News and Views

Case Study: Implementing a Computer System Validation Policy for a Pharmaceutical Company

by | 17 Jun, 2024

Implementing a robust Computer System Validation (CSV) policy is crucial for ensuring compliance in pharmaceutical manufacturing and laboratory operations. Effective CSV policies also enhance operational efficiency, quality, and productivity.

Regulators like the FDA require the validation of computer systems and they provide guidance on CSV and other validation approaches, including Computer Software Assurance (CSA). However, this guidance is high-level and doesn’t give specifics. The specifics are left to individual pharmaceutical organisations themselves.

This case study outlines how our team successfully developed and implemented a comprehensive CSV policy for a pharmaceutical industry customer.


The Problem

Our customer is a large pharmaceutical industry organisation with facilities in the US and Ireland. It wanted to develop a formalised and consistent CSV policy to help with compliance, reduce risks, and improve operational efficiencies.

It also wanted to make improvements in cybersecurity, disaster recovery, business continuity, and data integrity. This included optimising backup procedures and protocols for user access management, as well as conducting a review and making improvements to laboratory controls

Westbourne was engaged by the customer to deliver solutions under four main headings:

  • Develop and implement a comprehensive CSV policy
  • Implement validation deliverables based on the new CSV policy to ensure compliance and alignment with industry guidelines, especially those provided by the FDA
  • Ensure system backup, data backup, and access management procedures are robust and fit-for-purpose
  • Review and enhance laboratory system controls


What We Did

Our team at Westbourne adopted a structured and phased approach to deliver on the customer’s requirements, with four main stages:

  • Assessment and planning
  • Policy development
  • Implementation
  • Training and support


Assessment and Planning

We conducted a thorough assessment of the company’s existing systems and processes before defining the project scope. We then developed a detailed project plan outlining the key milestones and deliverables.


Policy Development

Our team drafted a comprehensive CSV policy tailored specifically to the customer’s operations. Data integrity controls and audit trails were established as part of this process, and the policy included all required templates and deliverables.

The policy was also structured so it could be scaled and adapted in the future according to business needs, and it included detailed processes for validation reviews and revalidation to ensure ongoing compliance. A roadmap for validation was also created to ensure a structured approach to compliance.

We also developed updated procedures and protocols for backup, access management, and laboratory controls based on industry, business continuity, and cybersecurity best practices. This process involved making recommendations to the customer such as restricting internet access and USB connectivity within the company’s laboratories.

With our recommendations approved, we moved on to the implementation stage.



For each computer system used by the organisation, we created detailed validation plans and protocols. Necessary documentation was created as part of this process using the well-established DocuWare platform. The documentation we created included:

  • Validation Master Plans
  • Initial Risk Assessments
  • User Requirement Specifications
  • Functional Specifications
  • Configuration Design Specifications
  • Functional Risk Assessments
  • Installation Qualification
  • Operational Qualification
  • Performance Qualification
  • Requirement Traceability Matrix
  • Validation Summary Reports
  • System Retirement Documents
  • Periodic review plans
  • Periodic review reports
  • Specification Assessments
  • Installation Qualification Assessments
  • Operation Qualification Assessments
  • Test Discrepancy Reports

In addition to the implementation of the new CSV policy, we implemented a new backup and recovery solution using the Veeam Backup platform. The revised access management protocols and laboratory controls were also put in place.


Training and Support

Full training was provided to staff on the purpose and importance of the new CSV policy, as well as training on its practical implementation. Training was also provided to relevant employees on the new access management and backup procedures. Post-implementation, our team provided ongoing support.


The Results

The implementation of the CSV policy and deliverables had a significant positive impact on the customer’s operations. It ensured compliance and reduced compliance risks, while improving operational efficiency, not least through enhanced data integrity.

Confidence in the reliability and accuracy of the company’s systems also improved, and security was enhanced with the new backup, access management, and laboratory controls procedures and systems that we put in place.

Westbourne’s Mayank Sharma, said: “This project and case study highlights the importance of a structured approach to implementing Computer System Validation in the pharmaceutical industry. By developing a tailored CSV policy, executing comprehensive validation deliverables, and enhancing system security, we successfully bridged the compliance gap for our customer while also enhancing operational efficiency.”