Computer software assurance (CSA), the FDA's new framework for computer system validation (CSV), is being heralded as a game-changer. While the promise of simplified, less costly validation is exciting, many pharmaceutical companies are confused about how to interpret and adopt the new methodology. After all, computer system validation regulations haven't changed in over two decades, and we're still waiting for the official CSA guidance. If you're concerned, intimidated, overwhelmed—or all of the above—don't be. The truth: CSA isn't all that different from CSV. And if you're performing CSV as intended, there's a good chance you are already aligned with the CSA methodology.
The FDA introduced the framework for computer system validation in 1997 with 21 CFR Part 11, then further refined it in its 2002 guidance document (General Principles of Software Validation). Despite good intentions, many companies struggled (and still struggle) with CSV. The traditional CSV methodology focuses on producing accurate, approved documentation to present to auditors, then testing, then assurance needs, and finally critically thinking. The CSA methodology flips the paradigm, emphasizing critical thinking, assurance needs, testing and documentation, in that order.
While this seems like a seismic shift, in reality, the FDA has promoted a risk-based, least burdensome approach (the cornerstone of CSA) to validation since the 2002 guidance. CSA is not intended to replace CSV; it's intended to improve it. CSA encourages us to think critically and take advantage of technology that wasn't available 20 years ago, like cloud computing, mobile apps and validation management software.
Here's how to tell if you're already applying CSA principles without even realizing it.
You're already using critical thinking to assess risk.
Risk-based critical thinking is the driving force behind CSA. Misinterpreting how to assess risk properly accounts for many CSV issues. When we perform validation, we must comply with regulatory requirements, our company's quality system and standard operating procedures (SOPs). Critical thinking ensures that we effectively analyze the situation and validate high-priority items to the highest degree of rigor and lower priority items to the appropriate level. ValGenesis' computer system validation solution features built-in critical thinking functionality, which allows you to perform more accurate risk assessments using decision tree logic and other empowering features, ensuring you execute the appropriate level of validation for each computer system.
You're already taking the least burdensome approach to testing and documentation.
Unfortunately, over-testing and exhaustively documenting every step of the testing process "just to be sure" has become the typical approach to CSV testing. Maximizing testing efforts, regardless of risk, burdens resources and can compromise patient safety. Testers often neglect—or entirely miss—high-risk issues when attempting to "test everything." The CSA approach encourages us to take a least burdensome approach to testing by using less formal (and far less time-consuming) unscripted testing methods and automated validation planning tools.
You're already focusing on quality, not compliance.
CSA was born out of the need to reclaim the quality-centric mindset lost in the industry’s typical CSV approach of gathering documentary evidence for auditors. But focusing too much on regulatory requirements and compliance can cause (and has caused) life sciences professionals to lose sight of quality. One of the main findings of the FDA's Case for Quality initiative was that the industry's heightened focus on meeting regulatory requirements versus adopting best quality practices could actually jeopardize patient safety. The document-centric, compliance-based approach impedes the use of risk-based critical thinking in the validation process. It also discourages investment in digital technologies that dramatically streamline validation efforts, leading to reduced project costs and faster time to market. Regulators and leading CSV subject matter experts (SMEs) recognize this and envision that CSA will bridge the gap between technology and compliance.
As you can see, there is no need to fear CSA or to delay its adoption until the guidance is released. CSA concepts are already acceptable, achievable and compliant under current regulation. Companies that have already digitized their CSV process and procedures are essentially already performing CSA—or at least well-poised to pivot in that direction.
Lisa Weeks, the marketing communications director at ValGenesis, writes extensively about technology, the life sciences and other regulated environments. Her work has appeared in many industry publications, including Life Science Leader, Quality Digest, Medical Product Manufacturing NEWS (MPMN), MedTech Pulse, Risk Insights, Medical Device and Diagnostic Industry (MD+DI), Medical Product Outsourcing (MPO), MedTech Intelligence, Pharmaceutical Processing, Pharma Manufacturing, Genetic Engineering & Biotechnology News (GEN) and Pharmaceutical Technology (PharmTech).