FDA’s Transition From Computer System Validation To Computer Software Assurance
Kathleen Warner, Ph.D., RCM Technologies, reports in the recent issue of meddeviceonline.com about FDA`s transition from Computer System Validation to Computer Software Assurance:
“The FDA regulation 21 CFR Part 11 in 1997 and the related guidance of 2003 paved the road to implementation of computer system validation (CSV) by life sciences companies.
As pharmaceutical companies perfected their business processes and became more efficient in validating computer systems, the piles of documentation continued to grow without significant quality benefits. The focus was on speed, documentation accuracy and completeness, inspections, audits, and complying with the regulation.
In 2011 the Center for Devices and Radiological Health (CDRH) initiated the Case for Quality, a new program that identified barriers in the current validation of software in medical devices guidance (released in 2002). Now, CDRH — in cooperation with the Center for Biologics Evaluation and Research (CBER) and the Center for Drug Evaluation and Research (CDER) — is preparing to release new guidance, Computer Software Assurance for Manufacturing, Operations and Quality Systems Software, in late 2020.
This new guidance will provide guidelines for streamlining documentation with an emphasis on critical thinking, risk management, patient and product safety, data integrity, and quality assurance. Even though this guidance is being developed for the medical device industry, the FDA has indicated it should be considered when deploying non-product, manufacturing, operations, and quality system software solutions such as quality management systems (QMS), enterprise resource planning (ERP) systems, laboratory information management systems (LIMS), learning management systems (LMS), and electronic document management systems (eDMS). As such, the guidance will be applicable to research and development (R&D), clinical, laboratory, and other groups within pharmaceutical, biopharmaceutical, and medical device companies that are currently meeting the regulations for electronic records and electronic signatures (ERES)1 and computer system validation (CSV).2
As the digital world evolves, new technologies, including automation and artificial intelligence (AI), are hitting the marketplace and focusing on quality through unscripted and automated testing and smart applications. This paper describes how computer system validation (CSV) is performed today, introduces the concept of computer software assurance (CSA), and discusses how CSA can refocus validation on what’s important in the new world of digital technologies.
Computer System Validation is the process of achieving and maintaining compliance with the relevant GxP regulations defined by the predicate rule.3 Fitness for intended use is achieved by adopting principles, approaches, and life cycle activities. The validation methodology determines the framework to follow in developing the validation plans and reports and applying appropriate operational controls throughout the life cycle of the system.
CSV is typically performed following the standard operating procedures (SOPs) for the software development life cycle (SDLC) and the CSV, respectively. According to GAMP 5, the computerized system validation methodology comprises four distinct life cycle phases: Concept, Project, Operation, and Retirement.
- Concept Phase: During this phase, activities are initiated to justify project commencement.
- Project Phase: During this phase, the overall system is implemented and tested according to preapproved documents. The SDLC includes, but is not limited, to the following: validation methodology and plan, requirements, software documentation and test plans, traceability matrix, and summary reports.
- Operation Phase. During this phase, routine, day-to-day activities associated with the system (as defined in user manuals, SOPs, work instructions, etc.) are performed and include, but are not limited to, the following: backup and restore, disaster recovery, change management, incident/deviation management, access and security management, and periodic review.
- Retirement Phase. During this phase, the system is no longer used, needed, or operational and is at the end of its life cycle. A retirement/decommissioning plan is developed to document the approach and tasks to manage the data and records.”
Please find the complete article here.
Please get in touch with us: