Erring on the side of caution can be a good thing, but when it comes to validation, it tends to create unnecessary work for quality and regulatory professionals. Finding the right balance between doing too much and not enough for computer system validation (CSV) requires taking a risk-based approach.
This is the approach that the U.S. Food and Drug Administration (FDA) has been pushing for years. Even before the new guidance on computer software assurance was released, we began using this approach at MasterControl and defined eight steps that satisfy regulatory compliance and save time in the process.
1. Use your vendor’s documentation and templates
GAMP guidance recommends that companies “leverage the knowledge, experience, and documentation” of their suppliers to complete validation. Software as a service (SaaS) companies do their own internal testing and create validation documentation to support it. Their customers can use this documentation in their own validation process to save themselves time and take advantage of the in-depth knowledge that the SaaS company has of its own software.
2. Include your vendor’s usage testing in your validation package
The above-mentioned testing done by the software provider can work to the customer’s advantage in more ways than just documentation. Again, citing GAMP, “Where the system has been appropriately tested, there is no value in the regulated organization repeating those tests.” In my experience, I’ve seen customers take the exact tests that we’ve run and run them again. This adds no value to the validation process — it simply makes it take much longer, especially in the SaaS space when your sites are managed on the cloud and identical to your vendor sites.
3. Follow your vendor’s best practice configuration
It’s normal for people to be resistant to change. Unfortunately, when it comes to software implementation and configuration, at least some change is necessary. Some companies assume that by mirroring their paper-based processes, it’ll be easier to adjust to a digital system. This can be problematic when it comes to validation as well as the use of your digital system. According to GAMP, “The regulated organization can minimize the volume and rigor of testing required by avoiding unnecessary customization." The closer a company sticks to the SaaS company’s best practice configuration, the lighter the validation burden.
4. Base validation on your specific configuration and usage
When it comes to software validation, how you use the software is critical to determining where most of your effort should go. Per FDA guidance, “Any software used to automate any part of the device production process or any part of the quality system must be validated for its intended use.” This can be the most difficult aspect of validation because it requires the person performing the validation to be familiar with how their organization is using the software, the best practices recommended by the supplier, and how the two differ. If there’s functionality in the software that your business never uses, it’s a waste of time to validate it.
5. Focus on your critical business processes
Regulators are typically focused on how software affects your product quality and patient safety. That’s definitely important, but how the software affects your business is important too, so it’s important to identify which critical business processes need to be validated. This can be a huge lift, so it’s helpful when SaaS companies provide tools to help their customers perform CSV that will not only fulfill regulatory requirements but ensure their business continually runs smoothly.
6. Follow a risk-based approach
As stated earlier, regulators are interested in anything that affects product quality or patient safety. When you add in what poses a risk to your critical business processes, you know where to focus your validation efforts. I’ve seen customers validate email notifications with the same criticality as they would a pacemaker. That’s a dramatic example, but it captures the value of taking a risk-based approach. According to the FDA, “The selection of validation activities, tasks, and work items should be commensurate with the … risk associated with the use of the software.”
The principles of risk-based validation can be applied to any software by leveraging what’s provided by your vendor, examining how you use the software, and focusing testing on the high-risk areas.
7. Use a change control methodology for upgrades
It might seem like there’s no possible way to validate your software in 45 minutes, but that’s where this methodology comes in. Every time your vendor releases an upgrade, there’s quite a bit that isn’t going to change. If it doesn’t change and you continue to use it in the exact same way you’ve been using it, why would you go through the trouble of extensive testing and formal validation? GAMP agrees with this idea, advising “the rigor of the approach, including the extent of documentation and verification, should be based on the risk and complexity of the change.” With this approach you can identify what’s changed in the latest release, how that affects how you use the software, and how much additional work is warranted based on that. Once again, this is a question of focusing your efforts on the areas that most need it rather than treating every new or changed feature in the same way.
8. Upgrade frequently
If you’re in charge of CSV at your company, an upgrade can be enough to give you an ulcer. If you follow these tips, upgrade-induced ulcers can be a thing of the past. The reason companies refuse to upgrade is they’re afraid of the months of validation they assume will follow. When you reduce validation to less than an hour, taking advantage of quarterly upgrades in the cloud just makes sense. Small, frequent upgrades that include risk-based validation take less time and effort than one full-scale validation ever 2-3 years. Plus, you’ll get the newest functionality and the most secure version of the software.
The right amount of work
When it comes to validation, there’s a common attitude of it being better to do too much than not enough. That ignores the third option of just doing the right amount of work to ensure safe and effective products without consuming your schedule with several months of busy work. By following these 8 tips, you’ll save time in any software validation.
