What is Computer System Validation (CSV)?

Computer System Validation (CSV) is a process used to ensure (and document) that a computer-based system will produce information or data that meets a set of predefined requirements. If a system meets these requirements, it can be assumed that it is consistently performing in the way it was intended.

The CSV process is necessary when replacing paper records with electronic systems within highly regulated environments that directly impact public health and safety, such as pharmaceutical and medical device manufacturing. Its use makes sure that the system is completely transparent, robust, and tamper proof.

These industries use computer systems to operate and record a range of manufacturing processes so it’s critical that they can be relied upon to produce data consistently and store electronic data in a safe and secure way.

Computer System Validation Course

Go rapidly from total beginner to an advanced level CSV expert.

Check out our 10 week Computer System Validation course

SALARY RANGE of US$35,000 – 80,000 based on US job data.

Take this course and start learning how to apply CSV to your projects immediately. Build on your industry experience and transform yourself into a highly specialized CSV professional.

Why Do We Need Computer System Validation?

Regulated industries, such as pharmaceutical manufacturing, have to adopt many compliance procedures to make sure their final product is safe for distribution or sale. CSV is one of those compliance requirements and is part of the Quality Management System within pharmaceutical manufacturing.

So what exactly does CSV deliver to these industries?

  • Safely – helps ensure the medical products do no harm to your patients
  • Accuracy – when test outcomes are routinely checked against predetermined expected results, the accuracy of computer systems within the manufacturing process can be relied upon
  • Security – CSV processes make clear when entries to the system have been altered
  • Reliability – the process ensures that system outputs can be relied upon throughout the lifecycle
  • Consistency – it also ensures that the system output is consistent across its lifecycle
  • Optimisation – following the process also means that computer systems can be more easily optimized. Optimisation is a key feature of an effective and efficient manufacturing site.

CSV is applied to all computer-based systems used at any point in the manufacturing process. Examples might include:

  • Laboratory Information Management System (LIMS)
  • Laboratory Instrument Systems (LIS)
  • Clinical Trial Monitoring Systems
  • PLC for Controlled Packaging Equipment
  • Supervisory Control and Data Acquisition (SCADA)
  • Distributed Control System (DCS)
  • Chromatography Data System (CDS)
  • Enterprise Resource Planning (ERP) Systems
  • Manufacturing Execution System (MES)
  • Batch Record System
  • Building Management Systems (BMS)
  • Spreadsheets

Computer System Validation Regulation

Computer system validation is required by the Food and Drug Administration (FDA)  The FDA regulation is covered under the Code of Federal Regulations (CFR) under FDA 21 CFR 11 and deals with electronic records and signatures. Part 11 mandates the requirements for electronic records and signatures to be accurate, reliable, readily retrievable, and secure and to be able to replace paper records and handwritten signatures legally. 

The FDA also requires medical device makers to validate the software and systems used in manufacturing medical devices using 21 CFR 820. 

Within the EU, medical device makers are required to validate their software and systems. This is regulated under EudraLex Volume 4 Annex 11 on Computerized Systems. 

Computer System Validation is also required in ISO 13485 standard 2016 – For Medical Devices

GAMP Guidelines

Good Automated Manufacturing Practice (GAMP) is a set of guidelines for manufacturers and users of automated systems in the pharmaceutical industry and describes a set of principles and procedures that help ensure that pharmaceutical products have the required quality. GAMP has enjoyed the support of numerous regulatory authorities and is now a recognised good practice worldwide.

Computer System Validation Process Overview

Computer system validation is a multistep process and the approach you take to validate a system during its life cycle will vary considerably depending on whether it is a new system, an upgrade to an existing system, the range of activities the company performs, the type and size of system, novelty, complexity, business impact, and the sector in which the company operates. 

For a new system, you would typically start with a blank page. For an existing system that needs an upgrade or is expanding the scope of its intended use, you need to keep the system in a validated state by rigorously testing the upgrade before releasing it for use. 

The validation process ends when you retire the system and successfully migrate its data to a new system or archive it.

How to do Computer System Validation

One way of approaching the CSV process is to break it down into its life cycle phases.There are four life cycle phases of a computer system according to the GAMP 5 guidelines. (See diagram below) These are:

  1. Concept 
  2. Project 
  3. Operation 
  4. Retirement

In addition, there are a lot of supporting processes or activities that take place across all phases of the life cycle and you should include them when visualizing the CSV process.

Let’s take a look at the entire process viewed through the project life cycle phase of computerised systems.

Concept Phase


In the concept phase, you typically defined the following.

