The Purpose of Computerized System Validation (CSV)

Understanding CSV’s Distinct Purposes: Infrastructure Equipment vs. IT Applications

The purpose of Computerized System Validation (CSV) differs significantly between infrastructure equipment (manufacturing equipment with embedded computerized systems) and IT applications (standalone software systems). Understanding these distinctions is essential for implementing appropriate validation strategies aligned with current regulatory expectations.

CSV for Infrastructure Equipment (Manufacturing Equipment)

Regulatory Foundation

PIC/S GMP Annex 11 “Computerised Systems” establishes fundamental principles for implementing computerized systems in GMP environments. The principle section states:

“When introducing a computerised system to replace a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process.”

This principle emphasizes that when manual operations are automated through computerized systems, three critical aspects must be preserved or enhanced: product quality, process control (including quality assurance), and overall process risk management.

Historical Context and Practical Understanding

To illustrate this principle, consider the evolution of rice cooking technology. Traditionally, rice was cooked manually in a pot over a fire, requiring constant human oversight and adjustment. Today, computerized rice cookers (utilizing microcomputers/microcontrollers) have replaced this manual process. The microcomputer program now controls temperature, timing, and cooking sequences that were previously managed by human judgment.

In this transition from manual to automated operation, several quality requirements must be maintained:

• The quality of cooked rice must not deteriorate
• Consistency between batches must be ensured (quality assurance must not degrade)
• New risks, such as foodborne illness from improper cooking, must not be introduced

This same principle applies to pharmaceutical manufacturing equipment. When a manual manufacturing process is computerized, the automated system must deliver product quality and process control equal to or better than the manual operation it replaces.

Primary Objectives of CSV for Infrastructure Equipment

The primary objective of CSV for infrastructure equipment is twofold:

First objective: To verify and document that when a manual operation is replaced by a computerized system, the product quality and quality assurance capabilities are maintained at or above the level achieved by the previous manual operation.

Second objective: To verify through Operational Qualification (OQ) that risks associated with equipment failure, malfunction, or abnormal operating conditions are appropriately controlled and do not compromise product quality or patient safety.

Integration with Qualification Framework

CSV for infrastructure equipment cannot typically be performed in isolation. In most cases, it must be integrated with the broader process validation framework (also known as qualification) and conducted in conjunction with hardware qualification activities. The typical qualification sequence includes:

Qualification Stage	Purpose	CSV Integration
Design Qualification (DQ)	Verify design meets GMP requirements and user requirements	Review computerized system design specifications
Installation Qualification (IQ)	Verify system installed correctly per specifications	Verify software installation and configuration
Operational Qualification (OQ)	Verify system operates as intended across operating ranges	Test computerized system functions and failure scenarios
Performance Qualification (PQ)	Verify system consistently produces acceptable product	Verify integrated system performance under production conditions

Note on Regulatory Integration: Current regulatory frameworks present a significant challenge: the relationship between process validation (Qualification per Annex 15) and CSV (per Annex 11) is not explicitly defined in regulatory guidance. Specifically, CSV requirements are issued as separate guidelines (such as the Japanese “Computerized System Proper Management Guideline”), without clear integration guidance with equipment qualification requirements found in Annex 15 “Qualification and Validation.” This creates practical implementation challenges that manufacturers must address through risk-based approaches.

Important Update (2025): The revised draft Annex 11 (currently under consultation) now explicitly references Annex 15, stating that qualification and validation activities for computerized systems should follow Annex 15 requirements with additional computer-specific considerations. This represents a significant improvement in regulatory clarity.

CSV for IT Applications (Software Systems)

Fundamental Differences from Equipment CSV

IT applications (standalone software systems) differ fundamentally from infrastructure equipment in their validation approach. Modern IT applications typically possess extensive functionality to support large-scale, complex business processes. For these computerized systems to effectively support GMP operations, they must completely fulfill user requirements.

Primary Objective of CSV for IT Applications

The primary objective of CSV for IT applications is to verify and document that the computerized system completely fulfills user requirements and maintains fitness for its intended use throughout its lifecycle.

Testing Methodology

Unlike infrastructure equipment that undergoes IQ, OQ, and PQ, IT applications do not manufacture pharmaceutical products and typically do not involve physical hardware qualification. Instead, IT application validation relies on a comprehensive testing hierarchy:

Testing Phase	Purpose	Typical Activities
Unit Testing	Verify individual software components function correctly	Test individual modules, functions, or classes
Integration Testing	Verify components work together correctly	Test interfaces, data flows between modules
System Testing	Verify complete system meets functional requirements	End-to-end functional testing, performance testing
User Acceptance Testing (UAT)	Verify system meets business needs and user requirements	Real-world scenario testing by end users

These testing phases are iteratively executed throughout the software development lifecycle. Modern approaches, particularly those aligned with agile methodologies recognized in GAMP 5 Second Edition (2022) and FDA’s Computer Software Assurance (CSA) guidance (finalized September 2025), emphasize continuous testing and risk-based validation.

