Most Frequently Question & Answer CSA.

Data Integrity App

 

Most Frequently Question & Answer CSA.


Question 01: 

What is the difference between computer system validation (CSV) and computer software assurance (CSA)? 

Best Answer: 

If you think of the 80/20 rule, the current CSV methodology has manufacturers spending 80% of their time documenting and only 20% of their time testing.

The FDA wants to flip this so that 80% of a manufacturer’s time is spent on critical thinking and applying the right level of testing to higher-risk activities, while only 20% of their time is spent documenting (CSA methodology). This critical thinking should be focused on three questions:

  • Does this software impact patient safety?
  • Does this software impact product quality?
  • Does this software impact system integrity?

Using a risk-based approach is nothing new, and regulatory agencies such as the International Society for Pharmaceutical Engineering (ISPE) who author Good Automated Manufacturing Practice (GAMP®) have been advocating this for two decades.

CSA is a framework designed to help manufacturers achieve CSV. CSA will provide clarity on the stance and methodology used to determine what is high risk and what is not, therefore minimizing misinterpretation by manufacturers.

The clarification in the CSA approach flips the paradigm to focus on critical thinking (risk-based), assurance needs, testing activities, and documentation, in that order.

 

Question 02: 

Why is the FDA making this change?


Best Answer: 

Too much work is done for fear of regulatory punishment instead of fear of putting a poor-quality product on the market.

For software not used in a product, manufacturers are referring to burdensome guidance that is more than 20 years old, trying to avoid FDA Form 483 observations and warning letters from FDA investigations and third-party consultants.

Nothing should be done for fear of regulatory observations. Instead, the focus should be on testing for higher confidence in system performance and applying the right risk-based assurance rigor for a given level of risk to patient safety and product quality.

The new CSA framework also enables manufacturers to “take credit” for prior assurance activity and upstream and downstream risk controls like vendor qualifications.

 

Question 03: 

What does “software not used in a product” (or non-product software) mean?


Best Answer: 

Non-product software is any software that is not directly used in a medical device, Software as a medical device (SaMD), medical device as a service (MDaaS), or end-product. It includes all of the software used in manufacturing, operations, and quality system activities that would follow the 21 CFR Part 820.70(i) guidance.


Question 04: 


Is this just for medical device companies?


Best Answer: 

The short answer is no, the new CSA framework isn’t just for medical device companies. There are a lot of potential applications for all of life sciences.

The FDA’s Center for Devices and Radiological Health (CDRH) is working on this new draft guidance in cooperation with the Center for Biologics Evaluation and Research (CBER) and the Center for Drug Evaluation and Research (CDER).

It is founded on a true, risk-based approach that should be considered when deploying non-product, manufacturing, operations, and quality system software solutions such as:

  • Quality management systems (QMS)
  • Enterprise resource planning (ERP)
  • Laboratory information management systems (LIMS)
  • Learning management systems (LMS)
  • Electronic document management systems (eDMS)

 

Question 05: 

What is an indirect system versus a direct system?


Best Answer: 

Indirect systems do not have a direct impact on patient safety or product quality (for example, tools used in your CSV process like bug tracking systems or load testing and lifecycle management tools that do not directly impact the product). Indirect systems require less documentation.

Direct systems have a direct impact on patient safety or product quality—like electronic device history or adverse event reporting—and may require increased testing based on risk. In other words, the riskier a system impact is to the end-product and to the safety of the patient, the more testing and documentation is required.


Question 06: 

The FDA has started citing companies for inadequate CSV efforts. How will inspectors be trained on the CSA initiative?


Best Answer: 

The FDA is undergoing an extensive training program for its auditors and is rolling out an agency-wide Case for Quality program. Further, the FDA is creating a Digital Center of Excellence, where it will encourage manufacturers to reach out to the FDA to ask questions on their processes and procedures before an audit takes place.

The goal is to provide more collaboration throughout the process and minimize this fear of regulatory observations that have led to misinterpretation of the original intent of the guidance.

