The FDA has announced a new approach to computer systems validation. The FDA will no longer use the term ‘Computer Systems Validation’ or, for that matter, ‘Independent Verification and Validation (IV&V)’. The new name is ‘Software Assurance’. So what is Software Assurance, and why should you care?
Life sciences companies are experiencing a technology revolution along with other compliant industry sectors. Today’s advanced computer systems are driving global regulatory processes, helping companies to bring new products to market faster.
Artificial intelligence and robotics are game-changing, disruptive technologies that may displace some human labor and accelerate efficiencies and growth.
The rapid adoption of mobile and cloud applications is driving mission-critical business processes.
Finally, electronic communications are seeing explosive growth in both digital communications and mobile technologies, delivering knowledge at the speed of thought. As technology advances, rapid adoption of these technologies, coupled with streamlining and optimizing the validation process, is a must.
There are many barriers to rapid technology employment besides software assurance, including manual processes, cyber threats, data privacy and integrity, in’s security, document cycle times, and silo technologies, which are integrated or disjointed technologies that increase inefficiency and pose a greater risk as well as barriers to technology adoption.
As you know, cyber threats and attacks are everywhere. A recent BioSpace article highlighted that the life sciences industry has become the latest arena in hackers’ digital warfare.
So what keeps the regulators up at night? The key concerns are the vulnerability of cloud environments, data integrity within validated systems, security, and the quality risk associated with systems that have a significant impact on patient health and safety as well as product quality.
Software assurance refers to the justified confidence that software functions as intended and is free of vulnerabilities throughout the product lifecycle. A more practical definition emphasizes software risk management by balancing cost and potential loss as the result of poor software quality. Carnegie Mellon defines it as the level of confidence we have that a system behaves as expected and that the security risks associated with the business use of the software are acceptable. If any of these definitions hit home, you should be concerned about software assurance.
What is the FDA getting at with respect to the change in the software validation process? The FDA recognizes all of the changes in technology and how they are being adopted by life sciences companies. It recognizes that the old methodologies simply are not practical anymore and that a new approach is justified. It also recognizes that many were going through the motions of validation without recognizing the spirit of validation, which is to ensure software quality. Finally, the FDA recognizes that systems have significant vulnerability whether you are in life sciences or not. The agency recognizes the global threat of cybersecurity attacks and their impact on patient health and safety as well as product quality. These and many other factors are cited as the reasons for the FDA fundamentally changing the approach to validation.
There are many things in the software assurance methodology that are the same, but there are many things that are indeed different. As you think about your validation strategy, you really need to understand this complete paradigm shift in the agency’s thinking on how we should be validating systems in the future.
Check out my presentation delivered at the Institute of Validation Technology on Mastering Software Assurance.