FAQs on CSA & CSV: FDA CSA Regulatory Requirements


Article Context:

  1. Computer Software Assurance (vs) Computer System Validation (CSA (vs) CSV)
  2. FDA 21 cfr part 11 requirements
  3. CSV/CSA Assessments
  4. CSV/CSA Methodology
  5. Most Common issues found during evaluation from CSA to CSV
  6. What are the common issues that result in evolving to CSA from CSV?
  7. Benefits of Quality Management System

On September 13, 2022, the FDA (Food and Drug Administration) issued a draft guidance offering recommendations on Computer Software Assurance (CSA) for automated data processing systems that are used as part of medical device production and the quality system. Industry experts are to submit comments by November 14, 2022. This draft guidance is also intended to describe various testing activities and methods to establish CSA and offer objective evidence for fulfilling computer software validation (CSV) regulatory requirements in 21 CFR Part 820.

Compliance Group Inc has been implementing these risk-based CSA methodologies and training our customers in them for a few years. The FAQs below curate many questions from our customers and attendees of our various webinars.

If you have any other questions that are not answered here, please email us at info@complianceg.com.

What are the major differences between Computer Software Assurance (CSA) and Computer system validation (CSV)?

CSA and CSV serve the same purpose in digitally matured life sciences companies. However, there are some significant differences between these approaches. CSA was once thought to be a futuristic approach to software validation. Still, that perception has shifted since the FDA published its latest draft guidance. Under the current CSV methodology, as per the 80:20 rule, manufacturers spend 80% of their time documenting actions and the remaining 20% testing. CSA is a framework created and designed to assist manufacturers in achieving CSV.

CSA will provide enough clarity on the stance and methodology used to discover what is of considerable risk and what is not, reducing manufacturer misinterpretation. The CSA approach clarifies where to focus by following this order: risk-based critical thinking, analysis of assurance requirements, testing activities, and finally the documentation.

What do the FDA's 21 CFR Part 11 organizational requirements entail?

The organizational requirements of Part 11 can be divided into five main categories. Here is a description of each one of them:

Validation: Regular system software validation checks must be conducted, and their outcomes should be recorded, to guarantee that all components of your system operate as intended.

Audit history files should be automatically created for each record creation, modification, and deletion. These records should be kept for a while and made accessible to FDA auditors so they can review and copy them, as necessary.

Operational controls: Your company must adhere to a workflow structure for the documents and data it manages. This indicates that personnel are responsible for the creation, review, and approval of your records. The entire process should be documented, and steps cannot be avoided.

Training: All users who have access to your document management system ought to have the knowledge and expertise necessary to conduct their assigned tasks. An auditor must be able to verify this training through documentation.

What is the meaning of “software not used in a product” (or non-product software)?

Non-product software (NPSW) is custom or off-the-shelf software used in the design, progression, and manufacturing of medical devices, as well as software tools used to implement the quality system itself. It is not directly used in a medical device, SaMD (Software as a Medical Device), MDaaS, or end-product. The simple truth is that the new CSA framework is not restricted to medical device manufacturers. It has many potential applications across all life sciences industries.

The FDA's Center for Devices and Radiological Health (CDRH) collaborated with the Centers for Biologics Evaluation and Research (CBER) and Drug Evaluation and Research (CDER) to work on this new draft guidance. It is based on a genuinely risk-based approach that should be considered when utilizing non-product, industrial production, operations, and quality system software solutions like:

  • Quality Management System (QMS)
  • Document Management System (DMS)
  • Training Management System (TMS)

Is software as a medical device (SaMD) or software in a medical device (SiMD) subject to the CSA?

CSA is intended to guide life sciences companies on assurance for computer software and automated data processing systems used in medical device production or the quality system. It does not apply to the design validation or verification for software as a medical device (SaMD) or software in a medical device (SiMD). It also does not apply to technology vendors who use a software development lifecycle (SDLC) that applies a risk-based approach to functional testing. The FDA has no authority over technology vendors.

What is the difference between an indirect and a direct system?

