Site Acceptance Test

A Site Acceptance Test (SAT) is the formal verification, performed at the owner’s facility, that a configured MES and its connected components (e.g., PLC/SCADA interfaces, printers/scanners, labelers, LIMS/WMS/ERP integrations) operate as intended in the actual production environment. SAT is executed against user and regulatory requirements with predefined acceptance criteria, controlled test data, and contemporaneous evidence. It typically follows FAT and commissioning, and precedes or runs in parallel with qualification (IQ/OQ) depending on the project strategy under EU GMP Annex 15.

For GxP use, SAT evidence supports the overall validation package required by EU GMP Annex 11/15 and 21 CFR expectations for validated computerized systems, including Part 11 controls where electronic records/signatures are used. Under FDA’s CSA guidance, SAT emphasizes risk-based, assurance-focused testing of features that impact patient/product safety and data integrity, rather than exhaustive, low-value scripting.

The SAT proves that the MES, its infrastructure, and site procedures collectively deliver intended performance under real utilities, networks, security, and operator workflows. It exercises end-to-end scenarios representative of routine and critical operations and confirms that integrations exchange correct data with appropriate controls. Outcomes should be traceable to URS, risk controls, and regulatory expectations for validated computerized systems and data integrity.

• Functional fit: recipes/procedures, material handling, eBMR/eDHR flows, holds/releases, label/print jobs, and role-based approvals.
• Integration fit: master data synchronization, lot/serial events, inventory status, QC sampling/results, equipment state, and scheduling across ISA‑95 Levels 2–4.
• Data integrity and Part 11/Annex 11 controls: audit trails, electronic signatures, time synchronization, user/role management, backup/restore, and business continuity.
• Operational readiness: SOP alignment, training completion, access provisioning, and support procedures (incident/Change Control/CAPA) for sustained compliance.
• Performance and reliability: response time at the HMI/terminal, network latency tolerance, printer/scanner throughput, basic failover, and recovery behaviors.
• Acceptance and closure: deviation management, punch list tracking, and a final SAT report with go/no-go recommendation feeding IQ/OQ/PQ.

SAT is distinct from Factory Acceptance Testing (FAT) and from qualification (IQ/OQ/PQ), yet it can generate evidence re-used in the qualification dossier if executed under change-controlled, approved protocols. The table contrasts common purposes and deliverables. Annex 15 allows leveraging commissioning or other verification work when it is appropriately defined, reviewed, and meets validation standards.

An SAT protocol should be requirements- and risk-driven (per GAMP 5 and FDA CSA), prioritizing functions that could impact product quality, patient safety, and data integrity. It includes scope, prerequisites (infrastructure, master data, trained users), roles, test cases with unambiguous steps and expected results, objective acceptance criteria, data sets, evidence capture instructions, and deviation handling rules. Where practical, it should employ a mix of scripted, scenario-based, and unscripted/exploratory testing to maximize assurance for critical risks.

• Traceability: URS-to-test-case (and risk) mapping so that each critical requirement is tested in context; maintain a living RTM.
• Negative and boundary tests: failed logins, expired materials, over-tolerance weighs, duplicate serials, and forced network loss to confirm controls.
• Pre-conditions: software version/build IDs, configuration baselines, time sync status, and clean test environment/data.
• Evidence: contemporaneous screenshots, system logs, barcode labels, printouts, executed e-signatures, and key database queries where permitted.
• Acceptance: explicit pass/fail with objective criteria (including performance thresholds and error-handling behavior).
• Deviations: severity classification, impact assessment, interim risk controls, owner, and closure criteria, culminating in a final SAT summary report.

Because MES sits at ISA‑95 Level 3, SAT must demonstrate reliable, secure information exchange between Level 2 (SCADA/PLC) and Level 4 (ERP/enterprise), as well as peer L3 systems (e.g., LIMS, WMS, CMMS). Tests should cover data mapping, sequencing, retries, idempotency, and error-handling so that material genealogy, equipment status, quality holds, and electronic records remain consistent across systems.

• Message integrity: correct schemas, field-level validation, and rejection handling for malformed messages.
• Transactional robustness: guaranteed delivery, retries with back-off, duplicate suppression, and reconciliation reports.
• Security: authenticated endpoints, least-privilege service accounts, certificate management, and audit trails of interface operations.
• Time coherence: NTP synchronization to ensure audit trails/events order correctly across systems.

