By Allan Marinelli and Howard Mann
The pharmaceutical industry, under the FDA and other regulatory bodies, has been utilizing computer software validation testing methodology to validate software that is categorized to be GxP by using an approach in alignment with the principles of good, automated manufacturing practices (GAMP) since the first published guidance in 1994.1,2
The first edition of GAMP 5 was published in 2008, and it was used by the applicable industries until the second edition was made available for download from the International Society for Pharmaceutical Engineering’s (ISPE) website in July 2022.
There have been numerous discussions within both the pharmaceutical and the medical device industries related to endorsing more practical, efficient guidelines based on ideas generated by private corporations throughout the years. These focused on adhering to good manufacturing practices (GMP) that included lessons learned, while maintaining or supplementing or encapsulating the quality paradigms (CFR Part 11, CFR 210, 211, GAMP 5, EMA Annex 11, etc.) that are intrinsic to the life cycles of computerized systems.
As a consequence, discussions around computer software assurance2 (CSA) center on bringing it into closer alignment with the current Industry 4.0 standards, as opposed to continuing to use the more prescriptive and restrictive compliance approaches derived from the amended 1997 General Principles of Software Validation.3
The FDA Center for Devices and Radiological Health has endorsed the Case for Quality4 (CfQ) since 2011, to enable medical device manufacturers to further enhance or augment the performance outputs of the devices while simultaneously maintaining quality and safety for patients. The Technical Information Report AAMI TIR45: 2012/(R) 2018 titled Guidance on the use of Agile practices in the development of medical device software4 can be looked upon as an example of CfQ in terms of enabling the augmentation of software performance output testing from the developmental phase to the release phase of the software, while maintaining the regulatory compliance requirements at an acceptable level based on deciphered risk assessments.
Moreover, over the years, pharmaceutical manufacturers have been using computerized scientific risk-based assessments and approaches to validate computerized or automated systems in alignment with ISPE GAMP 5 guidelines. This includes performing more stringent testing on critical systems (e.g., performing negative testing, regression testing to account for potential critical failure modes, etc.) or testing of critical operational functions, versus less stringent rudimentary testing for non-critical operational functions.
Agile is a methodology used in the development of software from its inception phase to its release phase that involves continued overlapping review iterations (“sprints”). It was utilized by many industries, although not including the pharmaceutical and medical device industries until recently. This methodology involves close alignment, or synchronization, with the programmers’ software programming approaches that initially were noticed by the public in the 1990s. Moreover, recently Agile has gained enough momentum to potentially be encapsulated into the quality management systems (QMS) applicable to the medical device industry. This led to the proposed guideline per AAMI TIR45:2012/(R)2018, Guidance on the use of Agile practices in the development of medical device software.5
The use of Agile methodologies for validation of computerized and automated systems within the QMS was also being discussed by various pharmaceutical and biotechnology companies (e.g., gene therapy companies, etc.), as a current theoretical or empirical topic toward potentially endorsing an Agile approach under certain conditions aligned with the current GAMP 5 2nd edition standards and QMS requirements.
Note that the GAMP 5 2nd edition guideline6,7 is not a prescriptive method, but it is intended to provide overall guidance and tools for the user to factor into a wide range of other models, methods, and schemes, such as:
- Quality systems standards and certification schemes, such as the ISO 9000 Series
- ISO 14971 Medical devices - Application of risk management to medical devices
- Assessing and improving organization capability and maturity, such as Capability Maturity Model Integration (CMMI)
- Software process models such as ISO 12207
- Iterative and incremental (Agile) software development methods and models
- Approaches to IT service management, such as ITIL
- Full compatibility with the approach described in the ASTM E2500 Standard Guide for Specification, Design, and Verification of Pharmaceutical and Biopharmaceutical Manufacturing Systems and Equipment
The remainder of this article will describe a conventional computerized system validation approach and its pros and cons and discuss how it differs from computer software assurance and Agile methodologies. In part two of this series, an Agile approach will be further discussed to show how it can be used and aligned with the pharmaceutical, biotechnology, and medical device industries QMSs.
Conventional Computerized System Validation (CSV) Approach
The pharmaceutical and biotechnologies industries have understood for many decades that the computerized system validation approach was used to mirror the guidance as stipulated in the GAMP, which has been intrinsic to the quality assurance and management of IT, CSV, and automated systems. Software validation in the medical device industry followed the General Principles of Software Validation, Guidance for Industry and FDA Staff, issued on Jan. 11, 2002, coupled more recently with reference on the use of Agile practices in the development of medical device software (AAMI TIR45: 2012 (R) 2018).
