Software is at the point where your usage can automatically be validated as features are released and enabled during configuration.

By Erin Wright, Senior Product Manager, MasterControl

Computer system validation (CSV) is a time-consuming process for most regulated companies. Someone needs to comb through the release notes, every feature needs to be tested and countless screenshots need to be taken. But does a company really need to do any of that? Certainly, the U.S. Food and Drug Administration (FDA) requires companies to validate its software to ensure it works for its intended use. But a company can validate their software in a much shorter amount of time using a risk-based approach.

No one enjoys compiling or reviewing stacks of documentation.
No one enjoys compiling or reviewing stacks of documentation.

The Burden of CSV

Traditional validation is so firmly cemented in people’s minds that the FDA decided a new acronym was needed for its risk-based approach. The new computer software assurance (CSA) will drastically reduce the documentation and work that validation requires while focusing mainly on risks to quality and patient safety. The exact guidance hasn’t come out yet, but the existing guidances surrounding CSV have always given companies the flexibility to do what works best for them. They’ve just usually erred on the side of caution by doing considerably more than was required.

The busywork of traditional CSV doesn’t benefit anyone. Employees don’t enjoy doing it, and regulators don’t enjoy reviewing it. A months-long validation process is a waste of time and resources. And it doesn’t reduce your risk, especially when you focus on the software and not your use of it. When companies focus on how they use the software and identify where the biggest risks are, they can reallocate those resources to areas that need them the most, their actual products. This mindset shortens validation and makes it possible to update software more frequently. When validation takes months, most companies avoid upgrading. When validation takes hours or minutes, upgrading quarterly or even more frequently is possible. This is essential for ensuring the continued security of your IT systems and data and having access to the most up-to-date software features.

The Steppingstone to Self-Validation

Years ago, I began using a risk-based approach to help customers validate. We’d leverage validation documentation provided by the company, look at how closely their usage mirrored the company’s best practices and then determined which usage scenarios required testing based on that. Eventually, I expanded on this idea to create the Validation Excellence Tool (VxT)™ (U.S. Pat. 10,324,830). VxT allows users to perform an initial assessment in a matter of hours. And with each upgrade, change control can take as little as 45 minutes.

However, this is all based on the traditional waterfall approach to software development. An agile approach brings new features to users immediately, but that requires continuous validation. Even with risk-based tools, that’s still too much validation. The only solution is to make validation as effortless for users as updating and configuring the software.

Self-Validating Software

No, this concept is not too good to be true. Neither is it too good to be compliant. In many ways, this process is already happening. What we’re proposing simply shifts the burden of validation to the software company. In a cloud environment, software as a service (SaaS) companies are continually running automated testing on their software. The problem now is that users do their own testing based on their configuration. When software vendors build testing into every feature, the minute users complete their configuration an automated test is ready to be executed just for them. From the users’ perspective, this will require no additional effort or testing. Every time a new feature is released, if they choose to enable it, they’ll be able to re-execute their validation tests at the drop of a dime.

From the developer’s standpoint, this does require more effort. The software is only self-validating and automatic because of the coding and logic checks that are programmed into it. Essentially, it involves developing a library of puzzle pieces that are test methods for numeric fields, dynamic routing, etc. and those pieces come together as configuration is completed. Because the work has been done beforehand, the customer doesn’t have to do it. The associated documentation templates are also prepared by the developer beforehand, so when you run your specific validation, the validation records are automatically generated. When regulators show up, users can immediately demonstrate that their software is validated.

Conclusion

Companies working in regulated industries have more important things to do with their time than validate their software. Since a SaaS company’s whole existence revolves around its software, the burden of validation should fall on it. When more companies embrace this approach, self-validating software will become the norm and taking countless screenshots will become a thing of the past. Focusing on risk and getting developers more involved in validation means their users will update more often, have the best features available and get their products to market sooner.

erin wright mastercontrol
Erin Wright

Erin Wright, Senior Product Manager
As MasterControl’s senior product manager over validation and Insights, Erin Wright spearheads the efforts pertaining to the development of the company’s groundbreaking Validation Excellence Tool (VxT). She holds a patent related to streamlining the validation process by using a risk-based approach to greatly reduce validation time, with a second patent pending. She created and implemented the configuration-based testing that drives the VxT and is currently working to develop self-validating capabilities in MasterControl software.

She joined MasterControl in 2013 as a professional services consultant and worked closely with hundreds of regulated companies, including the FDA’s Center for Drug Evaluation and Research (CDER), Ancestry.com, Abbott Point of Care, Institute for Transfusion Medicine (ITxM), and the University of Utah, in conducting custom validation implementations. Her extensive experience in quality, validation, and regulatory compliance includes working for an automated-testing software company and several clinical-trial software providers.

Wright graduated summa cum laude from West Chester University with a degree in psychology.