The FDA Group's Insider Newsletter

This is a free bonus issue for all subscribers. If you’re not already a paid subscriber, you can upgrade here.

We recently hosted a webinar with senior validation engineer and consultant Rashida Ray that revisited a handful of CSV basics and best practices that industry teams typically struggle with.

Watch the full presentation above and grab the slide deck here.

If you prefer a written version, we’ve provided a transcript below—edited for clarity and flow.

Need CSV project support? Our team of experts conducts thorough computer systems and data assessments to ensure data integrity, validation, and quality, meeting all system requirements with proper documentation.

We employ risk-based validation strategies to evaluate data governance and management practices, enhancing your quality system and addressing any compliance gaps. Our computer system validation (CSV) expertise ensures data safety, reliability, and availability, focusing on proprietary and commercial software.

We specialize in Computerized and Cloud System Validation (CCSV), data integrity infrastructures, vendor audits, risk assessments, and more. Additionally, we offer guidance on data governance, audit preparations, training programs, and responses to regulatory concerns, ensuring comprehensive data integrity and CSV support.

Learn more and contact us to start the conversation.

Sam Swiech 00:47: Now, let's dive into today's discussion on CSV. Our presenter is Rashida Ray. Rashida is an experienced quality assurance and compliance professional with a strong background in computer system validation and auditing across the pharma, medical device, and biologics sectors. As a Senior Validation Engineer for the FDA group, she evaluates computer systems for clients, ensuring compliance with relevant regulations and standards. Her expertise also includes conducting audits, managing quality systems, and offering guidance on regulatory compliance. Our agenda today will cover five challenges related to CSV: planning, communication, understanding regulations, URS, and cross-functional collaboration. So, Rashida, one significant challenge is the planning phase of a CSV project. Can you discuss the common planning-related issues and share some best practices?

Rashida Ray 03:40: When it comes to a new CSV project and implementing a new system, the first thing to consider is what you want the system to do. You might create a process map, especially if the system will span multiple departments or just one particular area. Once you have that mapped out, you can understand how your organization will acquire, store, and use the data. This becomes part of your data process map. It requires brainstorming with different team members, especially if the application spans various areas. You want to get their feedback for a user requirements specification to ensure you're procuring the right system. Sometimes, you might be excited about one system and then realize it doesn't have the needed functionality. The process map is a great roadmap for this. You can take it to the vendor and ask if their system can accommodate your department's structure. This helps the vendor understand how their application works, how it stores data, and how it can be configured to fit your process.

Sam Swiech 06:23: Do you have any specific tips for creating process maps? Have you seen good examples of companies that have made high-quality process maps? Any advice for teams on creating a process map?

Rashida Ray 06:44: The process map should be basic. The simpler, the better. You want to understand your process and for others to understand it too, so they can configure the system according to your needs. A simple process map ensures nothing gets lost in translation.

Sam Swiech 07:20: Let's move on to the second challenge around communication. You mentioned the siloing of departments and the lack of routine meetings between them during such projects. Can you discuss the effects of siloing and how teams can improve inter-departmental collaboration during a project?

Rashida Ray 07:49: Siloing is unfortunately common. Often, the department responsible for procuring a system might overlook other departments that will be affected. A well-constructed process map can help identify all stakeholders. If you understand the system's intended function and reach across departments, you can identify which areas need involvement. For instance, facilities might need to be included, or the laboratory might use the application for specific tasks. By contacting these departments during the planning phase, you can gather their feedback and understand their needs. This collective input can then be presented to vendors to ensure the chosen system meets everyone's requirements. It might be worth exploring other options if a vendor can't meet these needs. If they can, it's essential to understand how their solution integrates with your processes.

Sam Swiech 12:29: Let's move on to our third challenge around understanding the applicable regulations for CSV. What knowledge base challenges do you see that can impact a project, specifically regarding regulation standards and expectations?

Rashida Ray 12:55: I often see organizations aware of regulations, but newer organizations or startups, especially those from a laboratory or IT background, might be unaware. They often view deliverables as a paper-pushing exercise, not understanding their interconnectedness and necessity. They might estimate, for example, five hours to create a URS with a Requirements Traceability Matrix and a protocol, not realizing the complexity of qualifying an entire enterprise system. It's essential to understand the risks and not just view everything in terms of hours and minutes. Knowing the regulations helps set realistic expectations, especially for large systems affecting multiple departments.

Sam Swiech 15:33: If a team wanted to create a training program to get up to speed on relevant regulations and guidance documents for a validation project, what materials would you recommend they include in their training program for CSV?

Rashida Ray 16:18: Definitely 21 CFR Part 11. There's also the FDA's data integrity guidance and computer software assurance. MHRA and WHO have guidances, as does PIC/S. A simple Google search for "data integrity guidances" or "computer systems validation and FDA" will provide many of these resources. I'd start with 21 CFR Part 11 because it inherently includes data integrity.

Sam Swiech 17:28: Regarding Regulatory Affairs and compliance, some areas are more fluid and fast-moving than others. How would you characterize the CSV in the regulatory world? Have you seen many regulatory changes and new guidance documents? Is it a fast-moving or slower-moving area of regulatory in your view?

