In the three earlier CSA-related articles: CSA – Part 1 (recent CSA-related guidelines), CSA – Part 2 (Summary of CSA historical review) and CSA – Part 3 (The journey to CSA and historical review), we listed the three recent guidelines related to CSA and presented a review of regulations and guidelines related to Computer Software Assurance in the life sciences. We also traced CSA concepts to earlier regulations and guidelines.
Highlighted in bold font below is the focus of this 4th article.
CSA – Part 1: Provide a brief summary of the latest guidelines related to CSA concepts
CSA – Part 2: Provide a Summary/preview of the historical review analyzed and presented in more detail in the next article (see CSA – Part 3) in the series
CSA – Part 3: Provide a historical review of CSA-related regulations and guidelines and trace early origins of the new CSA approach related to computerized system validation and computer software assurance
CSA – Part 4: Examine the areas in which CSV is evolving into CSA based on the recent guidelines (this article)
The purpose of this article is to highlight some areas where CSV is evolving into the CSA approach. We could interpret the 2022 CSA draft guidance by the FDA as the evolution of CSV to a more efficient and mature process that prioritizes quality of product and patient safety, rather than it being a sometimes burdensome activity centered primarily on addressing regulations. CSA does not need to be seen as entirely replacing CSV, but rather as complementing it and assisting it to evolve and mature. This idea along with its underlying concepts is depicted in Figure 1 below.
Figure 1. The evolution of CSV to CSA
Below are some areas where CSV is evolving into the CSA approach:
- Understanding better the intended use of the software/system
In CSV, systems are categorized according to the GAMP5 categories (layered software, COTS, configurable, customizable) and system validation is performed according to the V-model and a risk-based approach.
CSA recommends to understand the intended use of the software considering the following: 1. whether the software is directly involved in production activities or the quality system, versus 2. whether the software is used to support production activities or the quality system, versus 3. Whether the software is not used in production activities or the quality system. In the first two options, a further understanding of intended functionalities may take place with the possibility of reducing the validation effort/rigor without compromising patient safety.
The GAMP5 categories for system classification, along with the V-model and a risk-based approach may still be used, and by adding the CSA recommendations, we see an example where CSV is evolving into the CSA approach.
- Applying ‘critical thinking’ in the risk-based approach throughout the CSV and data lifecycles
In CSV the risk-based approach is well followed during the CSV lifecycle (Concept, Operation, Project, Retirement) and the data lifecycle (Creation, Processing, Review/Reporting and Use, Retention and Retrieval, Destruction). The ISPE/GAMP5 2008 guide provided multiple recommendations and examples for this approach, for example assessing for probability, severity and detectability (inversely measured) by assigning a high, medium or low score for each. The resulting risk priority determined the validation effort.
CSA adds to the existing risk-based approach by recommending to use critical thinking in determining/assuring whether certain software functionalities pose high process risk or not, since a failure of these functionalities may contribute to decreased product quality and can foreseeably pose a risk to patient safety.
Risk-based approach forms the baseline in computerized system validation (CSV). Risk-based approach done with CSA’s critical thinking, for example using the new approach of “high process risk” vs. “not high process risk” determination, is an alternative approach that stands out as an example of the evolution of CSV into CSA.
- Applying ‘critical thinking’ in test design and testing approaches
In CSV the testing approach, including the degree of testing, may sometimes be seen as too much testing, unnecessary, or seen as duplicated when placed side by side to the same testing performed by the software vendors.
CSA recommends to apply critical thinking by choosing from a variety of testing strategies presented in the 2022 CSA draft guidance, based on whether a software functionality could lead to severe harm to a patient. CSA distinguishes appropriate testing activities based on whether a software functionality may or may not pose a high process risk. These activities can vary from high-level testing, where no step-by-step procedure is necessary, to robust scripted testing (i.e. step-by step cases), according to the software’s intended use and risk determination. Similar ‘critical thinking’ process may be applied in the case of vendor testing to eliminate duplication effort and therefore reduce the cost of validation activities.
Choosing the appropriate testing strategy, scope and methodology, based on ‘high process risk’ versus ‘not high process risk’ that the software may pose to product quality and patient safety, can be seen as another example of the evolution in thinking from CSV to the CSA approach.