  • the overall requirements of the system
  • what critical functions it will be controlling
  • what are the available options for hardware and software platforms 
  • what is the overall regulatory impact of the proposed system
  • what is the novelty of the system and its complexity
  • what is the requirement for document control
  • what testing is required, what are our considerations for operations and maintenance
  • what data and records are generated that will subsequently need to be retained

System Software Categorization

The range of activities required to validate a computerized system are hugely affected by the type of software you are using and will determine the validation approach and the deliverables: 

The GAMP 5 guidelines categorise software into 4 types. These are:

Software Category 1 –  Infrastructure software

This is layered software upon which applications are built and used to manage the operating environment. Examples: Operating Systems, Database Engines, Middleware, Programming languages, Statistical packages, Network monitoring tools, Scheduling tools,  Version control tools

Software Category-3 – Non-Configured Software 

Run-time parameters may be entered and stored, but the software cannot be configured to suit the business process. 

Examples: Firmware-based applications, Configured Off-The-Shelf (COTS) software, Instruments

Software Category-4 – Configured Software 

This software is often very complex. It can be configured by the user to meet the specific needs of the user’s business process. But the software code is not altered. Much of the software you come across in the Pharma/Medtech sector is category-4

Examples: Laboratory Information Management System (LIMS), Enterprise Resource Planning (ERP), Clinical Trial Monitoring, Distributed Control System (DCS),  Chromatography Data System (CDS), Building Management Systems (BMS), Spreadsheets

Software Category-5 – Custom Software 

This software is custom designed and coded to suit the business process. 

Examples: Internally and externally developed IT applications, Internally and externally developed process control applications, Custom firmware, Spreadsheets (macro) 

Note: There is no Category 2 anymore as it was discontinued.

Quality Risk Assessment 

A risk assessment is carried out to determine if the computer system has an impact on product quality, patient safety or data integrity. 

Electronic Records and Electronic Signatures (ERES) Assessment

You should assess your company or organization’s system for handling electronic data and electronic signatures and ensure it meets the regulatory requirements. You need to figure out what electronic records are created by the system, how those records are maintained and how the records will be signed, either by hand or electronically.

Project Phase

System Overview

In order to satisfy the regulatory inspectors, you would need to give a brief description of the system.

It’s best to take a top-down approach and start with its operating environment. This would include other networked, or standalone computerised systems, other systems, media (how you store your electronic records), people, equipment and procedures.

In addition, you need to describe:

  • Hardware Firmware 
  • Software 
  • Computer System (Controlling System) 
  • Operating procedures and people 
  • Data managed by the system
  • Equipment Controlling Function or Process

During this phase, you take the V-model approach where the v-model controls the specifications and the verification and testing deliverables. 

Computer System Validation Process V-Model

In pharmaceutical manufacturing, most companies and organisations follow the Good Automated Manufacturing Practice V-Model (GAMP®5) V-Model to validate their systems as it meets the requirements of the industry regulators. The model is used to visualize the relationship between requirements and specifications and the verification and testing performed on them (see diagram below). 

You start at the top left (planning), proceeding down to (configure and/or coding) and then back to the top right, ending at (reporting).  The left-hand side of the V represents what the computer system does (i.e. what you use the software controls for), along with how the computer system works. The right-hand side of the V represents how you test the system to confirm that the system is fit-for-purpose, i.e. will make safe medicines for patients.


This defines what will be validated and what approach you will use. It also defines the roles and responsibilities and the acceptance criteria. This is typically completed by the end-user.

User Requirements Specification (URS)

The user requirements specification maps out what the user needs from the software and how they will use it. It also contains any constraints such as regulations, safety requirements, operational requirements. 

Functional Specification 

The functional specification document describes the functions necessary to achieve that particular requirement such as:

  • how the software works
  • what data needs to be captured
  • user interfaces

Design Specification 

The design specification describes in detail how each function is to be designed or configured.

Configuration and/or Coding

In this step, you build, develop or purchase the software (depending on the software category and then configure it to the previous specification documents. This is typically completed by the vendor.

Installation Qualification (IQ) 

Installation qualification, also referred to as “configuration or integration testing” confirms that the software or system is installed and set up according to the design specification. 

Operational Qualification (OQ)

Operational qualification, also referred to as “functional testing” confirms that all functionality defined in the functional specification is present and working correctly, and in the case of bespoke software, that there are no software bugs. 

Performance Qualification (PQ) 

Performance qualification, also referred to as “user requirement testing” confirms that the software will meet the users’ needs and is suitable for their intended use, as defined in the user requirements specification. 

Final Report

The last step in this validation method is to write the summary report declaring that the system is fit for its intended use and that every deliverable that was planned has been delivered. 

In the V-model you see a link with both sides of the V. For example, the reporting stage verifies the planning stage, the performance qualification stage verifies the user requirement specification stage and ensures that the specifications have been achieved. 

Data Migration 

You need to create a data migration plan if you are uploading data from an existing system into a new system

Standard Operating Procedures 

Standard Operating Procedures (SOPs) are a key part of CSV documentation. They outline how the computer system should be used. Any staff that use a particular system will be thoroughly trained on the relevant SOPs to ensure they are using the system correctly, in the way it was intended.


