Article · Wikipedia archive · Last revised May 30, 2026

Computerized system validation

Computerized system validation (CSV; computerised system validation in European countries) is the process of testing/validating/qualifying a regulated (e.g., US FDA 21 CFR Part 11[1]) computerized system to ensure that it does exactly what it is designed to do in a consistent and reproducible manner that is as safe, secure and reliable as paper-based records. It is often incorrectly referred to as "Computer Systems Validation"; however, the PIC/S guidance Good Practices for Computerised Systems in Regulated "GXP" Environments[2] clearly distinguishes between a computerised system, which is composed of the computer system and the controlled function or process, and the computer system, which is composed of all computer hardware, firmware, installed devices, and software controlling the operation of the computer and is therefore only a part of the computerized system. CSV is widely used in the pharmaceutical, life sciences and biotech industries and is a cousin of software testing, but with a wider scope and a more formal and documented approach. The validation process begins with validation planning, system requirements definition, risk assessment, testing and verification activities, and validation reporting. The system lifecycle then enters the operational phase and continues until system retirement and retention of system data based on regulatory rules.

Similarly, The Rules Governing Medicinal Products in the European Union, Volume 4, Annex 11: Computerised Systems applies to all forms of computerized systems used as part of GMP-regulated activities and defines Computer System Validation Elements.[3]

Best practices for CSV are described in the GAMP 5 Guide: A Risk-Based Approach to Compliant GxP Computerized Systems (Second Edition) and associated guides.

Validation planning

CSV is typically a complex process that requires planning. A Validation Plan typically covers the following areas:[3]

  • Scope & Validation Strategy
  • Risk-Based Approach
  • Requirements & Intended Use
  • Validation Lifecycle
  • Validation Deliverables & Documentation
  • Test Strategy & Acceptance Criteria
  • Data Integrity & Compliance Controls
  • Supplier & System Assessment
  • Infrastructure & IT Environment
  • Roles, Responsibilities & Governance
  • Change Control & Configuration Management
  • Deviation & Issue Management
  • Release & Validation Conclusion
  • Periodic Review & Maintaining Validated State
  • Archiving & Retirement

System requirements

Documented system requirements are required for CSV as they clearly stipulate the intended use of a computer system application (Annex 11: Computerised Systems; Section 6).[3] System requirements are gathered and documented in the system definition phase. System definition artifacts that reflect these requirements can include, but are not limited to, the following:

  • User Requirements Specification: Contains the functional and non-functional requirements of the system to enable and support the intended use. The User Requirements are typically prioritized to distinguish between important functionality and "nice-to-haves".
  • Functional Specification: Specifies the functions/features of a software or application. The Functional Specification is typically established by the software provider/supplier or the Software Development team.
  • Hardware Requirements Specification: Minimum hardware required to support the system.

System verification

The defined and documented system requirements must be verified following a risk-based approach that considers the potential risk to data integrity, (medicinal) product quality and patient safety. This can be achieved through risk-based testing or review/assessment activities. Functional requirements are typically testable, while non-functional requirements (e.g. system availability) are often verified through reviews and assessments by subject matter experts.[4][5]

System release

As part of the CSV life cycle activities, the release of the system for productive use needs to be documented, including all potentially required handover activities:[4][5][6]

  • Transfer of system ownership to business / system owner
  • Formal QA approval and system release to GxP use
  • Completion and approval of Validation Summary Report
  • Handover of validated documentation set (
  • Establishment of system SOPs (operation, maintenance, administration)
  • Definition of system responsibilities
  • Training of end users, administrators, and support personnel
  • Knowledge transfer from project team to operations
  • Transfer of configuration and system baseline
  • Setup of change control and configuration management processes
  • Setup of deviation / incident management procedures
  • Establishment of periodic review process
  • Establishment of backup, restore, and archiving procedures
  • Verification of data integrity controls (e.g. audit trails, access control)
  • Supplier/vendor handover (support agreements, SLAs, escalation paths)
  • Infrastructure handover (IT environment, hosting, security controls)
  • Definition of monitoring and performance management (KPIs / logging)
  • Setup of access management and user administration procedures
  • Establishment of business continuity / disaster recovery processes
  • Transfer of validation traceability
  • Definition of revalidation / change impact triggers
  • Go‑live readiness confirmation (release criteria fulfilled)
  • Transition to lifecycle operation (validated state maintenance)
  • Setup of continuous verification / monitoring

References

  1. Office of the Commissioner (2020-06-11). "Part 11, Electronic Records; Electronic Signatures - Scope and Application". U.S. Food and Drug Administration. Archived from the original on April 27, 2019. Retrieved 2021-09-10.
  2. "Publications". picscheme.org. Retrieved 2026-05-13.
  3. European Commission (2011-06-30). "EudraLex, The Rules Governing Medicinal Products in the European Union Volume 4, Good Manufacturing Practice Medicinal Products for Human and Veterinary Use, Annex 11: Computerised Systems" (PDF). European Commission. Retrieved 2023-03-11.
  4. Moradi, Ershad (2025-12-05). "Computer System Validation in Pharma (2026 CSV Guide)". Pharmuni. Retrieved 2026-05-13.
  5. "Computer System Validation (CSV) In The Pharmaceutical Industry". GMP Insiders. 2025-08-31. Retrieved 2026-05-13.
  6. TechnoLynx Ltd (2026-05-07). "EU GMP Annex 11: What It Requires for Computerised Systems in Pharma". TechnoLynx. Retrieved 2026-05-13.