Regulatory agencies, such as the Food and Drug Administration (FDA) and the European Medicines Agency (EMA), require life science companies to have controls on computer systems that are used to manage CGxP electronic data and records.  As part of the implementation and maintenance process of these controls, the expectation is that Good Automated Manufacturing Practices (GAMP) will be followed which includes Quality-governed Risk Management and Computer System Validation (CSV).

Quality Risk Management is a systematic process for the assessment, control, communication, and review of risks. It is an iterative process used throughout the entire computerized system life cycle — from concept to retirement. Assessment of the risks includes impact of the computerized system on patient safety, product quality, and data integrity.

To meet regulatory requirements, CSV can be used to establish documented evidence that provides a high degree of assurance that a specific process will consistently produce a product that meets the pre-determined specifications while mitigating documented risks.

The best practice approach for CSV, and the approach used by Kymanox, is a risk-based and business process-focused validation.

Four Key Considerations for a Risk-Based and Business Process-Focused Approach

  1. Perspective
    The computer system is part of the CGxP process, but it is not the process. As significant as the computer solution may be, it is not the focus of the process. A challenge with computer systems is establishing and maintaining a CGxP perspective when validating the system.
  2. System
    Software, no matter how pervasive or comprehensive, is not a “computer system,” and, therefore, cannot be validated.  A misconception is that software functionality, in particular out-of-box functionality, is the subject of validation – or that the vendor has already “validated” it. Per regulations, software cannot be validated. Systems are validated.
  3. Responsibility
    The life science company (not the software vendor) is responsible for defining the “system” through best practices which include well documented, company specific, User Requirements, Functional Requirements, and Standard Operating Procedures (SOPs) that are approved by the system owner and quality assurance.
  4. CGxP Process
    The CGxP process governs what the computer system needs to do and hence what needs to be validated. The key is a well-defined CGxP process that usually necessitates using process definition techniques such as process maps and having formalized  SOPs, which are a regulatory requirement.

The Kymanox Approach to Computer System Validation (CSV)

At Kymanox we take a process-oriented approach to CSV that is fully integrated with a risk assessment where CGxP standards are required. Our method ensures that the solution is validated and implemented while reducing or eliminating risks concerning product quality, patient safety, and data security. Most importantly, this approach guarantees that the GAMP 5 goal of a Risk-Based and Business Process-Focused approach for compliant CGxP computerized systems is fulfilled and the entire implementation is aligned along process-driven business objectives.

Validation activities are often viewed as separate to the overall computer system initiative. The Kymanox view is contrary to this belief. We support validation activities being integrated into the standard phases of the system roll out. This approach requires a risk assessment that is dependent upon well-defined, compliant specifications and business processes.

When you partner with Kymanox, we provide the following during a Gap Assessment of your CSV system:

  • – Collaborate to review existing operations, software systems, key personnel, and governing quality systems. Review will include process maps (or equivalent), identifying system touch points, CGxP data touch points, control of CGxP data, interfaces to software systems, interfaces to devices, and data migration.
  • – Perform gap identification with a view toward conveying both the gaps and risks between the current state and proposed future state of the computer system environment. This phase evaluates risks relative to the computer system package as it relates to CGxP process functions.
  • – Qualify the specific risks identified during the gap assessment exercise.
  • – Draft and finalize a detailed gap assessment report that identifies the compliance gaps, risks, and definitive mitigations.
  • – Draft and finalize a solution set to mitigate uncovered gap assessment risks.


Learn more about Kymanox CSV abilities and services

Get More Done.

Contact the Kymanox CSV Team for more information on a risk-based and business process-focused validation approach for your CGxP computerized system. Call us at 919.246.4896 or send an email to