For several years now, the U.S. Food and Drug Administration (FDA) and the life sciences industry have collaborated to develop guidelines for improving quality best practices in the validation of computer systems and to harmonize with international standards.
The FDA’s draft Computer Software Assurance for Manufacturing and Quality System Software (CSA) designates patient safety and product quality as the basis for risk assessment and provides mechanisms for reducing the effort of computer system validation (CSV).
The International Society for Pharmaceutical Engineering’s (ISPE) Good Automated Manufacturing Practice (GAMP) endorsed CSA in 2020. GAMP recently formed the Global Computer Software Assurance Special Interest Group (GAMP CSA SIG) to empower the industry to use CSA and critical thinking within the GAMP CSV paradigm and to promote local CSA discussions and harmonized global messaging. This SIG group includes the FDA and companies from the FDA/Industry CSA team.
The hidden cost of CSV: lack of innovation
CSV is an integral part of the software development life cycle (SDLC) in life sciences. The FDA’s regulation for applying CSV, 21CFR Part 11, was published in 1997 with the last related guidance released in 2003. Since then, life science companies have become very competent in validating computer systems, but not without a price—hampered innovation. The ever-increasing costs in time and resources for validating software has caused companies to avoid implementing new and innovative systems that could accelerate development of quality drugs and products.
The industry’s adoption of software as a service (SaaS) and infrastructure as a service (IaaS) and the desire to move to agile development also have been hindered by the current CSV approach.
With the recent release of the Draft Guidance on September 13th, the FDA encourages companies to innovate and digitize processes now. They want companies to move away from generating burdensome test documentation, regardless of the function’s importance to the system.
New approach streamlines testing and improves product quality
The CSA guidance provides a new (and preferred) way to interpret the current regulation that represents a paradigm shift to validation and to the risk analysis methodology used. To reduce the validation effort, CSA shifts from testing centered on documentation toward testing based on critical thinking. It shifts from failure modes and effects analysis (FMEA) to risk analysis based on impact to patient safety and product quality. The more flexible CSA methodology also supports the move to agile development.
Comparison of CSA and Current Validation Approach
Centers on creating documentary records for compliance and securing evidence for auditors
Emphasizes critical thinking and testing to achieve higher confidence in the quality of the system
Risk is based on failure mode affects analysis (FMEA) business risk and meeting regulatory requirement
Risk is based on impact to patient safety, product quality (intended purpose) and data integrity
Validation involves testing all functionality (and potentially misses higher risk areas)
Validation is based on applying the right amount of diligence to a given level of risk to patient safety, product quality and data integrity
Ignores previous assurance activity or related risk controls
Takes credit of prior assurance activity, risk controls and any documentation that exits with the vendor and others
All testing is scripted
Uses unscripted and ad-hoc testing in addition to scripted testing and employs least burdensome approach to documentation
80% of time spent on documentation / 20% time spent on testing
20% of time spent on documentation / 80% time spent on testing
Although the CSA guidance is designated for validating software development used for medical devices, the FDA is encouraging the life sciences industry to adopt the new approach for all Good X Practice (GxP) software, including: Non-Product Customized Software, out-of-the-box software and configurable out-of-the-box software (COTS).
Transitioning to CSA
Transitioning to this new methodology requires developing an understanding of the guidance and learning how to apply it to your environment. It also requires acceptance and support from business, IT, validation, quality assurance at all levels, as well as support from the software vendor. Doing this in a single undertaking can be daunting. We recommend these steps to ensure a successful transition:
- Identify and address cultural barriers
- Develop and provide training for those directly and tangentially involved in validation
- Review and update standard operating procedures (SOPS) as required
- Create a transition plan that includes a pilot. Pilot projects are an effective strategy for running through the CSA methodology, allowing the company to acquire valuable metrics and assess the effectiveness of the CSA approach.
I invite you to learn more about CGI in life sciences.