Every pharmaceutical facility that uses software to create, modify, maintain, archive, retrieve, or transmit maintenance records is subject to computer system validation requirements under 21 CFR Part 11 and GAMP 5 guidance. A maintenance CMMS — which stores work orders, PM records, calibration history, and deviation linkage — sits directly in the scope of these requirements, and gaps in its validation documentation are a predictable FDA observation. This guide walks through the complete CSV process for a pharma maintenance CMMS, with the specific documentation, test evidence, and role-based access controls that regulators expect to see. OxMaint provides validation support documentation to accelerate your CSV effort from project initiation to regulatory-ready closure.
Computer System Validation Guide
Validate Your Maintenance CMMS for GMP Compliance
A practical CSV guide for pharmaceutical teams implementing or revalidating a maintenance CMMS — covering URS, IQ/OQ/PQ, audit trails, e-signatures, and test evidence.
URS
FS
IQ
OQ
PQ
User Req.
Func. Spec.
Install. Qual.
Oper. Qual.
Perf. Qual.
Is Your CMMS in Scope for CSV? The 3-Question Test
1
Does the CMMS create or store records that support GMP decision-making — work orders, PM completions, calibration records, or deviation linkage?
If yes → in scope for 21 CFR Part 11
2
Do users sign or approve records in the CMMS that would otherwise require a handwritten signature in a paper system?
If yes → e-signature requirements apply
3
Are CMMS records referenced in batch records, deviation investigations, or regulatory submissions?
If yes → audit trail and data integrity requirements apply
The CSV Documentation Package: What You Need
| Document | Purpose | Key Content Required | GAMP 5 Phase |
|---|---|---|---|
| Validation Plan (VP) | Defines scope, approach, responsibilities, and acceptance criteria for the entire validation project | System description, regulatory basis, risk category, testing approach, roles | Planning |
| User Requirements Specification (URS) | Defines what the business needs the CMMS to do — traceable to all test cases | Functional requirements, compliance requirements, performance requirements | Concept |
| Functional Specification (FS) | Describes how the system meets each URS requirement — the technical design reference | Feature descriptions, data flow, user roles, audit trail design | Project |
| Installation Qualification (IQ) | Verifies the system is installed correctly per supplier specification | Software version, server configuration, access control setup, network documentation | Operation |
| Operational Qualification (OQ) | Tests that the system functions as designed across all specified use cases | Test scripts for each URS requirement, actual vs. expected results, pass/fail evidence | Operation |
| Performance Qualification (PQ) | Confirms the system performs correctly under real production conditions | End-to-end workflow execution with actual users, performance under load | Operation |
| Traceability Matrix | Maps every URS requirement to its test case(s) and confirms coverage | URS ID, test case ID, test result, any deviations | All phases |
21 CFR Part 11 Requirements Your CMMS Validation Must Cover
§11.10(a)
System Validation
Documented evidence that the system does what it purports to do — your IQ/OQ/PQ package with test evidence is the primary artifact demonstrating compliance with this requirement.
§11.10(b)
Accurate Copies
The CMMS must generate accurate and complete copies of records — OQ tests must include verified export, print, and copy functions with content integrity checks.
§11.10(e)
Audit Trail
A secure, computer-generated, time-stamped audit trail that records operator entries and actions creating, modifying, or deleting electronic records — must be tested and evidenced in OQ.
§11.10(g)
Access Controls
Authority checks to ensure only authorized individuals can use the system, electronically sign, access, or alter records — role-based access matrix must be tested and documented.
§11.50
E-Signature Manifestations
Signed electronic records must display the printed name of the signer, date and time of signature, and meaning of signature — verified in OQ test scripts for all approval workflows.
§11.100
E-Signature Uniqueness
Electronic signatures must be unique to one individual and not reassigned or reused — OQ must test that deactivated user signatures cannot be assumed by another account.
OxMaint Provides CSV Documentation Support for Pharma Clients
OxMaint delivers a validation support package including URS templates, IQ/OQ test scripts, audit trail documentation, and role-based access control evidence — reducing your CSV project timeline by weeks.