Computer system validation (CSV) can be defined as a methodology or a process for verifying that the computerized and automated systems in question are meeting their specified design attributes/criteria in alignment with objective evidence of conformance to the specifications. It ensures that the systems are operating in synchronization with the user’s intended uses and all applicable requirements on a consistent basis.6
In addition, CSV uses a risk-based approach as part of the testing methodology by focusing on the identified critical functions or attributes. This has been an improvement compared to methods used over 25 years ago, when lots of unnecessary tests were repeated numerous times. For example, systems that were tested in the FAT (factory acceptance testing), despite numerous passing results, were also re-tested in commissioning, and then re-tested again in SAT (site acceptance testing). Moreover, a large percentage of the previous identical tests were also repeated in IQ (installation qualification)/OQ (operational qualification) and even, at times, also during the performance qualification (PQ).
CSV provides the user a sequential deployment of development and testing methodologies, or an approach baseline, when verifying that the computerized and automated systems are functioning on a consistent basis and are maintaining the human, equipment, and computer interactions to manufacture the GMP products without hampering or affecting the associated quality attributes.
Despite the fact, that CSV has been used throughout the years to represent a baseline in tackling the computerized systems, as mentioned in the Pros section above, the CSV methodology concentrates on more prescriptive measures (enabling linear thinking or a waterfall approach). This creates inadvertent limitations on stakeholders, hindering their ability to acquire the necessary bandwidth to potentially incorporate other viable added-value ideas during the inception of the software through to its release phase (life cycle).
Moreover, when attempting to enable users to quickly change the user requirements, among other validation deliverables, as efficiently as possible during the operational phase in response to rapid business changes, this inevitably results in the programmers’ interactions being lost in translation. In this waterfall (or linear) approach, the programmers’ potential added-value inputs into the programming of the software would be given a placeholder status. Consequently, capturing the new ideas using the waterfall methodology would result in the newly generated ideas (software performance enhancements or diminished output of bugs) being accounted for in numerous subsequent software releases as opposed to in the next software release, as they would be using the Agile methodology.
What Are the Computerized Software Assurance (CSA) And Agile Methodologies?
Computer software assurance can supplement the traditional approaches or represent a step change in computer system validation while still maintaining the fulcrum of CSV at the core of its critical thinking, as opposed to endorsing a one-size-fits-all or linear approach as in the traditional CSV waterfall approach.
CSV focuses on creating an exhaustive list of documents, in an attempt to ensure that the auditors acquire a satisfactory outlook of the detailed systems overview of each part of the manufacturing of the product.
This inevitably creates many unnecessary bottlenecks when attempting to fulfill arrays of documentation without much added value in the testing of the software’s output functionality. Instead, a portion of that time could be spent using automated tools to supplement the evidence from testing or realigning or regauging the testing methodology by primarily focusing on what is essential to the product and the safety of the patient supported by scripted tests used in CSV.
On the other-hand, Agile does not denote a specific methodology, approach, or practice, but is an umbrella terminology that is typically used in the software or product development derived from three aspects:5
- fits with the spirit of the Manifesto for Agile Software Development,8 see http://www.agilemanifesto.org
- is more empirical than deterministic
- is evolutionary and frequently iterative.
In addition, Agile emphasizes close collaborations through face-to-face communications between the programmers and the business experts, encompassing self-organizing teams to craft the code and attain usable testable requirements, as opposed to the less efficient focus on writing an exorbitant amount of documentation with less testable output.
Therefore, Agile takes the approach of focusing on further testing of the software boundaries that can identify software bugs or other software discrepancies earlier rather than through the use of the waterfall or linear methodology approach.
Using a combination of Agile and CSA methodologies to supplement GAMP 5 and align with the QMS can decrease the time needed to find software bugs or software discrepancies. This enables the stakeholders to focus on the quality and efficiency of their product and to determine what is important to the patient.
- Guidance On The Use Of Agile Practices In The Development Of Medical Device Software, https://webstore.ansi.org/Standards/AAMI/AAMITIR452012R201 8.
- ISPE GAMP 5: 2nd edition, page 9.
- “Role of Computer System Validation to Safeguard Data Integrity in Pharmaceutical Industry-A Review,” International Journal of Pharmaceutical Science Invention ISSN (Online): 2319 – 6718, ISSN (Print): 2319 – 670X www.ijpsi.org Volume 8 Issue 1 ‖ Jan 2019 ‖ PP.35-41.
About The Authors:
Allan Marinelli is the president of Quality Validation 360 Incorporated and has more than 25 years of experience within the pharmaceutical, medical device (Class 3), vaccine, and food/beverage industries. His cGMP experience has cultivated expertise in quality assurance, compliance, quality systems, quality engineering, remediation and validation roles controlled under FDA, EMA, and international regulations. His experience includes quality systems, CAPA, change control, QA deviation, equipment, process, cleaning and computer validation, as well as quality assurance management, project management, and strategies using the ASTM-E2500-07, GAMP 5, and ICH Q9 approaches. Marinelli has contributed to ISPE baseline GAMP and engineering manuals.
Howard Mann has extensive experience in the healthcare industry and works as an independent consultant and/or contractor in the operational, regulatory, and quality assurance arenas. He provides leadership to the product development process in all areas of GxP compliance. As new technology pushes the envelope of new product development, his knowledge of the regulated development process provides assistance when directly interacting with FDA and other regulatory authorities.