Computer System

Validation (CSV)
Guidelines &
Documents
Table of Content
1. Introduction to Computer System Validation
(CSV)
2. Why Do We Require Validation?
3. What Should We Validate?
4. Regulatory Overview for CSV
5. Key Phases of Computer System Validation
6. Essential CSV Documentation
7. Approach to CSV
8. Best Practices for Good Documentation
Introduction to Computer System
Validation (CSV)
 Purpose of Validation is to
• Generating Documentary evidence
• Compliance of requirements
• Provide high degree of assurance accordance with expected results

Validation is not just a regulatory requirement — it is an integral part of

ensuring that Patient Safety, Product Quality, and Data Integrity
(ALCOA++).

We Qualify the System and/or Equipment

and Validate the Process
Why Do We Require Validation?
Ensure Guarantee Achieve Maintain Build Trust
Consistent Patient Regulatory Data and
Quality Safety Compliance Integrity Confidence

What Should We Validate?

• Critical Processes: From manufacturing to testing, ensure everything runs as expected.
• Key Equipment: Machines and instruments that shape the quality of the product.
• Materials that Matter: APIs, excipients, and raw materials that ensure product integrity.
• Smart Systems: Software and computerized systems that track and secure data.
• Every Activity: From quality control to documentation—nothing should be left unchecked
Regulatory Overview for CSV
In the pharmaceutical industry, regulatory agencies impose strict guidelines to ensure that
computerized systems do not compromise the quality, safety, and efficacy of pharmaceutical
products.
Code of Federal Regulation (CFR)
 CFR is Codification of General rules & regulation by Federal government.
 CFR Divided into 50 titles (Represent Broad Subject Area)
 Each Title divided into Chapter (Represent Name of Issuance agency)
 Each Chapter divided into Parts (Represent Specific Regulatory areas)
 Large parts may sub-divided into sub-parts
Example: 21CFR Part11
Title Chapter I (Part 11 – Subpart A (General provision), B (ER) & C (ES))
21 CFR Part 11
 Title 21 of CFR Reserved for rules of Food and Drug Administration. There is electronic
 It is divided into three Chapters. way to access CFR
• Chapter I – Food and Drug Administration (FDA)
i.e. e - CFR
• Chapter II - Drug Enforcement Administration (DEA)
• Chapter III – Office of National Drug Control Policy (ONDCP)
 In All, 21 CFR Consist of 1499 Parts.
Like:
• Part 11- Electronic Record and Electronic Signature
• Part 210 - Current Good Manufacturing Practice in Manufacturing, Processing, Packing, or Holding of Drugs
• Part 211 - Current Good Manufacturing Practice for Finished Pharmaceuticals
 Parts 11 Sub Divided into Sub- Parts
Part 11.1 – Scope
Sub Part A
Part 11.2 – Implementation
General Provision
Part 11.3 – Definition
Part 11.10 – Controls for Closed System
Subpart B Part 11.30 – Controls for Open System
Electronic Record Part 11.50 – Signature manifestation
Part 11.70 – Signature/ Record Linking
Part 11.100 – General Requirement
Subpart C
Part 11.200 – Electronic Signature Components & Controls
Electronic Signature
Part 11.300 – Controls For Identification codes/ Password
EU ANNEX - 11
 European Union
• Founded – 1951 after second word war by Six Country (Belgium, France, Germany., Italy,
Luxembourg & Netherlands)
 Current Member State – 27 Countries
 Annex 15: Part of the EU GMP guidelines, dealing specifically with Qualification & Validation
 Annex 11: Part of the EU GMP guidelines, dealing specifically with computerized systems.

EU Annex 11 outlines requirements for managing computerized systems in regulated

environments, emphasizing validation, data integrity, and security.

Consist of four sections

• The first section provides general guidance on topics such as risk management, personnel,
suppliers, and service providers.
• The second section provides guidelines for the project phase , including best practices for
validation.
• The third segment covers best practices for the operational phase and maintenance of
computerized systems: accuracy checks, data storage, printouts, audit trails, change and
configuration management, periodic evaluation, security, incident management, electronic
signature, batch release, business continuity, and archiving.
• The fourth section covers key definitions in the glossary.
 Data Integrity
 Data integrity refer to completeness, consistency & accuracy of data.
 The Data Should be ALCOA, ALCOA+ & ALCOA++.

ATTRIBUTABLE LEGIBLE CONTEMPRENEOUS ORIGINAL ACCURATE

Who Perform & Easily readable Record at the time the Original & Certified free from error
When activity is performed True Copy
(Online)

A L C O A
COMPLETE CONSISTENT
Data must be complete without any Data should be in Sequential manual
deletion, manipulation with sign & date and follow GDP

TRACEABLE
Easy to traceable any type of
data

AVAILABLE ENDURING
Available for review at any time Make Sure Records for the entire
period
GAMP
 Good Automated Manufacturing Practices (GAMP) Published by International Society of Pharmaceutical
Engineering (ISPE)
 Evolution of GAMP

