Professional Documents
Culture Documents
7 Components of IT Infrastructure
7 Components of IT Infrastructure
systems that are necessary for delivering IT services in accordance with service level
agreements. IT Infrastructure management includes the management of IT policies and
processes, along with the equipment, data, human resources and external contacts (such as
vendors or security organizations) needed to ensure that IT operations run smoothly and
efficiently.
7 Components of IT Infrastructure
IT infrastructure consists of a set of hardware and software tools that an organization
leverages to deliver IT services. IT organizations that deploy and manage all of their IT
infrastructures in-house must effectively manage these components to successfully ensure the
ongoing availability of IT services.
Computer Hardware Platforms - Hardware platforms include laptops, desktops, tablets and
mobile phones along with server machines and mainframes.
Data Management and Storage - IT organizations that collect and aggregate large volumes
of data require a robust data storage solution. Storage and database management tools such as
IBM DB2, Oracle, MySQL, and SQL Server are all used by organizations that wish to track
and keep more information about their organization's operational, security and business
performance.
Page 1 of 20
Internet Platforms - Internet platforms include a range of infrastructure elements that are
exclusively accessed via the world wide web. Platforms such as Apache, Java, UNIX, and
.NET are common.
Page 2 of 20
What is Computer Software Assurance (CSA) and why are the FDA
transitioning from traditional Computer System Validation?
4 Sep 2020
Following the launch of their ‘Case for Quality‘ initiative in 2011, the FDA were uncertain
why so few companies were investing in automated solutions and why so many continued to
run long-outdated versions of software. The initiative, which set out to study quality best
practice in medical device manufacturing, found that the burden of Computer Systems
Validation (CSV) deterred technology investments and as a result, inhibited quality best-
practice (1).
On learning that the burden of CSV was holding companies back from realising their
investment in technology, the FDA decided to partner with industry to strike a balance
between promoting automation and value-add CSV activities. The FDA aimed to improve
quality, remove non-value add activities, and focus testing on high risk areas, therefore
reducing validation cost and time by focusing on the software’s impact to patient safety,
impact to product quality, and impact to quality system integrity (Direct or Indirect system).
Too often, testers spend time ensuring their protocol is error free, as opposed to spending
time on automated solutions that verify the software meets it’s intended use.
The FDA’s new approach to CSV, Computer Software Assurance (CSA), represents a step-
change in computer system validation, placing critical thinking at the centre of the CSV
process, as opposed to a traditional almost one size fits all approach.
As its regulatory approach continues to mature, the FDA intends to focus on direct impact
systems and not on indirect systems. The change allows manufacturers to focus testing rigor
on areas that directly impact patient safety and device quality, as:
‘Direct system software’ (e.g. inspects or dispositions product, labeling systems) will require
testing based on risk, and expected deliverables are similar to current expectations, i.e. the
riskier the application, the more testing and documentation is required.
‘Indirect system‘ is software that does not directly impact the product or patient safety but
does impact the quality system (e.g. Document Control, Complaint Management, Lifecycle
Management tools). The same rigor is not needed for the assurance of these types of
systems and they require less documentation.
Page 4 of 20
‘Scripted Testing’ is what we would know as traditional testing. Scripted tests as we know
usually contain at a minimum a test Objective for the test script, a step-by-step test
procedure, Expected Results and a Pass/Fail. Scripted Testing is to be used to test to higher
risk (Direct) systems or features as the software does directly impact the product or patient
safety.
‘Unscripted testing’ is testing that is carried out without the use of detailed test scripts.
Unscripted Testing is to be used to test lower risk (Indirect) systems or features as the
software does not directly impact the product or patient safety but does impact the quality
system. There should be a Test Objective and a Pass/Fail, but no step-by-step test
procedure.
Details regarding any failures or deviations and disposition regarding fails found while
performing Scripted and Unscripted Testing will still need to be recorded to ensure failures or
deviations are documented from the discovery of the failure or deviation to the successful
implementation of the appropriate corrective action.
Page 5 of 20
Change the culture from of your organisation from a compliance-centric mindset to quality-
focused culture.
Leverage your software suppliers existing activities (perform supplier audits)
Consider using computer system validation tools to automate assurance activities
Know the intended use of your computer system(s).
