Lab Manager | Run Your Lab Like a Business
Scientists go over a checklist in a laboratory
iStock, anyaivanova

A Risk-Based Approach to GxP Computer Systems Validation Using Critical Thinking

Computer system validation is a key part of meeting regulatory requirements—how can you best ensure that your systems are compliant?

by Agilent Technologies
Register for free to listen to this article
Listen with Speechify

Preparing for a regulatory inspection can be a daunting task, especially when numerous processes are governed by electronic systems. Of the many components that will be addressed, computer system validation (CSV) stands out as a crucial regulatory requirement for all computerized systems used in regulated environments. The purpose of CSV is to demonstrate strict compliance with 21 CFR Part 11.10(a), a key standard that governs the validation of electronic records. This guidance requires that computerized systems be validated to ensure “accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.” 1

A variety of articles, industry guidance (ISPE GAMP), seminars, and other events have been created to present various strategies for complying with this regulation. Even with this guidance, drug shortages, quality-related recalls, regulatory actions, and other issues occur, which appear to stem from a failure to meet the minimum expectations outlined in Part 11.10(a). One contributing root cause could be the failure to consider how human and software factors interact in a live GxP environment. This leads to confusion and undesired deviations that put patients at unnecessary risk.  

CSV as a regulatory requirement for inspection readiness

The traditional approach to CSV has been a static, document-centric process that relies on checklists, templates, and predefined procedures to test and document all components of a system. Because it is such an involved process, efforts to validate systems are often focused only on regulatory compliance for inspection readiness. This caused CSV to be seen as more of a burden, rather than an opportunity to gain knowledge regarding optimal use of computerized systems within a GxP environment, and to translate that knowledge into standard operating procedures and training programs.

As a result, critical thinking was often made less of a priority, with users focusing on aspects of the system that could be objectively analyzed. Components that required critical thinking, such as formal test scripts to evaluate the accuracy and completeness of standard calculation formulas, tended to be neglected as part of the process. Interactions between users and computer systems, what FDA calls the “intended use”, were left out of the validation programs. 

In 2018, the FDA published their Q&A guidance for data integrity, which states that validation for consistent intended performance includes an evaluation of hardware, software, personnel, and documentation, with concepts of a “risk-based approach” being integrated throughout the document.2 In a risk-based approach, critical thinking is used to prioritize the validation effort based on the level of risk associated with the computer system. These four aspects, together with the concepts outlined in ICH Q9, define a holistic approach to CSV and include the necessary added ingredient of critical thinking. 

Critical thinking to address unknowns

This critical thinking approach goes well beyond objective test scripts to generate knowledge of a system by considering the uncertainty and unknowns about how the system will function in a live GxP environment. By acknowledging that there are unknowable factors affecting this process, a lab manager can develop more effective monitoring of the system. An example of an unknowable factor might include: How will an analyst behave when performing a task like manual peak integration while also experiencing significant pressure (personal and/or professional) to get their work done quickly? Will they follow the written procedures without compromise?

This is an example of an “unknowable unknown”, which existing guidelines consider acceptable. ICH Q9 (R1) indicates that when dealing with decision making (like how to validate a system for consistent intended performance) by revealing your assumptions and reasonable sources of uncertainty, you can enhance confidence in your output and/or help identify its limitations.3 This guidance confirms that it is okay to have unknowable factors in a process, and that simply revealing uncertainty in validation processes will guide the lab toward appropriate decisions (such as the level of control and oversight/monitoring necessary to govern manual integration of chromatography peaks). The FDA calls this approach “vigilant operations management oversight”. 

Acknowledging these unknowable factors will help catch issues before they become critical deviations leading to product recall, thereby treating validation as a lifecycle in line with regulatory expectations. The critical thinking approach is not easy, and is not designed to achieve perfection, which is likely the reason why users have been reluctant to fully embrace the guidance. 

Develop a CSV strategy

A simple roadmap for success when developing a CSV strategy may look something like this:

CSV strategy using critical thinking
CSV strategy using critical thinking
Credit: Agilent

This approach generates data and translates that data into knowledge about the system prior to going live, which prepares the lab with a strategy for monitoring of unknowns within the live GxP environment. Validation is now treated as a lifecycle along with the product, rather than a one-time effort. In doing so, critical thinking and patient safety are brought to the forefront as the leading factors driving the risk-based CSV efforts. With this approach, front-line personnel can visualize and understand that what they do on a daily basis is ultimately for ensuring a consistent supply of safe and effective medicines, rather than just following predefined processes based on vague ideas of best industry practice.

Have management support

When management develops the appropriate framework via CSV governance procedures (through qualitative and agile risk management tools), fosters employee empowerment, and allocates appropriate resources such that cross-functional teams can come together as needed—success and true inspection readiness will come naturally, without extensive disruption to ongoing operations.

By acknowledging the reality of uncertainty and unknowns as part of this new validation strategy using critical thinking, along with building critical thinking approaches to considering these unknowns into processes, true ownership can be achieved on the front line. Companies benefit from a decrease in deviations, possible reduction in personnel turnover, and most importantly, objectively demonstrating to the regulator that the lab is putting patient safety at the forefront of the culture through true inspection readiness.


  1. U.S. Department of Health and Human Services Food and Drug Administration. Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope
    and Application 2003.
  2. U.S. Department of Health and Human Services Food and Drug Administration. Data Integrity and Compliance With Drug CGMP.
  3. European Medicines Agency. ICH guideline Q9 (R1) on quality risk management, 2021.


Peter Baker, President, Live Oak Quality Assurance LLC

Peter is a former FDA investigator and FDA Investigator of the Year (2013), who has inspected facilities around the world. He found that those sites that stood out as industry leaders were those who had a workforce confident in their interpretation of the regulations and could effectively communicate “why they do what they do” from a patient-centric perspective.

Humera Khaja, Global Software Compliance Program Manager, Agilent Technologies

Humera has 16 years of industry experience specialized in software compliance for instrumentation applications, data systems, clinical research technologies, medical device, biotech and pharmaceutical companies.