Process Validation Evidence: What Auditors Look for in IQ/OQ/PQ

Process validation is one of the most scrutinized elements of regulatory compliance in pharmaceutical, biotechnology, and medical device manufacturing. Whether the auditor is from FDA, EMA, MHRA, or a notified body, IQ, OQ, and PQ documentation is often the first place they go when assessing the robustness of a quality system.

While most organizations “do” validation, many struggle with presenting convincing, defensible evidence that meets regulatory expectations. Auditors are not simply checking whether protocols exist. They are evaluating scientific rationale, traceability, execution quality, and lifecycle control.

This blog provides a deep dive into what auditors actually look for in Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ), common deficiencies, and practical tips to ensure your validation package stands up to inspection.

The Regulatory Context of Process Validation

Process validation is grounded in global regulatory expectations, including:

• FDA 21 CFR Parts 210 & 211
• FDA Process Validation Guidance (2011)
• EU GMP Annex 15
• ICH Q8, Q9, and Q10
• ISO 13485 (for medical devices)

Across all frameworks, regulators emphasize:

• A lifecycle approach
• Risk-based decision making
• Documented scientific evidence
• Ongoing process verification

Auditors expect validation to demonstrate consistent production of quality products, not just protocol completion.

The Validation Lifecycle: More Than IQ/OQ/PQ

Auditors no longer view IQ/OQ/PQ as isolated events. Instead, they expect alignment with the three-stage lifecycle model:

Stage 1: Process Design

• Development data
• Critical Quality Attributes (CQAs)
• Critical Process Parameters (CPPs)
• Risk assessments (e.g., FMEA)

Stage 2: Process Qualification

• IQ
• OQ
• PQ

Stage 3: Continued Process Verification

• Ongoing monitoring
• Trending
• Statistical process control
• Annual product reviews

Key audit question:

“How does your IQ/OQ/PQ demonstrate that the process you designed consistently delivers a product meeting specifications?”

Installation Qualification (IQ): What Auditors Look For

Purpose of IQ

IQ verifies that equipment, systems, and utilities are:

• Installed correctly
• Installed according to approved design specifications
• Supported by appropriate documentation

Core IQ Evidence Auditors Expect

Auditors evaluate the following key elements to confirm that Installation Qualification activities were properly planned, executed, and documented.

1. Approved Requirements and Design Traceability

Auditors will check:

• User Requirements Specification (URS)
• Functional/Design Specifications (FS/DS)
• Traceability between URS and IQ tests

Red flag: IQ executed without an approved URS.

2. Equipment Identification and Configuration

Auditors expect:

• Unique equipment ID
• Model and serial numbers
• Software and firmware versions
• Drawings (P&IDs, wiring diagrams)

Common finding: Installed configuration does not match approved design.

3. Installation Verification

Evidence should confirm:

• Equipment installed per manufacturer instructions
• Correct utilities (power, air, water, HVAC)
• Materials of construction verified
• Correct location and layout

Auditors often physically walk down equipment and compare it to IQ documentation.

4. Calibration and Preventive Maintenance

Auditors look for:

• Calibration status of critical instruments
• Calibration certificates traceable to standards
• Preventive maintenance plans in place

Key question:

“How do you ensure the equipment remains in a validated state after IQ?”

5. Documentation Completeness

IQ packages should include:

• Executed protocols
• Deviations and resolutions
• Installation checklists
• Approval signatures and dates

Data integrity is critical. There should be no backdating, missing initials, or undocumented corrections.

Operational Qualification (OQ): Where Auditors Focus the Most

Purpose of OQ

OQ demonstrates that the system or process operates as intended across all defined operating ranges.

This is often where audits become most intense.

Key OQ Evidence Auditors Expect

Operational Qualification represents a critical phase of validation where process limits, controls, and failure modes are tested. Auditors review the following evidence to assess compliance and scientific rigor.

1. Clear Link to Risk Assessment

Auditors want to see:

• CPPs identified through risk analysis
• OQ tests covering worst-case conditions
• Scientific justification for test ranges

Red flag: OQ tests that appear arbitrary or copied from templates.

2. Challenge Testing and Worst-Case Scenarios

Auditors expect OQ to:

• Push parameters to upper and lower limits
• Include alarms, interlocks, and failure modes
• Demonstrate robustness, not just normal operation

Examples:

• Temperature extremes
• Maximum and minimum speeds
• Power failure recovery
• Software security and access control

Key audit question:

“How do you know the process will remain in control under worst-case conditions?”

3. Acceptance Criteria That Are Scientifically Justified

Auditors examine:

• How acceptance criteria were defined
• Whether limits are justified by development data
• Consistency with product specifications

Common deficiency: Acceptance criteria copied from SOPs without rationale.