Know the high-risk features, operations and functions of the computer system(s).
Review and update your current policies to align with the CSA approach.
Computer
Software
Assurance (CSA):
The FDA’s New
Approach to CSV
An industry focus on
regulatory compliance as opposed to adopting best quality practices
Lack of adoption of automation and digital technologies, with manufacturers choosing
instead to continue running long-outdated versions of software
Virtually no competitive market around medical device quality
After obtaining feedback from both FDA and industry stakeholders, the CDRH launched
their Case for Quality. The initiative’s intention was to identify best manufacturing practices
and help medical device manufacturers raise their manufacturing quality level by shifting
Page 6 of 20
their focus from being compliance oriented to what really mattered – improving product
quality. Through effective collaboration with companies and stakeholders, the Case for
Quality established manufacturing standards for the medical device industry, providing the
industry with clear objectives to strive for.
One of the key findings of the FDA’s Case for Quality initiative was that the burden of
Computer Systems Validation (CSV) was deterring technology investments and as a result,
inhibiting quality best practice. The FDA’s regulation 21 CFR Part 11 in 1997 and the related
guidance of 2003 created the clear foundation for implementation of Computer System
Validation (CSV) processes. Adhering to FDA CSV guidance can be a challenge for life
science organizations, however. CSV guidelines prioritize documentation, primarily to
appease auditors, which can be both time-consuming and costly. This emphasis on
documentation impedes the application of critical thinking during the validation process,
along with opportunities to improve automation via system modernization.
To address these issues, the CDRH, in collaboration with the Center for Biologics Evaluation
and Research (CBER) and the Center for Drug Evaluation and Research (CDER), is planning
to release a new guidance document later this year (2021) entitled Computer Software
Assurance for Manufacturing and Quality System Software. This guidance will create
opportunities for streamlining documentation by shifting the focus of CSV processes towards
critical thinking, risk management, patient and product safety, data integrity, and quality
assurance.
Even though this guidance is being developed for the medical device industry manufacturing,
the FDA has indicated that it will be suitable for R&D, clinical, and other groups within
pharmaceutical, biotech and medical device companies that are currently following electronic
records and signatures and CSV regulations. The guidance should be considered when
deploying non-product, manufacturing, operations, and quality system software systems such
as:
With the implementation of this Computer Software Assurance (CSA) guidance, many new
opportunities and freedoms will become available to life science companies previously
weighed down by the attention to documentation demanded by CSV. In this blog, we will
discuss some of the key components of CSA, along with best practices for making the shift.
Page 7 of 20
Documentation will always be a vital part of the process, but it is more important to have a
high quality, safe product that meets patient needs, rather than robust documentation that
passes an audit cycle. The intention of the upcoming CSA guidance is to support product
quality and patient safety by emphasizing critical thinking in the validation process. The FDA
wants manufacturers to spend 80% of their time on critical thinking in order to apply the right
level of testing to higher-risk activities, with only 20% of time spent documenting.
By stressing critical thinking in the validation process, the FDA is emphasizing a risk-based
approach to streamline validation based on the International Society of Pharmaceutical
Engineers (ISPE) GAMP® 5 model. This means that while all aspects of the system used in
manufacturing must be tested, only components essential to the quality of the product and
safety of the patient need to be subjected to full validation rigor. This frees up both testing
and validation resources to allow more value-add activities to occur.
1.
1. Identify the software’s intended use. The CSA approach starts with identifying
intended use of the software or software feature. If the system directly impacts
patient safety, device quality, or quality system integrity, then it would be
considered a direct system (e.g., software within the device, electronic device
history, adverse event reporting, etc.). If it does not, then it would be considered an
indirect system (e.g., lifecycle management software).
2. Prioritize risk and determine your approach. This is where you use critical thinking
to develop a validation methodology appropriate to the risk of the system. The FDA
knows that you will have the best insights into how risk is introduced into your
products and where it matters, and they expect you to have an element of
understanding and control about your product and processes. You’ll want to be able
to tell your story to an auditor by explaining in detail where risk is being introduced.
