The draft guidance calls for “establishing confidence in automation used for production or quality systems, and identifying where additional rigor may be appropriate” as well as for software validation and appropriate use. A risk-based approach to measures is detailed. When implemented, FDA said the framework will help meet the requirements of 21 CFR 820.70(i), which sets forth maintenance schedule requirements for medical devices. (Related: FDA drafts guidance on device manufacturing and quality system software assurance., Regulatory focus 12 September 2022)
The guidance, when finalized, is intended to replace Section 6 of the “General Principles for Software Validation” (GPSV) published in January 2002.
Consult the ICH Q9 guidance.
Stakeholders commenting on FDA’s draft guidance generally welcomed the agency’s flexible, risk-based approach to production and quality system computer software assurance (CSA).
Biotechnology company 23andMe wrote, “The flexible approach in this draft guidance is a welcome improvement over the historically rigid and non-value-added approaches to computer system validation (CSV),” in their comments.
Several commenters noted that the Agency should adopt the quality risk management terminology and principles as described in the recent ICH Q9 (revision) guidance, rather than the language used in the draft guidance. (Related: ICH issues revised Q9 guidelines to improve risk assessment., Regulatory focus 03 January 2022)
The International Society for Pharmaceutical Engineering (ISPE) wrote in its commentary, “The use of ICH terms and principles should lead to more consistent interpretation by industry and regulators and facilitate understanding and possible acceptance by other regulatory agencies. “
CSA vs. CSV
In particular, several commenters were concerned with the draft guidance’s use of the term CSA in the title and body of the document and its potential for misinterpretation by industry. “If the guidance will have an impact outside the field of medical devices, the title of the guidance will be reconsidered as it conflicts with the definition of ‘computerized system’ based on PIC/S PI 011-3, section 6.2,” European Wrote Compliance Academy
“CSV does not just cover software quality but takes a comprehensive approach, including computerized, controlled processes, related procedures, and personnel. These elements in the guidance are not only too limited to those that may be but cause confusion for readers,” he explained. In some cases, compliance can’t be reduced to computer software alone, he noted, since many existing manufacturing and laboratory equipment are computer-controlled.
“There may be existing guidance material. [misunderstood] Loss of compliance by industry and loss of control for production and quality system computer systems.
While 23andMe viewed the use of the term CSA as deviating from the traditional meaning of validation, they asked the FDA to “be more specific in stating that these computer software assurance methods (ie, unscripted testing ) actually fulfill the authentication requirements and not just. ‘Help meet the authentication requirements.’
Commenters observed that cybersecurity is a component of security risk for medical device products and is missing from the draft guidance.
“Security risks (e.g., private information exposure) pose a potential security risk that is not associated with a specific medical device. Siemens Healthineers wrote in its comment that high-performance risks are meant to be limited to “medical devices” and not That may lead to inadequate implementation of clinical data to validate the risk scenario.
Boston Scientific urged the FDA to urgently create guidance for industry and agency staff to consider cybersecurity requirements, noting that cybersecurity is “an important component of ensuring that production and quality systems meet and maintain their intended use.”
System lifecycle tools are not covered by 21 CFR 820.70 (i).
There was also a question as to whether system lifecycle tools should be considered in the guidance, as they are not included in other similar directives such as EU GMP, Annex 11, Computerized Systems and ISPE GAMP 5.
“Based on the reasoning below, and for consistency [other guidances]In its comment, ISPE wrote, it is recommended that system lifecycle tools not be used as part of a production or quality system in the final guidance and therefore not validated under 21 CFR 820.70(i).
Another place where the FDA’s guidance deviates from GAMP 5 and EU, Annex 11 is how it characterizes the validation of support software, whereas the other guidance only requires demonstration of suitability rather than validation. There is a need. “Applying the concept of ‘validation’ to such tools creates a potential barrier and discouragement to their use, as well as, depending on the interpretation of ‘validation’ in the regulated company, without potential additional quality and safety benefits. cost increases,” explained ISPE. .
Boston Scientific also raised an issue with data collection and whether it all falls within the scope of 820.70(i). “The way the guidance is written, it suggests that all production data that is collected falls under 820.70(i). This is not the case as much as the data collected relates to scrap, production, etc. is from,” wrote Boston Scientific. “Make [it] Clarify that only data collection and processing for the quality system must be within the scope of 820.70(i).
Applicable to non-medical industries
Technology company Medidata wrote in its commentary expressing concern about the guidance’s applicability beyond medical devices. “If the agency has contributed to multiple arms and intends to apply this guidance beyond a medical device, it should clarify the applicability in the introduction and scope section. Please clarify that the CSA replaces the CSV. Not taking it,” he said.
The European Compliance Academy cautioned against the FDA using this guidance in non-medical device industries as well. “Comparing less regulated medical devices to less regulated industry sectors can be very dangerous. Safety expectations are not the same. Past experience shows that industrial practices from less regulated sectors to more heavily regulated sectors (aircraft, health (maintenance of) can lead to a security disaster.
The European Compliance Academy also questioned the need for a new supplementary guidance for the GPSV, suggesting that the agency should update the GPSV instead of creating new guidance with a limited scope.
“Give [chosen] The way GPSV is being amended by replacing section 6 and replacing it with CSA guidance is very unfortunate as it creates confusion for readers,” he wrote. “It would be clearer and better to issue a new version of the GPSV with revised content, including possible formal scope expansion.”