A direct distribution channel transports a company's products directly to consumers. An indirect channel outsources distribution to intermediaries who take charge of the product delivery.

Indirect systems have no direct impact on patient safety or product quality. Direct systems necessitate less documentation.

Examples of indirect systems include:

  • Complaint and document management systems
  • Bug tracking, testing, debugging and code control tools/applications

Direct systems, such as electronic device history or adverse event reporting, have a direct impact on patient safety or product quality and may necessitate additional testing based on risk. In other words, the greater the risk a system poses to the product and patient safety, the more testing and documentation will be required.

Examples of direct systems include:

  • Calibration systems that are automated
  • History record of electronic devices
  • Automated inspection systems designed to require no further human checks
  • Labelling methods

How should I assess risk in my application?

To determine suitable assurance activities, the FDA (Food and Drug Administration) recommends conducting a risk-based analysis. In general, this risk-based approach entails systematically identifying foreseeable software failures, determining whether such a failure poses a high process risk to patient safety, product quality, or data integrity, and selecting and performing applicable assurance activities that are commensurate with the medical devices. Low-level risks can leverage ad-hoc testing mechanisms or vendor testing activities that are sufficient to demonstrate that the system meets its intended use. Higher-level risks may necessitate unscripted, ad-hoc, scripted testing, or a combination of these activities. There is no requirement to use a specific risk assessment method.

Can you provide examples of ad hoc and unscripted testing? How do you demonstrate that you conducted this type of testing?

As per the FDA framework, unscripted testing usually takes one of two forms: ad-hoc testing and error guessing. Ad-hoc testing typically consists of happy path testing, whereas error guessing includes testing of failure modes as needed. In either case, a tester simply documents the following items as they perform their testing activities:

  • Evaluated features or functional descriptions and failure modes
  • Details about any failures that occurred during testing, including their resolutions

Additional information, which could be included in other documents or as part of the unscripted testing form, includes:

  • Intended use and percentage of risk assessment
  • As necessary, reviews and approvals

The FDA has begun issuing citations to businesses for insufficient CSV efforts. How will CSA inspectors be trained to overcome this?

The FDA is undergoing extensive auditor training and is implementing an agency-wide Case for Quality programme. Furthermore, the FDA is developing a Digital Center of Excellence, which will encourage manufacturers to contact the FDA before an audit to speak up about their processes and procedures. The goal is to increase collaboration throughout the process and reduce the fear of regulatory observations that have resulted in misinterpretation of the guidance's original intent.

Has FDA contacted other regulatory agencies, such as the MHRA, the EU, and others, to ensure that this approach is acceptable for companies that sell internationally?

Yes, the FDA has been working on the Case for Quality programme in collaboration with its international counterparts.

How can Compliance Group Inc assist my business today?

The most significant barrier to CSA adoption is the mindset and cultural behaviors that your organization has developed. Four out of every five senior leaders are unable to explain WHY they do things the way they do. "We've always done it that way," most people say. Unless you can trace it back to a law or regulation, it is a tradition or legacy of unruly behavior that is holding you back. The most difficult aspect of evolving your validation processes is modifying the internal behaviors and perceptions. Using a third party, such as CG (Compliance Group), can assist your organization in avoiding unnecessary processes and procedures. Compliance Group Inc is at the forefront of technology and compliance, and we always keep a close eye on FDA's CSA guidance.

We have innovative solutions that can save you time and money on your validation programmes. Among the programmes are:

Our company can assist your team with a pilot project, train, and mentor your team on critical thinking, develop a risk-based approach, and consult on automated testing processes. We also provide programmes for organizational change management.

CSV/CSA Assessments – To move you to a real, risk-based CSA process based on your present condition (i.e., the quality of documentation, testing, SOPs/WIs, automation use, and audit performance), our organization will examine your complete current CSV process holistically and manage all the possible recommendations.

CSV/CSA Methodology - Our company can digitally transform your entire CSV process into a CSA process.