For validation purposes, it will be important to delineate where the system in
question could introduce risk, versus what is a process risk, and use critical thinking
to calculate the risk impact of the system or system feature on patient safety and
product quality. Note that a “low risk” designation for a system is only accurate if
the system’s failure has no impact on patient safety and product quality. If failure
has an impact, then the risk assessment is inaccurate.
Page 8 of 20
3. Leverage vendor documentation where possible. Audit your software vendors. If
they have quality documentation and validation in place, it can be used for medium
and low risk features. You don’t need to perform rigorous validation procedures and
extensive documentation for out-of-the-box software that’s already been validated
by the software vendor.
4. Conduct testing activities based on determined risk level. For high-risk (direct)
software and features, extensive validation activities (scripted testing) and
documentation will still be necessary. At a minimum, validation activities in this
instance will include a test objective for the test script, a step-by-step test
procedure, expected results, a pass/fail designation, along with thorough
documentation. For medium risk features, vendor documentation or unscripted
testing (a test objective and a pass/fail, but no step-by-step test procedure) can
often suffice. For indirect systems that do not affect patient safety or product
quality, vendor documentation, or in some instances little to no validation at all can
be sufficient.
The objective of the CSA guidance is to promote critical thinking, more testing of the
system’s intended use, and less functionality testing. As a result, Kalleid expects to see the
upcoming CSA guidance lead to less out-of-the box functionality testing and a bigger focus
on User Acceptance Testing (UAT), where users test their business processes and the
intended use of the system.
Perform a validation assessment. To best take advantage of the new CSA guidance, you
need to assess your current environment. How much time are you currently spending
planning, designing, testing, documenting, etc.? Document your current validation processes,
resource utilization, and gaps with CSA methodology.
Develop a transition plan. Now that you have documented your current environment, you
can develop a transition plan that focuses on key aspects of the CSA approach – new
streamlined validation processes, critical thinking, product quality, patient safety, data
integrity, operational efficiency, and effectiveness. This should include quantifiable metrics
that allow you to measure your operational performance (e.g., costs, time spent on validation,
etc.).
Audit your vendors. Audit your vendors to determine the quality and availability of their
validation documentation. This can allow you to begin using vendor documentation to satisfy
regulatory requirements for appropriate medium and low risk systems.
Develop a change management plan. You cannot accomplish an effective transition to CSA
without supporting your people to make the change. You’ll want to put communication and
training programs in place to support changing the culture of your organization from a
compliance-centric mindset to quality-focused culture. These programs will support your
team in understanding key CSA concepts like critical thinking, risk-based approach, product
quality, patient safety, data integrity, value-add activities, etc.
Page 9 of 20
Once the guidance is officially released, the details will become clearer on how best to
implement the CSA methodology. Until then, check the CDRH website for the latest updates.
Conclusion
Computer system validation procedures emphasize elaborate documentation requirements to
ensure auditors have a detailed overview of all aspects of applications being used to
manufacture a product. Instead of assuring product quality, these extensive documentation
requirements have become somewhat of a bottleneck and a burden to life science companies,
effectively deterring investment in more automated IT solutions.
The new CSA guidelines are the FDA’s attempt to rectify this problem, emphasizing patient
safety, product quality, risk control, and critical thinking, which is a major reorientation of
the previous CSV framework. Instead of having documentation at the forefront like CSV, the
CSA flips this structure completely and establishes critical thinking as its principal phase.
Benefits that can be realized from this new approach include reduced software development
and implementation times, reduced costs, reduced documentation, and more effective
software systems.
As the FDA prepares to release its new CSA guidance, life science companies need to be
proactive and develop a strategy to transition to the new CSA methodology that focuses on
patient safety, product quality, and data integrity. Industry-leading organizations often partner
with knowledgeable consultants to ensure a successful transition from CVS compliance to
CSA innovation.
Page 10 of 20
Let USDM manage all your Validation and Qualification
needs.
From methodology development through end-user training, we ensure your systems are
compliant. Our validation best practices and test automation capabilities significantly
decrease your implementation and validation time.
Whether you are still using the traditional CSV approach or are ready to take the first
steps to a more modern CSA approach to improve your quality and efficiency, we can
help!
USDM has experience qualifying, verifying, and validating the myriad systems, equipment,
and processes that are found in most life sciences GxP environments, both on-prem and
cloud-based. Our expertise includes but is not limited to:
Have a question about how we can work with your speciifc GxP system setup?
