Maintaining Validation State in Computerized System Validation

Introduction

In Computerized System Validation (CSV), one of the most critical aspects during the operational phase is maintaining validation state. Understanding this concept and implementing it effectively is essential for ensuring continuous compliance with regulatory requirements and protecting patient safety, product quality, and data integrity.

The Fundamental Concept of CSV

Computerized System Validation is fundamentally about “aligning system specifications with user requirements.” In other words, CSV ensures that a computerized system performs exactly as intended by the user and meets all applicable regulatory requirements.

During the project phase, suppliers conduct requirements definition activities, determine system specifications to match user requirements, build the system, and perform comprehensive testing. Upon completion of the project phase, the computerized system’s specifications should be in full alignment with user requirements, and the system should be in a validated state.

Why Validation State Changes During Operations

However, after release and during the operational phase, user requirements may change for various reasons. When user requirements change, the previously validated system specifications may no longer align with the new requirements, potentially compromising the validation state.

Common scenarios where user requirements typically change include:

1. Changes in Regulatory Requirements

Regulatory agencies periodically update GMPs, GCPs, GLPs, and other regulations to reflect advances in science, technology, and industry best practices. For example, the introduction of Annex 11 to EU GMP in 2011, or updates to FDA 21 CFR Part 11, have required organizations to modify their computerized systems to maintain compliance.

2. Changes in Regulatory Requirement Interpretation

Even when regulations themselves remain unchanged, their interpretation may evolve based on regulatory authority inspections, internal audits, or industry guidance. For instance, when a quality management system (QMS) receives findings during an inspection, organizations may need to revise standard operating procedures (SOPs), which in turn may affect user requirements for supporting computerized systems. Recent emphasis on data integrity by regulatory authorities worldwide (including FDA, EMA, MHRA, and PMDA) has led many organizations to reinterpret existing requirements and enhance their systems accordingly.

3. Organizational Changes

Business restructuring, mergers and acquisitions, changes in organizational structure, or modifications to roles and responsibilities can significantly impact user requirements. These changes may necessitate modifications to access controls, approval workflows, reporting structures, or audit trail requirements within computerized systems.

4. Product Changes

When products are modified, added, or discontinued, the associated risk profile may change substantially. For example, introducing a high-risk biologic product may require enhanced environmental monitoring, more stringent batch release testing, or additional quality control checks compared to a low-risk product.

CSV and other validation approaches typically employ a risk-based approach to determine validation criteria and the level of rigor required. This approach, strongly advocated in international guidance documents such as GAMP 5 Second Edition (published in July 2022) and the FDA’s Computer Software Assurance (CSA) guidance (finalized in September 2025), requires that validation efforts be commensurate with the risk to patient safety, product quality, and data integrity.

When products change, the risk assessment must be revisited to determine whether the current validation level remains appropriate or whether enhanced controls are necessary.

5. Process Changes

Manufacturing process improvements, technology upgrades, changes in analytical methods, or modifications to quality control procedures can all trigger changes in user requirements. For instance, implementing a new analytical instrument or transitioning from manual to automated processes may require corresponding changes to the computerized systems that support these activities.

Understanding the Risk-Based Approach in Modern CSV

The risk-based approach has evolved significantly with the publication of GAMP 5 Second Edition in 2022 and the FDA CSA guidance. These documents emphasize:

• Critical Thinking: Applying knowledgeable, experience-based judgment to determine appropriate validation approaches rather than following prescriptive, one-size-fits-all methods
• Process Risk Assessment: Evaluating the risk that software features or functions pose to production or quality systems
• Proportionate Controls: Implementing validation activities commensurate with the identified risk level
• Leveraging Supplier Information: Maximizing the use of vendor documentation, certifications, and testing to reduce duplication of effort

This modern approach recognizes that not all computerized systems or system components present equal risk, and validation efforts should be focused where they provide the greatest value in protecting patient safety and product quality.

The Concept of Maintaining Validation State

During the operational phase, organizations must continuously ensure that system specifications remain aligned with user requirements through effective change management. This ongoing process is called “maintaining validation state.”

