Risk-Based Validation - How Are We Doing?

Yesterday, I posted a poll on LinkedIn asking the question

"How is Life Sciences industry embracing risk-based computer systems validation? Do we have the balance between risk assessment and risk mitigation right? Are we just rushing to reduce costs...?" 

People's responses are starting to come in and we're already starting to get some interesting comments on the question. If you're interesting in the poll and want to take part you can find it here (once you've answered the question you'll be able to see how everybody else has been voting).

Since I asked the question I guess it's only reasonable that I try and answer it and provide my own opinion. There is of course no single answer and even within a single Regulated Company there are different individuals and departments taking different approaches to risk-based validation. In many cases you have the business, and IT tried to reduce costs against a background of life sciences companies struggling to maintain profitability. At the other extreme you have the quality unit who are used to doing things the old-fashioned way and like to see every 'i' dotted and 't' crossed.

Hopefully, somewhere in the middle, you'll find some pragmatic validation practitioners genuinely trying to do their best to take a risk-based approach to validation and apply the appropriate resources to the highest areas of risk to patient safety, product quality and data integrity.

However, this is often thwarted by two obstacles:

1. The pragmatic practitioners in the middle are seldom the people with control of the budgets or with the power to effect real change. This often means that they'll pull from pole to pole at the behest of the business owners, the IT group and the quality unit who have different perceptions of how things should be done. In many cases these practical practitioners of the validation art are not recognised as true subject matter experts and they guidance, advice - and even wisdom - is ignored, often for the sake of point scoring and political expediency in large organisations.

2. Where practical and experienced practitioners are not available (often in small to medium sized organisations but also in organisations in emerging economies where computerised systems validation is a relatively new discipline) there is a genuine lack of understanding of how to take a practical approach to risk-based validation. in these cases and inability to invest in training and education is an obstacle to adopting risk-based validation.

I think therefore the what we will see is an industry which continues to adopt risk-based validation at a relatively slow pace. While some companies are using risk-based validation as an excuse to do less (and in some cases, too little) I think the majority of companies want to do the right thing but are hampered because of their own organisational structures or lack of experience, training and education.


From my experience as a consultant, and with my experience working with the small number of companies who are doing a good job with risk-based validation I genuinely do believe that taking a risk-based approach to validation has advantages both in terms of cost effectiveness but also in mitigating risk to patients. Regrettably, it's one of those things that most regulated companies will have to see for themselves before they believe, and they were set for themselves until they have gained the necessary experience.


As an industry I believe that we need to do a better job in publishing case studies demonstrating the effectiveness of risk-based validation, that we need to recognise the value of our internal and external subject matter expertsand he must be prepared to invest in training and education.