Computer software assurance (CSA) is a risk-based adoption of IT tools that incorporates critical thinking to establish and maintain confidence that a software system is meeting its predetermined conditions. This is particularly important in manufacturing processes that rely on computers and automated processing systems. CSA determines the risk that a device may be compromised in terms of safety and/or quality and determines the appropriate level of assurance efforts and activities that may be required.
A comprehensive computer software assurance approach provides manufacturers with flexibility and agility by leveraging principles such as risk-based testing, unscripted testing, continuous performance monitoring, and data monitoring. These activities, combined with any software validation services performed by other entities such as developers and suppliers, help ensure that the software remains in a validated state consistent with regulatory requirements.
Software that is fit for its intended use and maintains a validated state should perform as intended, which is critical for ensuring that finished products are safe and effective and comply with regulatory requirements.
A risk-based framework is an effective approach for computer software assurance. It involves identifying and assessing risks associated with the software and determining appropriate controls to manage those risks. This framework should be applied throughout the software development and maintenance life cycle to ensure ongoing software quality and compliance with regulatory requirements.
The first step in adopting a risk-based CSA framework is to identify the intended use of the software. Software that is directly used as part of the production or quality system includes:
Software that supports the production or quality system includes:
To develop a risk-based hedging strategy, the U.S. Food and Drug Administration (FDA) recommends that manufacturers research the intended use of individual software features, functions, and operations. Manufacturers may choose to conduct different assurance activities for specific features, functions, or operations.
The risk-based approach to computer software assurance should be determined by evaluating the potential risks associated with software features, functions, or operations.
The FDA defines a software feature, function, or operation as having high litigation risk if its failure to function properly could lead to a quality issue that may jeopardize safety and increase medical device risk.
Examples of software features, functions, or operations that are generally high process risk:
The FDA considers a software feature, function, or operation to have low litigation risk if its failure to function as intended would not result in a foreseeable quality issue that compromises safety.
Examples of software features, function, or operations that are generally considered to have low process risk include:
Based on the risk result, assurance activities should be performed. These may include, but are not limited to, the following types of actions:
When establishing the objective evidence, the manufacturer must collect sufficient objective evidence to demonstrate that the feature, function, or operation of the software has been evaluated and is working as intended. In general, the record should include the following:
There are four essential phases to adopting a risk-based CSA approach:
In this initial phase, the stakeholders, IT, business, QA, and other teams that are involved in the computer software assurance process are engaged. This includes identifying and involving relevant personnel, teams, or departments who will be responsible for evaluating the software and its intended use. To achieve a successful stakeholder engagement, it is essential to conduct a thorough stakeholder analysis, create a comprehensive communication plan that utilizes various communication channels, maintain transparency throughout the project, actively listen to stakeholder feedback, and provide regular updates to keep stakeholders informed. By implementing these strategies, stakeholders can be effectively engaged and invested in the CSA transformation success.
Once the stakeholders are engaged, the next step is to assess the validation processes thoroughly and make recommendations. This involves conducting a comprehensive evaluation of testing methods, validation process, validation deliverables, standard operating procedures (SOPs), and any other relevant procedures.
After the assessment, the evaluation results should be aligned with the predefined criteria or standards. This step involves comparing the evaluation results with the established benchmarks, guidelines, or regulatory requirements and making necessary updates based on the assessment to the software validation life cycle. For example, updating the risk assessment approach by moving away from the traditional failure mode and effects analysis (FMEA) approach to the modern concept of computer software assurance.
The next step is to provide training or education to the relevant personnel who are impacted by the change in the approach to software validation. This may involve providing additional training on test script authoring guidelines, risk assessment procedures, and change management procedures. This training can be conducted using various methods like training videos or workshops instead of tradational training methods such as SOPs.
Once the stakeholders are trained on the updated software validation process and have gained sufficient confidence, the updated software validation procedures incorportaing the computer software assurance approach can be deployed into the business. It is crucial to establish a robust project management framework to ensure effective implemention of the CSA approach.
Monitoring the change effectiveness of the implemented computer software assurance approach goes beyond just process updates and training. It involves actively listening to members of the organization, acknowledging and addressing feedback and questions raised, and applying lessons learned. Encouraging the adoption of best practices is also essential.
In conclusion, the above roadmap presents a structured approach to implementing the FDA-prescribed computer software assurance approach.
Enjoying this blog? Learn More.
How Necessity Led to a New Validation Methodology and Innovative ToolDownload Now