User Roles and Access Control: The OxMaint Model
| User Role | Permitted Actions | E-Signature Required | Audit Trail Scope |
|---|---|---|---|
| Technician | Create, execute, and complete work orders; log time and parts; upload evidence | Work order completion sign-off | All entries and edits to assigned work orders |
| Maintenance Supervisor | Create and assign work orders; review completions; manage PM schedules | PM schedule approval; work order closure | All scheduling and approval actions |
| QA Reviewer | View all records; approve GMP-critical work orders; link to deviation records | GMP work order approval; deviation linkage | All review and approval actions with meaning of signature |
| Calibration Technician | Execute calibration work orders; record as-found and as-left values; flag OOC | Calibration completion; OOC event notification | All calibration record entries and result declarations |
| System Administrator | Configure users, roles, and access levels; manage asset register | User account creation and modification | All administrative configuration changes |
Expert Review
CSV
The most frequent gap I see in CMMS validation packages is not missing IQ evidence — it is an incomplete traceability matrix that leaves URS requirements untested, and an audit trail that was never formally verified to capture all the right events. Regulators have become significantly more sophisticated about CMMS validation scope; a system that stores GMP maintenance records needs a complete Part 11 assessment, not just a software installation record. Facilities that invest in a rigorous OQ with full test scripts and evidenced results have consistently cleaner inspection outcomes.
Computer System Validation Consultant
Former FDA Senior Investigator, GAMP 5 Working Group contributor, 20 years pharma CSV experience
Frequently Asked Questions
What GAMP 5 category does a pharma maintenance CMMS fall into?
Most modern maintenance CMMS platforms — including OxMaint — are classified as GAMP 5 Category 4 (Configured Products). This means the software is a commercial off-the-shelf product that has been configured for the specific pharmaceutical site's requirements. Under GAMP 5, Category 4 systems require a vendor audit or supplier assessment, a full URS, configuration specification documentation, and IQ/OQ testing of all configured workflows. PQ is typically required for GMP-critical functions including work order approval, audit trail, and e-signature. Book a demo to review OxMaint's supplier qualification documentation.
What test evidence is required for an OQ of a maintenance CMMS?
An OQ for a maintenance CMMS must include executed test scripts with actual vs. expected results documented for every URS requirement. Key test areas include: work order creation, editing, and closure workflow; PM schedule triggering and assignment; audit trail capture and immutability (including attempts to alter records); role-based access control verification (each role attempting actions outside their authority); e-signature functionality with all three required manifestations; and report and export accuracy. Test scripts must be pre-approved before execution and deviations documented and resolved. OxMaint provides pre-built OQ test script templates for pharma clients.
Does OxMaint's audit trail meet 21 CFR Part 11 Section 11.10(e) requirements?
OxMaint's audit trail captures all record creation, modification, and deletion events with user ID, timestamp, and before/after values for any changed field — meeting the core requirements of 21 CFR 11.10(e). The audit trail is computer-generated, cannot be disabled by standard users, and is protected from modification. System administrators can view but not alter audit trail records. OxMaint's OQ test scripts include specific test cases for audit trail integrity, including attempted unauthorized modification scenarios, and the results are provided as validation evidence.
How often does a pharma CMMS need to be revalidated?
A maintenance CMMS requires revalidation when significant changes are made to the system — including major version upgrades, changes to GMP-critical workflows, addition of new user roles with access to regulated records, or infrastructure changes (server migration, cloud transition). A formal change control and impact assessment procedure should govern all system changes, with revalidation scope determined by the risk level of the change. OxMaint provides change notification documentation to support impact assessments and provides updated validation support documentation for releases that affect GMP-critical functionality.
Accelerate Your CMMS Validation with OxMaint's CSV Support Package
OxMaint provides URS templates, IQ/OQ test scripts, audit trail documentation, and role-based access matrices — giving your validation team a structured head start.