Our company will ensure that your systems are compliant from methodology development to end-user training.

Cloud Assurance - Our company offers a subscription service to ensure end-to-end GxP compliance of your cloud systems. CG can also lighten and manage the cloud validation burden from implementation to ongoing validation, i.e., final product post-release maintenance, including updating to new releases.

How does the FDA describe critical thinking?

As a manufacturer, the company and the people who make the product understand the entire business process. You will also have an insight into how risk is created, where it matters, and what is going on from a process standpoint. Consider where the system could introduce a risk versus what is a product or process risk. This assists you in telling your story, whether to the FDA, an auditor, or any other regulator. Demonstrate that you can tell that story while also understanding and controlling your product and processes.

Why Is Document Management Necessary?

On a macroeconomic level, document management, if widely adopted, is one of the few technologies that can boost GDP (Good Documentation Practices) without harming the environment. In fact, the entire accounting industry has increased the value of its profession by expanding the skill set of its practitioners through the efficiency provided by document management systems. Furthermore, as security breaches become more common, document management systems play a significant role in simplifying compliance and protecting client and customer information through secure file sharing and role-based permissions. Although paper documents appear to be safer because they are tangible, this is simply not the case because they expose a completely different avenue for breach—the traditional office break-in.

What activities or documents can I obtain from my technology provider?

We recommend that you verify a vendor's software development activities, such as verification and validation, release planning, change control, and so on, whenever possible. We understand that not all suppliers are willing to share this information or provide an auditing mechanism. In those cases, you can evaluate the supplier and leverage their activities by relying on published vendor white papers, the vendor's years of experience in life sciences and health care, their prestige, bug lists, and so on. Through our Cloud Assurance service, CG also conducts annual audits for many best-of-breed technology vendors, which can be used as objective evidence. We also provide SOP (Standard Operating Procedure) services and vendor audits on an as-needed basis.

What are the common issues that result in evolving to CSA from CSV?

CSA is a risk-based approach promoted by the FDA in 2003 and introduced to CSV by GAMP 5 five years later, in 2008. CSV is overburdened with documentation activities, which occupy around 60% of the time spent completing the validation processes.

Common issues with CSV include the following:

  • Insufficient understanding among business specialists
  • Tendency to maximize testing efforts and excess document reviews
  • Lack of understanding on testing activities and processes

These issues do not imply that the CSV approach is a failure. But problems usually arise from misunderstanding and from validation of entire execution processes.

What is the FDA doing, and how, to hold software vendors more accountable for standardizing their testing documentation so that it can be easily and genuinely leveraged by regulated life sciences companies?

The FDA has no authority over software or cloud vendors. Drug and device manufacturers are responsible for ensuring that the vendor has adequate controls in place or for conducting additional testing to ensure the product is fit for use. In requirements for comprehensive QMS (Quality Management System), supplier qualifications are not considered as the FDA does not regulate these vendors. They only need to have controls in place to ensure that quality applications are produced for your intended use. CG has developed different programmes to recognize technology vendors who meet quality and compliance requirements in the life sciences industry.

If you are looking for modern technology vendors, we recommend Cloud Assurance Certified technologies because they have passed the rigorous compliance, security, and data integrity assessment performed by the company and demonstrate compliance with the consolidated global health authority statutory and regulatory requirements. In addition, we provide Vendor Assurance Reports for any cloud-based certified technologies that can be used as evidence for FDA audits.

Is CSA certification provided by the FDA for individuals, or how can I become certified in CSA best practices?

There is no certification program specific to the CSA methodology, but there are many training courses available for Computer System Validation. When used correctly, CSA is simply a more effective and efficient way to ensure that your system meets its intended use. The company provides CSA methodology training and practical, hands-on workshops to assist regulated organizations in implementing this approach.

What exactly does CSA mean specifically for GAMP? Will GAMP be rendered obsolete? Will it include the second edition of GAMP 5?

