Featured Product
This Week in Quality Digest Live
FDA Compliance Features
Michael King
Augmenting and empowering life-science professionals
Meg Sinclair
100% real, 100% anonymized, 100% scary
Alonso Diaz
Consulting the FDA’s Case for Quality program
Four data layers that matter
Kari Miller
Regulations and increased complexity are pushing the industry to adopt innovation more quickly

More Features

FDA Compliance News
Recognized among early adopters as a leading innovation for the life sciences industry
Streamlines annual regulatory review for life sciences
Facilitates quick sanitary compliance and production changeover
Creates one of the most comprehensive regulatory SaaS platforms for the industry
Company’s first funding round will be used to accelerate product development for its QMS and MES SaaS offerings
Showcasing tech, solutions, and services at Gulfood Manufacturing 2022
Easy, reliable leak testing with methylene blue
Now is not the time to skip critical factory audits and supply chain assessments
Google Docs collaboration, more efficient management of quality deviations

More News

Steve Thompson

FDA Compliance

Validation Life Cycle Management Speeds Auditing, Facilitates Regulatory Inspections

An excellent technological tool that improves quality and compliance

Published: Thursday, November 2, 2023 - 11:03

If you’ve ever enjoyed the experience of an audit or inspection, then you know it’s about as much fun as having your wisdom teeth extracted. As painful as audits and inspections may be, they are necessary to bring needed medical products to market and monitor them to protect consumers and patients from unsafe products.

In this article, we won't explore audit management systems (AMS) in detail. Nor will we be determining whether an AMS is needed, since this depends on the number of audits and inspections we face. Instead, we’ll focus on how to modernize audit/inspection readiness, conduct, and closure using existing systems while incorporating a digital validation solution to support the audit/inspection.

Because audits and inspections are vital for public health, we must ensure they’re embraced, supported, conducted, and achieve their objectives. Let’s take a quick look at audits and inspections to understand the differences and challenges they bring to bear.


Regulatory agencies are legally mandated to conduct inspections. These agencies vary by location and government, resulting in geographical inspection variations. While efforts for global harmonization are ongoing, complete harmonization has yet to be achieved.

The U.S. Food and Drug Administration carries out different types of inspections:

Surveillance inspections are conducted to monitor the manufacturing process and the quality of FDA-regulated products on the market. The FDA uses the inspection to evaluate whether a manufacturer is complying with quality manufacturing practices.

For-cause inspections are triggered when the FDA has reason to believe that a facility has quality problems, to follow up on complaints, or to evaluate corrections that have been made to address previous violations.

Application-based inspections are conducted for about 20% of the application reviews conducted by the FDA. These inspections, which are part of the application review process to market a new drug, device, or biologic, determine if new products comply with FDA regulations, ensure consistent manufacturing, and verify accurate and complete data.

The FDA also conducts inspections to verify the reliability, integrity, and compliance of clinical and nonclinical research being reviewed in support of pending applications.


Audits are conducted by entities or individuals not part of any regulatory body. They can be just as stressful as inspections, particularly a for-cause audit that occurs when there’s reason to believe quality problems exist, to address complaints, or to evaluate corrections made to address prior issues. Although annual audit plans should drive audits throughout the year based on priority, they could instantly change if an unforeseen issue arises. This can make audits a bit unpredictable.

Auditors are usually part of the quality assurance function of an organization. But there are also independent auditors who work on contract. We can think of audits as a more frequent and preemptive way to resolve issues. What’s worse than having an audit finding is to receive a finding from a regulatory agency during an inspection.

Yet, it’s essential to take into account that auditors are human and possess unique perspectives. They come from diverse cultural, professional, and educational backgrounds, which can influence their subjective judgement.

Internal audits  

An internal audit is the practice of conducting an audit within an organization, either by an individual or a team. Don’t be fooled into thinking that internal audits are easy just because they are conducted internally. They can often be more challenging to both the auditor and auditee compared to external audits. This is because internal parties are aware of issues and persistent problems the organization has faced recently or throughout the years, and there may be internal politics at play that might affect the internal audit.

External audits and inspections 

A challenge with external audits is that the auditor or inspector might not know an organization’s internal issues and challenges, especially if it’s the first time an external audit is being performed. That doesn’t mean an external auditor will be unable to discover issues. In this scenario we’re dealing with both internal (us) and external (them), which may make it more difficult to come to agreement and resolution because two parties are involved.

Traditional audits  

Traditional audits are paper-based and lack the support of technology. It’s a scramble to gather the binders of documentation, and often requests are made to retrieve documentation potentially relevant to the audit. Carts start getting pushed around full of supporting documentation and objective evidence. Everyone is on high alert, and critical individuals are on call. Stress is high, and everyone is under a microscope. As requests start flooding in, the workload in support of the audit grows exponentially. Regardless of workload, responses to audit requests must provide the supporting data to address the response in a readily accessible manner.

