Computer System Assurance Self-Assessment

Computer software assurance is a risk-based approach for establishing and maintaining confidence that software is fit for its intended use. As the computer software assurance effort is risk-based, it follows a least burdensome approach, where the burden of validation is no more than necessary to address the risk. Such an approach supports the efficient use of resources, in turn promoting product quality.

CSV/CSA Standard Operating Procedure (SOP) is a Step-by-Step Guide for Achieving Compliance in the Pharmaceutical, Medical Device, and Biotech Industries.

EDMS system are used to create, approve and store all the validation documents in a validated computer system. Test Management system is used to create, approve and store the requirements, qualification protocols, execution logs and Defects in a validated computer system. Quality Management system include software for document control, change control, corrective and preventive actions (CAPA), training management, audit management, and other quality-related functions.

Change control is integral to computer software assurance as it helps maintain the stability, reliability, and security of software systems. By systematically managing changes, organizations can mitigate risks, ensure compliance, and foster a controlled and accountable environment for software development and maintenance.
Change control should be implemented and validated for its effectiveness. Validation involves confirming that the implemented process operates as intended and achieves the desired outcomes. Validation helps build confidence in the reliability of the process and its ability to manage changes in a controlled and efficient manner within the software assurance context.

A risk based approach carried out to determine the GxP Criticality of change request/system.

Supplier assessment involves evaluating the capabilities, reliability, and compliance of third-party vendors providing components, software, or services for a validated computer system. This process ensures that the suppliers meet predefined quality standards and regulatory requirements essential for the successful implementation and maintenance of the validated system.

GxP risk assessments are carried out to determine the level of impact a computer system has on product quality, patient safety, or data integrity. Based on the intended use, the system falls into one of two categories: software that is used directly as part of production or the quality system and software that supports production or the quality system.
Conduct a thorough analysis, involve stakeholders, consider regulatory requirements, assess risks, and use established frameworks to classify the system based on its intended use. Properly classifying a system is crucial for implementing effective software assurance measures, as the level of assurance required often varies based on the system’s purpose, criticality, and potential impact. This classification is foundational for implementing effective software assurance practices tailored to the specific needs and risks of the software system.

This occurs during revalidation of the system. It offers the opportunity to check that the systems are still operating as originally validated and that no unintended changes have affected the process, system or piece of equipment and the end result.

Assessment on 21 CFR Part 11 and Data Integrity – It establish measures to ensure the trustworthiness, reliability, and equivalence of electronic records, electronic signatures, and handwritten signatures on electronic records to their paper counterparts.

Functional Risk assessment is a process of identify the potential business and compliance risks associated with each functional requirement, strategy to mitigate those risks and determine the level of testing required for each FRA classification.

Training is a cornerstone of successful software assurance. It equips individuals with the knowledge and skills needed to create high-quality, secure, and reliable software systems while fostering a culture of continuous improvement and collaboration within teams.

Quality risk management is a proactive approach to identify, assess, and mitigate risks associated with the implementation, operation, and maintenance of computer systems used in regulated environments. This process involves systematically analysing potential risks to data integrity, product quality, and patient safety throughout the system lifecycle. Key steps in quality risk management include risk identification, risk assessment, risk mitigation, and risk control.

SOPs for the creation and maintenance of deviations, non-conformances and Corrective and preventive actions (CAPAs) are crucial to meet the regulatory compliance and audits.

Periodic review refers to the ongoing and systematic assessment of a validated computerized system to ensure that it continues to operate in compliance with predefined requirements and regulatory standards. This review process is essential for maintaining the validated state of the system throughout its lifecycle

For high-risk software features, functions, and operations more rigor such as the use of scripted testing or limited scripted testing required.
In contrast, for software features, functions, and operations that are not high-risk, may consider using unscripted testing methods such as ad-hoc testing, error-guessing, exploratory testing, or a combination of methods that is suitable for the risk of the intended use.

When establishing the record, capture sufficient objective evidence to demonstrate that the software feature, function, or operation was assessed and performs as intended.

The utilization of automation tools in assurance activities is instrumental in enhancing the efficiency, reliability, and effectiveness of software development and testing processes. The benefits include faster execution, improved test coverage, early defect detection, resource optimization, and seamless integration with modern development practices like CI/CD, ultimately leading to higher-quality software products.