For 20 years, I have been working in medical devices and process validation has always been my main focus. I gave more than 100 external training to guesstimated 1000 engineers and technicians, and if you ask my former colleagues, auditees or my customers, they will probably tell you that I fell in love with that topic way too much.
However, I believe that each one of us needs to challenge themselves, every day. Just because we have been doing something for years, does not mean we should keep on doing it over and over again. For this reason, I wonder if process validation – as we currently know it and as we lived it since the 1990’s – will continue to add value in the future. We are experiencing times where regulations are getting extreme and partially overdone. Some of the revisions may help increase patient safety but there is a chance that not all of them will. What if auditors, inspectors and manufactures are not able to understand all the regulations entirely anymore? Why should we not aim at making things easier, if possible, and justified? Let’s take a look into more details….
Let’s start with the GHTF definition of process validation
“Process Validation is a term used in the medical device industry to indicate that a process has been subject to such scrutiny that the result of the process … can be practically guaranteed” . This GHTF description of process validation is the one I like most. It is simple and easy to understand. No one would argue if the topic makes sense and most of us will agree that the requirement is reasonable.
What the regulators made out of it...
“The organization shall validate any processes for production and service provision where the resulting output cannot be or is not verified by subsequent monitoring or measurement and, as a consequence, deficiencies become apparent only after the product is in use or the service has been delivered. Validation shall demonstrate the ability of these processes to achieve planned results consistently“. I can’t remember how often I wrote and read and taught this definition. Each time, I experience the wondering eyes of those who are new to the medical device industry and try to understand the meaning of it. Was it really needed to define the requirements as complicated as this? Since the regulation came in (probably in 1987, ), interpretations are ongoing, trainings are held and consultants and ghostwriters are kept busy (and well paid) doing something nobody really understands.
A valid background
Every single medical device must be safe. Decades ago, when medical devices were produced manually in small volumes, each of them was subject to inspection and validation was not invented yet. In the 1980’s the regulators were challenged by higher volumes and new technologies. The (withdrawn) FDA Guideline from 1987  concluded that “routine end-product testing alone often is not sufficient to assure product quality”. However, in that guideline, FDA also stated that process “validation and end-product testing are not mutually exclusive”. The current GHTF guideline dated 2004  finally paved the path forward: Verify or validate to keep patients safe. Up to now there is no real alternative in our regulations. Either you validate the process or you will have to fully verify (applying a validated test method for sure) .
The devil is in the detail
If you did validations often enough you will know the difficulties hidden in the details of the regulations. The requirements in ISO 13485 and 21CFR820 are vague [2, 3] and guidance documents reach back to 2004 . Still, there is no consequent baseline for a risk based process validation (like “no risk no validation” because “each medical device always has some risk” ). There is a requirement about the statistical sampling plans which is often not understood (“The organization shall document procedures for validation of processes, including: … as appropriate, statistical techniques with rationale for sample sizes” . There are more issues, like the technical feasibility (and real life meaning) of determining reasonable worst-case situations in OQ and to determine an adequate manufacturing volume in PQ to capture routine manufacturing variability.
The mess about revalidation
One of the biggest mess was probably established when regulators decided not to provide clear requirements for periodical revalidation or revalidation after changes. FDA’s understanding that validated process parameters must be monitored “to ensure that the specified requirements continue to be met”  looks different to the rules of German ZLG. They allowed revalidation in established intervals . Consequently many companies are squeezed between those different interpretations and implemented both monitoring by control charting or destructive in-process testing and (most of the times) non value adding revalidation intervals.
The current expectations
Despite the issues above, the current expectations from regulators are clear to all of us: You will have to write a Validation Master Plan (although not really required by regulations) listing all processes requiring validation. It is expected that each process, if not fully verified, is validated. If not validated, each single medical device must be fully verified by subsequent inspection. Period. But is this really justified? The regulators never really clarified in writing what they meant by “… is not verified by subsequent monitoring or measurement”  or “fully verified by subsequent inspection and test” . After 20 years of deep diving in the sea of process validation I did not get a reasonable answer yet. Does it really mean each device, i.e. 100%? Or would a sampling be allowed? If we listen to the FDA webinar  it would really mean each device in all key dimensions.
The topic to debate
This leads us directly to the topic to be debated: Sampling plans. All process validations I did, reviewed or audited applied some kind of sampling plan. Most of the sampling plans were not really plans and often poorly justified. At least some of them were based on proper rationales. However, all sampling plans allow defects. What I want to say is that passing a process validation protocol will not ensure 100% good products. The validation conclusion will be just as good as the sampling plan applied. If we benchmark the current process validation sampling plans, we will usually see a range of 1% to 10% defects allowed in the processes. There are some requirements given for some products , however most of the products have no given requirements for sampling plans. Regulators seem to be very reluctant specifying clear requirements for sampling.
Let’s take the well-known 95%/95% sampling plan (RQL 5% equals to 95% proportion of good products with 95% confidence, attributive sample size n=59, c=0 as per ISO 16269-6:2014). This plan is, for example, often applied to connectors for intravascular or hypodermic applications as it would be aligned to ISO 80369-7:2016 where n= 60 samples are required. Such sampling plan, if applied to process validation could release a process with up to 5% defectives.
