CSV

Is Computer System Validation Required for All Computer Systems?

The author frequently receives inquiries from individuals who wish to implement Computer System Validation (CSV) because they have begun managing Good Practice (GxP) data electronically. Additionally, many inquiries arise regarding the substantial costs vendors quote when requested to perform CSV implementation.

However, it is important to understand that merely digitalizing data does not necessarily mean that rigorous CSV must be implemented for all computerized systems. The rationale for this lies in the risk-based approach announced by the FDA in 2003.

Understanding the Risk-Based Approach

When adopting a risk-based approach, implementing CSV is critical for systems that handle data directly affecting patient safety, product quality (including active pharmaceutical ingredients), and data integrity. Examples include systems managing manufacturing records, quality testing records, release decision records, validation records, and calibration records.

Conversely, even though data is defined in regulatory requirements such as Good Manufacturing Practice (GMP) and Standard Operating Procedures (SOPs), and record retention is mandated, CSV implementation is not as critical for systems handling data that only indirectly affects patient safety, product quality, and data integrity. Such data includes access records, training records, and SOPs themselves.

It should be noted that “critical data” and “critical systems” must be defined in procedures, and risk assessment (risk evaluation) must be performed in advance for each process to establish these definitions.

Regulatory Foundation: FDA’s 2003 Guidance

The FDA’s August 2003 publication, “Guidance for Industry: Part 11, Electronic Records; Electronic Signatures – Scope and Application,” contains an important message from the FDA. The guidance states that the FDA’s recommended approach involves documented and justified risk assessment, with decision-making focused on systems that have the potential to impact product quality, safety, and record integrity.

PIC/S GMP Annex 11: Risk Management Requirements

In response to this FDA guidance, the PIC/S GMP Annex 11 on Computerised Systems, which was revised in January 2011 (not 2013 as stated in the original), includes the following requirement in Chapter 1 on Risk Management:

Risk management should be applied throughout the lifecycle of the computerised system, taking into account patient safety, data integrity, and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system.

Note on Timeline: The original column referenced a January 2013 revision of Annex 11, but the current version was actually issued in January 2011. In 2025, draft revisions of Annex 11, Chapter 4 (Documentation), and a new Annex 22 (Artificial Intelligence) were released for public consultation, representing significant updates to the regulatory framework.

Important Clarification: CSV is Still Required

However, it is crucial not to misunderstand this approach. As long as a system handles GxP data, it remains subject to CSV requirements. This does not mean that CSV can be completely omitted; rather, it means that the extent of CSV implementation should be appropriately scaled based on the assessed risk.

For example, suppose regulatory authorities such as the FDA were to cite deficiencies in CSV implementation for training management systems or access control systems. Since regulatory authorities must apply standards equally to pharmaceutical companies worldwide, this would result in enormous compliance costs being borne by pharmaceutical companies globally. These compliance costs would be passed on to drug prices, ultimately becoming a burden on patients.

Spending excessive compliance costs on CSV implementation for computerized systems that handle data with no (or only indirect) impact on patient safety or product quality merely increases the burden on patients without creating any value. Going forward, pharmaceutical companies will need to develop the capability to conduct appropriate risk assessments.

Recent Regulatory Developments

FDA’s Computer Software Assurance (CSA) Approach

In September 2022, the FDA issued draft guidance on “Computer Software Assurance for Production and Quality System Software,” which was finalized in September 2025. This represents a significant evolution in the FDA’s approach to software validation. Computer Software Assurance (CSA) is described as a risk-based approach to establish confidence in automation used for production or quality systems.

The CSA approach features four key steps:

  1. Identify intended use – Clearly define what the software is meant to do
  2. Determine risk-based approach – Assess whether features are “high process risk” or “not high process risk”
  3. Determine appropriate assurance activities – Apply validation rigor commensurate with risk
  4. Establish appropriate record – Document activities proportionate to risk

This guidance emphasizes critical thinking over documentation volume, focusing validation efforts where they matter most for patient safety and data integrity. The approach allows manufacturers to leverage vendor documentation, certifications (such as ISO 13485), and digital records (system logs, audit trails) to reduce manual documentation burden.

Alignment with ICH Q9(R1)

The pharmaceutical industry has seen increased emphasis on Quality Risk Management, particularly with the release of ICH Q9(R1). This updated guideline strengthens the foundation for risk-based approaches across the pharmaceutical quality system, including computerized systems validation. It emphasizes scientific rationale, proportionality in risk assessment, and evidence-based decision-making.

Emerging Technologies and AI

The draft Annex 22 on Artificial Intelligence, released for consultation in July 2025, establishes requirements for the use of AI and machine learning in pharmaceutical manufacturing. This new annex addresses the selection, training, and validation of AI models, with emphasis on defining intended use, establishing performance metrics, ensuring training data quality, and implementing continuous oversight including change control and performance monitoring.

