Skip to content
GXPLearn.io

The Software Validation Lifecycle Explained

Software validation is a life-cycle discipline — not a one-time test event. From defined user requirements and design review through installation, operational testing, intended-use confirmation, and controlled change, FDA GPSV expects documented evidence that automated systems remain fit for intended use.

What the validation lifecycle means

Computer system validation (CSV) is a life-cycle discipline under GMP — not a single protocol signed at go-live. The software validation lifecycle spans planning, requirements, design, build, installation verification, operational testing, intended-use confirmation, maintenance, and controlled change.

FDA's General Principles of Software Validation (GPSV, Document 938) describes validation as establishing documented evidence that software conforms to user needs and intended uses. GXPLearn's public glossary defines CSV as demonstrating fitness for intended use through documented lifecycle activity — the same vocabulary used in Modules 09 and 10.

This page explains the full lifecycle hub. For CSV discipline definition see /what-is-csv; for IQ/OQ/PQ qualification layers see /iq-oq-pq-explained.

FDA GPSV grounding

GPSV applies to software used in medical device production, quality systems, and related regulated automation. Section 2.4 notes that software changes after initial release are a leading cause of validation failures — making lifecycle maintenance as important as initial qualification.

Section 5.1 lists typical software life cycle activities: quality planning, requirements, design, construction, testing, installation, operation, maintenance, and retirement. Verification and validation tasks occur throughout — not only at the end.

Section 6.2 emphasises that validation cannot succeed without defined user requirements documenting intended use and the extent of dependence on the automated system. These GPSV anchors underpin how CSV teams structure V-model artefacts and evidence.

Requirements and specifications

GPSV §3.1.1 and §5.2.2 require clear, testable software requirements. A specification states requirements that can be checked — user requirements, functional requirements, design specifications, and test specifications are design outputs requiring verification.

GPSV §6.2 defines user requirements as documenting intended use and the extent to which the manufacturer depends on the software for a quality product. Requirements should cover inputs, outputs, functions, performance, interfaces, safety-related features, and objective acceptance criteria.

In GXPLearn Module 10, the V-model left side starts at user requirements — e.g. BR-201 temperature hold or URS-14/15 interlock intent in Module 09. Vague requirements that cannot be tested undermine the entire lifecycle chain.

Verification vs validation

GPSV §3.1.2 distinguishes verification (building the product right) from validation (building the right product). Verification confirms outputs meet specifications; validation confirms the system meets user needs and intended use.

Module 10 trains this distinction through the V-model: functional and design specifications on the left map to IQ, OQ, and PQ evidence on the right. Quiz guidance in GXPLearn notes the V-model's primary purpose is tracing every user requirement to test evidence.

Conflating verification with validation is a common gap — passing installation checks does not alone prove operational fitness for every intended-use scenario.

Design review

GPSV §3.5 recommends formal design reviews — especially before committing major resources to a design solution. FDA suggests reviews at the end of each life cycle activity, with particular importance at the end of requirements before design proceeds.

Design reviews ask whether tasks, outputs, and products comply with requirements and whether they satisfy standards and intended use. Problems found before build are cheaper to fix than defects found during OQ or in production.

GXPLearn's V-model training treats design/configuration specification as the bridge between intended behaviour and testable evidence — configuration audit trails and revision control are part of defensible design review outcomes.

Validation lifecycle phases

PhasePrimary activityKey artefactGXPLearn practice
PlanningScope, approach, resourcesValidation planModule 10 orientation; GPSV §4.5
RequirementsIntended use, testable URSURS / requirements specModule 10 URS node; Module 09 URS-14/15
DesignFunctional/design specs, design reviewFRS, design spec, review recordModule 10 FS and design nodes
Build / configureControlled implementationDownload record, revision, audit trailModule 10 build node
Installation verificationBaseline confirmationIQ checklistModule 10 IQ node; /iq-oq-pq-explained
Operational testingFunctional challengesOQ protocol, deviationsModule 09 OQ-INT-001
Intended-use confirmationProduction-like performancePQ / batch evidenceModule 10 PQ node; Module 21 BRR
Maintenance & changeImpact assessment, regressionChange record, retest evidenceModule 24 capstone; change-control module

Execution, IQ/OQ/PQ, and user site testing

The right side of the V-model produces executed evidence: installation checks, operational qualification, and performance confirmation. GPSV §3.1.3 discusses IQ/OQ/PQ terminology for user site qualification; see /iq-oq-pq-explained for detailed qualification guidance.

GPSV §5.2.6 states user site testing is essential — testing outside the developer's controlled environment with actual hardware and software configuration, through actual or simulated intended use.

Module 09 practises OQ execution with deviation handling when OQ-INT-001 Step 2 fails. Module 10 links requirements through design into test evidence. Together they represent the execution phase of the lifecycle, not the whole lifecycle.

How much evidence is enough?

GPSV §6.1 states validation effort should be commensurate with risk posed by the automated operation — considering complexity and dependence on the process. Documented requirements and risk analysis define the scope of evidence needed.

GPSV §4.8 Validation Coverage requires activities commensurate with software complexity and safety risk — not firm size or resource constraints. Lower-risk functions may need baseline activities; higher risk adds depth.

GXPLearn quiz content on the Validation Digital Twin uses ALCOA+ as a lens for whether records would survive scrutiny — evidence quality matters as much as volume. CSA thinking (Module 11) further proportiones depth within the lifecycle structure.

Change control and revalidation

GPSV §4.7 requires re-establishing validation status after any software change — even small changes may have global system impact. Conduct validation analysis for the change and its effect on the entire system, then appropriate regression testing.

