What is Computer System Validation, and which pharma systems require it?
Computer System Validation is the documented proof that a GxP software system consistently performs its intended function within defined specifications. Required under 21 CFR Part 11, EU Annex 11, and GAMP 5, it applies to any system — LIMS, QMS, ERP, MES, CTMS — that directly or indirectly affects product quality, patient safety, or data integrity in a regulated environment.
A pharma organisation with fifty GxP systems needs fifty validation programmes — not one global procedure applied fifty times. That distinction is where most CSV programmes break down, and where FDA inspection findings accumulate.
Regulatory Requirements for CSV
CSV requirements originate from multiple frameworks. A global pharma operation must satisfy all applicable ones simultaneously.
The CSV Lifecycle — All 7 Stages
A validation programme that only covers qualification — IQ, OQ, PQ — and nothing before or after it is structurally incomplete. The full CSV lifecycle has seven stages, each generating documentation that contributes to the overall validation package and inspection readiness.
| # | Stage | Key Output |
|---|---|---|
| 1 | System Inventory & Classification | GAMP 5 category assigned; GxP scope confirmed for every system in portfolio |
| 2 | Risk Assessment & Scope Definition | Critical functions identified; non-critical functions explicitly excluded with documented rationale |
| 3 | Requirements Definition (URS) | User requirements documented; RTM seeded with every testable requirement |
| 4 | Design, Configuration & Build | Configuration documented; vendor evidence assessed for base platform coverage |
| 5 | Qualification — IQ, OQ, PQ | Three-phase testing executed at depth proportionate to GAMP 5 category |
| 6 | Release & Operational Handover | Validation Summary Report approved; deviations closed; system released for GxP use |
| 7 | Change Control, Periodic Review & Retirement | Every change assessed for GxP impact; validation state confirmed at defined review intervals |
GAMP 5 Software Classification
GAMP 5 Second Edition (ISPE, 2022) defines four active software categories. Category assignment at system intake is the single most consequential decision in a CSV programme — it sets documentation scope, test depth, vendor evidence requirements, and change control approach for the system's entire life. Note: Category 2 was removed in the Second Edition — update your VMP if it still references it.
| Category | Software Type | Examples | Validation Approach |
|---|---|---|---|
| Cat 1 | Infrastructure software | Operating systems, database engines, network software | Configuration control and qualification of environment only — no application-level validation |
| Cat 3 | Non-configured commercial software | Off-the-shelf reporting tools, standard office productivity used in GxP context | Vendor evidence for base functionality; installation verification; limited testing of GxP-critical use |
| Cat 4 | Configured commercial software | QMS, LIMS, ERP, CTMS, HRMS with GxP configuration | Vendor evidence for base platform; full testing of configured GxP-critical functions; configuration documentation |
| Cat 5 | Custom / bespoke software | In-house applications, custom automation scripts, bespoke MES | Full SDLC validation: URS, FS, DS, IQ, OQ, PQ — complete lifecycle documentation |
IQ, OQ, and PQ — What Each Phase Requires
The three qualification phases are the most visible part of any CSV programme and the most frequently cited in FDA warning letters when done incorrectly. Each addresses a distinct question about the system.
- Hardware, software, and environment verified against specifications
- Security configuration and baseline recorded
- Vendor certificates and documentation collected
- GxP-critical functions tested including boundary and negative cases
- Access controls, permissions, and audit trail verified
- Error handling and system behaviour confirmed
- End-to-end process testing with real users and realistic data
- Data integrity confirmed across full process cycles
- Integration testing with connected GxP systems
Under FDA's CSA final guidance (September 2025), IQ/OQ/PQ depth scales with GAMP 5 category. Category 3 systems may not require scripted OQ if vendor evidence adequately covers base platform functionality. Category 5 systems require the full three-phase stack regardless.
Most Common CSV Inspection Findings
FDA 483 observations related to CSV frequently cluster around these structural gaps:
- Incomplete audit trails: Missing user identity, timestamps, or failure to capture all data changes.
- Broken traceability: No active link between user requirements and corresponding test evidence.
- Undocumented changes: System patches or upgrades applied without proper GxP impact assessment.
- Missing periodic reviews: Validated systems with no scheduled checks or unretrievable review documentation.
- Uncontrolled spreadsheets: Using Excel or Word for test execution without Part 11-compliant controls.
- GAMP 5 misclassification: Treating configured systems (Cat 4) as non-configured (Cat 3), leading to inadequate testing.
How FDA CSA Changes CSV in 2026
FDA's Computer Software Assurance (CSA) reframes the validation approach for systems where the traditional documentation burden outweighs the actual risk. The core changes include:
- Risk drives scope: Validation effort is scaled based on patient safety impact and GAMP 5 category.
- Vendor evidence accepted: Re-testing base platforms is minimized by leveraging vendor testing for Category 3 and 4 systems.
- Documented critical thinking: The rationale behind scoping decisions must be recorded as a retrievable artefact.
- Unscripted testing permitted: Exploratory and ad-hoc testing is acceptable for lower-risk system functions.
It is important to note that CSA does not eliminate rigour where it matters—Category 5 custom applications still require full lifecycle validation.
Managing CSV with a Validation Lifecycle Management System
A spreadsheet-based CSV programme has a structural ceiling. It can document individual projects but cannot maintain a current, inspection-ready view of the validation state of an entire system portfolio. As portfolio size grows — and as CSA introduces risk-proportionate differentiation across systems — the gap between what the documentation says and the actual compliance state becomes increasingly difficult to manage manually.
GoVal manages every stage of the validation lifecycle in a single environment: GAMP 5 classification, risk assessment, URS management, IQ/OQ/PQ test execution, live RTM, change control, and periodic review triggered by system risk tier. Documentation scope scales automatically to the assigned GAMP 5 category. Documented critical thinking — the risk rationale artefact — is a mandatory, indexed field rather than a free-text note scattered across documents. Every action generates a timestamped, audit-trailed record available instantly when an inspector arrives. Most regulated teams deploy in 3–6 weeks.
Related Topics
Frequently Asked Questions
What is Computer System Validation (CSV)? +
Which regulations require Computer System Validation? +
What are the 7 stages of a CSV lifecycle? +
What is the difference between CSV and CSA? +
What are the most common CSV inspection findings? +
What is GAMP 5 and how does it apply to CSV? +
How does GoVal support Computer System Validation? +
Manage your full CSV lifecycle in one platform
GAMP 5 classification, IQ/OQ/PQ execution, live RTM, change control, periodic review — all in GoVal.