‘Readily accessible’  

It’s a regulatory requirement that the documentation, information, and data requested during an audit or inspection be readily accessible. However, the definition of readily accessible isn’t clear. It’s subjectively determined by the auditor (not the company) based on their discretion. Of course, auditors are savvy, and their intuition will be the litmus test to determine if we responded promptly, with a delay, or didn’t fulfill the request at all.

Audit and inspection modernization

By now, it should be evident that (a) traditional audits are demanding; (b) not leveraging technology burdens manual, paper-based activities; and (c) prompt responses to information requests are challenging.

With this in mind, let’s consider the modern approach to audits and inspections, which leverages technology and current best practices.

Technologies that support and conduct audit and inspection readiness include:
Document management system (DMS)
Learning management system (LMS)
Corrective and preventive action (CAPA) system
Change control/change management system
Ticketing and tracking systems (e.g., ServiceNow and Jira)

Purpose-built audit management system

Commercially available audit management systems (AMS) that are purpose-built to address all aspects of the audit life cycle may be the best option. We’ll need to decide whether an AMS provides a return on investment (ROI). Here are some factors to consider.

AMS features and functions 

Each organization will need to determine volume and see whether there’s a compelling reason to invest. If the decision is to proceed, then the following areas of functionality should be considered as requirements for an AMS: audit planning, audit execution, audit follow-through, audit closure, tracking, trending, and key performance indicators (KPIs).

Audit/inspection volume and demand 

A quick way to determine the value and ROI in procuring an AMS is to quantify the volume of audits and inspections that occur annually. Here are some examples:
Pharmaceutical, biotech, and medical device (i.e., sponsor): There are two common situations. New drug/device product seeking regulatory approval will involve a high inspection/audit demand; and an established sponsor with no new drug/device products pending regulatory review and approval, typically medium to low audit demand, provided there are no known issues that may increase audits/inspections.
Contract research organization: typically high audit demand coming from sponsor
Contract development manufacturing organization: typically high audit demand coming from sponsor
Contract lab (typically high inspection/audit demand)
Consultants and contractors: typically low unless there’s an issue that prompts an audit, such as for-cause audits, but this isn’t common

How digital validation facilitates inspections and audits 

A robust digital validation management tool can facilitate audits and inspections. This isn’t intuitive initially because an audit or inspection involves more than validation. Therefore, we may conclude that a validation life cycle management system (VLMS) only addresses one aspect of an audit, e.g., validation. When we give it more consideration, then it becomes apparent.

The ValGenesis VLMS addresses all aspects of an entity’s validation life cycle. The term entity applies to anything that can be validated, not just a computer system. This is why the term system isn’t used. An entity can be a computer-related system, infrastructure, equipment, instruments, and even a process such as cleaning or method validation. All these types of validation are effectively managed in a reputable VLMS. So we’re discussing more than just a computer system.

When we look at what’s required to validate an entity, we’ll normally see a package that includes: validation plan; requirements (e.g., user, functionality, and design); test/qualification protocols (installation, operational, and performance qualification—IQ, OQ, PQ, respectively); deviations; execution summaries; change control; and validation summary report.

This is, of course, based on our validation procedures, risk management program, and the standards we’ve established for validation requirements based on risk. As we know from regulation, the purpose of validation is to demonstrate that the system performs as intended.

The FDA’s 2003 guidance document, Part 11, Electronic Records: “Electronic Signatures—Scope and Application—September 2003” states, “You have documented evidence and justification that the system is fit for its intended use (including having an acceptable level of record security and integrity, if applicable).” Because this is a guidance document, it isn’t binding. However, 21 CFR Part 11 is a regulation and is binding. Consider 21 CFR Part 11—“Subpart B, Section 11.10(a),” which states, “Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.”

One of the key points to highlight here is “consistent intended performance.” This directly relates to user requirements that constitute intended performance of the system. When validation is performed, the performance of the system is tested in the performance qualification (PQ) protocol, and the PQ typically is designed to test user requirements. Then of course the operational qualification (OQ) protocol tests functional requirements and the installation qualification (IQ) on the design specifications. This has been considered a good practice, at least thus far.

The FDA’s computer software assurance and GAMP 5 

It’s noteworthy that the FDA’s computer software assurance (CSA) guidance encourages a least burdensome, risk-based approach that challenges established practices that have, to date, been less than optimal. As a result, certain validation deliverables may not be needed (unnecessary) because of a lower-level risk assessment outcome. When extraneous deliverables are identified, and their removal is justified, then you end up with a less burdensome approach. The International Society of Pharmaceutical Engineers also released its GAMP 5 Edition 2, which incorporated CSA guidance and is aligned with the aforementioned.

