Adopting Computer Software Assurance: Breaking Down the Software Validation Barrier to Innovative Technologies

In the past, validating computer software for automated processes has been a cumbersome, paperwork-intensive task with limited practical benefits. Excessive paperwork and inadequate validation methods have often led to inefficiency and ineffectiveness. However, today, the FDA recognizes that embracing digital capabilities enables manufacturers to reduce errors, optimize resources, and enhance patient safety. Here we explore how a shift from traditional Computer Software Validation (CSV) to a more efficient Computer Software Assurance (CSA) approach can break down barriers to innovation and encourage manufacturers to leverage software and automation for improved product safety.

Regulatory Requirements for Non-Product Software

Non-product software used to automate production or quality systems must be validated as required by U.S. FDA and international requirements. The main sources for this requirement for the medical device industry in the United States and internationally are:

• 21 CFR 820.70(i) – Quality System regulation: Automated Data Processing Systems
• ISO 13485:2016* – Sections: 4.1.6, 7.5.6, and 7.6: Validation of software implementing Quality System

Industry interpretation of CSV requirements has evolved over the years based on third-party guidance and standards, such as GAMP5, FDA inspections, third-party audits, and consultants. The main elements typical in a traditional computer software validation are as follows:

• User Requirements Specification (URS)
• Risk Assessment
• Functional Specification
• Master Validation Plan
• Installation Qualification (IQ)
• Operational Qualification (OQ)
• Performance Qualification (PQ)
• Traceability Matrix
• Change Control
• Validation Documentation
• Master Validation Report
• Periodic Review and Maintenance

Shortcomings of Past Compliance Methods

Previously, the industry prioritized compliance over patient safety, relying on an extensive and rigid approach. However, the FDA, in collaboration with industry experts, acknowledges the shortcomings of this approach. Rather than enhancing patient safety, it has resulted in unintended negative outcomes with the following issues emerging:

• Decreased Software Validation Effectiveness: Paper-heavy approaches hamper validation, leaving little room for testers to evaluate software critically. Many deviations result from test script errors instead of genuine software flaws.
• A Barrier to Technology Adoption: Strict validation requirements discourage many, especially smaller companies, from embracing automated processes. They are stuck with outdated systems, missing out on the benefits FDA acknowledges: improved device design, risk monitoring, and product safety over the lifecycle.

New FDA Guidance That Aids in Technology Adoption

Due to the potential for automated process technologies to provide significant benefits for enhancing the quality, availability, and safety of medical devices, FDA has undertaken several efforts to foster the adoption of these technologies. The output of these efforts is the “Computer Software Assurance for Production and Quality System Software” draft guidance. This guidance seeks to provide specific steps on how to ensure computer software functions as intended using an approach that utilizes only the activities commensurate with the risk of software impacting patient safety.

The steps to determine risk and identify assurance activities are defined as follows:

1. Identify the Intended Use of the Software

Determine whether the software is intended for use as part of the quality system or production process.

2. Determine the Risk-Based Approach

• High Process Risk: FDA considers a software feature, function, or operation to pose a high process risk when its failure to perform as intended may result in a quality problem that foreseeably compromises safety.
• Low Process Risk: FDA considers a software feature, function, or operation NOT to pose a high process risk when its failure to perform as intended would not result in a quality problem that foreseeably compromises safety.

3. Determine the Appropriate Assurance Activities

Based on the Process Risk in Step 2, determine the appropriate assurance activities.

• High Process Risk includes activities like the traditional validation approach described in the section above including robust scripted testing.
• Low Process Risk may include reduced activities scaled back as appropriate including unscripted or ad hoc testing.

4. Establish the Appropriate Record

• High Process Risk Software generally requires a more detailed pre-approved test plan and/or protocol(s) and test report(s).
• Low Process Risk Software generally requires either a high-level test plan or no test plan and a test record documenting the results of ad hoc or unscripted testing (no pre-approved test protocol).

The MEDIcept white paper FROM CSV TO CSA: ARENA QMS CASE STUDY provides more detail on the above steps, using Arena PLM as an example to display the computer software assurance approach.

CSV to CSA: A Streamlined Regulatory Future

Computer software validation has been a barrier to adopting innovative technologies that can help medical device manufacturers improve product development and quality processes. Companies like Arena provide software validation to help customers simplify and speed validation. However, collaborative efforts with the FDA have shifted the focus from compliance to prioritizing patient safety, allowing manufacturers to minimize their existing validation efforts even further. This shift reduces validation time, allowing companies to welcome software solutions that streamline processes, enhance efficiency, and create safer products. This evolution empowers organizations to confidently embrace innovation, ensuring swift market entry with the highest standards of safety and quality.

While the FDA’s CSA guidance document remains in draft form, the time is ripe to move from CSV to CSA. Employing a risk-based validation approach has always been an accepted strategy, with the CSA guidance now offering added insights into how to effectively leverage risk to justify your chosen approach.

MEDIcept and Arena, a PTC Business, have partnered to produce a complete Arena Validate package to help apply the computer software assurance approach. In addition, MEDIcept has utilized the CSA approach for many clients; we would love to assist you with your Arena validation needs and help you in your transition toward the CSA approach. Contact us today at [email protected].

About MEDIcept

MEDIcept is an international medical device, IVD, combination product, and biotechnology compliance consulting firm. For over 27 years, our unique consulting practice has assisted thousands of companies of all sizes with cost-effective Regulatory, Quality, Clinical, Auditing, and Educational services. Our experienced team of former FDA, Notified Body, and industry experts will work with you to efficiently develop or remediate a quality system, create a regulatory strategy, or establish a clinical trial, to meet your specific needs.