A Risk-Based Approach to GxP Computer Systems Validation Using Critical Thinking

Preparing for a regulatory inspection can be a daunting task, especially when numerous processes are governed by electronic systems. Of the many components that will be addressed, computer system validation (CSV) stands out as a crucial regulatory requirement for all computerized systems used in regulated environments. The purpose of CSV is to demonstrate strict compliance with 21 CFR Part 11.10(a), a key standard that governs the validation of electronic records. This guidance requires that computerized systems be validated to ensure “accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.1

A variety of articles, industry guidance (ISPE GAMP), seminars, and other events have been created to present various strategies for complying with this regulation. Even with this guidance, drug shortages, quality-related recalls, regulatory actions, and other issues occur, which appear to stem from a failure to meet the minimum expectations outlined in Part 11.10(a). One contributing root cause could be the failure to consider how human and software factors interact in a live GxP environment. This leads to confusion, and to undesired deviations that put patients at unnecessary risk.

CSV as a regulatory requirement for inspection readiness

The traditional approach to CSV has been a static, document-centric process that relies on checklists, templates, and predefined procedures to test and document all components of a system. Because it is such an involved process, efforts to validate systems are often focused only on regulatory compliance for inspection readiness. This caused CSV to be seen as more of a burden, rather than an opportunity to gain knowledge regarding optimal use of computerized systems within a GxP environment, and to translate that knowledge into standard operating procedures and training programs.

As a result, critical thinking tended to be made less of a priority, with users focusing on aspects of the system that could be objectively analyzed. Components that required critical thinking, such as formal test scripts to evaluate the accuracy and completeness of standard calculation formulas, tended to be neglected as part of the process. Interactions between users and computer systems, what FDA calls the “intended use”, were left out of the validation programs.

In 2018, the FDA published their Q&A guidance for data integrity, which states that validation for consistent intended performance includes an evaluation of hardware, software, personnel, and documentation2 – with concepts of a “risk-based approach” being integrated throughout the document. In a risk-based approach, critical thinking is used to prioritize the validation effort based on the level of risk associated with the computer system. These four aspects, together with the concepts outlined in ICH Q9, define a holistic approach to CSV, and include the necessary added ingredient of critical thinking.

Critical thinking to address unknowns

This critical thinking approach goes well beyond objective test scripts to generate knowledge of a system, by taking the uncertainty and unknowns about how the system will function in a live GxP environment into consideration. By acknowledging that there are unknowable factors affecting this process, we can develop more effective monitoring of the system. An example of an unknowable factor might include:

How will an analyst behave when performing a task like manual peak integration while also experiencing significant pressure (personal and/or professional) to get their work done quickly? Will they follow the written procedures without compromise?

This is an example of an “unknowable unknown”, which existing guidelines consider acceptable. ICH Q9 (R1) indicates that when dealing with decision making (like how to validate a system for consistent intended performance) by revealing your assumptions and reasonable sources of uncertainty, you can enhance confidence in your output and/or help identify its limitations3. This guidance confirms that it is okay to have unknowable factors in a process, and that simply revealing uncertainty in our validation processes will guide us toward appropriate decisions (such as the level of control and oversight/monitoring necessary to govern manual integration of chromatography peaks). The FDA calls this approach “vigilant operations management oversight”.

Acknowledging these unknowable factors will help catch issues before they become critical deviations leading to product recall, thereby treating validation as a lifecycle in line with regulatory expectations. The critical thinking approach is not easy, and is not designed to achieve perfection, which is likely the reason why users have been reluctant to fully embrace the guidance.

Develop a CSV strategy

A simple roadmap for success when developing a CSV strategy may look something like this:

Figure 1: CSV strategy using critical thinking

Figure 1: CSV strategy using critical thinking

This approach generates data, and translates that data into knowledge about the system prior to going live, which prepares us with a strategy for monitoring of unknowns within the live GxP environment. Validation is now treated as a lifecycle along with the product, rather than a one-time effort. In doing so, critical thinking and patient safety are brought to the forefront as the leading factors driving the risk-based CSV efforts. With this approach, front-line personnel can visualize and understand that what they do on a daily basis is ultimately for ensuring a consistent supply of safe and effective medicines, rather than just following predefined processes based on vague ideas of best industry practice.

Have management support

When management develops the appropriate framework via CSV governance procedures (through qualitative and agile risk management tools), fosters employee empowerment, and allocates appropriate resources such that cross-functional teams can come together as needed – success and true inspection readiness will come naturally, without extensive disruption to ongoing operations.

By acknowledging the reality of uncertainty and unknowns as part of this new validation strategy using critical thinking, and building critical thinking approaches to considering these unknowns into our processes, true ownership can be achieved on the front line. Companies benefit from a decrease in deviations, possible reduction in personnel turnover, and most importantly, objectively demonstrating to the regulator that we are putting patient safety at the forefront of our culture through true inspection readiness.


Peter Baker, President, Live Oak Quality Assurance LLC
Peter is a former FDA investigator and FDA Investigator of the Year (2013), who has inspected facilities around the world. He found that those sites that stood out as industry leaders were those who had a workforce confident in their interpretation of the regulations and could effectively communicate “why they do what they do” from a patient-centric perspective.

Humera Khaja, Global Software Compliance Program Manager, Agilent Technologies
Humera has 16 years of industry experience specialized in Software Compliance for Instrumentation applications, Data Systems, Clinical Research Technologies, Medical Device, Biotech and Pharmaceutical Companies.