Validation and Verification Compliance Requirements

Validation and verification (V&V) represent two distinct but interdependent compliance obligations that govern whether a product, process, system, or service meets its specified requirements and performs its intended function under real-world conditions. Across regulated industries — including aerospace, medical devices, pharmaceuticals, food safety, and software — failure to satisfy V&V requirements exposes organizations to enforcement actions, product recalls, and loss of certification. The regulatory frameworks governing V&V are issued by agencies including the FDA, FAA, and ISO, and are enforced through audit, inspection, and corrective action processes.

Definition and scope

Verification answers the question: Was the product or system built correctly according to specifications? Validation answers: Was the correct product or system built — one that performs its intended purpose? The quality-assurance-definitions distinction is codified in ISO 9000:2015, which defines verification as "confirmation, through the provision of objective evidence, that specified requirements have been fulfilled," and validation as "confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled" (ISO 9000:2015, Clause 3.8.12–3.8.13).

The scope of V&V obligations varies by sector:

• Medical devices: FDA 21 CFR Part 820 (Quality System Regulation) mandates both design verification and design validation, with validation requiring testing under actual or simulated use conditions.
• Pharmaceuticals and biotech: FDA 21 CFR Parts 211 and 820, along with ICH Q10, specify process validation requirements across three lifecycle stages.
• Aerospace and defense: AS9100 Rev D and MIL-STD-1521 impose V&V gates within systems engineering reviews.
• Software: IEEE 1012 defines a complete V&V process standard applicable to software of any criticality level.
• Food safety: FDA 21 CFR Part 117 (FSMA Preventive Controls) requires validation that preventive controls are effective.

How it works

V&V compliance operates through a structured sequence of documented activities, not a single point-in-time test. The following phases are standard across ISO 9001:2015 (Section 8.3) and sector-specific frameworks:

1. Requirements definition — Establish measurable, testable acceptance criteria against which verification will be performed. Underdefined requirements are among the leading sources of V&V nonconformances cited in FDA Warning Letters.
2. Verification planning — Document the methods (inspection, analysis, demonstration, or test — commonly abbreviated as IADT) and responsible parties for each requirement.
3. Verification execution — Conduct and record testing or analysis. Results must be traceable to specific requirements through a Requirements Traceability Matrix (RTM) or equivalent controlled record.
4. Validation planning — Define intended use conditions, user populations, and performance criteria. For FDA-regulated products, this plan is often submitted as part of a 510(k) or PMA package.
5. Validation execution — Conduct testing under actual or simulated conditions of use. Protocols must be approved prior to execution; retrospective validation is generally not accepted under 21 CFR Part 820.
6. Review and approval — Designated authority reviews objective evidence, approves records, and authorizes release. Under AS9100 Rev D Clause 8.3.6, design validation records must be retained as part of the design history.
7. Ongoing monitoring — Post-market or post-deployment monitoring confirms continued validity, particularly when process inputs or use conditions change.

Documentation requirements throughout this sequence are governed by quality-assurance-documentation-requirements, including record retention obligations tied to product lifecycle.

Common scenarios

Medical device design validation: A manufacturer developing a surgical instrument must demonstrate, under simulated surgical conditions using representative operators, that the device performs as intended for its labeled use. FDA Guidance "Design Considerations for Pivotal Clinical Investigations for Medical Devices" (November 2013) outlines the evidentiary standard.

Software validation in regulated environments: Under FDA's General Principles of Software Validation (2002), software used in quality systems or device production must be validated before use, with the extent of validation scaled to risk. A 21 CFR Part 11-compliant electronic records system requires IQ (installation qualification), OQ (operational qualification), and PQ (performance qualification) protocols — the three-stage model also used in pharmaceutical manufacturing.

Process validation in food manufacturing: FSMA regulations at 21 CFR Part 117.160 require that the scientific validity of each preventive control be established. For thermal processing, this typically means referencing published kill-step studies from sources such as the USDA or rigorously evaluated food science literature.

Aerospace systems verification: Under AS9100 Rev D and FAA Order 8110.4, aircraft systems must pass formal verification reviews at defined program milestones. A single unresolved verification requirement can block airworthiness certification.

Decision boundaries

The determination of whether an activity constitutes verification, validation, or both is not always self-evident. Three classification boundaries are encountered frequently in compliance practice:

Verification vs. validation: If a test confirms a product meets a dimensional drawing, it is verification. If a test confirms the product functions correctly in the hands of an end user under operational conditions, it is validation. The same physical test can satisfy both if the acceptance criteria address both the specification and intended use simultaneously.

Design validation vs. process validation: Design validation confirms the design output meets user needs. Process validation confirms that a defined manufacturing or production process consistently produces a conforming product. Under 21 CFR Part 820.75, process validation is mandatory where process results cannot be fully verified by subsequent inspection — a condition that applies to welding, sterilization, and software compilation, among others.

Initial validation vs. revalidation: A process validated under one set of input conditions requires revalidation when those conditions change materially — including equipment changes, raw material supplier changes, or facility relocation. The threshold for revalidation is governed by quality-assurance-change-control procedures and must be defined in the organization's quality management system prior to any change event.

Organizations subject to ISO 9001:2015 audits should reference Clause 8.3.4 (design and development controls) alongside sector-specific overlays published by IATF, IAQG, or equivalent standards bodies when determining the full scope of applicable V&V obligations.