Streamlining Medical Device Validation: A Risk-Based Approach to Computer Software Assurance

Computerized systems (hardware, software, and processes) play a critical role in the medical device industry. They are used to create and manage data, produce products, and ensure compliance with regulatory requirements. 

Computer system validation (CSV) is the process of ensuring that computerized systems meet their intended requirements and can consistently produce accurate and reliable results. CSV is a critical part of ensuring the quality and safety of medical devices. In September 2022, the FDA released the Computer Software Assurance for Production and Quality System Software (CSA) guidance for non-product software in the medical industry. One way to think of CSA is that it is an input to or a part of CSV. The guidance provides recommendations for implementing a risk-based approach to CSA. The guidance emphasizes the importance of implementing CSA measures to ensure the security, availability, and reliability of computerized systems used in medical device manufacturing and quality assurance. 

Here are some tips for implementing a risk-based approach to CSA: 

  • Identify the criticality of your computerized systems. Not all computerized systems are created equal. Some systems are more critical to the safety and quality of your products than others. Identify the critical systems and focus your CSA efforts on those systems. 
  • Assess the risks to your computerized systems. Once you have identified your critical systems, you need to assess the risks to those systems. Consider the potential impact of a system failure on the safety and quality of your products. 
  • Implement appropriate controls to mitigate risks. Once you have assessed the risks to your computerized systems, you need to implement appropriate controls to mitigate those risks. The controls you implement will depend on the specific risks to your systems. 
  • Monitor and review your CSA program. Your CSA program is not a one-time event. You need to monitor and review your program on an ongoing basis to ensure that it is effective. 

There is a wide range of product and non-product computerized systems that need to be validated, such as Manufacturing Execution Systems (MES), equipment control systems, electronic Quality Management Systems (eQMS), and Enterprise Resource Planning Systems (ERPs). Let’s look at how we approach an ERP CSV project at Performance Validation using CSA.

The project can be divided into a few steps: Assess, Plan, Design/Build, Test, Deploy, Support, and Retirement/Decommissioning. The most important step in the CSA process is assessment and planning. This is when the system is risk assessed and the path forward for the validation project is determined. All the benefits of adopting a risk-based CSV approach like CSA come from performing a comprehensive risk assessment. The assessment drives both the need for validation and how to approach it. The FDA CSA guidance is clear that greater emphasis needs to be placed on critical thinking here, so that the right amount of testing is performed and the right amount of evidence is gathered. One needs to gather the right stakeholders and subject matter experts to fully explore the risks and intended use of the system. Remember that we are validating the organization’s intended use of the system based on risk to product quality/patient safety. Keep this in mind as you set forth a CSA process and then use it in a CSV project.

In an ERP implementation, the Design/Build phase is a good opportunity to gather testing evidence that satisfies the overall validation project. The FDA wants organizations to take credit for testing and evidence that is already being performed and gathered, so look for ways to use your design and build testing. This is also the phase where requirements specifications are developed. At a minimum, a User Requirements Specification is good to create for documenting the intended use of the system and setting forth acceptance criteria for the ERP validation. However, don’t hesitate to use your risk assessment results to put “weight” on user requirements. That is, some requirements are simply more critical or high-risk than others. One can assign risk to requirements themselves, or to sets of requirements, to help scale the testing aspect of the validation. Testing should then focus on the intended use of the ERP. If CSA was truly used, time that was not available in a traditional CSV project should be freed up for more testing. Using only scripted testing in a CSV project because of antiquated CSV procedures limits the benefits gained by CSA. For example, a test script or Performance Qualification (OQ) traditionally only focuses on the “happy path”. But CSA allows for leveraging ad-hoc and unscripted testing, based on the risk and criticality of a function. Employing these testing tools will allow more software issues/bugs and/or business process issues to rise to the surface. Thus, more overall value will be garnered from the CSV project when using CSA.

The FDA’s CSA guidance is a positive development for the medical device industry. It provides manufacturers with a framework for implementing a risk-based CSA approach aligned with industry best practices, and it also shows manufacturers how to comply with FDA regulations.

If you manufacture medical devices, you should consider implementing CSA. Doing so can help improve the quality and safety of your products, reduce your risk of product recalls, and improve your compliance with FDA regulations. 
