Quality and compliance are all about consistency and repeatability. Change is often seen as a risk. These are times of dramatic change, with a new digital manufacturing paradigm and ongoing pandemic both accelerating the rate of transformation. Compliance and change, however, don’t need to be in conflict. Quality can in fact gain much from emerging digital manufacturing technologies and concepts.

This begs the question: What does it look like to embrace revolutionary technologies in a regulated space?

I propose we look at quality and validation as important areas that can accelerate the adoption of new technologies in regulated industries. Quality and validation processes are important aspects of demonstrating control and assuring we put safe and effective products out to the market. But there are also substantial bottlenecks in our current approaches to each. Maybe they are the heavy documentation practices adopted by the industry? Or how about how the industry interacts with technology suppliers? Or maybe it’s the fundamental way that validation is performed, the methodology? Probably a bit of all three.

For the rest of this article, I’ll look at how embracing new approaches to these bottlenecks in quality and validation can speed that adoption of new technologies and accelerate the transformation of regulated spaces.

Let’s take a look at each.

Documentation practices

The term “document” creates an illustration in most minds: an app with a blue icon with the letter “W” on it. Or if we need to ensure it is un-editable we might envision a red icon with “pdf.”

Before we congratulate Microsoft or Adobe on their marketing, let’s challenge ourselves. What is documentation, really? What counts as documented information? Adapted from ISO 9001:2015, documented information is any information (“meaningful data”) that may communicate a message, provide evidence, or share knowledge, and as such must be controlled and maintained. It is crucially important that we note there are no specifics on format.


From Paper to digital documentation

Rather than just translating what we previously wrote on paper into a word processor or making static views of digital data in a computerized system (referred to as “paper on glass”), we should take the next step and use digital assets to capture information or evidence. 

Here a definition is in order. Digital assets are any content, in any format that are stored digitally. Digital assets can be anything from simple data like a temperature to a video. With that these technologies also capture data at a very high level of granularity. For quality and compliance this presents a rich opportunity to more effectively assure quality and compliance can be automated.

There is both intrinsic and extrinsic value to digitally documented information. The intrinsic value is obvious. Digital documentation is easier to access, faster to route, and can’t be lost. But the extrinsic value is really where big gains can be made in today’s world. Metadata (data about data) such as categories, key words, and linking make the data searchable and navigable, enabling much faster access to information so that the user can turn it into knowledge quicker. By nature, digital documentation can be transacted by a computer, further enabling the capabilities and possibilities of utilizing it. As such, the documentation that quality relies on can take a different, digital-first format, moving beyond the PDFs and flat files we’re accustomed to. Regulated industries need a faster mode of processing quality documentation. We have to become more agile in our ways of working. The faster and better equipped we are to change, the better we can support the needs of all clients. In terms of the traditional data, information, knowledge, wisdom pyramid, you can see the time saved in decision making!


Industry / Supplier Interface

Suppliers have made strides toward supplying solutions that are compliant with regulations such as those associated with electronic record, electronic signatures, and access management. And they’ve also provided functionality that supports the technical controls expected from regulated industry to help support, identify, and act upon potential data integrity vulnerabilities. Many are certified to a quality management system standard such as ISO 9001. Most importantly, they are following good software and hardware development life cycles that can reliably demonstrate consistently meeting features specified by industry.


Toward closer supplier-industry collaboration

The engagement of industry and supplier representatives should be more collaborative with an objective of minimizing any overlap of work and only added value activities. The industry teams should evaluate potential suppliers to confirm the supplier’s solutions and development and release processes can meet their business process needs. This then allows the industry teams to focus on implementing the solution in their own environment/ecosystem, connected to their data sources, and verifying the overall business process meets the intended use. Qualifying the vendor’s functionality does not add value to the end user. The value is gained when you can demonstrate the connected environment provides the specified output.


Methodology; the Fundamentals

GAMP 5 Guide: Compliant GxP Computerized Systems is a widely accepted approach to computerized system validation. It is utilized throughout the GxP space. GAMP 5 prescribes a detailed, fully-loaded model with many steps and specific deliverables in a serial fashion.

It also describes risk based approach and scalability, neither of which have been fully embraced.

Historically, risk based approaches have focused on functional risk assessments, spending countless hours utilizing many resources to assess each function that a computerized system might provide, then testing everything anyway. Instead, we should focus on value added risk assessment and the fundamentals of validation.

The objective of validation is demonstrating fitness for intended use. This requires knowledge of our intended use-cases, perhaps via process and data mapping. Applying risk assessment here at the business process level can help identify real risks to data and process flows. It can also help highlight where data integrity vulnerabilities are, such as those associated with human or machine interfaces where data manipulation occurs. Then by identifying these risks, we can factor mitigations right into the digitization efforts. Validation in these terms shifts focus toward assuring the identified risks to the process are mitigated and the executed process meets the target outputs.

Scalability is another aspect that has been left out to pasture. Like implementing a risk-based approach, prioritizing scalability requires that we focus on the specific project. This starts with identifying the aspects of the fully loaded scenario prescribed by GAMP5 that are important for each specific project. For example, it adds no value to a regulated user to develop functional specification documents that the supplier has already done. The assessment of the supplier’s solution should already have been done at this point. Each step in the validation process should be evaluated for what value is being created with the objective of demonstrating that the process meets our needs.



There’s no argument that quality and validation practices need to evolve in order for regulated industries to keep up a competitive edge, and more importantly meet the ever changing client needs. Embracing the functionality of digital aspects in our quality and validation practices can enable us to be more efficient with visibility and decision making. Working more effectively with suppliers by letting them focus on their core competency of designing great solutions and enabling regulated users to focus on mitigating the risks associated with their processes (regardless of digital tool) we all focus on value added work. And finally, utilizing the digital aspects as part of our risk based and scaled methodologies we can all focus on value added work: quality assurance, not compliance for compliance’s sake! Q