- Establishing the appropriate software assurance deliverables, evidence, and records
In a Waterfall/V-model approach, as mostly takes place during CSV activities, documentation is usually outlined from the beginning of the project, so that project deliverables are known and agreed upon.
By applying more agile approaches and with critical thinking, less documentation may be required and previously-planned documentation may be found to be unnecessary. In terms of evidence required, the CSA approach recommends to use critical thinking to decide which assurance activities and recorded evidence are necessary to assure and document that the software performs as it is intended to. In other words, CSA is offering the possibility of reduced amount of ‘paperwork’ and documentation to establish computer software assurance. This can be seen as another example of the evolution in thinking from CSV to the CSA approach.
In combination with the areas mentioned above, additional efficiencies and benefits for GxP organizations may arise from the evolution of CSV into the CSA approach. These include:
- Applying a ‘necessary and sufficient’ approach to computer software assurance activities
- Reducing unnecessary quality and compliance activities
- Allowing flexibility when interpreting applicable regulations
- Reducing the cost of quality and becoming more efficient
- Applying alternative project management and software development methodologies
- Leveraging and qualifying software vendors in more efficient ways
- Ensuring good data integrity practices and quality by design mindset
- Catching-up with technological advancements and enabling innovation, including the use of automated tools for computer software assurance
Conclusion
This article concludes the 4-part series on CSA. We have previously presented the guidelines supporting the new thinking in the computer software assurance (CSA) field and we have taken a historical and traceable view of regulations and guidelines relevant to CSA concepts. In this fourth article in the CSA-series we have proposed the case for the evolution of CSV into CSA and provided certain areas were CSA can be beneficial to GxP organizations.
Technology, along with the life-sciences industry and regulators, are evolving collectively to improve product quality, reduce unnecessary quality-related costs and improve patient safety. We look forward to apply and see the benefits of the new CSA approach realized in practice in our validation projects within the GxP-regulated industry.
How CCG Solutions can help your GxP organization
At CCG Solutions, we apply our extensive experience in computerized systems validation with our thorough understanding of CGMP regulations combined with our commitment to the new CSA approach, to provide efficient solutions for computer software assurance to our GxP-regulated customers.
We provide our consulting services to GxP-regulated organizations that manufacture products for human use (e.g. pharmaceutical drugs, medical devices, cosmetics, vitamins and dietary products). We also provide our services to manufacturers (i.e. vendors, suppliers) of computer software whose products are supplied to their GxP-regulated customers (e.g. pharmaceutical companies). In both cases, our services aim to assure that computer software performs as it is intended to, with minimal risks to product quality and patient safety, while ensuring compliance with applicable regulations.
For more information on CSA and on the consulting services we provide, please visit our Services web-page, or call us directly for an initial consultation.
Acronyms
| CCG Solutions | Computerized System Validation (CSV) and Computer Software Assurance (CSA) Consulting in the GxP area |
| CGMP | Current Good Manufacturing Procedures |
| COTS | Commercial Off The Shelf |
| CSA | Computer Software Assurance |
| CSV | Computerized System Validation |
| FDA | Food and Drug Administration |
| GAMP | Good Automated Manufacturing Procedures |
| ISPE | International Society for Pharmaceutical Engineering |
References
- CSA – Part 1. Recent guidelines related to Computer Software Assurance.
- CSA – Part 2. Summary of historical review of applicable regulations and guidelines for Computer Software Assurance.
- CSA – Part 3. The journey to CSA: A historical review of applicable regulations and guidelines for Computer Software Assurance.
- GAMP5: A Risk-Based Approach to Compliant GxP Computerized systems. ISPE/GAMP. 2008.
- GAMP5, Second edition: A Risk-Based Approach to Compliant GxP Computerized systems, ISPE/GAMP, July 2022.
- Computer Software Assurance for Production and Quality System Software, Draft Guidance for industry and Food and Drug Administration Staff. US FDA, USDHHS, CDRH, CBER, 13 September 2022.
Disclaimers
The information contained in this article is provided in good faith and reflects the personal views of the author. No liability can be accepted in any way. The information provided does not constitute legal advice.
Copyright
© CCG Solutions GmbH 2023 – 31 January 2023
Reproduction prohibited for commercial purposes. Reproduction for internal use is authorized, provided that the source is acknowledged.