GAMP 5 (2008):
It is a risk-based
GAMP 4 (2008): approach for the
Focused on IT implementation,
systems, including operation, and
GAMP 3 (2001): integrated systems and validation of GxP
Introduced a risk- databases. It promoted Computer Systems in
based approach to integrating validation regulated industries –
validation, categorized with software including the Life
systems by development life Sciences.
GAMP 2 (1995): complexity, and cycles and
strengthened risk GAMP 5 2nd
Expanded on emphasized system
management Edition, published in
GAMP 1, providing lifecycle management
practices. July 2022
more detailed and documented
guidance on the evidence of system
GAMP 1 (1991) validation of performance.
Introduced the need for automation and
systematic validation of control systems,
software and hardware and introduced the
in pharmaceutical concept of
manufacturing, laying computerized
the foundation for systems
GAMP principles. validation.
GAMP 5
 GAMP categories classify computerized systems by complexity, allowing validation efforts to focus on
the highest-risk areas.
 The more complex a system is, the greater its risks will be. These risks primarily involve data integrity,
product quality, and patient safety.
 Software Categories

CATEGORY 1 CATEGORY 3 CATEGORY 4 CATEGORY 5

INFRASTRUCTURE NON-CONFIGURED CONFIGURED CUSTOMIZED
SOFTWARE SOFTWARE SOFTWARE SOFTWARE

Operating System
These applications
Default Configuration can are customized to
configuration can be be done to meet the meet specific needs
used user specific needs of regulated
company

Firmware, TLC,
Windows, Database LIMS, SCADA, Custom Build
Empower, Lab
Manager, Linux DCS Amazon, Flipkart
Solution
 Hardware Categories

Hardware

Category 2
Category 1
Custom Build Hardware
Standard Hardware Components
Components

Record model, version, serial

As for Standard Components but
number, verify
also require a design Specification
installation/Connection
and acceptance test
e.g. Hard drives, monitors, CPU.
e.g. PCB, Finger print machine
Scanner & Printer
Key Phases of Computer System Validation

Here's a brief summary of the key phases and concepts:

 Concept Phase:
• Define the system's purpose, scope, and users.
• Identify risks, including GxP-related risks.
 Project Phase:
• Planning: Determine activities, timelines, and responsibilities, scaling according to
system impact on patient safety, product quality, and data integrity.
• Specification, Configuration, and Risk Assessment: Define system
specifications, configure the system according to controlled processes, and perform
risk assessments.
• Verification: Confirm that the system meets specifications through testing at
various levels.
• Report and Release: Approve the system for use through documented processes
and verify traceability to demonstrate compliance.
 Operation Phase:
• Handover: Transition the system from the project team to operational users.
• Service Management & Performance Monitoring: Ensure continuous monitoring and
management of the system’s performance.
• Incident Management, CAPA, and Change Management: Address issues through
incident management and root-cause analysis with corrective and preventive actions.
• Configuration Management and Maintenance: Track changes to system configuration
and ensure updates and repairs are done according to process.
• Periodic Reviews: Ensure the system remains compliant and effective through scheduled
assessments.
• Security and Administration: Ensure that data and systems are secure and that appropriate
user access is controlled.
 Retirement Phase:
• Withdrawal, Decommissioning, and Disposal: Safely retire the system, decommission it,
and ensure secure disposal of data and components.
• Data Migration: When replacing systems or updating data, ensure migration is accurate
and verified to preserve integrity.
Approach to CSV
V- Model Approach The V-model is a graphical representation of software development and testing activities, including its verification and validation process.
 Validation Deliverables Category 1 Category 3 Category 4 Category 5

User requirement specification (URS) √ √ √ √

System Requirement Specification (SRS) - - √ √

Initial risk assessment (IRA)/GxP Assessment (GxPA) √ √ √ √

Electronic Record/ Electronic Signature (ER/ES) - - √ √

Validation Plan (VP)/
- √ √ √
Project Validation Plan (PVP)
Functional Requirement Specification (FRS)/
- - √ √
Functional Specification (FS)
Design Specification (DS)/
Functional Design Specification (FDS)/ - - √ √
Detailed Design Specification (DDS)
Configurational Specification (CS) - - √ √

Functional Risk Assessment (FRA) (Pre) - - √ √

Design Qualification (DQ) - √ √

Installation Qualification (IQ) √ √ √ √

Installation Operational Qualification (IOQ) √ √ √ √

Operational Qualification (OQ) - √ √ √

Operational Performance Qualification (OPQ) - √ √ √

Performance Qualification (PQ) - √ √ √

Functional Risk Assessment (FRA) (Post) - - √ √

Requirement Traceability Matrix (RTM) - √ √ √

Validation Summary Report (VSR) - √ √ √

System Release Certificate (SRC) - √ √ √

Best Practices for Good
Documentation
• Consistency: Use consistent language, formatting, and terminology across all documents to avoid
confusion and ensure a smooth reading experience.
• Clarity and Detail: Ensure that all documentation is clear, detailed, and unambiguous. This will aid in
audits, inspections, and any future changes to the system.
• Audit Readiness: Ensure all validation documentation is readily available, organized, and easy to
retrieve for regulatory inspections or audits.
• Compliance Focus: Always stay informed about changes in regulations to keep your documentation
aligned with industry standards and legal requirements. Regularly update documents to reflect the latest
compliance rules, ensuring everything is in line with current regulations.

“Good documentation is key for

audits and risk management.”
 THANK YOU

ANY QUESTION