TOPIC: CSA Risk Framework
Generally, the risk-based approach entails systematically identifying reasonably foreseeable software failures, determining whether such a failure poses a high process risk, and systematically selecting and performing assurance activities commensurate with the medical device or process risk, as applicable. The risk-based analysis for production or quality system software considers those factors that may impact or prevent the software from performing as intended, such as proper system configuration and management, security of the system, data storage, data transfer, or operation error. Thus, a risk-based analysis for production or quality system software should consider which failures are reasonably foreseeable (as opposed to likely) and the risks resulting from each such failure. The Experts at MEDVACON can work with your team to establish a risk-based approach based on the principles posited in the CSA Guidance.
The FDA considers a software feature, function, or operation to pose a high process risk when its failure to perform as intended may result in a quality problem that foreseeably compromises safety, meaning an increased medical device risk. This process risk identification step focuses only on the process, as opposed to the medical device risk posed to the patient or user. Examples of software features, functions, or operations that are generally high process risk are those that:
- maintain process parameters (e.g., temperature, pressure, or humidity) that affect the physical properties of product or manufacturing processes that are identified as essential to device safety or quality;
- measure, inspect, analyze and/or determine acceptability of product or process with limited or no additional human awareness or review;
- perform process corrections or adjustments of process parameters based on data monitoring or automated feedback from other process steps without additional human awareness or review;
- produce directions for use or other labeling provided to patients and users that are necessary for safe operation of the medical device; and/or
- automate surveillance, trending, or tracking of data that the manufacturer identifies as essential to device safety and quality.
In contrast, the FDA considers a software feature, function, or operation not to pose a high process risk when its failure to perform as intended would not result in a quality problem that foreseeably compromises safety. Examples of software features, functions, or operations that generally are not high process risk include those that:
- collect and record data from the process for monitoring and review purposes that do not have a direct impact on production or process performance;
- are used as part of the quality system for Corrective and Preventive Actions (CAPA) routing, automated logging/tracking of complaints, automated change control management, or automated procedure management; and/or
- are intended to manage data (process, store, and/or organize data), automate an existing calculation, increase process monitoring, or provide alerts when an exception occurs in an established process.
The CSA guidance provides several examples to assist manufacturers with identifying the level of risks in real manufacturing scenarios.


