Is CSV Implementation Really That Critical? (Revised Edition)
On a daily basis, I receive consulting requests regarding CSV (Computerized System Validation) implementation from pharmaceutical companies, medical device manufacturers, and vendor companies. In most cases, they cite reasons such as preparing for regulatory inspections, avoiding findings from customer audits, or simply stating that regulatory requirements must be absolutely complied with.
This represents what is known as blind compliance.
However, the fundamental purpose of healthcare-related regulatory requirements is to ensure patient safety, guarantee product quality, and assure product efficacy. Preparing a complete set of CSV documentation solely for inspection purposes (inspection-oriented documentation) is putting the cart before the horse. What exactly are they focusing their efforts on?
The Essential Purpose of CSV Implementation
The purpose of CSV implementation is not inspection response. The objectives and means are frequently reversed. CSV is imposed when computer systems are used in processes subject to regulation. However, computer systems indirectly influence the fulfillment of predicate rule requirements (GLP, GCP, GMP, GVP, GQP, GPSP, etc.). Since they do not directly impact patient safety, product quality, or product efficacy, CSV implementation cannot be considered the highest priority.
To implement CSV, companies must expend compliance costs. However, the costs incurred by companies are not absorbed internally but rather transferred to drug prices and product prices. In other words, they become a burden on patients. Therefore, compliance costs should not be spent without limit. To state it somewhat dramatically, healthcare could become accessible only to high-income individuals.
CSV should not be implemented indiscriminately, and compliance costs should not be expended simply because it is a regulatory requirement or because there will be an inspection.
Risk-Based Approach and Critical Thinking
First and foremost, one should determine the extent to which the computerized system in question impacts patient safety, product quality, and product efficacy. This is the so-called risk-based approach.
In recent years, this concept has evolved further. The ISPE GAMP 5 Second Edition, published in July 2022, introduced a new concept called Critical Thinking as a core pillar. This emphasizes that knowledgeable and experienced subject matter experts (SMEs) should define appropriate validation strategies by considering risk and actual intended use.
Additionally, the FDA (U.S. Food and Drug Administration) guidance “Computer Software Assurance for Production and Quality System Software,” issued as a draft in September 2022 and finalized in September 2025, clearly indicates a transition from traditional CSV (Computer System Validation) to CSA (Computer Software Assurance). CSA is a risk-based approach to establishing confidence that software is fit for its intended use. This concept focuses on patient safety, product quality, and data integrity, recommending a departure from excessive documentation and concentration on truly value-adding activities.
Japanese companies, in particular, tend to establish uniform standards in advance. However, the risk-based approach fundamentally does not involve predetermined standards. Validation for each computer system should establish criteria based on the extent to which it impacts patient safety, product quality, and product efficacy.
Flexible Approaches Based on System Characteristics
When I receive inquiries regarding CSV implementation, I always ask what kind of product is involved and which business area (non-clinical studies, clinical trials, CMC, manufacturing, post-marketing safety management, etc.). This is because risk varies depending on the product, and risk also varies depending on the process.
For example, sterile products, anticancer drugs, psychotropic drugs, blood products, and vaccines would carry high risk. On the other hand, gastrointestinal medicines and nutritional supplements would carry lower risk. Company personnel are experts on their products compared to regulatory inspectors. They should also be thoroughly familiar with what risks lurk in each process and the degree of risk involved.
Adaptation to Modern Validation Methodologies
GAMP 5 Second Edition explicitly supports not only traditional linear development methodologies (Waterfall, V-model) but also iterative and incremental development methodologies (Agile development, etc.). Appendix D8 “Agile Software Development” has been newly added, providing guidance adapted to modern software development methodologies, such as validation implementation on a sprint-by-sprint basis.
Additionally, appendices addressing new technologies have been added, including Appendix D9 “Software Tools,” Appendix D10 “Distributed Ledger Technology (Blockchain),” and Appendix D11 “Artificial Intelligence and Machine Learning (AI/ML).” Detailed guidance on the use of cloud services (IaaS, PaaS, SaaS) is also provided, strongly recommending maximum utilization of supplier assessments and documentation.
Professional Responsibilities
I encourage you to aim for professional activities. Creating CSV procedures and forms that anyone can produce is nonsensical.
True professionals are those who understand risk, practice critical thinking, and can plan and implement the most efficient and effective validation strategies to ensure patient safety, product quality, and data integrity. Rather than spending time on excessive documentation, focus should be placed on what is truly important.
As recommended by the FDA’s CSA guidance, the least burdensome approach is to leverage system logs, audit trails, and other electronic records generated by software, reducing unnecessary manual documentation and paper-based records. By utilizing vendor assessments, certifications (such as ISO 13485), and digital records, the burden of manual documentation can be reduced.
International regulatory trends are clearly shifting toward the practice of risk-based approaches and critical thinking. Japanese companies should also adapt to this trend and advance reforms to achieve true quality assurance.
Comment