Whether or not we like to admit it, most of us are incredibly reliant on software in our day-to-day lives. Yet while we are aware that certain applications can pose risks to our personal data, we don’t go to any great lengths to ensure that the software works exactly as it’s supposed to. When it comes to investing in enterprise software, though, there’s much more at stake than some embarrassing selfies being leaked—especially in the life sciences industry. This is why software in the life sciences is regulated and must be validated, proving that it's compliant with the relevant regulatory requirements.
However, as much as validation is a crucial part of software implementation in the life sciences, it increases the complexity and burden of implementing new software tools, often elongating the process significantly. This, in turn, discourages some organizations from investing in the very tools that will improve their efficiency and productivity in the long run, for fear of a lengthy, arduous validation project.
With this issue in mind, we turned to the experts to learn how businesses can accelerate the implementation process without sacrificing compliance. Their answer? Risk-based validation. In this article, we’ll discuss why the pros use risk-based validation to speed up the software implementation process—and how you can, too.
- Software validation: A quick refresher
- Risk-based validation invites you to work smarter, not harder
- Risk-based validation begins with vendor selection
- Get real about the 'risk' in risk-based validation
- How to begin defining your risk-based approach
- The buck doesn't stop with validation during implementation
- Key takeaways
Software validation: A quick refresher
When looking to implement new software, you need to be certain that it does what it’s supposed to do—and you need to be able to prove it. For life sciences organizations, this means generating objective evidence that the software not only functions properly and meets your needs, but also demonstrating that it’s compliant with relevant GxP regulations.
Through the process of validation, you establish confidence that you can use the system while upholding three key elements: patient safety, product quality, and data integrity. If you can’t prove that your software will protect your patients, products, and data—or worse, if it doesn’t protect them—then you could be opening yourself up to difficult questions during an audit or inspection. For those interested in further exploring the topic of validation, you should also check out the FDA’s new draft guidance on “computer software assurance”, as risk-based approach which some are saying may very well replace our current conception of software validation.
Of course, when investing in new software, the time it takes to validate it is an important factor when weighing the costs and benefits of implementation. A lot of us still conceive of the software validation process as requiring binders upon binders of documents, screenshots, and all manner of other materials to prove that the system does indeed meet the requirements. But it doesn’t have to be this way.
We spoke to our experts to learn more about the tried-and-true method that allows for accelerated software implementation: leveraging a risk-based validation approach.
Risk-based validation invites you to work smarter, not harder
Would you trust someone you don’t know to watch your home while you’re away? Probably not. But what if that person came from an accredited organization, had hundreds of glowing recommendations, and was personally vouched for by several of your closest friends? You’d probably be more likely to consider it.
This is an example of risk-based validation—or at least a metaphor for it. Risk-based validation is the preferred method for thousands of life science organizations globally, further reinforced by the recent release of the second edition of the be-all and end-all guide to validating GxP computerized systems, GAMP® 5. But what, exactly, does it entail?
Risk-based software validation involves understanding your organization’s unique context, performing risk assessments, and employing critical thinking skills to mitigate the identified risks. It veers away from the traditional urge to push paper and produce documents solely for the sake of producing documents. Instead, it invites organizations to use informed logic in order to reasonably assess what risks the software may pose to patient safety, product quality, and data integrity.
For instance, the validation process for a quality management system would look different than the validation process for software-as-a-medical device that controls insulin injections for diabetic patients. Why? Well, the latter could pose a greater direct risk to patient safety should it not be functioning as intended.
Now, let’s take a closer look at how leveraging risk-based validation will speed up your software implementation process.
Risk-based validation begins with vendor selection
In fact, you may not even realize it, but most everyone looking to invest in new software utilizes principles of risk-based validation from the outset. When searching for vendors, we tend to start by selecting established companies, instinctively understanding that their software poses less of a risk than a program developed by, say, your neighbour’s son working out of his garage. These companies employ vetted software developers and execute routine testing and maintenance of the software to ensure it remains both functional and compliant. By doing your due diligence and confirming that your vendor has qualified personnel, set operating procedures, and a software development lifecycle with rigid testing, you can then leverage this due diligence to considerably lessen the load of factors you’ll need to validate further down the road.