 

Question 07: 

Has the FDA reached out to other regulatory agencies such as MHRA, EU, etc. to verify that this approach is acceptable for companies who sell overseas? 


Best Answer: 

Yes, the FDA has been working on the Case for Quality program in tandem with its sister agencies abroad.

 

Question 08: 

When does the FDA anticipate releasing this guidance?


Best Answer: 

The U.S. Food and Drug Administration (FDA) is expected to release the Computer Software Assurance for Manufacturing and Quality System Software guidance in 2021.

As always, this framework is acceptable today under current guidelines and the FDA is encouraging the industry to adopt it even prior to release. The guidance was initially expected in 2020, but was delayed due to COVID-19.

 

Question 09: 

How can USDM help my company today?


Best Answer: 

USDM is on the cutting edge of technology and compliance, and we are watching the FDA’s CSA guidance closely. We already have progressive solutions in place and can save you significant time and money on your validation programs. Programs include:

  • CSA Education and Training – USDM can help your team with a pilot project; train and mentor your teams on how to apply the critical thinking; develop a risk-based approach; and consult on automated testing processes.
  • CSV/CSA Assessments – USDM will take a holistic approach to assess your current CSV process and make recommendations to get you to a true, risk-based CSA process according to your current state (i.e., quality of documentation, testing, SOPs/WIs, use of automation, and audit performance).
  • CSV/CSA Methodology – USDM can revamp your entire CSV process and digitally transform it into a CSA process. From methodology development through end-user training, USDM will assure your systems are compliant.
  • Cloud Assurance – USDM provides a subscription service to deliver end-to-end GxP compliance of your cloud systems. From implementation through ongoing validation maintenance—including new releases—USDM can manage and lighten your cloud validation burden.

 

 

Question 10: 

How does the FDA define critical thinking?


Best Answer: 

As the manufacturer—the company and people producing the product—you know the business and you know the processes. You’ve got the best insight into how risk is introduced, where it matters, and what’s going on from a process standpoint.

Critical thinking is considering where the system could introduce a risk versus what is a product or process risk. This helps you tell your story, whether it is to the FDA or an arbitrary regulator and auditor.

Demonstrate that you can tell that story, that you’ve got the element of understanding and control about your product and your processes. There is no one-size-fits-all for any company or system.

The FDA wants to know that you really understand your processes and systems and that you are in control. Ensure that you can tell the FDA you know where the risk is being introduced, how you will mitigate the risk, and whether the controls you put in place are working.

 

Question 11: 

What does CSA mean for GAMP? Will GAMP become obsolete?


Best Answer: 

The impending CSA guidance is not going to create new concepts per se. It intends to simplify and clarify the use of non-product software and maximize testing efforts while minimizing documentation for lower risk, non-product software systems.

There is no misalignment with GAMP 5. CSA is what the FDA intended all along but lacked clarity, and the misinterpretation resulted in too much documentation for documentation’s sake instead of better quality.

 

 

Question 12: 

What is the impact on 21 CFR Part 11?


Best Answer: 

CSA principles are applicable to Part 11, but the scope is narrowly focused. Primary concern is around system risk, intended use, and ensuring that you have confidence in the system.

 

Question 13: 

What about audit trails?


Best Answer: 

Part 11, audit trail, is just a set of requirements and you must understand the best way to exercise those requirements. Know when you need more robust testing of those requirements and when you can just make sure that your vendor built that in.

Overall, audit trails are not something that you need to expend a lot of extra resources and energy on.

 

Question 14: 

What about ISO 13485?


Best Answer: 

ISO 13485 is integrated and well written to incorporate risk-based thinking throughout all processes and applications. Nothing changes as it is based on a true risk-based approach.

 

Question 15: 

What about MDSAP?


Best Answer: 

The FDA will make sure the medical device single audit program (MDSAP) is aligned with CSA down the road.

 

Question 16: 

What does this mean for installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ)? 


Best Answer: 

The goal of CSA is to focus on critical thinking, do more business testing of the process and its intended use, and do less functionality testing.