Practical Risk Assessment Framework

To effectively implement a risk-based approach to CSV, pharmaceutical companies should consider the following framework:

System Risk Level Data Impact Examples CSV Rigor Required
High Risk Direct impact on patient safety, product quality, or data integrity Manufacturing execution systems, Laboratory information management systems (LIMS), Electronic batch records, Quality management systems for release decisions, Clinical trial data management systems Full CSV with comprehensive documentation, extensive testing, and rigorous change control
Medium Risk Indirect impact or supporting critical processes Document management systems for SOPs, Calibration management systems, Complaint handling systems, Supplier quality management systems Scaled CSV with risk-appropriate testing, focused on critical functionalities and data integrity controls
Lower Risk Minimal impact on product quality or patient safety Training management systems, Access control systems, Meeting room scheduling, General office productivity tools (when not used for GxP records) Lightweight validation focusing on essential controls, leveraging vendor documentation, simplified testing protocols

Key Considerations for Risk Assessment

When performing risk assessment for computerized systems, companies should evaluate:

  1. Patient Safety Impact – Could system failure or data errors lead to harm to patients?
  2. Product Quality Impact – Does the system directly control or influence product specifications, manufacturing processes, or quality decisions?
  3. Data Integrity – Is the data used for regulatory submissions, release decisions, or other critical determinations?
  4. Regulatory Significance – Are records from this system subject to regulatory inspection or submission?
  5. Business Criticality – What are the consequences of system downtime or malfunction?

The Cost-Benefit Balance

It is essential to recognize that while compliance is mandatory, the approach to compliance should be intelligent and risk-proportionate. Over-validation of low-risk systems diverts resources from areas where they are most needed and ultimately increases costs without corresponding benefits to patient safety or product quality.

The pharmaceutical industry’s responsibility is to produce safe, effective medicines at reasonable costs. A properly implemented risk-based approach to CSV supports this goal by ensuring that validation resources are focused where they provide the greatest value—protecting patient safety and ensuring product quality—rather than being distributed equally across all systems regardless of their actual risk.

Best Practices for Implementation

For successful implementation of a risk-based CSV approach:

  1. Establish clear definitions – Document in procedures what constitutes “critical data,” “critical systems,” and risk levels
  2. Conduct systematic risk assessments – Use structured methodologies (such as FMEA, HACCP, or ICH Q9 principles) consistently across all systems
  3. Document risk decisions – Maintain clear records of risk assessment rationale and validation strategy decisions
  4. Leverage vendor documentation – For commercial off-the-shelf (COTS) software, utilize vendor testing and documentation appropriately
  5. Apply critical thinking – Focus on understanding the intended use and potential failure modes rather than generating documentation for its own sake
  6. Implement proportionate testing – For high-risk features, use rigorous scripted testing; for lower-risk features, consider unscripted methods such as exploratory testing
  7. Enable continuous improvement – Regularly review and update risk assessments as systems evolve and technology advances
  8. Build organizational capability – Invest in training personnel to conduct effective risk assessments and make sound validation decisions

Conclusion

The risk-based approach to CSV represents a mature, scientifically sound method for ensuring computerized systems are fit for their intended use while avoiding unnecessary burden. As regulatory expectations continue to evolve with initiatives like CSA and updated GMP annexes, pharmaceutical companies must develop strong capabilities in risk assessment and critical thinking. This enables them to make appropriate, defendable decisions about validation rigor that ultimately serve the interests of patients, public health, and sustainable pharmaceutical manufacturing.

The key message is clear: CSV remains essential for GxP systems, but the extent and rigor of validation should be commensurate with the risk posed by the system to patient safety, product quality, and data integrity. This risk-based approach, supported by both FDA and PIC/S guidance, represents the current best practice for pharmaceutical quality systems in an increasingly digital manufacturing environment.

Document Information

  • Original Column: Japanese text on CSV risk-based approach
  • Translation and Update: January 2026
  • Key References:
    • FDA Guidance “Part 11, Electronic Records; Electronic Signatures – Scope and Application” (August 2003)
    • FDA Guidance “Computer Software Assurance for Production and Quality System Software” (Final, September 2025)
    • PIC/S GMP Annex 11 “Computerised Systems” (January 2011, with draft revision 2025)
    • ICH Q9(R1) “Quality Risk Management”
    • Draft Annex 22 “Artificial Intelligence” (July 2025)

Why Pre-Sterilization Cleaning and Drying Are Necessary Previous post Beyond Blind Compliance: Critical Thinking in Pharmaceutical Quality Management Next post

Related post

Comment

There are no comment yet.