FDA’s New Computer Software Assurance – Impacted SOPs
- April 29, 2021
- Posted by: Stephen J Cook
- Category: Regulatory
As the FDA’s new draft guidance on Computer Software Assurance (CSA) gains traction, more and more organizations are recognizing the value of a leaner approach, and those that have already implemented CSA are realizing it. Earlier this year I had a two-and-one-half hour discussion with a Validation Manager at a large pharmaceutical manufacturer, responsible for validation at over 50 global sites. At that time, he was very dubious about CSA and risk-averse in his perceived compliance concerns. Just last week the same Validation Manager contacted me again. He has realized CSA is gaining momentum, regulators are more aware of the new thinking and he is now interested in getting help converting their global procedures to CSA and facilitating the associated training.
So that raises the question: is CSA just a rewrite of the existing SDLC policy or Computer Software Validation (CSV) procedure, or are its implications more far-reaching? Continue reading as I explore how CSA can be woven into and complement far broader IT-related QMS topics.
Infrastructure Qualification – Physical or virtual IT assets have, at best, an indirect impact on patient safety and product quality, which means that rather than performing detailed verification of “as-built” components, infrastructure qualification may leverage an unscripted testing model. Further, build specifications can focus on the minimums required to support the GxP software. Too often IT is handicapped by validation documentation when it comes to upgrades and patching, including for security. This puts our systems at real risk. When we prioritize document maintenance and detailed testing, we leave systems vulnerable. Let’s let IT protect these assets, which is foundational to CSA, with the priority on system integrity.
Risk Assessment – I like to make this a separate procedure, rather than build it into the IT Validation SOP. CSA-based risk, that is, assessing patient safety and product quality impact against functional complexity, may be used by lab and manufacturing systems as well. This allows those different processes to “hook into” a CSA risk framework without following the IT validation procedure. Refer to our CSA White Paper for implementation details.
Defect Management – Consider the spirit of CSA when requiring defects to be written up. Does it really add value or is it a documentation exercise? Always think about the quality of the system and keep moving in that pragmatic direction. CSA applies to retesting as well, both when and how it gets performed.
Data Archival and Migration – Are you still sampling hundreds or even thousands of data points when moving data from system A to system B? Does it really have a direct impact on patient safety? Maybe it does, but again, experience tells us that most do not. Use the CSA risk framework and scale sampling appropriately. Consider using ISO 2859-1 Special Inspection levels.
Spreadsheet Assurance – Many of us are still developing a total set of lifecycle documents for a GxP spreadsheet and running it through a Validation Plan with a Report. Does this really add value? Most spreadsheets can use an integrated model with one deliverable, again scaled and tested to the CSA risk framework.
Change Control – Here again, we see how CSA complements the overall risk analysis, as well as testing of changes. From new functionality to regression testing, leverage the unscripted model as often as possible. Not only will your testers be more likely to find the bugs, but you’ll spend far less time creating test cases and writing deviations for typos.
From Access and Security to Backup and Restore, there are many other IT topics that CSA blends nicely into. Remember that CSA is all about aligning the risk of our systems with the reality of their potential to do harm. Most systems we support as validation or quality professionals have numerous quality checks between them and the patient. So think big! Don’t stop at just a rewrite of your organization’s validation procedure. Instead, leverage CSA for what it is – a risk-based assurance methodology for the entire life cycle of a system. Or, even better, look at the automated e-validation Polarion. The FDA’s New Computer Software Assurance is intended to foster critical thinking and application of appropriate risk. As always, we’re here to help.