Rashida Ray 17:56: I find it slow. I've been in this field for almost five years, and it's been gradual. The first data integrity guidances came out around 2015. The CSA guidance is recent. Before that, there was a lot of talk about predicate rules. 21 CFR Part 11 has been around for a while, and it's a solid foundation. Everything else seems to have evolved from it. The computer software assurance relates to 21 CFR Part 11 but introduces a new perspective, moving away from mere paper-pushing to ensure meaningful testing and deliverables. It emphasizes thoughtful testing and deliverable creation.

Sam Swiech 19:17: Let's move on to challenge four, focusing on the user requirements specification (URS). Establishing user requirements is a crucial step of CSV. Can you discuss specific URS issues you often see and any advice you give teams about URS?

Rashida Ray 19:40: A common issue is not creating a process map to determine what you want the application to do. Is it for one department or multiple areas? Regardless of the scope, you need to expand on what you want the application to achieve. What are your needs? This helps in the procurement process, allowing you to ask vendors if their application meets your requirements. It's essential to understand the intended use of the application. A process map is invaluable for visualizing its impact and determining if it benefits your organization. Maybe it's something you want to develop in-house. Once you understand your intended use and have a clear process map, you're on the right path to selecting and validating the right application.

Sam Swiech 21:41: A challenge we've often heard about is translating user needs. When gathering needs from various departments, turning those into technical requirements for a system can be difficult. It's about taking input from a person and converting it into a technical specification for a system. Do you have any advice or strategies for this translation process?

Rashida Ray 22:17: I haven't encountered a situation where I had to translate user requirements. Typically, user requirements are general, like wanting the application to do X, Y, and Z. It's the vendor's responsibility to interpret those requirements and ensure their application can meet them. If there's technical jargon, the vendor should handle the translation to ensure the application performs the desired function. From the user's perspective, the focus is on the outcome, like picking apples. During validation, you determine how the application achieves that outcome. Vendor input and input from SMEs, the IT department, and others are crucial. Start with a simple requirement. There might be some translation, especially if the system is customized. However, with process maps and feedback from relevant departments, you have what you need. Testing ensures the application meets those requirements. Delving into the technical details is the vendor's job, or the IT or development team's job if it's a custom-built application.

Sam Swiech 24:44: Let's discuss our fifth challenge: cross-functional collaboration during a project. A primary challenge is involving subject matter experts from each department to contribute to the project's requirements. Do you have tips for assembling a team from different departments for a CSV project?

Rashida Ray 25:27: As I mentioned earlier, it's about networking. Ask around: "Do you know someone in marketing or bioinformatics?" They might introduce you to someone in that department. That individual might suggest that the topic needs higher-level attention and escalate it to their superior. This can lead to the involvement of subject matter experts familiar with their department's processes. Building the ideal cross-functional team takes time. Starting with one representative from each area helps, as they can escalate matters to decision-makers. Over time, you'll identify key collaborators and decision-makers who can provide insights into their processes and evaluate if an application suits their needs.

Sam Swiech 27:43: Thank you, Rashida, for discussing those challenges. We wanted to touch on the role of consultants in executing projects like this. Specifically, their value in bringing a fresh perspective, sharing best practices from experience, and helping teams navigate regulatory requirements. Could you elaborate on these points?

Rashida Ray 28:28: Certainly. Regarding a fresh perspective, it's beneficial to have someone unbiased who can view things objectively. This allows for easier identification of gaps. When you're new to a process, you can ask questions like, "Have you considered this?" or "What about this aspect?" Drawing from diverse experiences across various organizations and projects can provide insights like, "This reminds me of a similar situation I've encountered before." An external consultant isn't influenced by the company's culture, allowing them to offer a truly fresh perspective. Even if they've only worked at one other organization, they can still suggest, "At our previous company, we approached it this way." A fresh pair of eyes is invaluable.

Sam Swiech 30:38: Regarding the second point about best practices informed by experience, do you find that you've developed a toolkit from past projects that you can apply to benefit the teams you work with?

Rashida Ray 30:56: With every project, there are lessons learned. Reflecting on what could have been done differently is crucial. From my experience at various sites and places, I've developed a toolkit of strategies and approaches. However, it's always evolving because each new workplace presents unique challenges. You might need to adjust, tailor, or even discard certain strategies based on the situation.

Sam Swiech 32:34: Moving to the third point about navigating regulatory requirements, it seems that bringing in an external perspective provides not just expertise but also training and mentorship. Can you discuss the natural training that occurs when someone is brought in for a project like this?

Rashida Ray 33:04: Certainly. But it's essential to note that the client must be cooperative and open to learning. If they view the process merely as a task to be completed, they might miss the value of understanding the "why" behind certain decisions. As a consultant, there's a lot of mentorship and training involved. However, the project's success hinges on the client's willingness to learn and potentially adjust their mindset. Once they've gone through one project and understand the time and effort required, they can set more realistic expectations for future projects, using the lessons learned to streamline processes.

