Topic: CSA Risk Framework
Once the manufacturer has determined whether a software feature, function, or operation poses a high process risk (a quality problem that may foreseeably compromise safety), the manufacturer should identify the assurance activities commensurate with the medical device risk or the process risk.
The CSA guidance formalizes some concepts that have been utilized by testers or advanced users of systems to determine issues based on testers gut feelings thorough ad-hoc testing. Types of assurance activities commonly performed by manufacturers include, but are not limited to, the following:
- Unscripted testing – Dynamic testing in which the tester’s actions are not prescribed by written instructions in a test case. It includes:
- Ad-hoc testing – A concept derived from unscripted practice that focuses primarily on performing testing that does not rely on large amounts of documentation (e.g., test procedures) to execute.
- Error-guessing – A test design technique in which test cases are derived on the basis of the tester’s knowledge of past failures or general knowledge of failure modes.
- Exploratory testing – Experience-based testing in which the tester spontaneously designs and executes tests based on the tester’s existing relevant knowledge, prior exploration of the test item (including results from previous tests), and heuristic “rules of thumb” regarding common software behaviors and types of failure. Exploratory testing looks for hidden properties, including hidden, unanticipated user behaviors, or accidental use situations that could interfere with other software properties being tested and could pose a risk of software failure.
Let it be clear that unscripted testing does not mean undocumented testing. The Experts at Medvacon can work with your team to establish an acceptable approach to integrating unscripted testing into your overall CSV methodology based on the principles posited in the CSA Guidance.
- Scripted testing – Dynamic testing in which the tester’s actions are prescribed by written instructions in a test case. Scripted testing includes both robust and limited scripted testing.
- Robust scripted testing – Scripted testing efforts in which the risk of the computer system or automation includes evidence of repeatability, traceability to requirements, and auditability.
- Limited scripted testing – A hybrid approach of scripted and unscripted testing that is appropriately scaled according to the risk of the computer system or automation. This approach may apply scripted testing for high-risk features or operations and unscripted testing for low- to medium-risk items as part of the same assurance effort.
In general, the FDA recommends that manufacturers apply principles of risk -based testing in which the management, selection, prioritization, and use of testing activities and resources are consciously based on corresponding types and levels of analyzed risk to determine the appropriate activities. The Experts at MEDVACON can work with your team to establish a risk-based testing approach based on the principles posited in the CSA Guidance.