Fill out our contact form with your system requirements and we can review them.
Page 11 of 20
What is USDM’s Computer System Validation (CSV) methodology?
Our current methodology aligns with Good Automated Manufacturing Practice (GAMP) best
practices and includes the following:
Vendor Audit
Validation Plan
Part 11 and Annex 11 Assessments
Risk and Impact Assessments
User Requirements and Functional Specification
IQ/OQ/PQ/UAT Protocols and Test Scripts and Execution Assistance
Traceability Matrix
Administration, Use and Operation SOPs
Business Process SOPs
Validation Summary Report
Specific documents and deliverables will depend on GAMP category. Contact USDM today
to discuss your specific CSV needs.
What about the Computer Software Assurance (CSA) guidance coming from the FDA?
To harmonize with international standards, the FDA's Center for Devices and Radiological
Health (CDRH) plans to release a new draft guidance, “Computer Software Assurance for
Manufacturing, Operations, and Quality System Software,” that aligns with the current
quality systems regulation ISO 13485. With the FDA changing focus from compliance to
quality and encouraging the use of automation and new technologies, USDM is already
modernizing and practicing a more streamlined approach to CSV and in the process of
updating our Cloud Assurance methodology to include a true, risk-based, CSA approach. We
can help you develop your CSA approach too!
In 2011 the Center for Devices and Radiological Health (CDRH) initiated the Case for
Quality, a new program that identified barriers in the current Validation of Software in
Medical Devices guidance (released in 2002). The current guidance focuses on software,
which is an integral part of the medical device but does not clearly address the many software
systems that support the quality of a medical device. The CDRH is working on a new draft
guidance “Computer Software Assurance for Manufacturing, Operations, and Quality System
Software” that will allow manufacturers minimize their existing computer system validation
(CSV) efforts and documentation burden and focus on more efficient approaches, including
automation, to improve their overall process and product quality. This guidance is founded on
a true risk-based approach systems assurance, which should be considered when deploying
non-product software systems.
Page 12 of 20
Non-product quality system software (i.e., ERP, LIMS, LMS, eDMS, and QMS applications as
well as software tools)
Principles and approaches are applicable now to all regulated organizations
As part of their Case for Quality program, one of the top priorities for the FDA's medical
devices center, the FDA identified several barriers with CSV:
As part of their Case for Quality program, the FDA participated in several pilot programs that
consistently delivered the below results;
CSA Education and Training – USDM can help teach and mentor your teams on CSA
principles and how to apply critical thinking to your process
o Increase awareness and knowledge about CSA principles and benefits
o One-off courses, reoccurring training, GxP training for suppliers, and more
o Training customized to your business needs and processes
o Onsite or virtual programs
CSA Assessments – USDM can assess your CSV process and recommend CSA changes based
on your quality of documentation, SOPs/WIs, testing, use of automation, performance on
audits, etc.
o Evaluate your current CSV process for quick wins and longer-term improvements
o Prioritize recommended changes based on business justification
Page 13 of 20
o Improve your vendor qualification process
o Build a CSA roadmap based on your business priorities
CSA Development and Methodology – From vendor selection to methodology
development to end-user training, USDM can transform your CSV into a CSA approach and
help drive adoption across your organization
o Implement fast-start improvements to your processes
o Develop and execute pilot programs
o Deliver complete overhauls to your CSV processes and procedures
Cloud Assurance – USDM can manage your entire CSV or CSA process and deliver an end-
to-end GxP compliant managed service, including the continuous maintenance of all your
cloud vendor releases
o Assist with cloud vendor selection and RFP process
o Manage cloud vendor assurance, vendor qualification, and maintenance of new
releases
o Leverage automated regression testing
USDM is on the cutting edge of technology and compliance and we are watching the FDA’s
Computer Software Assurance guidance closely. We already have progressive solutions in
place and can save you significant time and money on your validation programs. Please
contact us to discuss your unique challenges today.
Additional Resources
The goal of the webinar was to provide clarity on what the upcoming computer software
assurance (CSA) guidance means for regulated life sciences companies and what you can
do today to start preparing. Watch the on-demand webinar here.
