Fortify Your Systems: The Power of Validation & Support

Validating computer systems and ensuring robust IT infrastructure support is critical for companies in regulated industries like pharmaceuticals, medical devices, and financial services. Adhering to regulations and guidelines like GMP, GLP, and SOX requires documented evidence that computer systems are fit for their intended use and adequately controlled. This blog will provide an overview of computer system validation and IT infrastructure assurance activities that help meet regulatory compliance in quality-centric industries. We’ll explore validation concepts like user requirements, traceability matrices, risk assessments, and change control.

What is Computer System Validation (CSV)?  

CSV is a documented process to ensure that a computerized system consistently does what it is designed to do, ensuring the integrity of data processing, product quality, and compliance with applicable GxP regulations.  

What is Computer System Assurance (CSA)? 

CSA is a different approach to the traditional CSV approach, which involves critical thinking and consideration of risk. 

FDA CSA Guidance 

The U.S. FDA’s Center for Devices and Radiological Health (CDRH) released a draft guidance, DRAFT – Computer Software Assurance for Production and Quality System Software 13Sep2022. 

The draft guidance, Computer Software Assurance (CSA) for Production and Quality System software, will allow industries to minimize their existing CSV efforts and documentation burden and focus on more efficient approaches to ensure software quality.  

What is the difference between Scripted and Unscripted Testing? 

CSA introduced the terms scripted testing and unscripted testing: 

Scripted Testing: Scripted test cases generally contain, at minimum, a test objective for the test script, a step-by-step test procedure, expected results, documented evidence, and a pass or fail. Scripted testing was the former standard and should still be used for higher-risk (direct) systems and features where the functionality directly impacts product or patient safety.  

Unscripted Testing: Unscripted testing is carried out without detailed test scripts. Unscripted testing should be used for lower-risk (indirect) systems and features where the functionality does not directly impact the product or patient safety. There should be a test objective and a pass or fail, but no step-by-step test procedure. 
 
NOTE: Unscripted testing does not imply documentation is not required. If it’s not documented, it did not happen. Traceability and documentation are always needed. 

What are the Benefits of a CSA Approach? 

As part of its Case for Quality program, the FDA participated in several pilot programs that consistently delivered the following results: 

• Better testing + less documentation = Faster “time to value” 
• Improved quality, efficiency, speed, agility, responsiveness, and transformation 
• Decreased test script issues by up to 90% 
• Reduced testing overhead 
• Leveraged vendor assurance activities. 
• Maximized use of CSV and expert resources 
• Test Incident/Nonconformance Reduction 

How to Transition from CSV to CSA? 

Here are a few steps an organization can take to transition from CSV to CSA: 

1. Change your organization’s culture from a compliance-centric mindset to a quality-focused one. 

2. Leverage your software supplier’s existing activities (perform supplier audits). 

3. Consider using automated testing tools to streamline assurance activities.  

4. Know the intended use of your computer system(s). 

5. Know the high-risk features, operations, and functions of the computer system(s). 

6. Review and update your current policies to align with the CSA approach. 

Essential Facts about CSA to Help Understand Why Many Organizations are Transitioning to CSA 

1. The risk is based on the impact on patient safety and product quality measured against requirement complexity.  

2. It calls for the least burdensome approach to documentation. 

3. It can reduce paperwork by 80% with unscripted testing and leveraging approved vendor testing. 

4. This results in fewer issues encountered in production, as more time is spent challenging the system than on dry-running protocols.  

5. CSA does not involve creating new regulations, but the level sets the FDA’s expectations. 

6. The Food and Drug Administration (FDA) and the International Society for Pharmaceutical Engineering (ISPE) support CSA.  

IT Infrastructure Support  

IT Infrastructure is so dynamic that the best approach is to achieve and maintain a qualified state as an exercise in managing compliance, i.e., implementing and managing controlled processes to ensure infrastructure is qualified throughout the system’s changes.  

• Current Infrastructure installation and management is a dynamic process requiring robust processes and policies rather than fixed documentation. 
• Infrastructure is generally qualified and needs to be validated. 
• Automated tools are vital to maintaining a well-managed and qualified infrastructure. Configuration management and computerized tools allow reviews and approvals before deploying new or revised infrastructure components. In many companies, infrastructure is provisioned by automatic processes, lowering the risk of error and offering process control.  
• When outsourcing IT Infrastructure to external vendors, similar guidelines apply. 
• Ultimately, the company ensures quality, safety, and data integrity in an internal or cloud environment. 

You can learn how to navigate the complexities of software validation and assurance and ensure compliance with FDA and EMA guidelines in our new whitepaper (CSV Vs. CSA – Unpacking FDA’s revised software validation).

Contact our experts today at sales@biotech.com explore how PSC Biotech can elevate your understanding of CSV and CSA. Uncover insights into how these critical processes can drive precision, reliability, and trust in your operations.