The FDA vision is that all patients have access to high-quality, safe, effective medical technologies. For this to happen, the regulatory framework has to adapt and respond to enable medical devices manufacturers to innovate quickly and
continuously improve.
Currently, the life science industry awaits the publication of the FDA’s guidance document on ‘Computer Software Assurance for Manufacturing and Quality System Software’.
The new guidance for medical device manufacturing will shift the primary focus from regulatory compliance to quality assurance, patient and product safety, and data integrity.
Why the FDA wants to change from CSV to CSA?
Historically, companies regulated by the U.S. Food and Drug Administration (FDA) have had to undertake extensive validation to prove their software and systems are performing correctly and are compliant with regulatory requirements – a process known as Computer System Validation (CSV).
However, following the 2011 ‘Case for Quality’ initiative, the FDA’s Center for Devices and Radiological Health (CDRH) revealed that the FDA’s compliance requirements did not ensure uniformity in device quality across the industry.
For instance, a device could be regulatory compliant and low quality; conversely, it could be high quality yet non-compliant and therefore non-marketable. It became clear to the FDA that compliance was not enough to ensure quality.
In addition, CSV, as it is applied today, with its primary focus on compliance, has slowed the uptake of and investment in new automated solutions and technologies within Life Sciences compared to other manufacturing industries. CSV has become a tool to create excessive documentation purely for audit purposes leading to lengthy validation cycles and increased costs.
To balance the degree and complexity of its regulations, promote automation, and value-added CSV activities, the FDA’s upcoming guidance aims to place critical thinking at the centre of the CSV process – an approach known as Computer Software Assurance (CSA)
What is Computer Software Assurance (CSA)?
Computer Software Assurance is a risk-based approach to computerised systems that is quality-focused and patient-centric. It encourages critical thinking based on product knowledge and the direct or indirect risks to the patient.
The new CSA approach aims to reduce unnecessary documentation (created solely for the sake of audit readiness), ensure the software is fit for purpose, and focus on the primary patient risks with concise testing.
Historically, regulated companies reproduced documentation and functionality testing on out-of-the-box software when an audited or trusted vendor had already completed it
The new guidance accepts good quality vendor validation documentation and focuses on testing areas that directly impact patient safety and device quality.
The CSA risk-based approach will also be more flexible regarding what constitutes acceptable records of test results. The type of documentation required will depend on the patient risk level and hence the level of testing:
| Risk-based Assurance Process | ||
|---|---|---|
| Risk | Impact | Assurance Method |
| High | Directly impacts product quality or patient safety (e.g., product inspection and disposition; product labelling) | Scripted testing (similar to CSV today) |
| Medium | Indirectly impacts product quality (e.g., complaint management, lifecycle management tools, document control) | Unscripted testing |
| Low | Not high or medium risk (e.g. potentially a business risk rather than product or safety) | Ad-hoc testing |
How do the different levels of testing and documentation differ from traditional CSV?
As we have already mentioned, traditional CSV focuses on documentation, manual testing and evidence gathering. This robust, scripted test approach has been applied to everything regardless of whether it was a high (direct), medium (indirect) or low-risk system or feature. A process that is not only time consuming but expensive.
CSA Testing
Scripted testing is what we recognise as traditional CSV testing. It contains test objectives, step-by-step test procedures, expected results and a pass/fail. Scripted testing will continue to be used for high-risk systems where the software directly impacts the product or patient safety.
It may seem obvious, but a detailed test script does not drive unscripted testing. There is more freedom to set test objectives and no set procedure to follow. Unscripted testing is used for medium-risk systems where the software does not directly impact the product or patient safety but impacts product quality.
Ad-hoc testing is similar to unscripted testing but may take the form of exploratory tests that don’t require any pre-approved protocols. This type of testing is ideal for low-risk systems.
What does this mean for Life Sciences?
Could this be the end of arduous validation processes for life sciences?
CSA aims to:
- reduce validation cycle time,
- critically analyse the need for testing and detail of documentation based on level of risk
- reduce the amount of scripted testing
- reduce the overall amount of documentation
- focus testing on the assurance of quality and safety
- utilise trusted vendor validation
- support companies to develop automation
The new guidance could see the uptake of and investment in new automated solutions and technologies. Innovation could be reborn. And with the support and advocacy of the FDA, industry stakeholders will be able to develop high-quality products, ultimately benefiting the patients who use them.
How can you prepare to transition from CSV to CSA?
As we wait for the new CSA guidance to be published, the FDA advises companies to consider the new CSA principles proactively:
Develop a Transition Plan – Identify the way forward and document this, along with roles, responsibilities, deliverables, and measured outcomes. Establish metrics, data collection, and risks.
Perform CSV Assessment – Adapt your CSV assessment using the FDA’s future CSA guidance to ensure you focus on assuring quality, patient and product safety, and data integrity. Pilot new methodologies on a small scale.
Develop your team – Moving to CSA could be a cultural change compared to your current CSV approach. Help your team to understand and embrace CSA:
- a) Critical thinking
- b) Risk-based approach
- c) Validation framework and documentation
Leverage automated testing /continuous data monitoring tools – streamline assurance activities that the new guidance supports to help you focus on quality assurance, patient and product safety, and data integrity.
If you would like further information or help to get the ball rolling, give us a call or drop us an email