GPSV §5.2.7 addresses maintenance and software changes. The public glossary defines change control as formal assessment of GxP impact with traceable approval before implementation — a core maintained validated state activity.

Module 24's Validation Digital Twin workspace practises change-to-closure: stage changes, assess impact, execute tests, review evidence, close deviations, and generate a validation summary with scored feedback.

Ten GPSV validation principles

FDA GPSV Section 4 summarises principles that should guide every validation programme. The following digest maps each principle to practical CSV lifecycle thinking.

  1. Requirements (§4.1) — A documented software requirements specification is the baseline for validation and verification; validation cannot complete without it.
  2. Defect prevention (§4.2) — Focus on preventing defects during development; testing alone cannot establish fitness for intended use.
  3. Time and effort (§4.3) — Build a case for confidence with a mixture of methods appropriate to risk, size, and environment.
  4. Software life cycle (§4.4) — Validation spans birth to retirement; activities iterate as the project evolves.
  5. Plans (§4.5) — A validation plan defines what will be accomplished — scope, approach, resources, and schedules.
  6. Procedures (§4.6) — Procedures define how validation activities are executed with repeatable sequences.
  7. Validation after a change (§4.7) — Any change re-establishes validation status; analyse system-wide impact and regression scope.
  8. Validation coverage (§4.8) — Activities must match complexity and safety risk, not documentation habit.
  9. Independence of review (§4.9) — Independent evaluation improves objectivity, especially for higher-risk applications.
  10. Flexibility and responsibility (§4.10) — Manufacturers choose how to apply principles but retain ultimate responsibility for demonstrated validation.

Practise the lifecycle in GXPLearn

Module 09 (CSV Validation) — execute OQ-INT-001, document deviations, and close with targeted re-test evidence. Module 10 (V-Model) — trace requirements through design to IQ, OQ, and PQ evidence layers.

Module 20 (Validation Digital Twin) — launchpad for the end-to-end validation chain. Module 24 capstone workspace — nine-chapter guided scenario with role switching, CSV/CSA lenses, and audit-style scoring from change through validation summary.

Modules 11–12 add CSA assurance and CSV vs CSA comparison. Explore /csv-csa-training for the guided path, or start free foundation Modules 01–03 for system and batch context.

Module 10 · V-Model Module 09 · CSV Validation Module 20 · Validation Digital Twin Start learning free

GXPLearn.io provides independent educational content only. FDA General Principles of Software Validation (GPSV) guidance cited here is nonbinding and describes principles for the software validation lifecycle in regulated contexts. This page does not constitute regulatory advice. Consult your quality organisation and applicable regulations for site-specific validation decisions. GXPLearn.io is an independent educational platform. Not affiliated with Emerson. Not a real DeltaV emulator. Not validated GMP training software.

Frequently asked questions

What is the software validation lifecycle?

The software validation lifecycle is the full sequence of planned activities demonstrating software fitness for intended use — from quality planning and requirements through design, build, testing, installation, operation, maintenance, and retirement. FDA GPSV §5.1 lists these activities.

What is the difference between verification and validation?

Verification confirms the product meets specifications (building it right). Validation confirms the product meets user needs and intended use (building the right product). GPSV §3.1.2 harmonises with ISO 8402 on this distinction.

What are defined user requirements in software validation?

Defined user requirements document intended use and how dependent the manufacturer is on the software for product quality (GPSV §6.2). They must be clear, testable, and cover functions, performance, interfaces, and acceptance criteria.

What is a design review in software validation?

A formal design review evaluates whether life cycle outputs meet requirements before proceeding — especially critical at the end of requirements before design commitment (GPSV §3.5). It prevents expensive downstream defects.

What validation tasks does FDA GPSV describe?

GPSV §5.2 lists typical tasks: quality planning, requirements, design, construction/coding, developer testing, user site testing, and maintenance/change handling — with verification and validation throughout.

How does the V-model relate to the validation lifecycle?

The V-model maps specification layers (left) to verification and validation evidence (right). It is the structural diagram most CSV teams use to organise lifecycle artefacts. GXPLearn Module 10 practises traceability across the model.

What is user site testing?

User site testing is validation testing outside the developer environment with the actual installed configuration — through actual or simulated intended use (GPSV §5.2.6). It supplements developer testing.

How much validation evidence is needed?

Evidence depth should be commensurate with risk, complexity, and dependence on the automated process (GPSV §6.1). Higher-risk or more complex systems require more extensive testing; lower-risk functions may use baseline activities.

When is revalidation required after a software change?

GPSV §4.7 requires re-establishing validation status after any change. Analyse impact on the entire system, not only the changed module, then conduct appropriate regression testing before returning to validated state.

What is maintained validated state?

Maintained validated state means documented evidence continues to support fitness for intended use across changes, periodic review, and operations. Change control and regression testing preserve that state after modifications.

How is the validation lifecycle different from IQ, OQ, and PQ?

The lifecycle is the full journey from requirements through change control. IQ, OQ, and PQ are qualification layers within execution — primarily on the V-model right side. See /iq-oq-pq-explained for qualification detail.

Where can I practise the full validation lifecycle?

GXPLearn Module 10 traces the V-model; Module 09 executes OQ with deviations; Module 20 launches the Validation Digital Twin; Module 24 capstone practises change-to-closure. Visit /csv-csa-training or /resources for guided paths.

Ready to practise regulated workflows?

Choose the path that fits — start with free foundation modules or discuss a team licence for your organisation.

For individuals

Start with the free foundation modules and upgrade when you are ready for simulation labs and professional scenarios.

For businesses

Request a business demo or pilot discussion for team/site licensing, standalone export, and onboarding use cases.