GxP Lifeline

Embracing and Implementing Computer Software Assurance Guidance


Computer software assurance best practices.

Computer software assurance (CSA) is a risk-based adoption of IT tools that incorporates critical thinking to establish and maintain confidence that a software system is meeting its predetermined conditions. This is particularly important in manufacturing processes that rely on computers and automated processing systems. CSA determines the risk that a device may be compromised in terms of safety and/or quality and determines the appropriate level of assurance efforts and activities that may be required.

A comprehensive computer software assurance approach provides manufacturers with flexibility and agility by leveraging principles such as risk-based testing, unscripted testing, continuous performance monitoring, and data monitoring. These activities, combined with any software validation services performed by other entities such as developers and suppliers, help ensure that the software remains in a validated state consistent with regulatory requirements.

Software that is fit for its intended use and maintains a validated state should perform as intended, which is critical for ensuring that finished products are safe and effective and comply with regulatory requirements.

A risk-based framework is an effective approach for computer software assurance. It involves identifying and assessing risks associated with the software and determining appropriate controls to manage those risks. This framework should be applied throughout the software development and maintenance life cycle to ensure ongoing software quality and compliance with regulatory requirements.

The Computer Software Assurance Risk Framework

The first step in adopting a risk-based CSA framework is to identify the intended use of the software. Software that is directly used as part of the production or quality system includes:

  1. Software designed for automating production processes, inspection testing, or collection and processing of production data.
  2. Software intended for automating quality system processes, collection, and processing of quality system regulation.

Software that supports the production or quality system includes:

  1. Software intended as development tools for testing or monitoring software systems or automating testing activities for software used in production or quality systems, including the development and execution of scripts.
  2. Software for automating general record-keeping that is not part of the quality record.

To develop a risk-based assurance strategy, the U.S. Food and Drug Administration (FDA) recommends that manufacturers examine the intended use of individual software features, functions, and operations. Manufacturers may choose to conduct different assurance activities for specific features, functions, or operations.

Determine the Risk-Based Approach

The risk-based approach to computer software assurance should be determined by evaluating the potential risks associated with software features, functions, or operations.

The FDA defines a software feature, function, or operation as having high process risk if its failure to function properly could lead to a quality issue that may jeopardize safety and increase medical device risk.

Examples of software features, functions, or operations that are generally high process risk:

  • Maintain process parameters (e.g., temperature, pressure, or humidity) that affect the physical properties of product or manufacturing processes that are identified as essential to device safety or quality.
  • Measure, inspect, analyze and/or determine acceptability of product or process with limited or no additional human awareness or review.

The FDA considers a software feature, function, or operation to have low process risk if its failure to function as intended would not result in a foreseeable quality issue that compromises safety.

Examples of software features, functions, or operations that are generally considered to have low process risk include:

  • Collecting and recording data from the process for monitoring and review purposes, which do not directly impact production or process performance.
  • Being used as part of the quality system for routing corrective actions/preventive actions (CAPAs), automated logging/tracking of complaints, automated change control management, or automated procedure management.

Determine Appropriate Assurance Activities

Based on the risk result, assurance activities should be performed. These may include, but are not limited to, the following types of actions:

  1. Unscripted Testing: This involves dynamic testing where the tester’s actions are not strictly guided by written test cases. It can include ad-hoc testing, error-guessing, and exploratory testing.
  2. Scripted Testing: This involves dynamic testing efforts where the tester’s actions are guided by instructions written in test cases. Scripted testing can be further categorized into robust scripted testing and limited scripted testing.

Establish the Proper Record

When establishing the record, the manufacturer must collect sufficient objective evidence to demonstrate that the feature, function, or operation of the software has been evaluated and is working as intended. In general, the record should include the following:

  1. The intended use of the software feature, function, or operation.
  2. The determination of risk of the software feature, function, or operation.
  3. Documentation of the assurance activities conducted.

4 Steps to Implementing a Computer Software Assurance Approach

There are four essential phases to adopting a risk-based CSA approach:

  1. Engage

     In this initial phase, the stakeholders, IT, business, QA, and other teams that are involved in the computer software assurance process are engaged. This includes identifying and involving relevant personnel, teams, or departments who will be responsible for evaluating the software and its intended use. To achieve successful stakeholder engagement, it is essential to conduct a thorough stakeholder analysis, create a comprehensive communication plan that utilizes various communication channels, maintain transparency throughout the project, actively listen to stakeholder feedback, and provide regular updates to keep stakeholders informed. By implementing these strategies, stakeholders can be effectively engaged and invested in the success of the CSA transformation.

  2. Assess and Align

     Once the stakeholders are engaged, the next step is to assess the validation processes thoroughly and make recommendations. This involves conducting a comprehensive evaluation of testing methods, the validation process, validation deliverables, standard operating procedures (SOPs), and any other relevant procedures.

     After the assessment, the evaluation results should be aligned with the predefined criteria or standards. This step involves comparing the evaluation results with the established benchmarks, guidelines, or regulatory requirements and, based on the assessment, making the necessary updates to the software validation life cycle. One example is updating the risk assessment approach by moving away from the traditional failure mode and effects analysis (FMEA) approach to the modern concept of computer software assurance.

  3. Training

     The next step is to provide training or education to the relevant personnel who are impacted by the change in the approach to software validation. This may involve providing additional training on test script authoring guidelines, risk assessment procedures, and change management procedures. This training can be conducted using various methods like training videos or workshops instead of traditional training methods such as SOPs.

  4. Release and Continuous Improvement

     Once the stakeholders are trained on the updated software validation process and have gained sufficient confidence, the updated software validation procedures incorporating the computer software assurance approach can be deployed into the business. It is crucial to establish a robust project management framework to ensure effective implementation of the CSA approach.

     Monitoring the change effectiveness of the implemented computer software assurance approach goes beyond just process updates and training. It involves actively listening to members of the organization, acknowledging and addressing feedback and questions raised, and applying lessons learned. Encouraging the adoption of best practices is also essential.

In conclusion, the above roadmap presents a structured approach to implementing the FDA-prescribed computer software assurance approach.


Uday Veera is the director of CSV/CSA at Namo Solutions. Uday is well renowned for leading the development, execution, modification, and practice of computer system validation standard operating procedures (SOP) and information technology (IT) GxP procedures based on current regulations and industry standards. Uday’s applications and implementation expertise of GxP Systems includes: LIMS (Thermo Fisher, LabVantage), QMS (ETQ, Trackwise, MasterControl, Compliance Quest), MES (POMSnet, Apriso), CDM (Veeva), eDMS (Opentext, Oracle), Business Intelligence (Power BI, Cognos, Microstrategy), JIRA, and HPLM.