The Reality of Software Defects

It is critical to understand that, except for extremely simple software, completely eliminating all software defects (bugs) is practically impossible. This reality is acknowledged in modern validation approaches including:

• GAMP 5 Second Edition (2022): Emphasizes risk-based approaches where validation effort is proportionate to the risk posed to patient safety, product quality, and data integrity
• FDA CSA Guidance (September 2025): Promotes risk-based assurance focusing on “fit for intended use” rather than attempting to test every possible scenario
• ISO/IEC/IEEE 29119 Software Testing Standards: Recognize that exhaustive testing is generally impossible and that risk-based testing strategies are necessary

The goal of iterative testing in IT application validation is therefore to:

1. Identify and eliminate critical defects that could impact patient safety, product quality, or data integrity
2. Reduce residual defects to an acceptable level based on risk assessment
3. Ensure the software completely fulfills user requirements and remains fit for intended use

This final point represents the ultimate objective of CSV for IT applications: delivering documented assurance that the system meets all user needs and maintains a validated state throughout its operational life.

Modern Validation Paradigm: From CSV to Computer Software Assurance (CSA)

Evolution of Validation Approach

The pharmaceutical and medical device industries are experiencing a significant paradigm shift from traditional Computer System Validation (CSV) to Computer Software Assurance (CSA). This evolution is driven by:

FDA CSA Guidance (Draft 2022, Final September 2025): Introduces a risk-based approach emphasizing:

• Critical thinking by qualified subject matter experts
• Focus on patient safety, product quality, and data integrity over documentation volume
• Leveraging supplier documentation and quality systems
• Appropriate use of both scripted and unscripted testing based on risk

GAMP 5 Second Edition (2022): Updates industry best practices to include:

• Recognition of agile and iterative development methodologies
• Enhanced guidance on cloud computing, AI/ML, and emerging technologies
• Emphasis on computer software assurance over traditional validation terminology
• Alignment with FDA CSA principles

Revised Annex 11 (Currently Under Consultation, Expected 2026): Represents the most significant update since 2011, including:

• Mandatory application of Quality Risk Management principles throughout the system lifecycle
• Enhanced requirements for cloud services, SaaS, and AI/ML systems
• New sections on identity and access management, audit trails, and electronic signatures
• Explicit linkage to Annex 15 qualification requirements
• Introduction of companion Annex 22 on Artificial Intelligence

Key Principles of Modern Validation

The modern validation paradigm, whether termed CSV or CSA, emphasizes:

1. Risk-Based Approach: Validation effort should be commensurate with risk to patient safety, product quality, and data integrity
2. Lifecycle Thinking: Systems must remain validated throughout their entire lifecycle, from concept to retirement
3. Critical Thinking: Qualified subject matter experts should apply judgment rather than following rigid, prescriptive procedures
4. Leveraging Supplier Evidence: Appropriate use of vendor documentation, certifications (ISO 13485, ISO 27001), and testing results
5. Focus on Intended Use: Validation should concentrate on how the system is actually used in the GMP environment, not every theoretical capability

Conclusion

Understanding the distinct purposes of CSV for infrastructure equipment versus IT applications is fundamental to implementing effective, compliant validation strategies. Infrastructure equipment CSV focuses on demonstrating that automation maintains or improves upon manual processes while controlling failure risks. IT application CSV emphasizes confirming complete fulfillment of user requirements through comprehensive testing strategies.

Both approaches are evolving toward more risk-based, efficient methodologies that emphasize assurance over documentation burden, while maintaining the fundamental goal: ensuring computerized systems are fit for their intended use and consistently deliver safe, high-quality pharmaceutical products to patients.

As regulatory frameworks continue to modernize—particularly with the finalization of FDA CSA guidance and the anticipated publication of revised Annex 11—organizations should embrace these principles while maintaining vigilance for patient safety and product quality. The future of validation lies not in producing voluminous documentation, but in applying critical thinking, risk-based approaches, and leveraging appropriate technologies to ensure computerized systems remain validated and suitable for their intended purposes throughout their lifecycle.

Regulatory References:

• PIC/S GMP Annex 11 “Computerised Systems” (2011, revision expected 2026)
• PIC/S GMP Annex 15 “Qualification and Validation” (2015)
• PIC/S GMP Annex 22 “Artificial Intelligence” (Draft consultation 2025)
• FDA Computer Software Assurance for Production and Quality System Software (Final September 2025)
• GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems, Second Edition (2022)
• ICH Q8, Q9, Q10, Q11 Guidelines
• ISO/IEC/IEEE 29119 Software Testing Standards