Part 11 governs the trustworthiness of electronic records and signatures used during commissioning and routine use, including audit trails and retrieval throughout retention.

These obligations extend beyond equipment to master data (materials, specs), recipes, electronic forms, audit trails, and system interfaces that impact product quality or regulatory records. Decommissioning must not compromise the availability, integrity, or authenticity of records needed for investigations, APR/PQR, complaint handling, or postmarket surveillance. NIST SP 800-82 complements GMP controls with ICS/OT hardening and sanitization practices that matter when retiring PLCs, HMIs, or servers storing regulated data.

GAMP 5 (2nd ed.) promotes a scalable, risk-based lifecycle aligned to Annex 11/15. Commissioning typically starts from URS and risk assessments (e.g., FMEA), supplier documentation (FAT/SAT), design reviews, configuration and integration specifications, and traceability matrices. Verification activities include IQ (installation), OQ (functional/operational testing under defined ranges with negative/abnormal scenarios), and targeted performance checks sufficient to enter PQ (process verification in the intended context of use). Configuration baselines, cybersecurity hardening, backup/restore, disaster recovery, and time-source synchronization are core commissioning deliverables for MES.

• Core commissioning outputs: approved URS, risk assessment, design/configuration specs, traceability matrix, FAT/SAT leverage report, IQ/OQ protocols and reports, data migration plan/tests, access model, backup/restore test, SOPs, training, release-to-use memo.
• Decommissioning outputs: change control, deactivation plan, data inventory/map, read-only freeze, validated migration or archival with retrieval tests, cryptographic/hash checksums where viable, sanitization certificates, retirement report, SOP updates, training, risk acceptance/closeout.

Throughout, data integrity (ALCOA+), audit trails, and controlled contemporaneous documentation are required. Evidence must demonstrate that the verified controls adequately mitigate risks to product quality, patient safety, and record integrity. Where appropriate, supplier assessments and pre-existing qualification can be used with justification; however, the regulated entity remains ultimately accountable for fitness-for-intended-use and compliant records.

Commissioning and decommissioning span ISA-95 Levels 2–4. At Level 2 (control), equipment modules and control modules (ISA-88) must be installed, configured, and verified, including interlocks and permissives. At Level 3 (MES), master recipes, equipment models/states, materials, specifications, role-based access, e-signature rules, and interfaces to LIMS/ERP/WMS must be baselined and tested. At Level 4, ERP integrations that influence batch genealogy, release, or regulatory records are brought under change control, including message schemas and transaction idempotency.

This mapping emphasizes that MES commissioning cannot be isolated from automation, master data, and upstream/downstream systems that contribute to final regulatory records and release decisions.

For MES, the critical objective is to demonstrate that configured processes reliably produce complete, accurate, attributable, and retrievable eBMR/eDHR and support compliant operations. Key areas include master data integrity (materials, specs, equipment), recipe control (versioning, approvals, release status), user/role/e-sign configurations, workflow logic (branching, holds, rework), device integrations (weighing, barcode, PAT), and interfaces (LIMS, ERP, WMS) that determine genealogy and release. Part 11 requires validated controls for audit trails, electronic signatures, record copies, and long-term retrieval.

• Data migration/initial load: qualify mappings and transformations; reconcile counts and critical attributes; test report/record comparability.
• Audit trail challenge tests: verify event capture, timestamps, user attribution, reason-for-change prompts, and review/export.
• Exception handling: demonstrate holds, deviations, rework loops, and batch abort behaviors are controlled and traceable.
• Security: RBAC, least privilege, SoD checks for recipe approval vs execution; time-source synchronization; backup/restore drills.
• Integration: idempotent message handling, retries, duplicate detection, schema version pinning, and error queues with audit trails.

Evidence is collected via risk-based OQ protocols tied to URS through a traceability matrix. Supplier FAT/SAT is leveraged with documented assessment and any gap testing. Release to PQ requires training completion, SOPs, maintained configuration baselines, and confirmation that record retention/archival pathways are in place.

Decommissioning begins under change control with a comprehensive data and interface inventory: what records exist (batches, audit trails, attachments), where they reside (DB, file shares, historian, backups), legal retention requirements, and dependencies (CAPAs, complaints, stability, APR/PQR). Freeze write access; shift to read-only; and maintain controlled user access for a defined period. Validate either a migration (to a successor system) or an archive (immutable, queryable, and human-readable copies) with documented retrieval tests and checksums where feasible to demonstrate completeness and authenticity per Part 11 and Annex 11.

