08 Feb CSA vs CSV: FDA’s New Guidance for Software Assurance
A guidance topic currently in draft from the Center for Devices and Radiological Health (CDRH) titled ‘Computer Software Assurance for Manufacturing, Operations, and Quality System Software’ aims to change the paradigm on how computer system validation is performed. Many people and organisations in the industry speculated regarding the way to decrease the needed compliance work and starting to advocate for “critical thinking”.
The regulated users have to find adequate answers for many challenges regarding the required digital transformation: e.g. from electronic document workflow using electronic signatures until the implementation of artificial intelligence and Pharma 4.0 solutions, over better integration of automation in both production as well as laboratory areas and the use of Agile project approaches.
When validating a system, in some cases, a simple test can be appropriate, while in others that are high-risk/high-impact, you might consider “negative testing” to be sure certain processes can account for different failure modes. Finally, the idea that by testing a higher-level process will automatically qualify the underlying systems will save you a tremendous amount of time. Think of all the time spent qualifying server installation, OS installation, application, and database setup.
With the CSA approach, there will be more flexibility when it comes to assurance approach and acceptable records of result and this is based on the risk level. This varies from ad-hoc testing (only a summary document is required) up to robust scripted testing like we use today.
The release of the CSA guidelines will support companies who have taken the path to automation, and will definitely lead to lower patient risks and higher quality medicine.
CSA vs CSV: FDA’s New Guidance for Software Assurance
“Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction and skillful execution; it represents the wise choice of many alternatives.” William A. Foster
Regulations exist all over the world for the protection and safety of consumers. They serve a vital purpose in economies and societies and are depended on by practically every individual in the world in some way, shape or form. Without any or with little regulations, consumers would be at a great risk, with their safety jeopardized and no way of determining whether or not a product is able to perform as marketed. On the other end of the spectrum, with extremely complex and highly mechanical regulations, manufacturers would lose the incentive to innovate and introduce newer and better products to the market, and as modern manufacturing and Industry 4.0 are all about automation, fast innovation and even faster introduction to market are imperative to progress.
When it comes to products directly affecting the health and well-being of a consumer, the regulations generally become more stringent, as the quality of the product and safety of the patient are paramount. The medical device (or Medtech industry) is subjected to such stiff regulations and must meet and comply with the FDA’s guidelines in order to market and sell their products in the USA and abroad.
FDA regulations are considered to be benchmarks globally, and are often mimicked and imposed around the world and in developing nations, especially if those countries expect to do business with the US. This places even more burden on FDA to keep modifying its norms and guidelines and to keep abreast of technological advancements, while maintaining a level of compliance that is achievable within the timeframes and still providing the overarching consumer protections.
The new industrial revolution, Industry 4.0, focuses on digital transformation through technology. It relies heavily on the manufacturer’s and their supply chain partners’ ability to leverage vital information, derived from the shop floor and in the value chain through an interconnected IT infrastructure, to capture data and add context and value to it, and subsequently use this enriched information to enable process improvements, higher production efficiencies, cost savings and innovation. The results are better, higher quality products, developed and brought to market more efficiently and expediently, with the lowest possible costs, leading both to higher profitability and continued customer satisfaction and loyalty.
The FDA’s general view of automation is basically a “green light” for companies. The agency encourages the use of automation, their tools, and underlying IT solutions. Because, at the end of the day, automation provides advantages by reducing errors in testing, optimizing the usage of resources, and ultimately reducing patient risk.
CSV vs CSA
The FDA too, in trying to balance the degree and complexity of its regulations, have taken note of the demands the modern industrial revolution places on manufacturers and amended its 1997 General Principles of Software Validation to a more modern and Industry 4.0-friendly guideline called CSA (Computer Software Assurance).
The CSA ‘represents a step-change in computer system validation, placing critical thinking at the center of the CSV process, as opposed to a traditional ‘one size fits all’ approach.’ CSA helps manufacturers achieve CSV.
As we move along we will explain what changes occur with CSA and how it may benefit the manufacturer with the right IT infrastructure and specifically, with the right MES both to comply with CSA guidelines and to facilitate the transition from CSV to CSA without hampering the speed of Industry 4.0 adoption.
Both CSV and CSA oversee the deployment and use of ‘software not used in a product.’ This means that it is software not directly used in a medical device, medical device as a service or end product. It includes all of the software used in manufacturing, operations and quality systems activities that follow the 21 CFR Part 820 guidance.
Let’s first spend a few moments in understanding CSA’s predecessor CSV. As the name suggests the guideline is focused on the documentation and validation of the software being used in regulated life sciences manufacturing. It governs a ‘fitness for intended use’ by adopting principles, approaches, and life cycle activities. There is a validation methodology that includes plans, reports and is governed by standard operating procedures (SOPs).
