Introduction to Computer System Validation

Chapter 1: Getting Started

In this chapter, we'll explore what Computer System Validation (CSV) is, its applications, and significance.
We will also introduce some important regulations and standards that govern its practice.

1.1 What is CSV?

According to both the American FDA and UK MHRA, Computer System Validation (CSV) is defined as:

“Confirmation by examination and provision of objective evidence that software specifications conform
to user needs and intended uses, and that the particular requirements implemented through software
can be consistently fulfilled”.

In other words, CSV is a documented process that ensures a computer system aligns with user needs,
performs as designed, and maintains trustworthy data and reporting.

However, CSV isn't a one-time check; it's an ongoing process that regularly ensures computer systems
stay reliable, secure, and effective amid evolving technology and regulations.

1.1.2 What systems does CSV include?

CSV covers the validation of all parts within a computerized system. This includes the physical hardware,
software applications, peripheral devices like printers, the people operating the system, and the detailed
documentation outlining specifications and procedures.

The validation process makes sure the entire system is reliable, secure, and effective, taking into account
both the physical parts and how people operate and maintain it.

1.2 A brief history of CSV

The concept of validation stems from engineering principles in the validation of mechanical systems.

During the mid-1970’s, Ted Byers and Bud Loftus, two Food and Drug Administration (FDA) officials, first
proposed adopting validation principles in order to improve the quality of pharmaceuticals.
This idea was solidified in with the FDA publishing a guide to the inspection of Computerized Systems in
Pharmaceutical Processing, also known as the ‘bluebook’ (FDA 1983).

1.3 Why CSV matters in regulated industries

CSV is important in regulated industries for several key reasons:

• Compliance: It makes sure a system conforms to the strict regulations that govern pharmaceuticals,
biotechnology, and healthcare, preventing legal and compliance issues.

• Quality and Safety: It guarantees reliable processes, minimizing the risk of errors with serious
consequences for product quality and patient safety.

• Data Integrity: It maintains the integrity of electronic records in data-centric industries, crucial for
accuracy during audits.

• Risk Mitigation: It helps identify and mitigate risks associated with computerized systems,
proactively reducing the chance of errors harming product quality or data integrity.

• Inspection Readiness: It ensures organizations are prepared for inspections, showcasing

commitment to quality and compliance.

• Public Image: It can act as a shield against negative publicity resulting from system failures or
compliance issues, safeguarding the reputation of organizations in regulated industries.

1.3.1 What could go wrong?

Without proper CSV, the life sciences industry faces many risks. These risks include potential data
inaccuracies, regulatory compliance breaches, and compromised patient safety due to unreliable
information.

For example, a minor software glitch could cause a discrepancy in tablet composition, causing the active
pharmaceutical ingredient concentration to be off by a factor of ten. This discrepancy might arise from a
basic decimal point error, shifting the concentration from 0.5 mg to 5.0 mg.

Additionally, there are challenges like product quality issues in manufacturing, operational inefficiencies,
data security vulnerabilities, and difficulties in meeting audit and inspection requirements. The absence
of CSV can also lead to reputational damage, increased costs for remediation, and hinder the overall
operational efficiency of the industry.
1.4 Regulations, standards, and guidelines

US – FDA 21 CFR Part 11: Electronic Records; Electronic Signatures (ERES)

Purpose: Enforced by the U.S. Food and Drug Administration (FDA), 21 CFR Part 11 establishes criteria for
the use of electronic records and signatures in the pharmaceutical industry.

Scope: Applicable to electronic records required by FDA regulations.

Requirements: Specifies controls for electronic signatures, audit trails, and system validation.

Compliance: Integral for ensuring the reliability and integrity of electronic records and signatures.

Europe – GMP Guide Annex 11: Computerized Systems

Purpose: Part of the European Union's Good Manufacturing Practice (GMP) guidelines, Annex 11 focuses
on the use of computerized systems in pharmaceutical manufacturing.

Scope: Applicable to computerized systems used in GMP-regulated activities.

Requirements: Emphasizes validation, data integrity, and the importance of risk management.

Compliance: Integral for ensuring the reliability and integrity of electronic records and signatures.

GAMP 5 (Good Automated Manufacturing Practice)

Whereas every regulatory authority maintains their own high-level CSV requirements, the industry still
requires more specific instructions and guidelines, which are mainly manifested in the so called GAMP5
Guidelines. „GAMP has emerged through its various editions as the unofficial consensus standard for
computer compliance between regulators, pharmaceutical companies, and suppliers around the world.

Purpose: GAMP 5 is a set of guidelines developed by the International Society for Pharmaceutical
Engineering (ISPE) for the validation of automated systems. We will go into more detail in the following
chapter, but for now:

Key Points:

Risk-Based Approach: GAMP 5 emphasizes a risk-based approach to CSV.

Categories of Software: Classifies software into categories based on the impact on product quality and
patient safety.

Lifecycle Approach: Guides through the entire software lifecycle, from development to
decommissioning.
Chapter 2: GAMP5
Now that you have a grasp of CSV fundamentals, let's delve deeper into GAMP®5, the industry standard
for effective CSV implementation.