Maintaining validation state means ensuring that:

1. The system continues to meet its intended use as originally defined and validated
2. All changes to user requirements are properly evaluated through impact assessment
3. System modifications are validated before implementation when required
4. Documentation remains current and accurate reflecting the actual state of the system
5. Periodic reviews confirm that the system continues to perform as intended and remains fit for purpose

Key Elements of Maintaining Validation State

Change Management

A robust change management process is the cornerstone of maintaining validation state. This process should:

• Clearly define what constitutes a change requiring formal assessment
• Establish a systematic approach to evaluating the impact of proposed changes on validation status
• Determine the appropriate level of re-validation or re-testing required
• Ensure proper documentation and approval before implementation
• Verify that changes perform as intended after implementation

Periodic Review

Regular periodic reviews (also called system reviews or validation maintenance reviews) should be conducted to:

• Verify that the system continues to meet user requirements
• Assess whether changes in regulations, organizational structure, products, or processes affect the system’s validation status
• Review the effectiveness of change management and incident management processes
• Identify opportunities for continuous improvement
• Confirm that documentation remains accurate and current

The frequency of periodic reviews should be risk-based, with higher-risk systems reviewed more frequently.

Deviation and Incident Management

When systems do not perform as expected, organizations must:

• Promptly investigate and document deviations or incidents
• Assess the impact on product quality, patient safety, and data integrity
• Implement appropriate corrective and preventive actions (CAPA)
• Determine whether the deviation indicates a loss of validation state
• Re-validate the system if necessary to restore confidence in its operation

Continuous Monitoring

Modern approaches to maintaining validation state increasingly emphasize continuous monitoring of system performance through:

• Automated alerts and notifications for system errors or unusual activities
• Regular review of audit trails and system logs
• Performance metrics and key performance indicators (KPIs)
• Trending analysis to identify patterns that may indicate emerging issues

This proactive approach, aligned with the FDA CSA guidance concepts, helps organizations detect potential problems before they impact product quality or patient safety.

Alignment with Current Regulatory Expectations

Maintaining validation state is not merely a best practice but a regulatory expectation embedded in multiple requirements:

• FDA 21 CFR Part 211.68 requires that automatic, mechanical, and electronic equipment be routinely calibrated, inspected, or checked according to a written program
• EU GMP Annex 11 states that “computerised systems should be periodically evaluated to confirm that they remain in a valid state”
• ICH Q7 requires that computerized systems be validated and maintained in a validated state
• ISO 13485 (for medical devices) emphasizes the importance of validation maintenance throughout the product lifecycle

The FDA’s Computer Software Assurance guidance, finalized in September 2025, further reinforces the importance of ongoing assurance activities throughout the operational phase, emphasizing that manufacturers should establish confidence that software maintains a validated state through appropriate monitoring and change management.

Practical Implications for Organizations

To effectively maintain validation state, organizations should:

1. Establish clear policies and procedures for change management, periodic review, and continuous monitoring
2. Implement a risk-based approach to determine the frequency and extent of validation maintenance activities
3. Train personnel on the importance of maintaining validation state and their roles in the process
4. Leverage technology such as validation management systems or quality management systems to streamline and standardize processes
5. Foster a quality culture that recognizes maintaining validation state as a shared responsibility across the organization
6. Stay informed about evolving regulatory expectations and industry best practices
7. Apply critical thinking as emphasized in GAMP 5 Second Edition, focusing validation efforts where they provide the most value

Conclusion

Maintaining validation state is an essential aspect of CSV that extends throughout the operational lifetime of a computerized system. It requires vigilant attention to changes in regulatory requirements, organizational structure, products, processes, and system performance. Through effective change management, periodic reviews, deviation management, and continuous monitoring, organizations can ensure that their computerized systems remain validated and continue to support patient safety, product quality, and data integrity.

As the regulatory landscape continues to evolve with the adoption of risk-based approaches like those described in GAMP 5 Second Edition (2022) and the FDA CSA guidance (2025), organizations must adapt their validation maintenance practices to align with modern expectations while maintaining the fundamental principle that systems must remain fit for their intended use throughout their operational life.

Understanding and implementing effective practices for maintaining validation state is not just a compliance obligation—it is a critical component of quality assurance that directly impacts the safety and efficacy of pharmaceutical products and medical devices that patients depend upon.

References:

• ISPE GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems, Second Edition (July 2022)
• FDA Guidance: Computer Software Assurance for Production and Quality System Software (September 2025)
• EU GMP Annex 11: Computerised Systems
• FDA 21 CFR Part 11: Electronic Records; Electronic Signatures
• ICH Q7: Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients
• 厚生労働省: 医薬品・医薬部外品製造販売業者等におけるコンピュータ化システム適正管理ガイドライン (2012)