In September 2022, the FDA ushered in a groundbreaking transformation in the medical device industry by unveiling a new draft guidance on software validation titled “Computer Software Assurance for Production and Quality System Software.”
For years, the medical device industry relied on a traditional approach to software validation, known as Computer System Validation (CSV). It was a rigorous, step-by-step process involving Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ). However, the growing complexity of software and the burden of documentation often made this approach cumbersome, both in terms of time and resources.
Enter Computer Software Assurance (CSA), the future of software validation.
Now, the FDA envisions a landscape where medical device manufacturers adopt CSA as a risk-based approach. CSA encourages MedTech companies to assess the risks associated with their software and adjust their validation activities accordingly. Instead of the one-size-fits-all approach of CSV, CSA promotes flexibility, efficiency, and a stronger focus on product quality and patient safety.
The Role of FDA
The FDA is at the forefront of shaping the future of software validation. Its new guidance reflects a commitment to “the least-burdensome approach” to compliance, acknowledging the challenges faced by medical device manufacturers. It’s a reflection of the changing economy and trends taking place in MedTech.
The agency is reinforcing the importance of adherence to Quality System Regulation, Part 820, as a foundation for their operations. This regulation requires manufacturers to validate software used in production or quality systems to ensure medical devices meet specifications.
The Challenge of Traditional Validation
Whilst the old CSV model had merits, it also definitely had its limits. For example, the extensive documentation and resources. In addition, there is the maintenance of data integrity after the validation is completed. Often, the amount of work to perform the validation would be a determining factor for whether or not to update the system as well. This created situations where systems were not patched or updated because of the amount of work to revalidate the system. Obviously, this was not the FDA’s intent.
Often, these behaviors would result in:
- Stress-inducing gaps in documentation during compliance audits.
- Unresolved questions about system performance due to insufficient testing.
- Planning issues caused by complex processes and process landscapes.
- Compromises or lack of system updates due to a shortage of skilled personnel.
The New Norm: Computer Software Assurance
CSA offers a risk-based strategy that allows MedTech organizations to identify foreseeable software failures, evaluate their impact, and tailor our validation activities accordingly. The process involves four key steps:
- Identifying the Intended Use: Understanding the role of software in our production and quality systems.
- Determining the Risk-Based Approach: Assessing the potential risks associated with software failures.
- Selecting Appropriate Assurance Activities: Focusing our resources where the risks are most significant.
- Establishing the Appropriate Record: Ensuring compliance with regulations while staying agile.
By applying a risk-based approach, manufacturers can better focus on assurance activities to maintain product quality, align with FDA regulations, and support patient safety. At its core CSA opens the doors to innovation, encourages the adoption of cutting-edge technologies, and still empowers manufacturers to grow.
CSV vs. CSA Differences
Get Support For Computer Software Assurance
SPK is committed to supporting medical device manufacturers to maintain compliance and navigate the new CSA process. We partner with Medtech companies globally to do exactly this every year. Because SPK has worked in the MedTech industry for over 20 years, we have formed partnerships with some of the top eQMS systems in the industry, including Greenlight Guru, MasterControl and others, that are designed specifically for medical device development and compliance. So, if you need support with Computer Software Assurance, contact us here.