Installation qualification: The vendor often does a good job of installation testing; still, it’s smart to turn on the equipment, log in, and make sure it works. That’s pretty low risk, because if it doesn’t work, that will be obvious. 

Additional tasks would be to ensure you have all of your required user manuals, vendor qualifications, and the like.

User acceptance testing (UAT): Focus on your business processes and how they work within the system and how you wanted them to work within the system.

This is where we expect to see much more of the testing being done and far less on the actual functionality or out-of-box functionality.



“Trust but Verify “ Ronald Reagan

 

Across the internet, there are millions of resources are available which provide information about Everything.

 

If you found all content under one roof then it will save your time, effort & you will more concentrated on your important activity.

Data Integrity App


 

Our Data integrity app will helpful for understanding what Data integrity & CSV really means & How 21 CFR Part 11, EU Annex 11 & other regulatory guidelines affects in pharmaceutical Industry.

 

Data Integrity App Include 

- Basic Data Integrity Concepts

- ERES & Its Requirement

- CSV & Its best practices 

- Mock Inspection and General Q&A

- Checklist for inspection

- Inspection Readiness

- Useful SOP’s

- Stay Regulatory Compliant.

 

“Stay One Step Ahead in Pharma IT Compliance” 


Data Integrity App Link:


https://play.google.com/store/apps/details?id=com.innovativeapps.dataintegrity

 

Try our "Data Integrity" app which helps you to better understand current regulatory agencies thinking on Data Integrity & CSV.


 

Comments

Post a Comment

Popular posts from this blog

CSA- Same Regulations; Different perspective

Image
Data Integrity App   CSA- Same Regulations; Different perspective A system whose software does not impact Patient Safety, Product Quality is considered Non-GxP, e.g., Systems or Tools used for Document Management, Compliance Management, and Lifecycle Management. The risk associated with such systems is low, and the same level of rigor on Testing, Documentation is not needed. GxP systems (Systems having a direct impact) such as LIMS, MES, Adverse event reporting have a higher risk of impacting Patient Safety and Product Quality. Hence such systems require adequate Testing and sufficient documentation. In a nutshell, the higher the risk, the higher the need for detailed Testing and Documentation. The below picture depicts how CSV and CSA differentiate from one another without compromising on the regulation requirements. This is done while keeping in mind the critical aspect  of documentation, which takes a lot of time and effort in a System Validation process for a...
Read more

Need of Computer System Assurance

Image
Data Integrity App   Why is the FDA making this change? Over the last decade, innovation and technology has emerged with tremendous speed and brought the industrial revolution (Industry 4.0) through smart manufacturing and automations. The Pharmaceutical industry has adopted most of the technological innovations such as Artificial Intelligence and Machine learning, Big Data & Analytics, cloud computing, Robotic Process Automation, 3D Printing, Virtual Reality and Augmented Reality, IoT (Internet of Things) and Tele radiology, etc. which is now known as Pharma 4.0. The traditional computerized system validation process was conceptualized prior to this technology evolution and being updated to some extent but is not able to cope up with industry expectations. The lack of expertise, understanding of the technology and over thinking makes the traditional computerized system validation process as prolonged activity. Too much work is done for fear of regulatory punishment i...
Read more

Industry Common CSV Pain Points

Image
Data Integrity App Industry Common CSV Pain Points USFDA and Industry working group of Computer System Assurance (CSA) identified the common pain points of the industry in implementation of new technologies with traditional CSV methodology I Deterrent to pursuing automation:  The volume of documentation and complex process of computerized system validation deter the rate of investment (ROI) on implementation of new technologies and automation. II. Gathering evidence for auditors:  The lack of knowledge and understanding on the regulatory expectations on CSV forced the industry to collect the evidence for each function in the computer system beyond the intended scope to please the auditors. This process of gathering the evidence doubles the CSV process implementation time. III. Duplication of vendor efforts at client sites:   The failure in exploring the product and supplier maturity and inexperience in communication with vendor results in customer to repeat the ac...
Read more