How to accelerate adoption of FDA’s Computer Software Assurance
This blog is the first of a three-part series focused on FDA’s Computer Software Assurance (CSA). It explains how to accelerate CSA adoption.
What exactly is CSA?
There are two primary things CSA delivers: First, CSA flips traditional validation from upside-down to a new way of thinking that’s right-side up. Second, Computer Software Assurance charts a path through a critical thinking process to ensure appropriate, risk-based, least burdensome validation.
Flipping the paradigm right-side up
With traditional CSV, too much focus is on documentation. The amount of time and effort put into documentation consumes significant resources and sacrifices critical thinking. CSA inverted this upside-down way of thinking whereby focus is placed first on critical thinking, then assurance needs, then finally testing and documentation.
Figure 1 – The old CSV way
Figure 2 – The new CSA way
Charting a CSA path through a critical thinking process
Figure 3 – How to CSA(SOURCE: Cisco Vincenty, FDA Case for Quality Program Manager (FDA))
Identify Intended Use
The new CSA approach starts with identifying intended use. Here it’s determined if a system, feature, operation, or function directly impacts device safety, device quality, or quality system integrity.
ValGenesis’ VLMS accelerates
using System Assessment functionality to
identify the intended use
Determine Risk-based approach
The next step in the Computer Software Assurance process is to determine a risk-based approach, focusing in on safety and quality, specifically high-risk areas that may require the most rigorous assurance effort and objective evidence, which is complete, extensive validation and ensure the high-risk features, functions, or operations reliably perform as intended.
Methods and Activities
Where CSA value shines bright is with leveraging a vendor documentation, ad-hoc testing, and automated testing; this is a risk-based, least burdensome approach. The biggest payoff is with medium and low risk features where little or no rigorous effort is required. Validation cycles are further accelerated by validation leveraging automation, iterative methodologies (e.g., Agile), along with continuous monitoring and verification. In other words, digitize validation and go paperless.
Complete validation with a high degree of rigor is necessary for high-risk. For medium risk, less rigor can be applied. For low risk, little or no validation may be required. If it is in fact low, there should be no impact in the event of failure. If there is a negative consequence for a low-risk failure, then the risk assessment was inaccurate or the process is flawed.
Change Control is necessary to ensure changes to features, functions, or operations follow the CSA process. This maintains the system in its appropriate state (e.g., “Validated”).
Change the culture and process by igniting teams
Culture must change from a compliance-centric mindset to quality focused culture. This will be discussed in more detail in the next blog.
Changing compliance-centric mindsets
(blog 2 of 3)
- (1) FDA COMPUTER SYSTEM & SOFTWARE VALIDATION – WHAT YOU’VE KNOWN FOR 20+ YEARS IS CHANGING, Jon Speer, December 2, 2018, in FDA Regulations and Software Validation and Computer System Validation
About the Author
Director Industry Solutions of ValGenesis
Steve has worked in the life science industry for over 20 years and has experience working for Fortune 50 and start-up pharma, biotech, and medical device companies. As Director of Industry Solutions for ValGenesis, Inc., he helps the life science customers realize the benefits of applied advanced technologies. He is knowledgeable of internal and domestic GxP regulations, was certified as a Parenteral Drug Association auditor and has audited hundreds of companies globally. He’s on the Editorial Advisory Board for the Institute of Validation Technology (IVT), faculty member for Knowledge Exchange Network (KENX), a published author and frequent speaker at conferences