4. Software and Automation Controls (If Applicable)

For automated systems, auditors expect:

• Access control testing
• Audit trail verification
• Data integrity controls (ALCOA+)
• Backup and recovery testing

Failure here often leads to major or critical findings.

5. Handling of Deviations

Auditors will scrutinize:

• OQ deviations
• Root cause investigations
• Impact assessments
• Corrective actions

Key principle:

Unresolved or poorly justified deviations undermine the entire validation.

Performance Qualification (PQ): Proof of Real-World Consistency

Purpose of PQ

PQ demonstrates that the process performs consistently under routine manufacturing conditions using trained personnel, approved procedures, and real materials.

Auditors view PQ as the ultimate proof of process capability.

Core PQ Evidence Auditors Expect

Auditors review Performance Qualification documentation to confirm that the process consistently performs as intended under routine manufacturing conditions using approved procedures, trained personnel, and representative materials.

1. Use of Commercial-Scale Conditions

Auditors check:

• Actual production equipment
• Qualified operators
• Approved SOPs
• Representative raw materials

Red flag: PQ executed under “special” or non-routine conditions.

2. Number of Batches and Statistical Justification

Auditors expect:

• Clear rationale for number of PQ runs (commonly three, but not always sufficient)
• Statistical justification when fewer runs are used
• Consistency across batches

Key question:

“How did you determine this was enough data to demonstrate control?”

3. Critical Quality Attribute (CQA) Evaluation

PQ must demonstrate:

• All CQAs consistently meet specifications
• In-process controls are effective
• Process capability indices (if applicable)

Auditors increasingly expect basic statistical analysis, not just pass/fail results.

4. Deviations During PQ

Auditors carefully assess:

• PQ deviations and excursions
• Whether they were process-related
• Whether they invalidate the PQ

Critical risk: Reclassifying serious deviations as “minor” without justification.

5. Final PQ Report and Conclusions

Auditors look for:

• Clear summary of results
• Statement of validated state
• Defined operating ranges
• Recommendations for ongoing monitoring

A weak or vague conclusion often triggers deeper investigation.

Continued Process Verification: The Often-Missed Expectation

Modern auditors expect validation to continue after PQ.

They look for:

• Trending of CPPs and CQAs
• Control charts
• Periodic review of process performance
• Defined triggers for revalidation

Key audit question:

“How do you know the process remains in control today, not just during PQ?”

Failure here may result in findings even if IQ/OQ/PQ were executed well.

Common Audit Findings in IQ/OQ/PQ

Frequent Deficiencies

• Poor traceability between URS, risk assessment, and testing
• Copy-paste protocols with no process-specific rationale
• Inadequate worst-case testing
• Weak deviation investigations
• Lack of statistical justification
• Incomplete or missing approvals
• Validation not aligned with current process configuration

Supplier technical capability directly impacts product quality and process validation. How to Conduct a Technical Evaluation of a New Supplier in Mexico provides guidance on evaluating suppliers within the local regulatory and operational context.

Best Practices to Withstand an Audit

The following best practices help ensure that validation activities are defensible, well documented, and capable of withstanding regulatory inspection.

1. Think Like an Auditor

Ask:

• Is the rationale clear?
• Is the data convincing?
• Can we defend this decision scientifically?

2. Strengthen Traceability

Ensure clear links between:

• Development → Risk → OQ → PQ → Monitoring

3. Focus on Science, Not Templates

Templates help structure documents, but auditors want process understanding, not paperwork.

4. Train Teams on Validation Intent

Operators and engineers should understand why tests are performed, not just how.

5. Maintain a Validation Master Plan (VMP)

Auditors often start with the VMP to understand:

• Validation strategy
• Responsibilities
• Revalidation triggers

Supplier selection plays a critical role in maintaining validated and compliant processes. Our blog, Essential Questions to Ask a New Supplier Before You Start, outlines the key questions organizations should address before engaging a new supplier.

AMREP Mexico’s Approach to Audit Ready Process Validation

IQ, OQ, and PQ are not just regulatory checkboxes; they are evidence of process knowledge, control, and maturity, and auditors evaluate validation packages to answer one fundamental question:

“Can this company consistently manufacture safe, effective, and high-quality products?”

Strong validation evidence tells a clear story:

• The process was thoughtfully designed
• Risks were identified and mitigated
• Equipment and systems perform reliably
• Product quality is consistently achieved
• Performance is continuously monitored

Organizations that treat validation as a living lifecycle, rather than a one time event, not only pass audits more easily but also build stronger, more resilient manufacturing operations.

At AMREP Mexico, we understand that successful process validation is built on scientific rigor, regulatory alignment, and practical execution. Through our Supplier Quality services, our approach helps organizations present clear, defensible validation evidence that withstands regulatory scrutiny and supports long term compliance.