Navigating regulatory compliance: Understanding the impact of FDA's new Computer Software Assurance (CSA) draft guideline

Life sciences companies have been conducting Computerized System Validation (CSV) in accordance with the Food and Drug Administration (FDA) validation guidance. The objective is to ensure that systems employed in the manufacturing of regulated drug products and medical devices fulfill their intended purposes and adhere to data integrity requirements. For regulated companies, ensuring that computer systems meet the criteria for functionality, patient safety, product quality, and data integrity is imperative.

With the Computer Software Assurance (CSA) draft guideline the FDA expands on the outlined principles for software validation from the FDA’s Software Validation guidance and urges the industry to focus on the most relevant and thus risky items in their validation efforts. This is also true when it comes to assuring the reliability, security, and compliance of software systems used in the manufacturing process. Manufacturing execution system (MES) orchestrates and monitors various manufacturing processes (e.g., pharma, biotech, advanced medicine) and any software malfunction or security breach could result in severe quality control issues, regulatory non-compliance, and potentially harm to patients.

There are several key points that can be taken from the new guidance:

CSA: Streamlining safety and quality in software validation for regulated users

CSA encourages the regulated user to focus on the intended use of the software and consider the suppliers’ testing. This in turn should reduce their own tests to functionalities that are of high risk and are not fully covered by supplier testing , which means that these functions are required to ensure patient safety, product quality or data integrity of the process. CSA was created by the FDA together with the industry once it was determined that the currently used Computerized System Validation (CSV) interpretation was hindering innovation due to the high efforts applied for documentation and testing.

Streamlining Validation approach with Risk and Critical Thinking

The CSA guideline emphasizes a risk-based approach, urging the application of critical thinking to enhance the prioritization of potential hazards. Although the risk-based approach is not introduced with the CSA , it was seldom genuinely applied during validations , necessitating its renewed emphasis. Prioritizing risks enables a clearer distinction between hazards and minimizes the requirement to test every software function individually. This holds particularly true when considering change complexity (standard product vs. configured vs. customized) and process complexity in the risk calculation . The risk approach is, however, not exclusive to the testing, but should be applied to other aspects of the software lifecycle and documentation, e.g., documentation, formality.

Testing evolution: Partnering and critical thinking in compliance shift

The new guidance does not eliminate testing but redirects the regulated user's focus to the key aspects. It encourages increased reliance on supplier testing to minimize the necessity for independent testing . Critical thinking should guide the strategic use of vendor documentation. The guidance underscores that exhaustive testing is unnecessary, especially if the vendor has conducted thorough testing. Building a robust partnership with the supplier is crucial for effectively leveraging their testing efforts.

CSA's testing paradigm: Unscripted testing for enhanced software validation

The CSA guidance suggests a tailored approach to testing documentation, advocating flexibility based on risk levels. While documented scripted tests can be reserved for critical functions with impact on process and patient safety, a significantly reduced documentation approach - unscripted testing - is recommended for other identified hazards. Unscripted testing does not imply randomness but rather an open-ended, target-oriented approach, allowing for more focus on actual test execution over script creation and maintenance. This shift can draw the tester's attention to the real functionality , verifying the intended software use without need for the rigid and high maintenance test sequences. Unscripted testing provides flexibility and the potential to discover issues that would not have been identified with the pre-defined scripted tests. This should not imply that unscripted testing should fully replace scripted testing. It should be used in conjunction, so that the benefits of both types of testing can be used. The nature of the unscripted testing would require more highly skilled or experienced testers, as well as a detailed system use description with predefined acceptance criteria. Such an approach aligns successfully with agile frameworks across industries.

New technologies and the power of automated testing

Use of automated testing tools can be considered for the validation routines by the regulated users. However, careful consideration of the benefits is essential, where the implementation and maintenance efforts against the efficiency gained during execution are carefully assessed. Software suppliers rely heavily on automated testing and the advantage lies in the repeatability. Test automation is playing its strength in the re-execution of regression testing, e.g., for customizations. This underscores the importance of a robust internal change control process.

Körber's approach: CSA-aligned strategies, automated testing for efficient system changes

At Körber, we have aligned our recommended best practice validation strategies, validation documentation package, and project methodologies with the CSA guidance. We increasingly deliver our projects with the help of automated testing for customer specific system changes. In addition, we recommend leveraging our qualification testing, in order to reduce the need for functional testing by the regulated user and reduce their own testing and documentation efforts.

In our opinion, applying the CSA principles would mean using a risk-based assurance, in other words applying the right level of rigor for a given level of risk to patient safety, data integrity and product quality. This therefore reduces the efforts for script generation and maintenance, as only the high-risk aspects would require scripted testing. Less scripts would also mean a lower number of deviations related to script errors and incorrect configurations. As there are fewer documents to be created, released, and generally maintained, the subject matter experts can focus their attention on other aspects of the system implementation.

In order to facilitate our customers’ efforts for the validation of their MES solutions, Körber Pharma Software offers a holistic validation documentation package and validation services. The validation documentation package offers templates with pre-filled information that can be used as the basis for all needed validation documents. Our services range from turn-key to individual support. This offering can further reduce the overhead needed for the validation process of the MES.

Get in touch