Posted by Rich Lauwers ● 4/30/20 9:15 AM
FDA Promotes Shift from Software Validation to Computer Software Assurance (CSA)
If you've ever managed a computer software validation project, you're undoubtedly familiar with the notably ambiguous guidance from the U.S. Food & Drug Administration (FDA) on how to ensure your systems are operating as required. For example, take a look an excerpt below from the FDA's Principles of Software Validation (Section 4.7):
“Due to the complexity of software, a seemingly small local change may have a significant global system impact. When any change (even a small change) is made to the software, the validation status of the software needs to be re-established.”
As you can see, this "guidance" is quite vague, which makes the FDA's requirements for validation seem almost impossible.
The FDA has recognized that this ambiguity, along with trying to avoid being too prescriptive, has led organizations to adopt a far too conservative approach with the IT and business systems that support their product development activities.
Enter the Computer Software Assurance (CSA) approach.
What's the latest news from the FDA about computer software assurance?
Recently, I attended a USDM webinar about software assurance and how it will change the approach many organizations employ for software validation. During the webinar, presenters clarified the confusion around testing requirements, IT automation, “quality culture,” risk, and -- last but not least -- the critical-thinking mindset the FDA wants to establish throughout the industry.
Let’s take a look at some of the FDA’s more notable takeaways from the webinar:
- Moving from validation to assurance. As you can see in the slide below, the industry has been focusing on a “compliance mindset,-” -- treating everything equally for the sake of the auditors. This creates significant overhead and potential blind spots. The notion that you ‘should’ be taking a risk-based approach in which you test each requirement appropriately based on its classification should apply. In some cases, a simple test can be appropriate, while in others that are high-risk/high-impact, you might consider “negative testing” to be sure certain processes can account for different failure modes. Finally, the idea that by testing a higher-level process will automatically qualify the underlying systems will save you a tremendous amount of time. Think of all the time spent qualifying server installation, OS installation, application, and database setup.
- Cultural barriers. In my opinion, the cybersecurity callout here might be the most profound, given today’s technology environment. You can only guess what the FDA was thinking back in 1997 when this guidance was first published.
It’s not all bad news, however. Several of the presented FDA-sponsored case studies illustrated that organizations that have implemented the new CSA approach have seen significant time-to-value improvements -- not only in testing, but also in product development.
Also, due to the COVID-19 crisis, a culture shift is starting to take place. We’re more dependent on the Internet, IT, and cloud systems than ever before. This is the perfect opportunity to rethink how things have been done -- not only with regard to software validation but in all aspects of operations.
What is the FDA’s new guidance for computer software assurance?
The new FDA guidance will focus on non-product quality systems such as bug tracking, document management, and lifecycle management systems. The FDA specifically uses the language “any software that is not directly used in a medical device, medical device as a service, or end-product.”
Although the FDA’s new guidance is due for release in September 2020, I’m anticipating that the COVID-19 crisis might delay that date, given the FDA’s resource allocation.
That being said, they’re clearly advocating that an organization can (and should) take these principles into consideration and use them to modernize their legacy quality systems and programs now.
How do vendors fit in?
Vendors play an important role for companies that produce FDA-regulated products. However, it’s important to keep in mind that vendors are not ultimately accountable to the FDA regulations.
It’s important to select vendors that have a proven track record of quality and can support your organization. How mature is their SDLC? Do they have any industry certifications like ISO, SOC, or FedRAMP? Establish a good vendor qualification process to ensure you find one familiar with the operating environment of your specific highly-regulated industry.
The bottom line
The FDA is providing a fresh breeze of new guidance that organizations should immediately embrace. The paradigm is shifting to automated testing and critical thinking, which ultimately will drive better patient outcomes and faster time to market.
AODocs Cloud QMS for Life Sciences
AODocs for Life Sciences is a Quality Management platform for organizations to confidently build their Quality Program and reduce the cost of Computer System Validation & Assurance (CSV&A) while accelerating time to deliver business solutions.
Do you prefer video? Watch the Introducing AODocs for Life Sciences webinar