We’ll cover its scope, processes, roles and responsibilities, as well as software categorization.

2.1 Understanding GAMP5

GAMP5, developed by the International Pharmaceutical Society for Pharmaceutical Engineering (IPSE),
offers a standardized method for qualifying and validating automated systems. Its main goal is to
guarantee that computerized systems align with regulations, preserve data integrity, and consistently
deliver top-notch products. This framework extends to various systems like manufacturing equipment,
control systems, lab instruments, and software applications.

Every system requires a customized validation approach and GAMP provides the required tools,
procedures, and guidance to create individual validation strategies.

2.1.1 Recommendations and best practices

GAMP®5 outlines several best practices for the validation of automated systems in the pharmaceutical
industry. Here are some key GAMP5 best practices:

• Develop Clear and Precise Functional and User Requirements

• Perform risk-based CSV.
• Create a detailed Validation Plan.
• Create a Team with knowledge of regulatory guidelines/compliance, validation procedures,
laboratory processes, and the technology.
• Document thoroughly.
• Audit third-party Providers.
• Maintain a continuous validation life cycle of the system.

2.2 The Validation V

The GAMP5 V-model is a way of organizing and understanding the steps involved in developing a
product. Picture it like a letter "V." In the first part, we start at the top and work our way down (planning,
specifying, preparing) with input from the user. This helps the validation team understand and put in
place what the user needs.
Then, in the second part, we go back up the other side of the "V" (configuring, verifying, reporting). Here,
we check that what we built matches was planned. It's like a loop – going back and forth between how
things should be and what has been created or configured to make sure everything aligns correctly. This
way, we make sure the final product meets the initial user’s requirements.

Below are descriptions of each stage:

What How
Planning During the planning phase of the Validation V, the
project team outlines responsibilities, the general
approach and strategy for the validation activities,
establishing the groundwork for subsequent
activities.
User Requirements The URS phase involves gathering and documenting
Specification (URS): the specific needs and expectations of the end-users,
forming a comprehensive guide for the validation and
development team. The URS are often also called
“Business Requirements”.
Functional specifications Functional specifications detail how the system will
meet the user requirements on a more technical level,
outlining its features and capabilities.
Design Specifications: Design specifications delve into infrastructure and
more technical specifics of how the system will be
built, translating functional requirements into a
detailed blueprint.
Risk Assessments Every User Requirement, Functional Specification,
Configuration Plan, or similar requirement document
must be analysed through a Risk Assessment. The
identified risks must be mitigated through measures
or extra testing on the “right side” of the validation V
through the verification steps.
System Build: The system build phase involves the actual
development and construction of the system based
on the design specifications.
Installation Qualification Installation qualification tests ensure that the system
Tests: is correctly installed and configured according to
specifications.
Operational Qualification Operational qualification tests verify that the system
Tests: modules or base functionalities operate as intended in
their intended environment. This is also called
“Module testing”.
Performance Qualification Performance qualification tests assess the system's
Tests: performance under various conditions to ensure it
meets defined criteria based on the initial User
Requirements. The PQ is considered as final test by
the End Users.
 Reporting: The final reporting phase involves documenting and
communicating the entire validation process,
providing a clear record of the development activities
and their outcomes. The final signature of the
“Validation Report” also means that the system or its
update is ready for usage.

2.3 GAMP5 categories

GAMP5 classifies computerized systems into four complexity categories, guiding the validation
process. These categories determine the validation route and necessary documents for demonstrating
system suitability and GxP regulation compliance.

Below is a summary of the GAMP5 categories:

Category Description Examples

Category 1: Infrastructure This includes platforms on
which computer
applications or elements
are necessary to operate
and manage information
technology environments
run
Category 3: Non- This includes "Off the Shelf"
configurable software Software without
configurable functions,
used as purchased.
Category 4: Configurable This includes software that
software. allows you to run a specific
business process with
configurable parameters
E.g. Operating systems,
firewall, antivirus.
E.g. Tools for statistical
calculation, software for
data acquisition without
configuration capacity,
control panel viewers,
spreadsheets used as
databases.
E.g. ERP (Enterprise
Resource Planning), L.I.M.S,
Spreadsheet applications
with formulas and or input
data linked to specific cells,
production equipment
control systems associated
with the process.

Category 5: Custom or This includes customized or E.g. add-ons for categories

bespoke software. customer-specific software 3 and 4, spreadsheets with
solutions tailored to meet scripts, unique and
specific organizational dedicated systems, ERP
needs. systems or developments
 made to meet the specific
needs for an organization.

2.3.1 Why is there no category 2?

GAMP5 category 2 is no longer used because, in GAMP version 4, firmware had unique traits
distinguishing it from other categories. As firmware evolved, it now falls into categories 3, 4, or 5. During
the transition from GAMP 4 to GAMP 5, category 2 was removed, maintaining the numbering as
categories 1, 3, 4, and 5.