Where electronic records and signatures are used, SAT must verify technical and procedural controls consistent with 21 CFR Part 11 and EU GMP Annex 11. This includes unique user accounts, enforced password rules, role-based access, e-signature manifestation and linking to records, secure audit trails of creation/modification/deletion, system time synchronization, and controlled print/label outputs. Backup/restore, archival, and business continuity testing should be in scope to the extent risk-justified.

• Audit trail checks: verify that critical data changes are fully captured with who/what/when/why, are non-editable, and are reviewable.
• Electronic signature checks: ensure dual-authentication where required, proper meaning codes, and signature-to-record binding.
• User lifecycle: provisioning, role updates, suspension/termination; confirm access removal is timely and logged.
• Backup/restore: demonstrate restoral of a controlled subset of records to a test environment without data loss or integrity breach.
• Print and label controls: test issuance logs, reprint authorization, voiding, and reconciliation to prevent mix-ups.

SAT execution typically runs in controlled windows (e.g., prior to start-up or during a scheduled shutdown). Lock configuration baselines; control test data; and assign qualified testers, witnesses, and QA oversight. Exercise representative equipment, terminals, and peripherals; simulate realistic concurrency; and capture evidence that meets ALCOA+ principles (attributable, legible, contemporaneous, original, accurate, plus complete, consistent, enduring, and available).

• Environment controls: disable background jobs that could corrupt test data; snapshot configurations; document software build IDs.
• Data sets: seed master data and orders with traceable IDs; mark all test labels and printouts to prevent use in production.
• Peripheral checks: printers, scanners, scales, labelers—verify drivers, templates, and calibration status where applicable.
• Concurrency and load: parallel order execution, multiple terminals, and interface spikes to observe degradation modes.
• Defect triage: classify as vendor defect, configuration error, or SOP gap; log impact assessments and interim controls.
• Reporting: daily status, defect burn-down, and a final SAT report with residual risk rationale and go/no-go recommendation.

Pharmaceutical and radiopharmaceutical sites often emphasize weigh-and-dispense controls, eBMR review-by-exception, sampling triggers, hold/release logic, and time-critical workflows. Medical device environments focus on eDHR completeness, label/UDI accuracy, and integration to PLM/ERP. Food and cosmetics plants emphasize HACCP/CCP enforcement, allergen/cleaning verifications, and lot genealogy. Each context drives different SAT risks and test depth.

• Single-use/bioprocess: frequent equipment changes and disposable tracking—verify rapid equipment/recipe association and line clearance checks.
• Hybrid brownfield: coexistence with legacy L2 systems—validate protocol fallbacks, interface retries, and manual entry controls.
• Cloud/SaaS MES: network dependency, identity federation, and data residency—test offline behaviors, SSO, and latency tolerance.
• Edge components: store-and-forward buffers—verify durability during network outages and robust reconciliation on reconnect.
• Label governance: template change control, preview/approval workflows, and reprint restrictions to prevent mislabeling.

• Replicating FAT rather than testing site realities (utilities, networks, SOPs, master data).
• Omitting integration negative tests (bad data, dropped connections, duplicate events) that reveal data integrity risks.
• Inadequate time synchronization checks, leading to misordered audit trails and problematic batch review.
• Uncontrolled test data that leaks into production inventory/genealogy.
• Under-testing print/label controls and reprint authorization workflows.
• Skipping backup/restore and business continuity checks despite Part 11/Annex 11 expectations.
• Poor evidence quality (no attribution, missing timestamps), limiting reuse in IQ/OQ.
• Failure to involve QA early, resulting in rework of protocols or invalidated evidence.

SAT efficacy improves when requirements, configuration, test execution, deviations, and CAPAs live on the same controlled record. Evidence must be attributable to specific configuration states, and interface behaviors must be verifiable across MES, QMS, LIMS, WMS, ERP, and equipment.

At completion, compile the SAT evidence pack and summary report: scope covered, deviations with dispositions, residual risks, and a clear acceptance recommendation. Ensure traceability from URS/risk controls to test cases and results. If SAT was designed under the site’s validation procedures, selected results may be reused within IQ/OQ to avoid duplicate testing, consistent with Annex 15’s leveraging of prior verification when justified.

Close open actions or define interim controls with owners and due dates; place configurations under change control; and confirm readiness (training records, SOPs, support model). The handoff into IQ/OQ/PQ formalizes qualification, after which controlled release to GxP use occurs. Maintain SAT artifacts as part of the validation package for inspections, aligned to 21 CFR Part 11/211 and EU GMP Annex 11/15.