COMPUTER SYSTEM ASSURANCE VS VALIDATION: WHICH IS BETTER FOR PHARMACOVIGILANCE SOFTWARE?
If you're involved in the procurement or quality efforts surrounding pharmacovigilance software (or any other form of computer system for that matter), there are two terms that you are likely to have come across by now: computer system assurance and computer system validation. Though they may seem similar, they actually refer to two distinct processes that ultimately ensure the same level of reliability, safety and security of computerised systems. To understand the benefits of both and to make an informed decision on which approach is appropriate for your organisation, considering the differences is worthwhile.
Computer system assurance (CSA) involves identifying potential risks, analysing them, and implementing measures to mitigate these risks, with the goal of providing confidence in the system's ability to perform as expected and to prevent or minimise potential failures that could lead to harm. Computer system validation (CSV), on the other hand, refers to the process of verifying that a computer system meets its intended purpose by ensuring that the system is designed and implemented to meet specific requirements, and that it operates correctly and consistently. Unlike CSA, the primary goal for CSV is to provide substantial evidence that the system is fit for its determined use.
CSA is typically achieved through a variety of activities such as risk assessments, testing, monitoring and auditing. For example, a risk assessment should identify potential vulnerabilities in a system and testing should involve simulating all high/medium risk scenarios to ensure that the system can handle them. Monitoring and auditing are ongoing processes that ensure the system remains reliable and secure over time, with a heavy focus on the system integrity and its trustworthiness.
Alternatively, CSV calls for more documented evidence of the system life cycle such as requirements gathering, design documentation and meticulously detailed test scripts testing every feature and function of the system. Documentation is a key component of CSV, as it provides evidence that the system was designed, implemented, and tested in accordance with specific standards and regulations.
In the past, CSA has been considered a futuristic concept and for the highly regulated PV industry, it is often assumed that an excess of evidence is equal to better quality controls, therefore favouring the longstanding CSV approach. It may also be overlooked that both CSA and CSV processes call for clear documentation and definitions of intended use, however with differing steps to get to a specific end goal. It should be noted that this stance is seeing a shift throughout the industry and regulatory authorities such as the FDA have been referencing and providing training on CSA with increasing regularity.
"If you think of the 80/20 rule, currently, many manufacturers spend 80% of their time documenting and only 20% of their time testing. The FDA wants to flip this to be 80% of a manufacturer's time spent critically thinking and applying the right level testing for higher-risk activities, and only 20% of the time documenting. This critical thinking and rigor should be focused on three questions: Does this software impact patient safety? Does this software impact product quality, and how does the software impact your quality system integrity?"
Update from the FDA on CSV Changes. Presented by Cisco Vicenty (FDA) & Sandy Hedberg (USDM)
To recap, the CSA approach is to focus first on critical thinking (risk-based), then assurance needs, testing activities, and finally, documentation and whilst it can be argued that the CSV approach is less efficient, it is more widely recognised and trusted, particularly in the PV industry. So, if both approaches are recognised as suitable validation efforts, choosing the right approach should come down to your organisation's objectives.
Case study - a computerised system provider
To gain insight, we asked a computerised system provider what their preferred approach is and why, here is what we learned:
To meet the demands of customers and audits, evidential documentation is crucial. However, for a pre-validated system, a risk perspective provides an additional viewpoint into the continuity of the system against its existing functionality, whilst collecting an appropriate level of evidence and thus meeting the required regulations.
"As a software provider, the CSA approach provides the desired level of validation proof that CSV can, but with additional benefits":
More Flexible - CSA allows organisations to develop and implement customised approaches that fit their specific needs and requirements. When you consider the variables between computerised systems, it is clear that a 'one-size fits all' approach may focus heavily on areas that are less applicable and perhaps less on the areas that are of higher importance. With CSA, organisations are able to tailor their quality and compliance processes to suit their unique circumstances.
Continuous Improvement - CSA emphasises continuous improvement, whereas CSV is a repetitive process. The assurance approach encourages ongoing monitoring, evaluation, and optimisation of systems to ensure that they remain compliant, efficient, and effective. This ensures that the system is constantly evolving with the changing business needs.
Enhanced Quality - CSA is an ongoing process. By focusing on continuous improvement, organisations can ensure that their systems continue to be of the highest quality possible and that the system is maintained to the standards that are required. Considering both the current functionality and potential risks assists in identifying suitable improvements or actions that are appropriate and effective in addressing said risks.
Reduced Costs - CSA can be less costly than CSV, as computer system validation requires an extensive amount of documentation and testing to be completed before the system can be approved for use. A time-effective, risk based approach focuses on critical areas of the system by testing and documenting those areas involved in change and that have an identified risk. Therefore, a cost effective approach allows providers to routinely schedule improvement upgrades and, in the case of a good provider, at no extra cost.
More Agile - CSA allows organisations to quickly adapt to changes in business processes and technology without compromising compliance. This is particularly important for those who deal with multiple regulatory authorities with differing (and continually evolving) guidelines and where technology, methodology and business practices are advancing.
In conclusion, while both computer system assurance and computer system validation are important approaches to ensure the quality and compliance of computerised systems, one usually suits an organisation better than the other. Ultimately, the end goal should be factored into the decision and the reasoning behind such a choice should be backed by clear intentions.