2.4 GAMP5 roles and responsibilities

Below is a list of roles and their responsibilities:

Role Responsibilities
Process Owner: The Process Owner oversees a specific business process,
defining requirements for the automated system supporting
their process. They collaborate to ensure alignment with
organizational goals and regulatory standards.
For Example: Global Deviation Management Process Owner.
System Owner: The System Owner manages the entire lifecycle of an
automated system, leading in validation, design, and
ongoing management. They work with stakeholders to
ensure functionality and compliance.
For Example: The person responsible for the Deviation
Management Software in the company.
Subject Matter Experts SMEs bring specialized knowledge to the validation process,
(SMEs): providing insights on system functionalities, requirements,
and risks. They ensure alignment with industry best
practices.
For Example: Deviation Process responsible from a
production facility or a Laboratory Manager responsible for
Quality procedures.
Quality Unit: The Quality Unit ensures processes and systems comply with
quality standards and regulations. In GAMP5, they review and
approve validation documentation, overseeing compliance
and providing assurance.
For Example: The department or person responsible for the
general Quality Management System of a company. In some
cases, the Process Owner can also be from Quality
Assurance.
 Supplier: Suppliers provide hardware, software, or services for the
automated system. They are crucial in the validation process,
involved in development, configuration, or maintenance.
Organizations must manage suppliers in line with GAMP5
principles.
For Example: the company that developed a software now
used for your company.
End User: End Users interact with the automated system daily. In
GAMP5, their involvement is vital for capturing user
requirements, validating the user interface, and ensuring
practical operational needs are met. They provide feedback
to enhance usability and effectiveness.
For Example: a laboratory employee using the software to
save records.

Chapter 3: CSV Prerequisites

Now that you understand the basics of CSV and GAMP®5, let's focus some prerequisites for successful
implementation. Without these prerequisites, you won't be able to carry out the GAMP®5 process
effectively and meet the needs of end users.

3.1 The Quality Management System:

A strong Quality Management System (QMS) based on GMP requirements is vital for effective CSV in the
life sciences industry. It helps the company plan, control, and improve its processes to ensure that users
get reliable and high-quality products. Think of it as a roadmap that guides the company in delivering
the best possible results, keeping everything in check to maintain quality and user satisfaction. The QMS
should include:

• Document Management System: Ensures organized creation, review, and distribution of crucial
validation documentation, maintaining compliance and traceability.

• Change Management: Handles modifications to systems or processes, systematically evaluating

their impact, updating documentation, and re-validating as needed.

• Non-Conformance Management: Facilitates systematic documentation, investigation, and

resolution of deviations during validation activities, ensuring transparency and integrity.
 • Risk Management: Identifies, assesses, and mitigates risks associated with computerized
systems, focusing validation efforts on high-risk areas.

• CAPA Management: Implements corrective and preventive actions, contributing to continuous

improvement in CSV processes and preventing recurrence of issues.

• Computer system Validation Procedures: This includes the implementation of a CSV SOP in the
company.

3.2 System Deployment Practices

Validating a system isn't sufficient; proper deployment within your company and thorough training for
end users are essential. System deployment practices for CSV may include:

• Change Acceptance: Right from the start of the project or early on, aim to get a statement or a brief
video interview from a higher-up in the company. This should declare the company's support or
decision regarding the upcoming change.

• News and Project Updates: Keep your company and end users informed by regularly sharing
project updates and providing dependable timelines.

• Training Strategy: Before using the system, it's important to properly train end users or groups. To
achieve this, develop an effective training strategy that includes tools like Pharmuni, e-courses,
documents, or videos.

3.3 The Validation Manager

A Computer System Validation Manager is crucial to ensure GxP computerized systems meet quality
standards. This role oversees the CSV strategy, managing validations for new systems and changes to
existing ones. It requires both knowledge and practical experience to address unforeseen issues.
Unfortunately, some companies mistakenly hire inexperienced candidates with theoretical knowledge
but lacking practical expertise which leads to an incomplete validation strategy and a lot of

troubleshooting and deviation management at a later state, including a reduced End User acceptance.
Make sure that at least one experienced Validation Manager is part of your team.
SUMMARY

• CSV is critical in regulated industries as it ensures compliance with regulations, maintains quality
and safety, preserves data integrity, mitigates risks, prepares for inspections, and safeguards
public image by preventing negative publicity.

• Regulations you need to know include US – FDA 21 CFR Part 11: Electronic Records; Electronic
Signatures (ERES), Europe – GMP Guide Annex 11: Computerized Systems, and GAMP5 (Good
Automated Manufacturing Practice)

• The GAMP5 V-model organizes product development steps in a visual "V" shape. The first part
involves planning and configuring with user input, and the second part verifies and reports,
ensuring alignment between what the user wants and what is created, creating a loop for quality
assurance.

• GAMP5 classifies computerized systems into four complexity categories: Category 1:

Infrastructure, Category 3: Non-configurable software, Category 4: Configurable software,
Category 5: Custom or bespoke software. Essential roles include the Process Owner, the System
Owner, SMEs, the Quality Unit, Suppliers, and End Users.

• CSV prerequisites include having a strong Quality Management System (QMS), consistent System
Deployment Practices, as well as an experienced Validation Manager.