In the pharmaceutical industry, computerized systems (hardware, software, processes) play a critical role in creating and managing data, producing products, and ensuring compliance with regulatory requirements. 21 CFR Parts 210 and 211 contain aspects which drive the need for computer system validation (CSV). Of course, there is 21 CFR Part 11 (electronic records and signatures) which also requires validation for the use of electronic records.
Often seen as a time-consuming and bureaucratic process that does not add value to the development or implementation of new software, computer system validation has long been a challenge for FDA regulated organizations. As a result, many manufacturers may not take CSV seriously and often cut corners. This can lead to serious problems, such as software errors that can impact the quality of products or the safety of patients.
In September 2022, the FDA released the Computer Software Assurance for Production and Quality System Software (CSA) guidance. The draft guidance provides recommendations for implementing risk-based CSA in the pharmaceutical industry. It emphasizes the importance of implementing CSA measures to ensure the security, availability, and reliability of computer systems and software used in GxP-regulated activities. It’s worth noting that this guidance was issued from the Center for Devices and Radiological Health but that the life science industry consensus is that the guidance can be leveraged by all “GxP” industries / organizations.
Applying a risk-based approach to validating a computer is easily the best way to meet the FDA’s requirement to validate a system for its intended use and the draft CSA guidance offers great information and examples on how to implement a process. The guidelines recommend that manufacturers adopt a risk-based approach to CSA, which involves identifying and assessing risks to computer systems and software and implementing appropriate controls to mitigate these risks.
One point on “CSV vs. CSA”: validating your computer system for its intended use is still the law. CSA should not be misinterpreted as a “get out of jail free” card for manufacturers who do not take CSV seriously. CSA still requires manufacturers to take steps to ensure the quality of their software. If manufacturers do not take CSA seriously, they could still be subject to FDA enforcement actions.
Let’s briefly consider an automation system – perhaps a Building Management System (BMS) – and how CSA concepts might be used. At Performance Validation, we use CSA concepts in automation CSV regularly. The process must start by developing a plan based on system risk and criticality. Without going into specifics on risk assessment, we can assume that the BMS is, overall, GxP applicable. However, there are likely functions that have direct impact, indirect impact, or no impact. One way to handle this scenario is to assign GxP applicability categories (direct, indirect, no impact) to the user requirements / functional requirements specification. This allows for separation to place sets of requirements into “buckets” for appropriate testing. One’s approach for an indirect requirement, for example, might be quite different than one that is direct impact. Further – assessing and identifying requirements / functions that are critical to product quality is a great way to scale the validation effort. For testing – one should definitely “take credit” for testing already being done by the software implementation team. For configuration and setup, there will be extensive testing performed to verify monitoring points are functional – for example. We will often find ways to use this testing as validation testing. An organization might call this testing commissioning but still leverage this commissioning testing in their overall qualification and validation effort. Certainly, utilizing CSA may require a paradigm shift in an organization; we have seen the need for procedural updates, for example to implement CSA. But the effort is most definitely worth it because of the efficiency gained by implementing CSA.
For those of us in the pharmaceutical industry that have used ISPE’s GAMP 5 for many years it’s good to know that CSA and GAMP 5 are very much aligned. In fact, ISPE has made it clear that the 2nd edition published in July 2022, explicitly addressed the FDA CSA guidance. The key differences in the GAMP second edition are:
- Risk-based approach. The second edition emphasizes a risk-based approach to computerized system validation, which means that companies should focus on validating the systems that pose the greatest risk to patient safety and product quality.
- Evolving approaches to software development. The second edition recognizes that software development is an evolving process, and it encourages companies to use iterative and incremental methods when appropriate.
- Increased use of software tools and automation. The second edition encourages companies to use software tools and automation to improve the quality and efficiency of computerized system validation.
- Increased importance of service providers. The second edition recognizes that many companies now outsource the development and maintenance of their computerized systems, and it provides guidance on how to manage these relationships.
- Emphasis on critical thinking. The second edition emphasizes the importance of critical thinking in computerized system validation. Companies should use their knowledge and experience to determine the appropriate level of validation for each system.
Overall, the second edition of GAMP 5 is a more flexible and risk-based approach to computerized system validation than the previous edition. Also, it provides companies with more guidance on how to use modern software development methods and tools, and it emphasizes the importance of critical thinking.
At Performance Validation, we have used CSA concepts for several years with our pharmaceutical clients. The guidance began surfacing in trainings, webinars, and articles around 2019. Immediately it became clear to us that the FDA was embracing a leaner method to CSV. From serialization, to building management/automation, to electronic quality management systems – putting greater focus on critical thinking and risk assessment has led to significant time and cost savings for pharmaceutical manufacturers we’ve worked with. CSA is a positive development that leads to more efficient and effective CSV programs.