The field of Computerized System Validation (CSV) in the life sciences has been recently (re)energized by certain guidelines that introduced the concept of Computer Software Assurance (CSA) for computer systems and software used in organizations that need to comply with CGMP regulations. We have prepared a series of four articles to examine in further detail the new CSA approach.
Specifically, the purpose of the 4-part CSA series is to:
CSA – Part 1: Provide a brief summary of the latest guidelines related to CSA concepts (this article)
CSA – Part 2: Provide a Summary/preview of the historical review analyzed and presented in more detail in the next article (see CSA – Part 3) in the series
CSA – Part 3: Provide a historical review of CSA-related regulations and guidelines and trace early origins of the new CSA approach related to computerized system validation and computer software assurance by reviewing applicable regulations and guidelines
CSA – Part 4: Examine the areas in which CSV is evolving into CSA based on the recent guidelines
Three new guidelines were published in 2022 related to the new Computer Software Assurance (CSA) concept in the life sciences.
i) The first guidance was published in July 2022 by ISPE/GAMP5, which was the second edition of the 2008 GAMP5: A Risk-Based Approach to Compliant GxP Computerized systems. This second edition builds on the existing risk-based approach published in 2008, by:
- adding guidance for, and highlighting the significance of leveraging suppliers of IT services, software, and hardware
- expanding on software development methods
- examining the significance of automated software tools for compliance of GxP computerized systems during testing, validation and assurance.
Furthermore, this guide explores new and evolving topics in the life sciences industry such as blockchain, Artificial Intelligence/Machine Learning (AI/ML), cloud computing, and Open-Source Software (OSS). Finally, this guidance describes elements of the FDA’s CSA concept (mentioned in the 2nd guidance below) along with references to critical thinking, the increased importance of qualifying and leveraging activities performed by the IT software supplier, supplier qualification and data integrity principles.
ii) The second was a draft guidance from the FDA: Computer Software Assurance (CSA) for Production and Quality System Software, issued on 13 September 2022. The goals of this draft guidance were to: “Describe “computer software assurance” as a risk-based approach to establish confidence in the automation used for production or quality systems, and identify where additional rigor may be appropriated, and to describe various methods and testing activities that may be applied to establish computer software assurance and provide objective evidence to fulfill regulatory requirements, such as computer software validation requirements in 21 CFR part 820 (Part 820)“.
This guidance recommended four areas where GxP organizations and software manufacturers could benefit from a risk-based approach for computer software assurance: a) identifying the intended use of the software (direct vs. indirect involvement in the production processes and the quality system, b) determining the appropriate assurance activities based on a risk-based approach (high risk vs. not high risk of a quality problem that foreseeably compromises safety), c) determining the appropriate assurance activities (testing rigor and leveraging strategies to reduce the effort of additional assurance activities) and d) establishing the appropriate records to demonstrate that the software performs as intended (necessary and sufficient evidence).
iii) The third guidance was a concept paper published on 19 September 2022 created by a joint effort between the EMA GMP/GDP Inspectors Working Group and the PIC/S subcommittee on GMDP Harmonization. EU Annex 11 is common to the member states of the European Union as well as to the participating authorities listed here. This concept paper described the need to revise the existing EU Annex 11 guidance for computerized systems due to a number of reasons listed within the document. Some examples were:
- The need to challenge critical parts of computerized systems during system qualification and validation following a risk-based approach (point #10, EU Annex 11 section 4.1)
- New ways to perform software validation, such as using agile methods (point #12, EU Annex 11 section 4.5)
- The need for regulatory guidance for the use of Machine Learning (ML) models and Artificial Intelligence (AI) used in GMP applications (point #32 – New section)
- The intent to consider FDA’s draft guidance for Computer Software Assurance (CSA), described in point ii) above, with regards to regulatory relevance for GMP Annex 11 (point 33 – New section)
Further reasons for the need to update the EU Annex 11 guidance, were the introduction of new terminology and concepts such as digital transformation, multi-factor authentication, firewalls, platform management, security patching, virus scanning and others, due to an “extensive progress in the use of technologies”.
Conclusion
In all three guidelines mentioned above, a common theme emerges. The need to re-think and evolve the way GxP organizations in the life sciences industry assure that their computerized systems perform as intended. This new way of computer software assurance is driven by technological advancements, alternative software development methodologies, and the need to decrease quality costs and enhance efficiencies that aim to improve product quality and patient safety.
Acronyms
| CGMP | Current Good Manufacturer Practices |
| CSA | Computer Software Assurance |
| CSV | Computerized System Validation |
| EU | European Union |
| FDA | Food and Drug Administration |
| GAMP | Good Automated Manufacturing Procedures |
| ISPE | International Society for Pharmaceutical Engineering |
References
- GAMP5: A Risk-Based Approach to Compliant GxP Computerized systems. ISPE/GAMP. 2008.
- GAMP5, Second edition: A Risk-Based Approach to Compliant GxP Computerized systems, ISPE/GAMP, July 2022.
- Computer Software Assurance for Production and Quality System Software, Draft Guidance for industry and Food and Drug Administration Staff. US FDA, USDHHS, CDRH, CBER, 13 September 2022.
- Concept Paper on the revision of Annex 11 of the guidelines on Good Manufacturing Practice for medicinal products – Computerized Systems. PS/INF 94/2022, EMA and PIC/S, 19 September 2022.
Disclaimers
The information contained in this article is provided in good faith and reflects the personal views of the author. No liability can be accepted in any way. The information provided does not constitute legal advice.
Copyright
© CCG Solutions GmbH 2023 – 24 January 2023
Reproduction prohibited for commercial purposes. Reproduction for internal use is authorized, provided that the source is acknowledged.