If you have questions that are not answered in this Q&A, please contact us
at usdm@usdm.com.
What is the difference between computer system validation (CSV) and computer
software assurance (CSA)?
If you think of the 80/20 rule, the current CSV methodology has manufacturers spending
80% of their time documenting and only 20% of their time testing. The FDA wants to flip
this so that 80% of a manufacturer's time is spent on critical thinking and applying the right
Page 14 of 20
level of testing to higher-risk activities, while only 20% of their time is spent documenting
(CSA methodology). This critical thinking should be focused on three questions:
Using a risk-based approach is nothing new, and regulatory agencies such as the International
Society for Pharmaceutical Engineering (ISPE) who author Good Automated Manufacturing
Practice (GAMP®) have been advocating this for two decades.
CSA is a framework designed to help manufacturers achieve CSV. CSA will provide clarity
on the stance and methodology used to determine what is high risk and what is not, therefore
minimizing misinterpretation by manufacturers. The clarification in the CSA approach flips
the paradigm to focus on critical thinking (risk-based), assurance needs, testing activities, and
documentation, in that order.
Too much work is done for fear of regulatory punishment instead of fear of putting a poor-
quality product on the market. For software not used in a product, manufacturers are referring
to burdensome guidance that is more than 20 years old, trying to avoid FDA Form 483
observations and warning letters from FDA investigations and third-party consultants.
Nothing should be done for fear of regulatory observations. Instead, the focus should be on
testing for higher confidence in system performance and applying the right risk-based
assurance rigor for a given level of risk to patient safety and product quality. The new CSA
framework also enables manufacturers to "take credit" for prior assurance activity and
upstream and downstream risk controls like vendor qualifications.
What does “software not used in a product” (or non-product software) mean?
Non-product software is any software that is not directly used in a medical device, Software
as a medical device (SaMD), medical device as a service (MDaaS), or end-product. It
includes all of the software used in manufacturing, operations, and quality system activities
that would follow the 21 CFR Part 820.70(i) guidance.
The short answer is no, the new CSA framework isn't just for medical device companies.
There are a lot of potential applications for all of life sciences.
The FDA’s Center for Devices and Radiological Health (CDRH) is working on this new draft
guidance in cooperation with the Center for Biologics Evaluation and Research (CBER) and
the Center for Drug Evaluation and Research (CDER). It is founded on a true, risk-based
approach that should be considered when deploying non-product, manufacturing, operations,
and quality system software solutions such as:
Indirect systems do not have a direct impact on patient safety or product quality (for example,
tools used in your CSV process like bug tracking systems or load testing and lifecycle
management tools that do not directly impact the product). Indirect systems require less
documentation.
Direct systems have a direct impact on patient safety or product quality—like electronic
device history or adverse event reporting—and may require increased testing based on risk.
In other words, the riskier a system impact is to the end-product and to the safety of the
patient, the more testing and documentation is required.
The FDA has started citing companies for inadequate CSV efforts. How will inspectors
be trained on the CSA initiative?
The FDA is undergoing an extensive training program for its auditors and is rolling out an
agency-wide Case for Quality program. Further, the FDA is creating a Digital Center of
Excellence, where it will encourage manufacturers to reach out to the FDA to ask questions
on their processes and procedures before an audit takes place. The goal is to provide more
collaboration throughout the process and minimize this fear of regulatory observations that
have led to misinterpretation of the original intent of the guidance.
Has the FDA reached out to other regulatory agencies such as MHRA, EU, etc. to verify
that this approach is acceptable for companies who sell overseas?
Yes, the FDA has been working on the Case for Quality program in tandem with its sister
agencies abroad.
The U.S. Food and Drug Administration (FDA) is expected to release the Computer Software
Assurance for Manufacturing and Quality System Software guidance in 2021. As always, this
framework is acceptable today under current guidelines and the FDA is encouraging the
industry to adopt it even prior to release. The guidance was initially expected in 2020, but
was delayed due to COVID-19.
USDM is on the cutting edge of technology and compliance, and we are watching the FDA's
CSA guidance closely. We already have progressive solutions in place and can save you
significant time and money on your validation programs. Programs include:
CSA Education and Training – USDM can help your team with a pilot project; train and
mentor your teams on how to apply the critical thinking; develop a risk-based approach; and
consult on automated testing processes.