CSV takes the approach of creating elaborate documentation, which ensures auditors have a detailed overview of each and every aspect of the application being used for manufacturing the product. While testing all aspects of the software and validating its effectiveness were primary objectives of the CSV guidelines, it became more intrinsically focused on documentation and as a result was perceived as a deterrent to investing in more automated solutions. Rather than a boon for life sciences manufacturing, it became a bottleneck and a burden.
How would MES evaluations fit into CSV? Since MES is a dynamic environment, during validation developers pay extra attention to assessing the performance of its workflows. MES systems are often tested by the ‘configurable manufacturing model.’ A CSV engineer has to assess and approve of alternate paths, step-by-step operator procedures, dispense specifications, etc. The validation process has to enforce the security and compliance of the MES and its ‘fit for purpose.’
The current CSV methodology has manufacturers spend 80% of their time documenting the process, and only 20% of their time actually testing the efficacy of the solutions. The FDA, realizing this is counterproductive, initiated the CSA (Computer Software Assurance) guidelines, so that 80% of the manufacturer’s time is spent on critical thinking and testing, and only 20% of their time in documentation.
The CSA guidelines are in stark contrast to CSV guidelines with their focus predominantly on testing. The goal is to ensure the overall system performance is optimized, which means that while all aspects of the system used on the shop floor must be tested, only components essential to the product and safety of the patient need to be validated and subjected to scripted tests. This frees both testing and validation resources and allows more value-add activities to occur.
In reducing the focus on documentation, CSA guidelines encourage Medtech manufacturers to pursue process improvements, such as automation, and use MES/MOM platforms to their highest potential. There is greater flexibility with CSA and emphasis is made on risk mitigation, but with a keen focus on validation of vital software functions and overall assurance of the system’s efficacy.
CSA divides the software features into high and low risk. CSV-level validation and testing is required only for high risk areas. This results in increased flexibility, reduction of overall cycle time to make changes in the process or MES/MOM functionality, which allows manufacturers to pursue automation and Industry 4.0 as the effort and complexity related to scripted testing and validation of each and every aspect of the deployed software is drastically reduced and compliance is more focused on quality assurance than documentary compliance.
CSA then will look more like this:
The transition from CSV to CSA entails:
- A focus on testing to increase confidence in actual system performance
- Risk-based ‘assurance’
- Traceability is still required
Since CSV requires a very heavy use of documentation, more often than not it is done without real critical thinking. CSA attempts to shift this paradigm back to a critical thinking approach, focusing on main patient risks with more concise testing and less documentation.
How do the new regulations help MES selection and deployment?
From an MES standpoint, now that the need for compliance is shifting from documentary evidence to risk-based assurance, does that mean Medtech manufacturers can choose any MES available in the market and subsequently pursue Industry 4.0? This is a critical question, and while it seems logical that if the requirements from the FDA are changing, why shouldn’t any available MES be used as long as it works fine and is able to model the process? With changing regulations, it becomes even more important to work with MES vendors who have deep industry experience, insight and proven success within the regulated life sciences industry. A familiarity with CSV guidelines, with an established track record in enabling automation and Industry 4.0 in accordance with said guidelines is necessary to ensure your certification journey will be successful.
First and foremost, industry knowledge and capability from compliance to norms are extremely important and highly desirable traits when it comes to MES vendors and their products. While transitioning from one FDA guideline to another, any MES/MOM platform, no matter how good it looks in the presentation, must be ruled out if it does not have the relevant industry experience (and therefore, important functionality required for a validated environment).
The ideal MES application for this transition is one where the vendor is able to support the ability to clearly demarcate high and low risk functional features and simultaneously allow both scripted and unscripted testing, accompanied with relevant documentation based on level of risk and impact on product quality and patient safety.
The MES would also need to adapt to reduced compliance documentation and while it may seem as a plus for the automation and paperless argument, the ability of the application to maintain data and process integrity with reduced checkpoints will be a crucial factor. Since CSA relies on the system’s quality assurance and reduced scripted testing, the MES vendor should be able to leverage this to make responsive changes to the process as directed by the testing, however, ensure that all changes made to the application and its functionality are validated from a system output perspective and would meet the unscripted testing requirements placed by CSA.
Medtech manufacturers, as the CSA guideline is eventually introduced and becomes the norm, know that the changes being made will help you pursue automation and Industry 4.0 better. However, bear in mind that your MES will play the most important role in all three vital aspects: the transition from CSV to CSA; compliance to CSA and the pursuit of Industry 4.0, which will involve macro and micro-level changes at the application and implementation level, from testing functionality of the application, to the recording and reporting of actual production compliance data. The right MES can and will make all the difference.
Special thanks to Ardavan Heidari – from our partner Frontwell Solutions– for his contribution to this post.
Join the Manufacturing Data Revolution