• Select archival format(s): PDF/A for human-readable records plus structured exports (CSV/XML) for data re-use; document rendering fidelity.
• Prove data integrity: sampling or 100% reconciliation of critical records; cryptographic hashes for tamper-evidence; audit trail preservation.
• OT/ICS sanitization: securely wipe or destroy storage media; retain sanitization certificates; consider NIST SP 800-82-aligned procedures.
• Retain environment metadata: application versions, configuration baselines, report templates, and time-source details to support future inquiries.
• Update SOPs/training and retire interfaces/endpoints; monitor residual risks until final closeout and formal retirement report approval.

Annex 15 and GAMP 5 endorse leveraging supplier/vendor testing (e.g., FAT/SAT, vendor OQ) where quality system maturity and traceability are adequate. The regulated organization evaluates the supplier’s documentation, maps it to URS/design requirements, and identifies gaps requiring site-specific testing. This reduces duplication while preserving assurance on patient/product-impacting functions. For MES, focus verification on high-risk logic (e.g., material identity checks, calculation of yields, exception paths), e-sign configurations, and data flows that determine official records.

• Use risk ranking (severity, detectability, occurrence) to prioritize tests.
• Demonstrate coverage with a bidirectional traceability matrix linking URS → design/config → test → objective evidence.
• Document supplier assessment outcomes and rationale for test reduction or acceptance.
• Plan negative testing where feasible (invalid signatures, out-of-range values, failed integrations) to exercise controls.

The goal is to create a defensible, lean package that withstands inspection by clearly relating critical risks to the strength of verification applied and avoiding unnecessary re-testing of well-controlled, non-critical functions.

Commissioning must verify that electronic records are attributable, legible, contemporaneous, original, and accurate (ALCOA+). Part 11 requires validated systems, secure and computer-generated audit trails, e-signature controls, and readily retrievable copies for the full retention period. Annex 11 adds expectations on data migration, archiving, periodic review, and system retirement. For MES, this includes confirming audit trail scope (master and transaction data), time synchronization, identity management (individual accounts; two-person e-signatures where required), and controlled rendering/export to preserve meaning and context.

• Audit trail review: define frequency, roles, and reportability thresholds in SOPs; verify reports are complete and filterable.
• Backup/restore: perform representative restores; verify hash integrity and completeness; document RTO/RPO and alignment to QA needs.
• Admin controls: segregate duties (no single admin can create/approve/execute recipes); log privilege changes; require justification e-signs.
• Print/Export controls: watermarking, versioning, and controlled templates; verify that printed or exported copies are true copies.
• Periodic review: schedule reviews of users, roles, configurations, and patches; document outcomes and remediation under change control.

Frequent issues include inadequate mapping of legacy records before decommissioning, incomplete audit trail capture during commissioning, orphaned integrations, and untested backup/restore pathways. Another pitfall is retiring systems before finalizing investigations or APR/PQR data extractions, leading to unavailable context or broken cross-references. Overly granular testing of low-risk features can also derail timelines without adding assurance. A structured risk-based plan, robust traceability, and rehearsal of archival retrievals significantly reduce inspection risk.

• Lagging indicators: audit observations on data integrity, missing installation records, failed retrieval during inspection, reconciliation gaps after migration.
• Leading indicators: percentage of high-risk requirements with negative testing, successful restore drill rate, periodic review closure time, supplier assessment quality score.
• Practice: execute a mock recall using archived records post-decommissioning to validate end-to-end accessibility and completeness.
• Practice: freeze legacy system changes early and switch to read-only mode with monitored access logs until final archival acceptance.

A practical approach unifies change control, validation evidence, configuration baselines, training, and runtime data so that release-to-use and retirement are both traceable and auditable. MES configuration, e-sign rules, integrations, and master data should be versioned and linked to their verification evidence; decommissioning should preserve that linkage in an immutable archive with tested retrieval procedures and controlled user access.

Commissioning essentials (MES-focused)

1. Approve URS and risk assessment; define data flows and record types subject to retention.
2. Baseline configuration (recipes, equipment states, materials/specs, roles, e-sign rules) under change control; document versions.
3. Leverage FAT/SAT with gap analysis; author risk-based IQ/OQ tied to URS via traceability.
4. Verify audit trails, security (RBAC, SoD), time sync, backup/restore, and exception handling.
5. Qualify integrations (LIMS/ERP/WMS), device interfaces, and idempotent messaging with error handling.
6. Qualify data migration/initial load; reconcile critical attributes and counts; verify report comparability.
7. Train users; approve SOPs; issue release-to-use; start PQ with QA oversight.

Decommissioning essentials

1. Open change control; inventory data, interfaces, legal retention, and dependencies (complaints, CAPA, APR/PQR).
2. Freeze to read-only; maintain controlled access; capture environment metadata and baselines.
3. Execute validated migration or archive strategy; test retrieval and completeness; apply checksums where feasible.
4. Retire integrations; sanitize media per SOP; retain sanitization certificates and chain-of-custody.
5. Update SOPs/training; risk review and final closeout; maintain support plan for archived access.