Let’s make the following audit scenario: What would happen in an audit, if ….
- Manufacturer A would say that he is doing process validation with a sampling plan of 95/95 (attributive sample size n=59, c=0 as per ISO 16269-6:2014), and
- Manufacturer B would say that he is not doing process validation as he is applying an in process inspection to each lot with an AQL 0.65% sampling plan (ISO 2859-1, test level II, N=1500, single sampling, n=125, c=2 defectives would be allowed)?
I would bet that manufacturer A will pass the audit situation and manufacturer B would get written up for not validating a process which is not “fully” verified. Manufacturer B would also be scrutinized for applying a sampling plan that allows 2 rejects. Agreed?
No, not agreed. In reality it is both pretty much the same: Both sampling plans are roughly equivalent (A=4.87% RQL (0.05), B=4.95% RQL (0.05)). Each sampling plan allows defectives. The process could deliver up to 5% defectives into the market in both cases and manufacturer B is actually not worse than manufacturer A.
From the above it must be clear that there should not be a discussion about “verify or validate” but a discussion “if the manufacturer has knowledge that the results of the manufacturing process will be capable and stable”. As a consequence of current expectation and enforcement practices, we all shifted away from the initial idea of having the process scrutinized so much “that the result of the process … can be practically guaranteed” towards an attitude of just providing some evidence that the “process was validated”. But patients and users will not care if the 5% defectives entered the market via a validated process or via a verified process. Patients or users do not want to have a defective product!
Let’s retire the “verify or validate paradigm”
Do we need the current paradigm that a process is either verified or validated? Would it not be easier to say that the manufacturer must have documented knowledge that any manufacturing process achieves the required level of capability and that the level of capability must be suitable for the impact to the patient and user if the process fails and the product does not meet specification? We should retire the “verify or validate paradigm” in the regulations and rewrite it towards a requirement more suitable to ensure safety of patients and users. The medical device industry should aim to recapture the freedom to choose methods and tools establishing capable and stable process results. Manufactures may continue to do OQ/PQ, however, other tools like an adequate combination of process inspections, control charting or any other suitable method providing evidence of capable and stable process results should be allowed as well. This was already indicated and intended in the annex to the GHTF guideline from 2004  but it was probably not really understood. The question should not be about the process being validated or not, the question should be about the process results being known to be capable and stable. Having that in mind, the awful discussion on revalidation may be obsolete as well.
Is there anybody out there having influence?
If you are in the position to influence the process validation regulations (ISO committee, ZLG, MDCG, FDA, IMDRF, whatever….), I would be very happy to discuss the above in detail. Please keep in mind that regulations are there to increase patients and users safety. Regulations should not intend to make things just complex and expensive for their own sake. Too often I see validations which were done to satisfy auditors only (as a German I would call it “kind of dragon food”) not increasing safety of the products. Let’s aim for simple and sustainable regulations. I am convinced that such regulations will provide better safety for patients as they will be understood and followed more often compared to current regulations.
 GHTF/SG3/N99-10:2004 Process validation guidance
 ISO 13485:2016, clause 7.5.6
 ISO 9001:1987
 ZLG 3.9 B18, 2007
 Statistical procedures for medical device industry, STAT-09, Appendix E, Dr.Wayne A.Taylor, 2017
 FDA Guidelines on general principles of process validation, 1987
 FDA Webinar: Purchasing Controls and Process Validation for Supply Chain Management, 2017
About the author
Quality Management & Regulatory Affairs,Medical Devices
I am a mechanical engineer by training and working in medical devices since 2001. After gaining several years of experience in development and manufacturing for balloon catheters and cardiac stents, I got responsible for quality engineering and applied six-sigma tools to develop and manufacture drug eluting stents both in Germany and Ireland. After joining a manufacturer for dialysis devices, I was responsible for pre-production quality management and regulatory affairs, including design controls. In the area of urology catheters and airway management products I took over full responsibility for QA/RA at two manufacturing sites. Since 2014, I am self-employed as expert for Quality Management Systems and Regulatory Affairs for Medical Devices.
I am a specialist on Quality Systems, CAPA, Design Control, Product Risk Management and Process Validation including Statistical Techniques. My philosophy is to install and live robust and sustainable quality systems where risk management and quality engineering is providing the link between Development, Manufacturing and Post-Market-Surveillance.
I am giving external trainings, e.g. for the new Medical Device Regulation (MDR), Design Control, Process Validation, CAPA, Risk Management, QSR, Internal Audits, and Technical Documentation. I received authorization as a notified body Lead Auditor for ISO 13485, MDD, MDR and MDSAP.
Elemed's expert corner
We love to showcase content by
What is Elemed’s expert corner?
It is a hand-selected group of individuals that have been identified as top
voices/thought leaders in their space.
Why should you take part?
This is a great opportunity for you to raise your personal brand awareness, your company’s reach in the market, but also to provoke wider discussion. It will establish yourself as an authority in the space and enhance your professional image.
Get in touch with Mathilde at firstname.lastname@example.org to find out more and/or take part.