CSV to CSA: the evolution of digital life science quality

Qualio

/@QualioHQ

Published: February 2, 2023

Open in YouTube
Insights

This video provides an in-depth exploration of the evolution of software validation in the life sciences industry, specifically focusing on the shift from Computerized System Validation (CSV) to Computer Software Assurance (CSA). Presented by Kelly Stanton, Director of Quality at Qualio, and featuring Sion Wyn, a GAMP 5 editor, the discussion highlights how regulatory bodies like the FDA are encouraging the adoption of digital tools by streamlining validation processes. The core message revolves around moving away from a fear-based, checkbox approach to compliance towards a critical thinking, risk-based methodology that prioritizes patient safety and product quality.

The presentation begins by establishing the historical context of computerized systems in drug establishments, tracing back to the "blue book" in 1983 and the General Principles of Software Validation guidance in 2002. It then critically examines the shortcomings of traditional CSV, which often led to redundant efforts, excessive documentation (like IQ/OQ/PQ), and ultimately stifled innovation due to the perceived time-consuming and laborious nature of validation. A poll revealed that nearly half of the audience was unfamiliar with CSA, underscoring the need for this discussion. The speakers emphasize that the old CSV approach often resulted in "mountains of paperwork" that did not necessarily improve quality, citing an example where 24% of medical device recalls are triggered by software faults, despite extensive validation efforts.

CSA is introduced as a paradigm shift that encourages critical thinking and a risk-based adoption of computerized tools. Sion Wyn clarifies that CSA is not a new set of requirements but rather a return to the original spirit of GAMP (Good Automated Manufacturing Practice), focusing on ensuring a system is "fit for intended use" and managing residual risks to patients and product quality. The FDA's 2022 guidance on Computer Software Assurance for Production and Quality System Software, along with the updated GAMP 5, are presented as key enablers of this change. The speakers detail a practical approach to CSA, which involves clearly defining intended use, performing a thorough risk assessment, determining appropriate assurance activities (which may include leveraging vendor documentation), and maintaining concise records of these activities. This methodology aims to reduce the burden of validation, especially for cloud-based, multi-tenant software, and allows companies to focus resources on high-risk systems that directly impact patient safety or product quality, rather than low-risk administrative tools.

Key Takeaways:

  • Shift from CSV to CSA: The industry is moving from traditional, often burdensome Computerized System Validation (CSV) to Computer Software Assurance (CSA), which emphasizes critical thinking, risk-based approaches, and efficiency in validating software for life sciences.
  • Regulatory Imperative for Digitization: Regulators like the FDA actively encourage life science companies to adopt modern digital tools and software, recognizing their potential to improve patient outcomes and product quality, provided they are appropriately assured.
  • Problems with Traditional CSV: CSV often led to redundant documentation (e.g., IQ/OQ/PQ), fear-driven compliance, stifled innovation, and a focus on "checkbox" adherence rather than genuine quality and patient safety.
  • CSA Aligns with GAMP's Original Spirit: CSA is not a new set of prescriptive rules but a re-emphasis of GAMP's foundational principles: ensuring a computerized system is fit for its intended use and managing risks to patients and product quality.
  • Focus on Patient and Product Quality: The primary objective of software assurance should be to protect the patient and ensure product quality, not merely to satisfy auditors or generate excessive documentation.
  • Risk-Based Approach is Paramount: Companies must differentiate between high-risk software (e.g., manufacturing controls, vigilance reporting) and low-risk software (e.g., document control, training systems) and tailor assurance activities accordingly, applying a "least burdensome" approach.
  • Intended Use as the Starting Point: The first step in CSA is to clearly define the software's intended use within the company's specific processes, which forms the basis for subsequent risk assessments and assurance activities.
  • Leverage Vendor Documentation: For commercial off-the-shelf or cloud-based, multi-tenant software, companies should heavily rely on the vendor's robust software development lifecycle (SDLC) documentation and automated testing results, rather than repeating tests.
  • IQ/OQ/PQ are Often Obsolete: The traditional IQ/OQ/PQ framework is often inappropriate for modern, agile software development and cloud environments, leading to non-value-added documentation. It remains suitable only for simple, linear computerized tools.
  • Global Applicability: While the discussion heavily features FDA guidance, the principles of CSA and GAMP are globally recognized, with European regulations (e.g., Annex 15, not Annex 11 for QMS tools) also aligning with a risk-based approach.
  • Automated Testing and Modern SDLC: Reputable software vendors utilize automated testing and modern SDLC processes (like agile), which provide continuous assurance far beyond a single, static validation effort by the customer.
  • Choose Forward-Thinking Vendors: Companies should partner with vendors who understand and advocate for CSA principles, providing relevant documentation and guidance, rather than those who perpetuate outdated, paper-heavy validation practices.
  • Eliminate Fear-Based Compliance: Moving to CSA allows auditors to focus on high-risk systems and value-added quality activities, fostering greater confidence in a company's quality management system.

Tools/Resources Mentioned:

  • GAMP 5: Good Automated Manufacturing Practice, updated in July (presumably 2022 or 2023).
  • GAMP Good Practice Guide: Enabling Innovation: A recommended document for re-tooling thinking about software risk.
  • FDA Guidance on Computer Software Assurance for Production and Quality System Software: Released September 13th, 2022.
  • ICH Q9: Guidance on Quality Risk Management.
  • Qualio: An EQMS (Enterprise Quality Management System) software tool supporting the life sciences industry.
  • Jira: Mentioned as an example of a system used for detailed documentation in modern software development lifecycle processes.

Key Concepts:

  • Computerized System Validation (CSV): The traditional, often prescriptive process of ensuring that computerized systems used in regulated environments meet their intended use and regulatory requirements.
  • Computer Software Assurance (CSA): A modern, risk-based approach to software validation that emphasizes critical thinking, efficiency, and focusing assurance efforts on areas that directly impact patient safety and product quality.
  • GAMP (Good Automated Manufacturing Practice): A series of guidelines for validation of automated systems in the pharmaceutical industry.
  • 21 CFR Part 11: FDA regulations on electronic records and electronic signatures.
  • GxP: Good "X" Practices (e.g., Good Manufacturing Practice, Good Clinical Practice, Good Laboratory Practice) – a set of quality guidelines for regulated industries.
  • IQ/OQ/PQ (Installation Qualification, Operational Qualification, Performance Qualification): Traditional validation phases often associated with CSV, borrowed from process validation.
  • Intended Use: The specific purpose and manner in which a software system is used within an organization's processes, forming the foundation for risk assessment in CSA.
  • Risk-Based Approach: A methodology that prioritizes and allocates resources for assurance activities based on the potential impact of software failure on product quality and patient safety.
  • Multi-tenancy: A software architecture where a single instance of the software serves multiple customers, with data logically segregated.
  • Agile Software Development: An iterative and incremental approach to software development, which often clashes with the linear nature of traditional CSV.

Examples/Case Studies:

  • Fatal Radiation Dose Incident: A historical case where a computer system issue led to fatal radiation doses in therapy, highlighting the critical need for software assurance.
  • Medical Device Recalls: Approximately 24% of medical device recalls are attributed to software faults, underscoring the ongoing challenges in software quality.
  • High-Risk Software Examples: Building management systems controlling cross-contamination, manufacturing equipment with software controls, in-process monitoring systems, product release/recall systems, pharmacovigilance/Adverse Event reporting systems, and systems central to regulatory submissions.
  • Low-Risk Software Examples: Quality Management System (QMS) tools for document control, training management, and general CAPA systems, where issues typically have an indirect rather than direct impact on patient safety or product quality.