CSV/CSA Assessments – USDM will take a holistic approach to assess your current CSV
process and make recommendations to get you to a true, risk-based CSA process according
to your current state (i.e., quality of documentation, testing, SOPs/WIs, use of automation,
and audit performance).
CSV/CSA Methodology – USDM can revamp your entire CSV process and digitally transform
it into a CSA process. From methodology development through end-user training, USDM will
assure your systems are compliant.
Page 16 of 20
Cloud Assurance – USDM provides a subscription service to deliver end-to-
end GxP compliance of your cloud systems. From implementation through ongoing
validation maintenance—including new releases—USDM can manage and lighten your cloud
validation burden.
As the manufacturer—the company and people producing the product—you know the
business and you know the processes. You've got the best insight into how risk is introduced,
where it matters, and what's going on from a process standpoint. Critical thinking is
considering where the system could introduce a risk versus what is a product or process risk.
This helps you tell your story, whether it is to the FDA or an arbitrary regulator and auditor.
Demonstrate that you can tell that story, that you've got the element of understanding and
control about your product and your processes. There is no one-size-fits-all for any company
or system. The FDA wants to know that you really understand your processes and systems
and that you are in control. Ensure that you can tell the FDA you know where the risk is
being introduced, how you will mitigate the risk, and whether the controls you put in place
are working.
What does CSA mean for GAMP? Will GAMP become obsolete?
The impending CSA guidance is not going to create new concepts per se. It intends to
simplify and clarify the use of non-product software and maximize testing efforts while
minimizing documentation for lower risk, non-product software systems. There is no
misalignment with GAMP 5. CSA is what the FDA intended all along but lacked clarity, and
the misinterpretation resulted in too much documentation for documentation's sake instead of
better quality.
Installation qualification: The vendor often does a good job of installation testing; still, it's
smart to turn on the equipment, log in, and make sure it works. That's pretty low risk, because
if it doesn't work, that will be obvious. Additional tasks would be to ensure you have all of
your required user manuals, vendor qualifications, and the like.
User acceptance testing (UAT): Focus on your business processes and how they work within
the system and how you wanted them to work within the system. This is where we expect to
see much more of the testing being done and far less on the actual functionality or out-of-box
functionality.
If you would like a consultation on your current CSV processes and a plan to move to a CSA
approach, please contact us at compliance@usdm.com.
If you have questions that are not answered here, please contact us at usdm@usdm.com.
Page 18 of 20
the evidence that computer systems are correct for their purpose and operating
properly represents a good business practice.
Promotes continual process improvement. Software is constantly evolving to keep up
with the increasingly complex needs of the people that use it. Therefore, validation is
an ongoing necessity.
Software Implementation
You want to implement a new computer system to increase productivity and lower costs. The
computer system includes hardware, software, processes, and instructions used to train your
workforce. Most companies mine their IT departments and software vendors to find a project
leader. What usually occurs is a series of delays, errors, and rework that result in more and
more costs. What was your experience the last time you were involved in a software
implementation project? Improper systems implementation causes a reduction in
productivity, frustrates employees, and brings a sour mood to the corporate culture.
Most organizations have experienced staff to do some of the needed activities but rarely is
there someone present that has sufficient skills and experience to lead a complete software
implementation project (also known as system implementation). The main reason companies
don’t have this resource is that it isn’t a full time permanent position; at least you hope it
doesn’t turn out that way.
David Nettleton has successfully completed projects for a wide range of industries that
include, electrical engineering, software development, telecommunications, nuclear power,
medical devices, and pharmaceuticals.
Steve Cates has been implementing ERP systems since 1986, before it was referred to as
“ERP.” His background combines experience in both finance and operations so he is able to
assist in the implementation and validation of accounting software, manufacturing, and
distribution modules. He combines selection and implementation project management with a
background in validation and compliance.
Page 19 of 20
Together, David and Steve will help you achieve your goal of a speedy, cost effective
implementation of your ERP solution, insuring it is compliant, and maximizing the return on
your investment.
We use a consistent time proven approach that has the following benefits:
Page 20 of 20