The above graphic gives a high-level overview of the scope of software validation and the responsibilities of both vendors and life science companies.
Get real about the ‘risk’ in risk-based validation
In addition to practicing critical thinking, taking a risk-based approach to validation requires you to be practical—and then leveraging this practicality to be more efficient. For instance, you can begin scaling your activities by relying on the work the software vendor has already done. The vendor should be willing to share the outputs of their testing activities (even if just momentarily for you to review during a virtual meeting). If they’ve already produced testing and documentation to validate software features, then ask yourself if it’s truly necessary to redo all of the work yourself. Most of the time, it’s not—unless there is a specific gap in the vendor’s documentation or a specific business risk that you need to mitigate. Of course, you still have the onus of making sure that the vendor’s activities are suitable and meet your quality standards, but this can be assessed through an audit designed to check the vendor’s outputs.
You can even use a risk-based approach when it comes to the level of evidence generated during the validation process itself. While our tendency may be to take screenshots of everything, sometimes it adds additional paperwork and prolongs your implementation timelines with no tangible benefit. A simple checklist may suffice if the features you’re validating are not highly critical.
By trusting in your vendor and relying on your team’s understanding of the potential risks involved, you can significantly expedite the software validation process while still remaining compliant.
How to begin defining your risk-based approach
Now that we’ve spent a fair bit of time touting the benefits of risk-based validation, you might be wondering how you can start defining a suitable risk-based approach to accelerate your next software implementation process. Well, there’s no better place to start than gathering input from your internal (or external) subject matter experts. If you’re looking to invest in an electronic trial master file (eTMF) system, for instance, you’ll want to start by bringing in end-user representatives and people with knowledge of the applicable regulations, amongst many others. You’ll also need to consult people with knowledge of information security policies and infrastructure. Essentially, you’ll need to talk to subject matter experts from a number of different departments in order to determine the risk the software could pose to patient safety, product quality, and data integrity.
Gaining insights from your subject matter experts will also allow you to have a better understanding of the unique context in which your organization will be using the software. In the case of an eTMF system, do you plan on using it as simply a repository, or as a tool for creating and collaborating on clinical trial documentation? All of these factors will affect how you establish your risk-based validation process and determine which elements are the most crucial to validate in depth.
The buck doesn’t stop with validation during implementation
Taking a risk-based approach can speed up more than just your software validation journey. Once you’ve completed the validation stage, you can apply a risk-based approach to a number of other pieces of the implementation puzzle. When it comes to things like creating standard operating procedures for end users or determining the extent of training required, you can break out your critical thinking cap and carry out these tasks in a fashion that’s appropriately proportionate to the risks involved. You can also use risk analyses as a guiding factor in ensuring that you continue to use the system in a controlled manner. While we could go on about the myriad of ways in which you can use a risk-based approach to accelerate software implementation, these might be topics for another time. For now, let’s take a look at some of the key takeaways of the approach covered in this article.
- Software validation is a critical part of implementing enterprise software and helps to ensure that new systems are compliant with all of the relevant requirements.
- The new edition of ISPE GAMP® 5 has brought the concept of risk-based validation further into the limelight.
- You can leverage risk-based validation to accelerate your software implementation process.
- Risk-based validation involves using critical thinking in order to determine which elements of the software pose the greatest risk and to whom.
- By simply doing your due diligence, you can utilize your software vendor’s hard work in order to expedite the validation process.
- If you want to begin defining your own unique risk-based approach to validation, start by talking to your team!
- Validation isn’t the only aspect of software implementation to which you can apply a risk-based approach.
Looking to implement an EDMS? Validation isn’t the only thing you’ll need to consider. Download our implementation checklist below 👇