Demystifying Computer Software Assurance

2 Feb 2024

Life sciences organizations rely on computer systems to ensure the safety and quality of therapies, medical devices, and other products throughout their development, trial, production, and distribution. Traditionally, this has been done through Computer System Validation (CSV), but now the U.S. Food and Drug Administration (FDA) is advocating for a new approach.

The FDA produced a draft guidance on Computer System Assurance (CSA) in September 2022 to help companies adapt CSV activities into streamlined, risk-based analysis that will speed up validation and encourage further innovation to benefit patients and customers.

At its core, CSA is a recommended process or set of processes that will streamline compliance to requirements currently met through CSV protocols. It is a more efficient risk-based approach to computer system validation aimed at reducing the burden of validation complex new technologies to foster increased technological adoption.

It focuses on:

  • Risk-Based approach to testing
  • Leveraging vendor tests and evidence in validation
  • Scaling testing to meet the need (i.e., unscripted or ad-hoc testing)

On-Demand Webinar: Leveraging Supplier Activities and Testing Under CSA

Watch this webinar to hear Kneat’s CSA expert, Darren Geaney, explain how to effectively leverage Supplier Activities so you can take advantage of CSA’s benefits without exposing your company to risk.


Why the FDA Recommends Computer Software Assurance

Computer Software Assurance for Production and Quality System Software draft guidance comes from a multi-year collaboration between the FDA and industry.

Following the launch of their ‘Case for Quality’ initiative in 2011, the FDA was uncertain why so few companies were investing in automated solutions and why so many continued to run long-outdated versions of software.

The initiative, which set out to study quality best practice in medical device manufacturing, found that a combination of the perceived regulatory burden of Computer System Validation (CSV), a lack of clarity, and outdated compliance approaches deterred investment in new technologies and the implementation of automated systems and as a result, inhibited quality best-practice.

In short, traditional CSV required too much testing and too much documentation to warrant increasing the digital footprint in manufacturing. CSA is intended to foster adoption of technology so life sciences manufacturers can be efficient while still ensuring product quality and patient safety.

Requirements Under CSA

It’s important to note that CSA does not replace CSV, it’s simply a recommended approach to CSV that will be faster and less resource-intensive on already stretched compliance teams. At a high level, CSV is a regulatory requirement necessary to enter the U.S. market and CSA is the new proposed method of ensuring it. However, much of CSA is left up to individual company’s decision making, relying on critical thinking, subject matter expertise, and vendor engagement.

The CSA guidance was prepared by the Center for Devices and Radiological Health (CDRH) and the Center for Biologics Evaluation and Research (CBER) in consultation with the Center for Drug Evaluation and Research (CDER), Office of Combination Products (OCP), and the Office of Regulatory Affairs (ORA). This represents a meaningful cross-section of the life sciences industry. The International Society of Pharmaceutical Engineering (ISPE) has also updated its GAMP 5 guidance in relation to the FDA’s CSA guidance. The ISPE is a non-profit body of pharmaceutical engineering professionals. Its GAMP 5 guidance is the industry standard approach to computer system validation in pharmaceuticals.

What does all this mean? It suggests that CSA is positioned to become the industry standard for CSV but isn’t likely to be legally enshrined.

CSA Vs. CSV

Versus is the wrong way to look at comparing CSA and CSV. CSA compliments the requirement of Computer System Validation with a tailored approach designed to make life easier for validation teams without sacrificing compliance and safety. Still, it’s important to know how the two processes differ:

CSA represents a step-change in computer system validation, placing critical thinking at the center of the CSV process, as opposed to a traditional almost one size fits all approach, that has morphed into an activity that is being done primarily to secure evidence for auditors, rather than to assure the quality of systems being validated.

CSV (Computer System Validation) CSA (Computer Software Assurance)
A focus on creating documentary records for compliance A focus on testing for higher confidence in system performance
“Validate” everything (and miss higher risk areas) Risk-based “assurance”, applying the right level of rigor for a given level of risk to patient safety and/or product quality
Ignoring previous assurance activity or related risk controls “Take credit” for prior assurance activity and upstream/downstream risk controls
Focus on testing, not scripting. Use unscripted testing for not high-risk components

With the new approach, upwards of 80% of validation time is spent testing systems with a larger impact on quality and less time documenting all testing (regardless of risk to quality.)

CSA


How to Implement Computer Software Assurance

The FDA guidance is still considered in draft form and final guidance is expected. Steps may change based upon the final version, however, companies can begin implementing what we do know of CSA using the following steps:

1.

    • Identify the intended use of the in-scope software

2.

    • Determine the risk

3.

    • Determine the appropriate assurance activities

4.

    Establish the appropriate record

You can learn more about how to adopt Computer Software Assurance at your company in our guide.


About the Author

                                      

Darren Geaney, BEng, Kneat
A Computer Systems Validation specialist, Darren has over 23 years’ experience in software validation, providing right-sized computer system validation solutions to medical device companies. Knowledgeable in regulations FDA 21 CFR Part 820, 21 CFR Part 11, ISO 62304 and ISO 14971, Darren is ‘Lead Auditor’ accredited and experienced in supporting both internal and external audits (including FDA, IMB, TUV, and BSI).

Sign up to our Newsletter

Contact

Talk to us

Find out how Kneat can make your validation easier, faster, and smarter.
Start your paperless validation revolution by speaking to our experts.

Europe: +353-61-203826
U.S: +1 888 88 KNEAT
Canada: +1 902 706 9074