The FDA recently released a final guidance document that should be on every medical device company’s radar. Computer Software Assurance for Production and Quality System Software provides recommendations on computer software assurance (CSA) for computers and data processing systems used as part of medical device production or the quality system.
The final guidance confirms the agency's shift away from the older method of software validation—computer system validation (CSV)—to the newer, risk-based approach of CSA.
Ultimately, this shift is about moving away from a one-size-fits-all approach to software validation and toward a contextualized, risk-based approach. The regulations aren’t changing; just the way medtech companies approach compliance and validate the software solutions used throughout their business.
In this article, I’ll break down the differences between CSV and CSA, and what the move to computer software assurance means for medical device companies.
What is production and quality system software and why do medtech companies need to validate it?
In the FDA’s draft guidance, the agency divides “software used as part of production or the quality system” into two subcategories:
-
Software used directly as part of the production or quality system. For example, software used for automating production processes or quality system processes.
-
Software used to support production or the quality system. For example, software used to test or monitor other software systems.
MedTech companies must validate both types of software. Both the FDA’s 21 CFR Part 820 - Quality System Regulation and ISO 13485:2016 require medical device manufacturers to validate software used in production or the quality system.
The goal of the validation process is to establish and maintain confidence that the software meets its user needs and intended uses. It’s about ensuring that the software solutions MedTech companies use to support safe and effective medical devices always deliver the right results.
And for the past two decades, FDA has provided MedTech companies with an approach to software validation known as computer system validation (CSV).
What is computer system validation (CSV)?
Computer system validation is a form of software validation that relies heavily on testing to provide the “objective evidence” FDA requires to confirm the software meets its user needs and intended uses.
In practice, this testing usually takes the form of “the three Q’s” known as IQ, OQ, PQ:
-
Installation Qualification (IQ) - Verifying the installation of the software.
-
Operational Qualification (OQ) - Verifying the software functions according to its operational specifications.
-
Performance Qualification (PQ) - Verifying that the software consistently performs to the specification for day-to-day use.
Each of these steps consists of a protocol and a report, which can add up to an enormous amount of documentation. And, given that MedTech companies on average implement and use up to nine different software tools for business operations and compliance requirements, CSV often ends up costing companies too much time and effort—and papercuts.
Fortunately, FDA recognizes these problems and knows that CSV is no longer in line with the agency’s own emphasis on “the least-burdensome approach” to compliance. That’s why the agency is now emphasizing a different method to software validation: computer software assurance.
What is computer software assurance (CSA)?
Computer software assurance is a risk-based approach to software validation. This method of software validation encourages medical device companies to start by considering the risks inherent in the failure of the software they use.
That risk determination will then form the basis for deciding the appropriate software assurance activities the company should carry out.
As FDA states in its guidance document:
This approach considers the risk of compromised safety and/or quality of the device (should the software fail to perform as intended) to determine the level of assurance effort and activities appropriate to establish confidence in the software. Because the computer software assurance effort is risk-based, it follows a least-burdensome approach, where the burden of validation is no more than necessary to address the risk.
Essentially, rather than spending the same amount of time testing every piece of software they use, CSA encourages companies to select more rigorous assurance activities for software that poses higher risks.
The computer software assurance process involves four steps, which are included in more detail in the guidance document:
-
Identifying the intended use
-
Determining the risk-based approach
-
Determining the appropriate assurance activities
-
Establishing the appropriate record
Keep in mind, this approach to software validation does not change any regulations. FDA is clarifying its position and emphasizing that the risk-based approach in the CSA guidance will provide medical device companies with a more efficient and flexible method for meeting the software validation requirements in its Quality System Regulation.
It also brings FDA guidance more in line with ISO 13485:2016, which states clearly that “The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software.”
Greenlight Guru is fully aligned with the CSA approach to software validation
Greenlight Guru has been using the CSA approach for several years now. When the FDA released its draft of the CSA guidance in 2002, we proactively overhauled our validation approach to align with the CSA framework. By 2023, our validation strategy was fully risk-based and mapped by intended use, and our approach differentiates between process risk, data integrity risk, and patient impact—just like the FDA now recommends.
We also strategically updated our Software Validation Package to help teams efficiently implement and adopt the latest enhancements and functionality while assuring compliance with evolving validation requirements.
The updated Validation Package reflects the requirements and best practices of both the FDA’s computer software assurance guidance and ISO /TR 80002-2:2017. That means Greenlight Guru’s Validation Package includes intended use documentation, automated test evidence, and system-level validation aligned to CSA.
So, while the final guidance was published this year, Greenlight Guru's validation package has been aligned with the CSA framework for years and nothing is changing for our customers. Our validation approach will continue to help us ensure our customers are spending time where it matters: bringing life-changing medical devices to market.
Be confident in your compliance with a QMS built for medtech
CSA reduces the burden of validation for medical device companies, but it doesn't reduce their responsibility. Part of the supplier evaluation process for any production and quality system software should include the vendor's approach to validation. An outdated approach not only creates more work for your company, it means you'll be using an outdated approach that is out of line with FDA recommendations.
With Greenlight Guru, you'll get a CSA-aligned eQMS that's built specifically for medical device companies like yours. And you can rest easy knowing that we're always keeping up with best practices in the regulatory world in order to keep you compliant and audit-ready.
If you’re ready to learn more about how a medtech-specific eQMS can benefit your business, then get your free demo of Greenlight Guru today!
BONUS RESOURCE:
Greenlight Guru’s Software Assurance Guide
Greenlight Guru’s Software Assurance Guide