The upcoming CSA guidance will not introduce any new concepts. Its goal is to simplify and clarify the use of non-product software while maximizing the testing efforts and minimizing documentation for lower-risk non-product software systems. It is GAMP 5 compliant and will be updated in future editions. The FDA intended CSA all along, but it lacked clarity, and the misinterpretation finally led to too much documentation rather than quality.

What is 21 CFR Part 11 of the FDA?

21 CFR Part 11 is defined by the FDA as the criteria for determining whether electronic signatures and records are reliable, trustworthy, and equivalent to paper records. It is a guidance on how companies based in the United States can submit documentation in electronic form, as well as the criteria for approved electronic signatures. CFR is an abbreviation for "Code of Federal Regulations," and Part 11 specifically refers to electronic signatures submitted to the FDA. In general, if your organization meets all the Part 11 requirements and can effectively demonstrate the validity of its electronic signatures to an auditor, then the FDA will accept those electronic signatures in lieu of traditional paper-based ones.

What about audit logs?

The Part 11 audit trail is simply a set of requirements that must be fulfilled in the best way possible. Determine when more robust testing of those requirements is required and when you can simply ensure that your vendor built that in. Overall, audit trails do not necessitate a significant investment of time and effort.

How does a training management system operate?

Consider being able to manage your entire training business from a single location. This is entirely feasible: rather than piecing together a patchwork system of programs to manage various tasks, a TMS (training management system) provides a unified solution. Training management software allows you to schedule courses and presenters, track payments and business growth, and provide relevant marketing, all under one roof. As all aspects are already connected and coordinated with one another, having a single software solution means your data stays fresh and responsive to real-time changes, and automating manual processes becomes seamless and stress-free. Time saved on administration can be used to transform your training company. With a TMS at the heart of your operations, you can gain valuable insights that will give you a competitive advantage.

What is the ISO 13485 standard?

As quality and safety are non-negotiable in the medical device industry, ISO developed the ISO 13485 standard. Even though it was published in 2016, this standard was last reviewed and confirmed in the year 2020. ISO 13485 specifies requirements for a QMS (quality management system) where an organization/company demonstrates its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements.

MDSAP (Medical Device Single Audit Program) vs ISO 13485?

ISO (International Organization for Standardization) 13485 and MDSAP (Medical Device Single Audit Program) are two different audit programs with similar requirements, but they do not duplicate each other. MDSAP has the stricter and more precise requirements of the two, and organizations or products that are certified to ISO 13485 will see an increase in the number of audit days once they seek certification to MDSAP.

What is a quality management system? What are its benefits?

A formalized system that records processes, procedures, and roles for conducting quality policies and objectives is known as a quality management system (QMS). A QMS aids in effectively directing and taking care of an organization's operations to satisfy customer and regulatory requirements and enhance overall effectiveness and efficiency.

Benefits of Quality Management System:

Every aspect of an organization's performance is impacted by the implementation of a quality management system. A formalized quality management system has the following advantages:

Meeting the needs of customers fosters confidence in the organization, encourages more business retention and attracts new customers.

Meeting the organization's needs ensures compliance with regulations and the most cost- and resource-effective delivery of goods and services, allowing for expansion, growth, and profit.

These advantages in turn provide further advantages, such as:

  • Determining, enhancing, and managing processes
  • Lowering wastage, reducing expenses, and preventing errors
What exactly do the installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ) processes mean? What about UAT (User Acceptance Test)?

The goal of CSA is to emphasize critical thinking, conduct more business testing of the process and its intended use, and conduct fewer functionality tests. Installation qualification: Although the vendor usually does a decent job of installation testing, it is still a good idea to turn on the equipment, log in, and make sure it works. That is a minimal risk because failure will be obvious. Additional responsibilities include ensuring you have all the necessary user manuals, vendor qualifications, and so on.

Focus on your business processes, how they work within the system, and how you want them to work within the system during user acceptance testing (UAT). This is where we expect to see far more testing and far less testing of out-of-the-box functionality.

If you have any other questions that are not mentioned here, or would like a demo/consultation on current CSV/CSA processes, please email us at info@complianceg.com.