FDA’s transformation towards CSA
The pharmaceutical industry is currently undergoing an exciting transformation. Medical and biotechnological innovations happen very fast, research and development processes are under constant investigation for improvement, and business and sales models are changing.
In this array of changes, existing validation and verification processes and practices are also being challenged. What validation specialists and experts have known and believed about Computerized Systems Validation (CSV), software validation and 21 CFR Part 11 compliance is about to change noticeably.
By the end of this year, the FDA plans to release an updated guidance on the transition from the traditional framework of Computerized System Validation to Computerized System Assurance (CSA) for Manufacturing, Operations and Quality System Software. Somewhere in the middle of the Covid-19 outbreak (May 2020), our Rescop colleague Adriaan Wanner wrote a blog about the future of Computerized System Validation (you can find this blog here).
FDA’s draft guidance on Computer Software Assurance has emphasized ‘critical thinking’ as a crucial asset when implementing automated systems. In brief, it is a paradigm shift from document-oriented computerized system validation practices to assurance practices focused on critical thinking. The FDA is driving this shift towards Computer Software Assurance. The pharmaceutical industry should take notice of this change and be prepared to adapt to it.
In a rapidly changing digital landscape, the guidance on Computerized System Validation dates back to 2003 and lags behind the latest technologies. As a result, it is no longer clear, in terms of the effectiveness and efficiency of the validation effort, how much testing is enough and where testing should focus.
The FDA believes the use of innovative thinking, automation methods, Information Technology and Data solutions throughout the product life cycle can provide significant benefits to enhance quality and patient safety. These substantial quality benefits have been shown in other industries that use thorough, innovative automation and also embrace risk-based approaches and solutions for cloud computing.
At this moment, CSV has increasingly become an obstacle in the move to an automated environment. This is evident from the extensive testing and comprehensive documentation required to prove the validated state of the computerized system.
To support the use of these new technologies, FDA is drafting a new guideline for Computer Software Assurance (CSA) that will tackle the issues life-science manufacturers have at the moment with CSV.
The new guidance will provide clarity on the process to be used to determine what is marked as high-risk and therefore what should be verified more thoroughly to eliminate flaws and failures earlier. The intent is to improve quality, reduce validation and verification costs and time, decrease testing issues and deliver value faster.
This approach includes a shift away from the emphasis on compliance, allowing manufacturers to focus on enhancing quality and patient safety. It also allows them to implement automated systems and new technologies faster and more widely. A risk-based approach is not new and has been used for decades in many principles and frameworks for product and IT system development within the pharma industry. The risk determination of software remains focused on the following principles:
- Does the software impact patient safety?
- Does this software impact product quality?
- How does the software impact the system’s data integrity?
The above approach remains applicable to all regulated organizations. No doubt about that. But what exactly does the shift to CSA mean? The CSA approach will contain elements of:
- Critical Thinking: Contained risk assessment for each software product feature
- High Assurance: Demonstrate the functionality or feature is working as desired
- Testing Activities: Define and leverage different test methods, such as formal (hence scripted) testing and informal (unscripted) testing
The figure below briefly explains the differences between CSV and CSA:
- “Focus on creating documentary records for compliance” versus “Focus on testing for higher confidence in system performance”;
- “Validating everything with the chance to miss higher risk ranked functionality” versus “Risk-based assurance, applying the right level of risk to patient safety and/or product quality and data integrity”;
- “Avoiding previous assurance activities and/or related risk controls” versus “Taking prior assurance activities into account and pre-assessed risk controls”.
The new FDA guidance intends to focus on more direct and tangible system testing and considerably less documentation generation.
Having introduced the above three CSA principles, let us zoom in more closely by explaining the last principle of informal or unscripted testing. This is a type of software (product) testing in which the validation engineer (hence software developer/tester) has a relative degree of freedom to select any possible methodology to test the software.
As per the typical definition of informal, unscripted testing, software developers, testers and end-user stakeholders use their skills and abilities to test the software they have developed, with fewer predefined and detailed scenarios and with techniques such as error guessing and exploratory testing. Let’s take an example of scripted and unscripted testing:
When considering for example a learning management system environment and applying the critical thinking principle, one can outline that:
A training requirement generation as part of a curriculum can be considered as unscripted testing.
Consider the scenario where a production specialist is working in a critical area but has failed to renew his/her certification. In this scenario the individual should automatically be barred from entering the production area. Since this has an impact on product quality, we need to classify this feature as high risk, including a proper test script and testing evidence. This scenario will be considered as scripted testing.
To support unscripted testing, FDA is also considering proposing the adoption of smarter techniques in software delivery. Research firms like Gartner predict that by 2024, low-code application development will be responsible for more than 65% of application development activity. Low-code development entails a development platform that supports the efficient use of code through high-level programmed commands for writing system code.
Together with the Critical Thinking and High Assurance principles, life-science manufacturers should take notice of CSA as the FDA is releasing an updated guidance for computerized validation and verification practices. They can apply the CSA principles and share their experiences with them to build up the learning curve in effective product development and to enhance the life cycle of their products.