You need to train key users of the system on how to use the system software, applications and procedures. 


You need to write a handover plan to define when the application will move into the operation phase and how any disruption will be managed and make sure that the system can be used and supported in a controlled manner. 

Operation Phase

The computer system is now in operation. You must keep all aspects of the system and the operating environment under a state of documented control to maintain its validated status.

On-Going Projects

In the operation phase of the life cycle, you manage changes like mini-projects using the V-model approach. 

Backup and Restore 

Backup and restore is a mechanism to protect electronic information and records against loss of original data and subsequent accurate restoration when required. To do this, you must copy the software, data and electronic records to a separate, safe and secure area where this information is available and protected so you will be able to restore it in its original format if required.

Business Continuity Management 

You need to develop a detailed plan to regain access to an IT system and its data following a disaster. The plan must outline how you will restore critical business processes following a disruption while continuing to provide products or services.

Periodic Review 

You need to conduct periodic reviews to ensure a computerized system remains compliant with regulatory requirements throughout its operational life, remains fit for intended use, and continually satisfies company policies and procedures.

Electronic Data Archiving 

You need to develop a suitable data archiving strategy for moving data that is no longer actively used in the active environment where it was created to a separate data storage area for long-term retention.


Retirement Phase

In the retirement phase, you need to assess what data needs to be retained, what data needs to be migrated from the existing computerised system and what data needs to be destroyed. 


You need to develop controls that need to be in place when removing a computerized system from day-to-day use through obsolescence or replacement.

Electronic Data Archiving

You need to develop a suitable data archiving strategy for moving data that is no longer actively used in the active environment where it was created to a separate data storage area for long-term retention.

Supporting Processes

Risk Management 

You need to apply risk management throughout the lifecycle of a computerized system and decide how to manage the process for various categories of systems. You should also look at an approach to conducting risk assessments on computerized systems based on their impact on product quality, patient safety and data integrity.

Traceability Matrix

You need to develop a traceability matrix which is an important project document for tracing all user requirements to design specifications and appropriate verification tests.

Operational Change and Configuration Management

You need to develop a plan to manage the configuration of a computerized system in a regulated environment during the operation and maintenance phase and keep it current and relevant where you are in a period of continuous change and upgrading.

Repair Activity

You need to develop a process by which non-functional systems are returned to a functional state under the control of a repair activity procedure.

Document Management 

The documentation associated with CSV is extremely detailed. Someone reading through it should be able to repeat the steps involved simply by following the document. The language used must be clear and concise.

Before any computer system is used, documents will outline specifics such as:

  • Defining the purpose of the computer system in question
  • The features it needs
  • The hardware it needs
  • When it will be used
  • The requirements that it is expected to meet

The specifications defined here will then be used throughout the CSV process – this continues throughout the life of the computer system.

In addition to this, the system will continue to be tested throughout its lifecycle. Rigorous routine testing will be used to show that the system continues to meet the predefined requirements that were laid out in the design phase.

All CSV documentation can be called for review and audit at any point of the system life cycle. It would be expected that the documentation meets appropriate standards at all points.

Even after a company has stopped using a particular computer system, the documentation showing that it was correctly validated while in use, is kept.

Security Management 

You need to define the controls required for securing a computerized system in an operational environment.

Check out this video from INTERPHEX 2015 for a great introductory conversation about CSV and how it’s implemented within the pharma industry:

The Growth of Computer System Validation Opportunities

As manufacturing processes become increasingly automated, the need for CSV professionals is growing. This trend is only expected to continue.

There is also an acute shortage of trained CSV professionals in certain geographic areas, including Ireland. For this reason salaries for these roles are extremely attractive.

One of the single biggest misconceptions of the CSV role is that you need to be able to code. This is usually not the case. However, we do some times see a requirement for the ability to code in some roles where the job description overlaps with automation engineering. And you do need a solid understanding of the computer process you will be validating.

If you have the relevant skills, as well as the experience of pharmaceutical or medical device manufacturing, you might be closer than you think to being a great candidate for CSV roles within pharmaceutical companies.

Next Steps

Computer System Validation Course

Go rapidly from beginner to an advanced level CSV.

Check out our 10-week Computer System Validation course

This program will teach you how to apply CSV to your projects immediately and turn your work experience into an Advanced Certification.

Ideal for:

  • Anyone with an understanding of GMP rules and regulations
  • Validation Engineer or Specialist
  • Senior Validation Manager
  • Automation Engineer
  • Control/Instrumentation Engineer
  • Process Engineer or Project Engineer
  • Quality Assurance or Quality Control Specialist
  • Maintenance Engineer or Technician

…who want: to get their  CSV projects using GAMP®5 and 21 CFR Part 11 projects under control!

Duration: 10 weeks
Delivery: Completely Online
Awarding body: GetReskilled

Computer Systems Validation Course