Sam Swiech 35:28: We often get asked about preparing to work with a consultant. What can teams do at the project's outset to ensure success and avoid delays? You've mentioned four key points: defining needs, preparing the team, providing access to information, and being open to feedback. Can you elaborate on these?

Rashida Ray 36:42: Certainly. First, it's vital to define the project's scope. I've been on projects where the initial objectives expanded or shifted, often due to unforeseen connections or requirements. Clear communication between the client and consultant is essential to set realistic expectations and timelines.

Preparing your team is also crucial. I've encountered situations where team members were unaware of a project or my role in it. Proper introductions and setting expectations can prevent confusion and streamline the process.

Providing access to information is another key point. Consultants often need specific documentation or system access to perform their tasks. Preparing your team for these requests can expedite the process.

Lastly, being open to feedback is vital. We're all continuously learning. If I identify a potential gap or issue, it's beneficial for the team to consider the feedback and understand the reasons behind it. This proactive approach ensures the project is done correctly the first time, avoiding costly revisions.

Sam Swiech 42:50: Thank you. Another frequently asked question revolves around risk management in CSV. Can you discuss its significance and how risks should be assessed and mitigated?

Rashida Ray 43:32: Risk management is integral to any validation process. The primary concerns are patient safety and quality. Depending on the application's purpose, it might directly impact patient safety. In such cases, it's essential to ensure the application functions as intended. Consider scenarios like power failures or disasters. How is data backed up? How quickly can operations resume after an interruption? Risk management aims to ensure patient safety and maintain quality, even in unforeseen circumstances. Tools like failure mode effect analysis are often used to assess and mitigate risks.

Sam Swiech 45:46: What about validating cloud-based systems versus on-prem systems? Are there specific considerations?

Rashida Ray 46:00: With cloud-based systems, it's crucial to have everything outlined in a service level agreement (SLA). This includes access to information and disaster recovery measures. For on-prem systems, you're often developing these protocols yourself, working directly with vendors to integrate processes and address gaps.

Sam Swiech 47:21: When software vendors claim their product is validated, how should teams interpret this?

Rashida Ray 47:40: While vendors may have tested their software, it's essential to ensure it works according to the client's intended use. The vendor's validation might be broad, but the client's requirements are specific. It's crucial to test the software within the client's processes.

Sam Swiech 49:11: How do you handle the validation of frequently updated software, like Microsoft Office applications?

Rashida Ray 49:33: IT would play a significant role here. For applications like Microsoft or operating systems like Windows, there should be SOPs regarding updates. Some updates might be postponed or scheduled quarterly or annually to ensure compatibility. For systems used in production, updates would be managed through a change control process, including risk analysis and unit testing.

Sam Swiech 51:25: Do you have any best practices for revalidating a system after a significant change or upgrade?

Rashida Ray 51:38: Companies should have a periodic review process. Depending on the system's criticality, this could dictate how often it's reviewed to ensure it remains in a validated state. For instance, systems with a direct impact on patient safety might require yearly revalidation. Over time, with multiple changes, it might be beneficial to revalidate to ensure the system still meets its intended use.

Get industry-leading CSV and data integrity support

Our data integrity, validation, and quality experts perform comprehensive computer systems and data assessments to ensure your system requirements are fully met and adequately documented.

Data governance and management practices are evaluated using risk-based validation strategies to protect the integrity of your data and strengthen your quality system in the process. Compliance gaps identified during the assessment are addressed through comprehensive remediation.

Thorough CSV ensures your system stands up to scrutiny, leaving you secure in the knowledge that your data is safe, reliable, and available. Our CSV experts implement systems and obtain “fit for use” certification in the areas of computer and cloud systems validation and data integrity.

Our framework for CSV and data integrity assessment can be applied to both proprietary and commercially available software. Projects are planned and executed by leading computer system validation experts with intimate knowledge of current regulatory requirements and years of experience enhancing IT operations, control systems, and data integrity for pharmaceutical, medical device, and biotechnology companies.

Our comprehensive data integrity and computer systems validation services include, but are not limited to: 

• Computerized and Cloud System Validation (CCSV) and qualification

• Establishing data integrity infrastructures

• Third party CMO audits

• Vendor audits

• Mock Pre-Approval Inspection (PAI) audits of data integrity

• Formal risk assessments and risk mitigation strategies

Additionally, we assist clients in: 

• Planning and remediation assistance for data integrity gaps

• Guidance and development of Data Governance and Data Management Programs

• FDA-483 and warning letter responses for data integrity

• Pre-audit preparation and support during audits

• Training and development of training programs in data integrity and CSV

Learn more and contact us to start the conversation.

Who is The FDA Group?

The FDA Group helps life science organizations rapidly access the industry's best consultants, contractors, and candidates. Our resources assist in every stage of the product lifecycle, from clinical development to commercialization, with a focus on Quality Assurance, Regulatory Affairs, and Clinical Operations.

With over 2,500 resources worldwide, over 225 of whom are former FDA, we meet your precise resourcing needs through a fast, convenient talent selection process supported by a Total Quality Guarantee.