computer software validation, CSV, life sciences, FDA software validation

The term CSV (computer software validation) invokes nightmares and lost sleep for management at medical device, pharmaceutical and biotech manufacturers because it is such an arduous task and a huge cost to the business. But good news is, there’s a new approach – CSA (computer system assurance) – and its benefits are huge. Let’s break it down.

According to a recent Axendia research report, only 37% of life sciences companies have implemented or are currently piloting digital transformation technologies. Why is that? It’s often difficult and costly to change existing processes (or upgrade old disconnected systems) that have already been validated and proven to be effective. So, why change something that’s not broken?

FDA Validation History

Validation of software systems traces back to the mid-1970s when FDA officials proposed the validation concept to govern the quality of pharmaceutical products. In 1987, the FDA published its first “FDA Guidelines on General Principles of Process Validation” with a focus on documented evidence to provide assurances that a specific process would consistently produce a product that meets predetermined specifications and quality attributes.

In its General Principles of Software Validation; Final Guidance for Industry and FDA Staff the FDA calls computer system validation the “confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses, and that the particular requirements implemented through software can be consistently fulfilled.” The validation guidelines relate to hardware, software, peripherals, personnel and system documentation and manuals.

What is the Difference Between CSV and CSA?

In a recent webinar, Francisco Vicenty, Case for Quality program manager at the U.S. Food and Drug Administration, and Sandy Hedberg, Cloud Assurance QA/RA manager at USDM Life Sciences, talked about the differences and reasons behind this new guidance (expected FY22).

If you think of the 80/20 rule, the current CSV methodology has manufacturers spending 80% of their time documenting and only 20% of their time testing. The FDA wants to flip this so that 80% of a manufacturer’s time is spent on critical thinking and applying the right level of testing to higher-risk activities, while only 20% of their time is spent documenting (CSA methodology). This critical thinking should be focused on three questions:  

  • Does this software impact patient safety?  
  • Does this software impact product quality?  
  • Does this software impact system integrity? 

CSA is a framework designed to help manufacturers achieve CSV. CSA will provide clarity on the stance and methodology used to determine what is high risk and what is not, therefore minimizing misinterpretation by manufacturers. The clarification in the CSA approach flips the paradigm to focus on critical thinking (risk-based), assurance needs, testing activities and documentation, in that order.

Why is the FDA Making this Change?

Too much work is done for fear of regulatory punishment instead of fear of putting a poor-quality product on the market. For software not used in a product, manufacturers are referring to burdensome guidance that is more than 20 years old, trying to avoid FDA Form 483 observations and warning letters from FDA investigations and third-party consultants. Nothing should be done for fear of regulatory observations. Instead, the focus should be on testing for higher confidence in system performance and applying the right risk-based assurance rigor for a given level of risk to patient safety and product quality. The new CSA framework also enables manufacturers to “take credit” for prior assurance activity and upstream and downstream risk controls like vendor qualifications.

All eyes are on the FDA for the upcoming release of its new guidance document “Computer Software Assurance for Manufacturing, Operations and Quality System Software” expected in 2022.

FDA’s Current Validation Focus

The goal of the FDA’s current validation guidance is to ensure that medical device, pharmaceutical, and biotech manufacturers produce high quality products and that their manufacturing systems and software systems that support manufacturing will withstand rigorous testing and verification. And once tested and validated, this should not be changed. The qualification focus is on three areas:

  1. Installation qualification (IQ) – the vendor (i.e. QAD) installs and documents the software and trains users in its functionality. Traditionally, manufacturers installed software on local hardware using CDs and were required to write test scripts to validate these processes. However, today with SaaS based solutions, the onus is on software companies to provide “documented evidence” that the cloud-hosted software application(s) have been fully tested and validated to support a manufacturer’s facility, in the right location, and support the right users, etc.
  2. Operational qualification (OQ) – the manufacturer launches the software, users enter credentials and conduct basic business processes (e.g. open an invoice, process a manufacturing transaction, review inventory status, disposition quality events, following functional specifications from the user’s manual). Again, historically, the testing and validation process with regard to OQ is typically configured to support unique business processes and therefore requires custom test scripts. And in this case, on-site manufacturing validation expertise is required. However, as more and more companies move to SaaS platforms, manufacturers depend on software companies to provide more “out of the box” capabilities that leverage industry best practices.
  3. Performance qualification (PQ) – the manufacturer expands the use of the software functionality to support business operations that are unique to their business, and in this case, additional, customized test scripts for validation are required.

Is There Hope for CSA?

The goal for the new guidance is to encourage life sciences companies to accelerate the adoption of digital technologies and, as a result, develop and deliver higher quality medical technologies and therapeutics more quickly.

The good news is that we will see – and we’re already starting to see – an increase in the adoption of digital solutions. In fact, the Axendia report also cited 63% of manufacturers are already leveraging a modern cloud platform.

What’s the Impact for Software Vendors?

On the other side of the equation, it’s putting more onus on software vendors to create and provide more validation support, in the form of pre-validation test scripts, and proof of software testing frameworks and methodologies, security, training, certifications and the like. In addition, as more software applications move to the cloud, and SaaS systems become more common, manufacturers will need less customization and more out-of-the-box solutions.

Best Practices and Recommendations

Medical device and pharmaceutical manufacturers often ask how QAD supports validation of its software given the important role QAD Adaptive ERP, EQMS and Production Execution solutions provide in producing, testing, and delivering regulated medical equipment, diagnostics and therapies. Rest assured, QAD has a rigorous software development life cycle (SDLC) framework it uses to develop, test, and manage security of its software and cloud hosted solutions. In addition, it has a robust list of standard operating procedures (SOPs) that support enterprise wide processes, including:

  • Security
  • Qualification and change controls
  • Electronic records archival
  • Backup and recovery
  • Document controls
  • Employee qualification and training
  • Management controls
  • Supplier controls and qualification
  • New Arrival and Separation (NAS) Policy
  • Data archiving
  • Software installation
  • System change control
  • Disaster recovery

How Can I Validate QAD Digital Solutions?

QAD’s qualified IT environment delivers the infrastructure life sciences customers require to meet their software validation needs both today and for the future. QAD’s computer systems, hardware, software and networks used to operate QAD Adaptive ERP comply with appropriate standards and approved design intentions, and are capable of consistently operating within established limits and tolerances. QAD delivers a demonstrable state of control and regulatory compliance. The benefits of QAD’s cloud environment are many:

  • Reduced operating costs
  • Reduced risk
  • Reduced regulatory compliance burden
  • Increased security and data privacy protection
  • Stability and reliability
  • Rapid deployment

Where Can I Find Resources to Help with QAD Computer System Validation?

QAD works with partners and system integrators like Strategic Information Group (SIG) to deploy and validate their software applications. SIG has worked with hundreds of QAD Life Sciences customers across the globe, of all sizes, to support customer-specific validation requirements and provide validation guidance or turn-key implementation services. Their validation toolkit provides many of the required components including the computer system validation plan, functional requirements, operational and performance qualification protocols and test script, risk assessment, traceability matrix, among other items. 

Learn more about QAD’s digital transformation solutions for life sciences and QAD’s validation partner resources.

4 COMMENTS

  1. Thanks, Jennifer for sharing this info.
    I look forward to continual info on QAD-specific strategies for implementing CSA at Strategic Information Group (SIG).

    Best regards,
    Dr. Satyendra Kaith
    Sr. Business Consultant

LEAVE A REPLY