By following six steps, regulated companies are better positioned to adopt and validate computer software with ease.
Software validation is one of the most time-consuming and resource-intensive activities a company can encounter when implementing and using computer software in a regulated environment. These activities often delay an organization's ability to implement and go live with new software or features.
If your company is regulated by the Food and Drug Administration (FDA), you are required to validate your electronic systems to comply with 21 CFR Part 11 and 21 CFR 820, among other regulations. While the FDA requires software validation, it does not specify how to validate. Rather, the agency wants evidence that you've documented how you intend to validate, and then wants you to prove that you've done it the way you specified. The goal is to ensure the software will work as expected for your use cases and to ensure that any invalidated or altered records are easily identifiable.
The FDA recently published a draft guidance for Computer Software Assurance, which is intended to further clarify how to use a risk-based approach to assure device quality and patient safety. Drawing on this guidance, the six steps below help reduce the time, pain, and cost of the software validation process while ensuring the highest levels of quality and safety.
Companies should select vendors who have robust testing practices and products already in place for both the functional and best practice validation scenarios. As part of the selection process, they should conduct a vendor audit to better understand the vendor, its software, and its development and testing practices. Importantly, an audit also helps establish a working relationship between the customer and vendor. Audits can also be done immediately after the software purchase, while planning validation activities, or as part of a periodic review process. By understanding, having input to, and gaining confidence in the vendor's development practices, companies have greater flexibility to leverage the test efforts that the vendor is already performing, rather than spending time recreating them.
Defining your risk framework involves identifying the intended use of the software, determining the risk-based approach you will use, identifying appropriate assurance activities, and establishing the records you will need to maintain. Though defining risk frameworks can often be daunting, by first defining the intended use and then categorizing those activities as simply high risk or not high risk, you can greatly streamline this process. MasterControl’s patented Validation Excellence tool (VxT) further automates the risk assessment process by presenting the changes in each release and assigning a calculated risk score, enabling you to quickly identify any areas that may require additional scrutiny.
You should have a robust change control process in place, with FDA software validation a part of that process. Change control helps you handle system changes in a controlled way, providing a framework whereby you can evaluate proposed changes, assess their impact, and schedule, test, and implement them. With a solid risk framework and change control policies in place, the overall validation activity is more likely to remain specific and focused, which keeps the testing effort from driving up time and budget requirements.
Waiting years to upgrade typically increases the time and effort required for the software validation process. By staying current with smaller software releases, you're more likely to minimize the validation effort. Smaller releases generally have fewer changes, which means less risk, less code complexity, and lighter validation requirements. As a result, validation will take less time and cause less drain on company resources. Simply put, staying current with releases enables you, on a risk-based level, to validate only those areas of code that are affected, rather than the entire software suite.
Rather than duplicate validation work that your vendor does, leveraging the vendor's work and documentation will save significant time and effort in your software validation process. For example, test activities performed as part of MasterControl's software development lifecycle include significant automated unit and integration testing, functional testing, defect and enhancement verification, scalability testing, and more. Full regression testing is executed multiple times per day. MasterControl also performs comprehensive validation (IQ/OQ/PQ) testing. The Transfer OQ/PQ (TOQ/TPQ) provide completed validation and support documentation of validation tests performed. The vendor audit provides confidence that companies can use this documentation for their own regulatory test evidence.
The vendor’s testing should ideally cover all your high-risk processes. However, it can be difficult to anticipate all customer scenarios. In these cases, additional testing may be necessary. This testing should be defined by the risk framework and be executed according to your risk assessments and tolerance. If you perform the first five steps successfully, you should have minimal testing to do yourself.
As practiced by many companies today, FDA software validation is the single most costly, resource-intensive, and time-consuming aspect of installing new or upgraded computer software. As recently as five years ago, it wasn't unusual for regulated companies to expect to pay three times the cost of the software in validation and related services.
Done right, however, validation can help reduce overall costs by ensuring that the right system is built and that it functions as intended. Proper risk-based validation can help companies remain in a validated state, even when faced with frequent software upgrades.
By following the six steps laid out above, companies that do business in regulated environments are much more likely to adopt and validate the latest software quickly and efficiently, so they can focus more on their business activities and less on the business of validation.