top of page
  • Hao

Fundamentals of Computerized Systems Validation (CSV)

Initial Assessments: Part 2

Quality Assurance - CSV - Software Validation

This is the second one in a series of posts on general aspects of Computerized Systems Validation (CSV). In this post we will be looking at the process of selecting whose products and/or services you would like to buy. Together with the Impact Assessment, the Supplier Assessment should form one of the pillars of your risk based approach.

Size Doesn't Matter

If you are reading this article then the chance is big that you have already selected suppliers before based on technical and commercial aspects, looking at the size of the company, weighing off the price, the functionalities and the support options. However, from our experience working with various big IT companies and also smaller, medium-sized ones, if the people, who are going to work with you to implement the system, have no experience with CSV in a GxP environment, it is going to be a long cumbersome journey. We always recommend to have your own CSV specialist or an external consultant talk with the supplier's specialist to get an idea of their quality standards. A recurrent issue with bigger companies is also that they probably have a CSV specialist but the chance that you would be dealing with this person is rather on the low side. The size and geographical spreading of various teams, following various standards, if any, makes it even trickier to control where the quality and the compliance will be heading during and after the project.

Types of Audits

There are in general 3 types of audits and the type that you choose should be consistent with the impact and risks of using the system. For low risk systems, you can choose to do just a research on publicly available information. For medium risk systems, you can choose to send a postal questionnaire to be filled in by the quality responsible of the supplier. For high risk systems, an onsite audit would be required. Note that the criteria for determination of the audit type should be clearly defined in a supplier assessment SOP.

SaaS Providers

Software as a Service (SaaS) is becoming more and more the standard allowing life science companies to outsource the maintenance of their application so they can focus on their core business. On the other side, the SaaS provider probably relies on a big tech company like Amazon or Microsoft or Google as cloud service provider. The challenge here is to get a clear oversight of who is responsible for what. A supplier who has experience with CSV in a GxP environment will provide you with an overview of CSV activities and deliverables. A supplier who doesn't know about CSV and GxP will refer you to the cloud service provider hoping that you will trust that it is a big player in the field. While it might be true that these big tech companies have a whole library of every possible certificate for information security, there are, depending on the services that are being used, always additional aspects to consider. The amount of responsibilities the supplier will take is again proportional to the risk and you would want to increase assessment effort.


With the current pace of technological innovation, it also becomes more convenient to outsource IT services and solutions to focus on the own core business. The more responsibilities a supplier takes, the higher the risk of that supplier not complying with the own company's standards to achieve quality and compliance. The type of supplier assessment should be consistent with this risk and the criticality of the system. Contact us for a free first consultation session.

16 views0 comments

Recent Posts

See All

Test Automation

Agile Software Development Software Development - Quality Assurance - Regulatory Compliance Test automation offers numerous benefits that can significantly improve the software development and testing

Standard Operating Procedures

Computerized Systems Validation (CSV) Part 10 Quality Assurance - CSV - Software Validation - SDLC Once a system is validated it needs to be maintained and kept in a validated state. In this last post

Data Migration

Computerized Systems Validation (CSV) Part 9 Quality Assurance - CSV - Software Validation - SDLC Data migration, the transfer of data from one system to another, is a crucial step in computer systems


bottom of page