Validation’s holistic view and system health 

As evident from above, validation encompasses much more than writing test scripts. It ensures accuracy, reliability, consistent intended performance, and the ability to detect any invalid or altered records. A VLMS encapsulates all of this in, essentially, a package based on an entity-by-entity, system-by-system basis. Accessing VLMS records for an entity should provide a holistic view of the system, prior to, during, and after validation, when the system is released into production and maintained in a validated state.

This is vital information, especially if we’re performing an audit. We will be able to determine whether an entity (i.e., system) was developed and tested properly prior to release into production. We will also be able to see whether issues (e.g., deviations, incidents, exceptions) occurred. Once an entity is validated and under change control, any updates to it will be identifiable. Couple this with a ticketing system, and a comparison can be made to determine if changes were authorized, vetted properly, applied appropriately, and released into production accordingly. Any cracks in this validation armor should be a reason for pause and may merit a deeper dive into the issue.

The bottom line is that validation is more than just validation, and a VLMS can bring all this to light during an audit/inspection to reveal both the good and the areas of concern.

How VLMS reduces auditing time

A good VLMS can reduce audit and inspection time and improve overall efficiency. Armed with a holistic view of any entity that may come under audit/inspection scrutiny, auditees will be able to accomplish a few key objectives.

• Quickly assess the validated state of an entity (system) and access all associated records related to that entity.
• Identify the validated state of the entity.
• Validation deliverables, including plans, requirements, tests, protocols, and summary reports
• Deviations/exceptions/incidents
• Periodic review(s), revalidation activities
• Review all entities in the inventory, not just a single system.

• Respond to auditor/inspector requests immediately and thus fulfill the regulatory requirement to make documents, information, and data readily accessible to the auditor/inspection in human-readable format.
• Provide the ability to monitor requests made of auditor/inspector as the audit is performed.

• Schedule periodic review(s) and/or revalidation activities as deemed necessary, under observations and findings resulting from the audit/inspection.
• Effectiveness checks via a scheduler (set it and forget it), using periodic review functionality

A VLMS is a comprehensive repository of records (data, information, documents, and all related content) associated with an entity, along with its status (validated state), a chronology of events, and the overall evolution of the system up to the current point in time. Having all this information available online, in near-real time, is extremely powerful. Not only does this give the auditee the ability to assess and respond accurately and promptly, but it also reassures auditors and inspectors that were in control of all of our systems. This is true for the entire team, whether auditees or auditors, provided access is granted.

Virtual and remote audits and inspections

Requirements for a virtual or remote audit/inspection are the same as for onsite. The difference is that requests will need to be fulfilled virtually rather than handed off in person to the auditor/inspector. A good VLMS is ideally suited because the system is designed for collaboration across teams and geographies for internal and external parties.

VLMS system access can be provided to an auditor/inspector so they can review the responses to their requests online and in real time. Furthermore, access can not only be granted but also revoked. In fact, best practice is to establish a timeline for system access, then cut off access immediately when the time has expired. How much access is provided depends on us and our organization, along with consideration for the auditor/inspector.


Traditional validation approaches rely on manual resources and are burdened with paper documents that are not only prone to loss or misplacement but also difficult to share, particularly with original, source-of-truth artifacts. Technologies were considered to augment audits and inspections (e.g., DMS, LMS, CAPA).

This article highlighted the power a VLMS brings in support of audits and inspections. We learned that validation is more than just validation. A VLMS, along with all the supporting documentation and information, provides immediate access to all information. The intuitive and intelligent nature of a VLMS makes sense of the documentation, establishing relationships and dependencies among all the artifacts. This means that one doesn’t have to search for one-off documents in a DMS, for example, to respond to an auditor/inspector request. Everything is presented, holistically, in an inventory for all entities managed in the VLMS.

A VLMS can be used before, during, and after an audit/inspection. A VLMS can also support remote and virtual audits. It is an excellent technological tool that can be leveraged to raise the bar on quality and compliance, in addition to responsiveness, accuracy, and completeness in fulfilling auditor and inspector requests.

A VLMS is purpose-built for validation. However, given the fact that validation proves a system performs as intended, consistently, accurately, and securely, and the fact that all data are logically managed in an intuitive and intelligent manner, the VLMS stands out as an integral, holistic technology. Organizations can use it to attain and remain in a constant state of inspection readiness, with information readily accessible in human-readable format.


About The Author

Steve Thompson’s picture

Steve Thompson

Steve Thompson has worked in life sciences for over two decades in both information technology and quality assurance roles. He’s a certified systems auditor and has audited hundreds of companies globally. Steve is a published author, a frequent speaker at industry conferences, former PRCSQA board director, editorial advisory board for ISPE, elite faculty member for KENX, and adjunct lecturer at Temple University’s School of Pharmacy RA/QA graduate program. He was honored with an APEX 2020 award of excellence for a peer-reviewed article he co-authored for Pharmaceutical Engineering on blockchain. Currently, as director of industry solutions at ValGenesis, Steve helps life science organizations realize the potential benefits of advanced technologies and inherent risks.