July 26, 2022

Software validation is historically one of the most difficult compliance activities for life sciences companies. It’s also the single largest expense for many companies when they automate or upgrade their quality management systems (QMS).

While regulations and guidance documents define the components of computer system validation, they don’t actually say how to conduct validation. There are many schools of thought about QMS validation. The prevalent approach is to test all features of the system and document every detail of the effort. For many companies, this old-school approach is unsustainable.

In this article, we’ll discuss how you can dramatically reduce validation time, cost, and effort. In other words, how to utilize a sustainable validation approach that you’ll be able to perform each time you upgrade your system.

QMS Validation: Regulations & Guidance

To understand validation, we have to start with regulations and guidance documents that serve as the foundation for product quality and safety. The FDA’s 21 CFR Part 11 established the criteria for the use of electronic records and electronic signatures. Under Part 11, FDA-regulated companies that use computer systems to “create, modify, maintain, or transmit electronic records” must employ controls that would ensure the integrity of those records. The controls include software validation.

In addition to Part 11, 21 CFR Part 820 for medical device firms addresses the importance of computer system validation. It requires manufacturers to validate software for its intended use according to an established protocol. In both Part 11 and Part 820, validation is meant to ensure that the software is functioning as intended.

The following FDA guidance documents provide the baseline interpretation of the regulations as far as QMS validation is concerned:

The FDA is not the only agency that requires validation. The European Union’s “Annex 11: Computerised Systems” is part of the Good Manufacturing Practice (GMP) guidelines for the pharmaceutical industry. Like the FDA’s Part 11, it’s concerned with the integrity of electronic records and software validation.

Likewise, ISO 13485, an international quality standard for medical device firms and their suppliers, specifies the need for software validation.

5 Tips for Sustainable Validation

In the past, regulated companies validated everything for fear of noncompliance. It became the norm even though existing guidance documents advise against senseless testing.

The FDA clearly states in its software validation guidance that it believes in “the least burdensome approach” when it comes to compliance. The agency is expected to release a new guidance document this year, Computer Software Assurance for Production and Quality System Software, which embodies the approach.

Based on the FDA’s preferred strategy, here are five ways that can help you develop a sustainable computer system validation strategy.

#1 Follow a risk-based approach in QMS validation.

The key to the least burdensome approach lies in risk-based validation, a commonly misunderstood concept. The FDA’s Part 11 guidance and software validation guidance both emphasize the importance of conducting validation commensurate with a system’s risks. In other words, the riskier the process, the more testing and validation it requires.

Here’s a best practice tip: Assess your QMS configuration and usage for risk-based validation. Validate only those features that you’re using.

#2 Focus on validating your critical business processes (also known as critical business functions).

CBPs are essential functions that can’t be interrupted for more than a certain time frame without jeopardizing your operations. Concentrate on identifying and defining your CBPs as those are the processes you need to spend more time validating. Further, when you’re tempted to validate anything not on your CBP list—just say no.

#3 Leverage your software provider’s validation documentation.

The FDA encourages companies to use their software vendor’s documentation and validation assets. If your vendor provides a full validation package, leverage it. The materials should include a risk assessment, validation plan, a test protocol, IQ/OQ, traceability matrices, and validation summary report.

Don’t reinvent the wheel; there’s no need to duplicate your software provider’s efforts. Instead, focus on your actual configuration, the aspects of the software you’re using, and how you’re using them.

#4 Leverage your software provider’s best-practice configurations.

Most software providers recommend configurations designed for ease of use.  The closer you stay to recommended configurations, the less lot of time and effort you’ll spend on both software implementation and validation. However, best practice workflows will ultimately depend on what works best for your business. Speak to your vendor in advance to understand how configuration will impact validation. Most importantly, validate from the start to pave the way for more sustainable validation.

#5 Use a change control methodology for validating upgrades.

Software needs periodic updates and therefore periodic revalidation. Many companies that successfully validate their QMS the first time have trouble in revalidation without the right strategy. To sustain your validation effort, focus on the important changes. Use a change control method to capture the pertinent validation information with every upgrade. Collaborate with your vendor to evaluate the potential risk and impact of the update. Often, you don’t need a full revalidation for minor upgrades.

Faster and easier validation is one of the biggest advantages of a cloud-based enterprise QMS. Furthermore, the very nature of cloud technology makes it suitable for revalidation. With a cloud EQMS, the upgrades are regular but smaller. Likewise, revalidation becomes routine. To dramatically reduce your validation burden and cost, choose an EQMS with a validation service that takes care of the bulk of IQ, OQ, and PQ tasks.


Computer system validation is one of the most misunderstood aspects of regulatory compliance. The misconception of validation as a complex, expensive, and time-consuming effort stems from the manual, old-school approach of testing every single feature in a system.

Fortunately, the practice has evolved in the past two decades. The focus has shifted to risk-based assurance – meaning applying the level of rigor that matches the level of risk to product quality and safety. Regulators want you to focus on validating your CBPs, not the hundreds of non-critical functionalities in your system. It’s time to leave the “traditional” concept of validation behind and adopt a new, risk-based strategy for sustainable compliance.

About the Author

Stephanie Ojeda is Director of Product Management for the Life Sciences industry at AssurX. Stephanie brings more than 15 years of leading quality assurance functions in a variety of industries, including pharmaceutical, biotech, medical device, food & beverage, and manufacturing.

Related Reading: Computer Systems Assurance: Making the Transition from Computer Systems Validation