Is Your Company Ready for the FDA’s Upcoming Guidance on Computer Software Assurance?
Technology and computerised systems have evolved greatly over the past 20 years. In that time, cloud computing has become mainstream, and big data is here. When you also add the fourth industrial revolution (Industry 4.0), it’s clear that new manufacturing and business technologies will be truly transformative in the coming years.
Yet, in the Life Sciences industry, the uptake of new automated solutions and technologies has been slow relative to other manufacturing industries. It is a trend that regulators have been seeking to fix.
The FDA’s Case for Quality initiative was set up to promote industry collaboration and encourage innovation, automation, and digital technologies. By working with those in the industry, the FDA was able to identify best practices and learn the barriers that exist for manufacturers.
It quickly became apparent that CSV, as it is applied today, is perceived as a barrier to technology implementation, where companies produce excessive, non-value-adding documentation that is driving longer validation cycles and increasing expenses.
Manufacturers are reluctant to invest in highly automated technologies as the validation cost is so high. It has become clear that the approach to validating such computer systems has not kept pace with technology advancements.
Enter Computer Software Assurance (CSA), the FDA’s upcoming guidance that aims to place critical thinking at the centre of the CSV process.
What is CSA?
Computer Software Assurance is a risk-based approach to computerised systems that is product quality-focused and patient-centric. It encourages critical thinking based on product knowledge.
The FDA, recognising that CSV has become a barrier to technology, is releasing the new guidance to tackle the issues faced by manufacturers, while also offering greater flexibility in achieving software assurance.
The guidance highlights new ways of approaching non-product software, i.e., QMS, ERP, PLM, MES, LIMS, etc. It states that assurance activities should be value-driven, patient-focused, and streamlined using existing technologies such as automated testing tools.
Here are some areas that the new guideline seeks to address.
A risk-based approach to validation is not a new concept. However, regulated companies have struggled with balancing the overall validation effort based on the software risks identified. As a result, companies fall into the trap of applying a one-size-fits-all CSV approach, where lower-risk systems are evaluated to the same scrutiny as high-risk systems. This approach produces a burdensome level of documentation, drives longer validation cycles, and increases expenditure.
The new guidance advocates a risk-based validation approach and also switches the focus from validation to assurance.
How will this affect you? One of the main areas is that there will be a significantly reduced validation requirement for software applications that have no direct impact on product quality or safety. In this situation, the recommendation from the FDA is to use current processes like the qualification of suppliers, as well as risk-mitigating process controls.
Even with an audited or trusted vendor, regulated companies still tend to reproduce documentation and test out-of-the-box software functionality that has already been tested by the vendor. Under the new guidance, if a vendor’s documentation is deemed to be of good quality, efforts should focus on ensuring the software meets its intended use rather than reproducing documentation for the sake of audit readiness.
With traditional CSV, regulated industries have adopted a conservative approach to testing, where too much focus is on documentation, manual testing, and evidence gathering. It is common to see this robust and scripted test approach applied to every system and function, regardless of its associated risk classification.
There is more flexibility with the assurance approach that CSA facilitates, as well as flexibility with acceptable records of results. There is also the introduction of the terms Scripted, Unscripted, and Ad Hoc Testing.
Scripted testing is widely used today in traditional CSV. It contains test objectives, step-by-step test procedures, expected results, independent review, and approval. CSA guides companies to continue using Scripted testing but only for high-risk features of a system that directly impact the product or patient safety.
An Unscripted test is testing without detailed instructions but with a clear objective and pass/fail criteria. Unscripted testing is to be used to test lower risk features of a system. Importantly, Unscripted testing still means you have to test, and details of test failures should be recorded as normal.
Ad Hoc Testing
Ad Hoc testing is similar to Unscripted Testing but does not require pre-approved protocols. This assurance approach may be in the form of exploratory testing, and it is considered the least-burdensome assurance option. It should be used for low-risk systems.
Efficiency Savings that Will Increase Innovation
By applying critical thinking and a risk-based approach, these assurance processes can be easily implemented on a feature-by-feature basis, as shown by the simple example illustrated below.
Unscripted and Ad-Hoc testing are seen as the right level of documentation for medium to low-risk features. CSA will consider these approaches to be an acceptable record or results. It is expected this new approach will result in a 30 – 50% reduction in time and costs, so it will therefore increase and accelerate innovation.
Preparing for CSA
The new CSA guidance is expected to be released in the coming months. The FDA has stated that companies can (and should) proactively take these principles into consideration. The recommendation is to create a transition plan and to pilot new methodologies on a subgroup of systems before rolling out to your entire organisation.
For some companies, moving to CSA will be a cultural shift compared to the current way of doing things. It is therefore critical the quality leadership team embrace CSA to enable its adoption throughout the organisation.
Now is also the perfect time to leverage automated testing and continuous data monitoring tools to streamline assurance activities that the new guidance supports.
Digital transformation is gathering pace in the life sciences industry due to Industry 4.0. The COVID-19 crisis is also spurring on innovation.
Traditional CSV practices are no longer compatible with emerging automation and digital technology solutions. It is time to implement a streamlined validation approach based on critical thinking that will support Industry 4.0 and will ultimately drive better patient outcomes and faster time to market.