TOPIC: CSV– CSA – GAMP – DI (Computer System Validation, Comp Soft Assurance, Good Automated Manufacturing Practices, Data Integrity)
The CSA guidance is intended to help manufacturers establish a risk-based framework for computer software assurance throughout the software’s lifecycle. The guidance includes an appendix of examples of applying this risk framework to various computer software assurance situations. The Experts at MEDVACON can assist you and your company integrate the risk framework into your CSV methodology.
Intended Use: CSA Risk Framework
The guidance requires manufacturers to validate software that is used as part of production or the quality system for its intended use (see 21 CFR 820.70(i)). To determine whether the requirement for validation applies, manufacturers must first determine whether the software is intended for use as part of production or the quality system. In general, software used as part of production or the quality system falls into one of two categories: software that is used directly as part of production or the quality system, and software that supports production or the quality system. The Experts at Medvacon can assist with categorizing the software to focus your validation resources in the areas needed most.
Software with the following intended uses are considered to be used directly as part of production or the quality system: (1) Software intended for automating production processes, inspection, testing, or the collection and processing of production data; and (2) Software intended for automating quality system processes, collection and processing of quality system data, or maintaining a quality record established under the Quality System regulation.
Software with the following intended uses are considered to be used to support production or the quality system: (1) Software intended for use as development tools that test or monitor software systems or that automate testing activities for the software used as part of production or the quality system, such as those used for developing and running scripts; and (2) Software intended for automating general record-keeping that is not part of the quality record.
Both kinds of software are used as “part of” production or the quality system and must be validated under 21 CFR 820.70(i). However, supporting software often carries lower risk, such that under a risk-based computer software assurance approach, the effort of validation may be reduced accordingly without compromising safety.
Software with the following intended uses generally are not considered to be used as part of production or the quality system, such that the requirement for validation in 21 CFR 820.70(i) would not apply: (1) Software intended for management of general business processes or operations, such as email or accounting applications; and (2) Software intended for establishing or supporting infrastructure not specific to production or the quality system, such as networking or continuity of operations.
In cases where software individual features, functions, and operations have different roles within production or the quality system, they may present different risks with different levels of validation effort. CSA recommends that manufacturers examine the intended uses of the individual features, functions, and operations to facilitate development of a risk-based assurance strategy. Manufacturers may decide to conduct different assurance activities for individual features, functions, or operations.
The CSA provides a very good spreadsheet example, one which Medvacon has had to address for our clients: A commercial off-the-shelf (COTS) spreadsheet software may be comprised of various functions with different intended uses. When utilizing the basic input functions of the COTS spreadsheet software for an intended use of documenting the time and temperature readings for a curing process, a manufacturer may not need to perform additional assurance activities beyond those conducted by the COTS software developer and initial installation and configuration. The intended use of the software, “documenting readings,” only supports maintaining the quality system record and poses a low process risk. As such, initial activities such as the vendor assessment and software installation and configuration may be sufficient to establish that the software is fit for its intended use and maintains a validated state. However, if a manufacturer utilizes built-in functions of the COTS spreadsheet to create custom formulas that are directly used in production or the quality system, then additional risks may be present. For example, if a custom formula automatically calculates time and temperature statistics to monitor the performance and suitability of the curing process, then additional validation by the manufacturer might be necessary. The Experts at Medvacon have experience validating spreadsheets used in the QC labs to assist in the release of products and we can assist you with your spreadsheet validation.
The CSA also provides some great advice that applies universally: The FDA recommends that manufacturers document their decision-making process for determining whether a software feature, function, or operation is intended for use as part of production or the quality system in their Standard Operating Procedures (SOPs).
