Computer Software Validation for 21 CFR Part 11 — and How Korea KGMP Reads It
CSV is where medical device QMS rollouts get bogged down. GAMP 5 category-based scoping, Part 11 essentials, and the KGMP/FDA/MDR alignment in one guide.

Why CSV Becomes a Roadblock
Most medical device organizations encounter Computer System Validation (CSV) the same way: an eQMS or MES rollout is approved, the vendor starts implementation, and somewhere around month four, someone asks "what about validation?" The answer, typically delivered by an external CSV consultant, is a 6-9 month validation program that doubles the project timeline.
The frustration is real, but it stems from a misunderstanding. CSV is not a phase that gets bolted onto a system deployment. It is a discipline that should shape the deployment from the start — what gets configured, what gets customized, how testing is structured, what evidence accumulates. Organizations that fold CSV into the project plan from kickoff finish faster than those that treat it as a separate workstream.
This guide covers the working CSV framework, with FDA 21 CFR Part 11 essentials and the alignment across FDA / EU MDR / Korea KGMP.
21 CFR Part 11 Core Requirements
FDA's Part 11 regulation governs electronic records and electronic signatures. The essentials, often forgotten in implementation:
Electronic Records (§11.10)
Closed systems used to create, modify, maintain, or transmit electronic records must employ procedures and controls to ensure:
- Validation of systems to ensure accuracy, reliability, and consistent intended performance
- Ability to generate accurate copies of records (paper and electronic)
- Protection of records to enable accurate retrieval throughout retention period
- Limited access to authorized individuals
- Audit trails that record date, time, and user for each entry/change
- Operational system checks to enforce sequence of steps
- Authority checks to verify users are authorized
- Device checks to verify input data sources
- Personnel qualifications documented
- Accountability and responsibility for system actions
- Documentation control for system documentation
- Additional controls for open systems (encryption, digital signatures), if applicable
Electronic Signatures (§11.50–11.300)
Electronic signatures must be:
- Unique to each individual
- Verified before use
- Used only by their owner
- Linked to their record such that signatures cannot be separated, copied, or transferred
A signed record must include the signer's printed name, date and time of signing, and meaning of signing.
Inspection Implications
The most common Part 11 inspection findings:
- Audit trail not configured or selectively disabled
- Generic / shared user accounts
- Electronic signatures not associated with meaning
- Inadequate password controls
- Validation evidence missing or insufficient
Of these, audit trail completeness and shared accounts carry the most consequence, because they undermine the integrity of the record system.
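The findings above can be screened for in an exported audit trail before an inspector does it. The following is an added example, not part of the original guide or any vendor's tooling: the export layout, the field names, the generic-account name list, and the assumption that record versions start at 1 and increase by 1 are all hypothetical, and the sample data is constructed.

```python
from collections import defaultdict

# Assumed heuristic list of generic/shared login names; tune per site.
GENERIC_ACCOUNTS = {"admin", "qa", "lab", "shared", "operator", "test"}

# Constructed sample export: one dict per audit-trail entry.
AUDIT = [
    {"record": "DHR-001", "version": 1, "user": "jkim", "ts": "2024-03-01T09:00:00Z"},
    {"record": "DHR-001", "version": 2, "user": "jkim", "ts": "2024-03-01T09:30:00Z"},
    {"record": "DHR-001", "version": 4, "user": "slee", "ts": "2024-03-02T11:00:00Z"},
    {"record": "CAPA-07", "version": 1, "user": "qa", "ts": "2024-03-03T08:15:00Z"},
    {"record": "CAPA-07", "version": 2, "user": "mpark", "ts": ""},
]
# Constructed sample signature manifestations.
SIGNATURES = [
    {"record": "DHR-001", "name": "Jin Kim", "ts": "2024-03-02T12:00:00Z", "meaning": "approval"},
    {"record": "CAPA-07", "name": "Min Park", "ts": "2024-03-03T09:00:00Z", "meaning": ""},
]

def audit_findings(audit, signatures):
    """Return sorted (finding, record, detail) tuples for the findings listed above."""
    findings = []
    versions = defaultdict(set)
    for e in audit:
        versions[e["record"]].add(e["version"])
        # Every entry must carry a user and a date/time.
        for field in ("user", "ts"):
            if not e.get(field):
                findings.append(("missing_" + field, e["record"], f"v{e['version']}"))
        if (e.get("user") or "").lower() in GENERIC_ACCOUNTS:
            findings.append(("shared_account", e["record"], e["user"]))
    # Assumption: versions start at 1 and step by 1. A hole means a change
    # was saved with no audit entry, e.g. the trail was off for that change.
    for rec, seen in versions.items():
        for missing in sorted(set(range(1, max(seen) + 1)) - seen):
            findings.append(("audit_gap", rec, f"v{missing}"))
    # A signed record must show printed name, date/time and meaning.
    for s in signatures:
        for field in ("name", "ts", "meaning"):
            if not s.get(field):
                findings.append(("signature_missing_" + field, s["record"], s.get("name") or ""))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_findings(AUDIT, SIGNATURES):
        print(*finding, sep="\t")
```

Run as part of OQ and again on a schedule after go-live, a check like this turns "audit trail is complete" from a configuration claim into evidence that can be filed with the validation report.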
GAMP 5 Category-Based Scoping
The ISPE's GAMP 5 framework provides the practical scoping model that FDA, EU regulators, and Korean MFDS all accept. Five categories with progressively heavier validation:
| Category | Description | Examples | Validation effort |
|---|---|---|---|
| 1 | Infrastructure software | Operating systems, databases, virtualization | Qualified, not validated |
| 2 | (Removed in GAMP 5) | — | — |
| 3 | Non-configured COTS | Commercial software used as-is | Risk-based, limited testing |
| 4 | Configured COTS | Configurable platforms (eQMS, MES, PLM with no custom code) | Moderate, configuration-focused |
| 5 | Custom applications | Bespoke development, custom integrations | Full validation |
Most medical device deployments today are Category 4 — configurable platforms (Veeva, MasterControl, ETQ, Sparta, Greenlight Guru, Arena, Windchill, etc.) configured to the organization's procedures. Category 5 effort applies only to custom integrations and bespoke applications.
A common scoping error is treating Category 4 deployments as Category 5. That doubles or triples the validation effort without proportional risk reduction.
The Validation Lifecycle
A working CSV lifecycle for a Category 4 deployment:
Validation Plan (Pre-implementation)
Defines what gets validated, against what criteria, by whom, in what sequence. Approved before configuration begins. Common omission: failure to specify which functional areas are out-of-scope (e.g., reporting features not used).
User Requirements Specification (URS)
Captures what the system must do, in user-facing language. Linked to procedures and regulatory requirements. The URS is the source of truth for what gets tested.
Functional Specification (FS) / Configuration Specification
Translates URS into specific system configurations, workflows, fields, roles. Provided by the system implementer; reviewed and approved by the user organization.
Installation Qualification (IQ)
Verifies the system is installed correctly. Server specifications, software versions, configurations match the FS. Typically takes 1-3 days.
Operational Qualification (OQ)
Verifies the system operates as specified across its functional range. Each requirement in the URS has corresponding OQ test cases. This is the heaviest testing phase — typically 4-12 weeks depending on system complexity.
Performance Qualification (PQ)
Verifies the system performs as intended in the production environment with real users, real data, real workflows. Often runs in parallel with user acceptance testing.
Validation Report
Summarizes all validation activities, links to evidence, documents any deviations and their dispositions. Signed before the system goes live.
Ongoing Validation Maintenance
Configuration changes, vendor releases, environment changes — each triggers a re-validation decision (full, partial, no re-validation). This is where most organizations under-invest, leading to "validated at go-live, drifted by year 3" situations.
How FDA, EU MDR, and Korea KGMP Align
The validation framework is largely harmonized, but with subtle differences worth noting.
FDA 21 CFR Part 11. The most prescriptive on electronic records and signatures. Audit trail completeness is the highest-emphasis area.
EU MDR Annex IX (Quality Management System). Validation is required for "processes that affect product conformity." Software systems supporting design, production, post-market activities fall in scope. Less prescriptive than Part 11; risk-based emphasis stronger.
Korea KGMP. Adopts ISO 13485 §4.1.6 requirement for validation of software used in QMS. KGMP audits specifically check that:
- The QMS includes a validation procedure for QMS software
- Each validated system has documented validation evidence on file at the site
- Validation evidence is available for KGMP audit (not in remote cloud-only storage)
- Validation evidence is accessible in Korean (full English is acceptable; Korean summary recommended)
Practical consequence: A single CSV program with FDA-aligned evidence typically covers all three. The Korean addition is ensuring evidence is locally accessible and that critical procedures have Korean translations or summaries.
CSV for Cloud-Based eQMS
Most modern eQMS deployments are SaaS / cloud-based. CSV scoping shifts:
- Vendor-provided validation evidence covers infrastructure, base software, vendor-controlled configurations. Reduces validation effort substantially.
- Customer-controlled validation covers organization-specific configurations, integrations, user testing, and operational procedures.
- A shared responsibility model documents what the vendor validates vs. what the customer validates.
The vendor's validation evidence package is the input. Customer validation builds on it rather than replacing it. Organizations that ignore vendor evidence duplicate work without adding assurance.
Six Practical Recommendations
- Plan CSV from project kickoff, not month four. Update the project plan with validation milestones aligned to configuration milestones.
- Categorize correctly. Most configurable platforms are Category 4. Resist the urge to treat them as Category 5 — it adds validation work without proportional risk reduction.
- Leverage vendor validation evidence. Get the vendor's validation package, identify what it covers, scope customer validation to fill the gap.
- Audit trail is non-negotiable. Verify it is configured, complete, and tested before go-live. Findings here have the most consequence.
- For Korea, ensure validation evidence is locally accessible and that procedure-level documents have Korean translations or summaries.
- Plan ongoing validation maintenance. Vendor releases, configuration changes, integration changes — each needs a re-validation decision. Build the cadence into the QMS.
Where Leanabl Plugs In
The eQMS service includes CSV planning and execution for medical device deployments. For Platform eQMS specifically — where the deployment scope and CSV scope are determined together — the work runs as one integrated program. Korean-specific CSV coverage for KGMP audit readiness is handled through Korea QMS Foundation.

