With the dual purpose of ensuring regulated software contributes to product safety and efficacy and of improving organizational compliance, regulatory authorities face not only the ubiquitous incorporation of these systems but increasingly complex technical environments. From their point of view, companies using software for regulated purposes also see a rapidly evolving technical landscape and a maturing regulatory environment, with increased technical competence on the part of interested third parties. The confluence of these two perspectives places the burden on both parties to “up their game” in terms of relevant regulatory frameworks, process discipline, and technical ability.
Designed and delivered by an industry veteran, with more than 30 years of experience as a practitioner, global leader, and executive advisor in the high technology life sciences space, this course will serve as a practical introduction to regulated software management. The course will begin with an overview of the current regulations (e.g. 21 CFR 820.70(i), 21 CFR Part 11, 21 CFR 211.68), standards (e.g. ISO 13485), guidance (e.g. FDA’s General Principles of Software Validation, AAMI/ISO TIR80002-2), methods (e.g. V-model, Agile Scrum), and terminology governing the design, development, validation, release, and maintenance of regulated software systems. Required and recommended lifecycle documentation based on this literature will be outlined, with special attention paid to predecessor relationships between documents and change management. Once this baseline is established, the discussion will move into best practices for addressing software systems in a variety of environments such as thick client installations, cloud-hosted systems, and Software-as-a-Service (SaaS). Within each of these environments, current and upcoming considerations such as data integrity, cybersecurity, off-the-shelf software, artificial intelligence/machine learning, configuration management, and electronic records/electronic signatures will be addressed.
Finally, there will be explorations of expected changes to the regulatory landscape and of current and future regulatory enforcement trends. Throughout the course, attendees will receive tips and techniques important for defending their processes and practices during third party inspections and audits.
Learning Objectives:
- Understand the difference between regulated and unregulated software in life sciences industries
- Identify the major global regulatory documents governing regulated software
- Become familiar with basic terms associated with regulated software and how they may differ from terms in other industries
- Understand the objectives of global regulatory bodies in their oversight of regulated software
- Understand the activities and elements of various regulated software lifecycle models
- Identify required and recommended documentation to ensure defensible evidence of validation for intended use
- Understand how to do an effective impact analysis of changes to the software system
- Understand the obligations of firms using software developed by third parties
- Understand the obligations of firms using software hosted by third parties
- Understand the importance of confidentiality, integrity, and availability (i.e. CIA) in the software lifecycle
- Understand the importance of 21 CFR Part 11 to the software lifecycle and why it is often mistaken for the sum total of validation requirements
- Gain insight into methods for defending validation evidence for regulated software systems
- Learn about future trends in technical environments, regulatory frameworks, and enforcement
Areas Covered:
- Current regulatory landscape (regulations, standards, guidance)
- Basic terminology and concepts of regulated software lifecycles
- Activity and documentation requirements
- Change management
- Cloud-hosted systems
- Software-as-a-Service (SaaS)
- Cybersecurity
- Artificial Intelligence/Machine Learning (AI/ML)
- Electronic records/electronic signatures
- Audit/inspection defense
- Enforcement trends
Course Content
Day One (10:00 AM to 5:00 PM EDT)
- Training objectives review, expectations and scope.
- Defining computer software validation (CSV) by breaking down 21 CFR §820.70(i)
- What is a regulated software system anyway?
- Exercise: Is it or isn’t it?
- An overview of the software validation regulatory landscape
- U.S. FDA
- EU
- AAMI
- ISO
- ICH
- Other
- A review of software validation terms
- Electronic records/electronic signatures (21 CFR Part 11; EU GMP Guide, Annex 11)
- The software validation document set
- Planning
- Defining
- Building
- Validating
- Releasing
- The software validation document set (continued)
- Incorporating the software validation document set into your lifecycle model
- V-model
- Iterative methods (e.g. Agile scrum, XP, ADD)
- Exercise: What’s wrong with this requirement? What’s wrong with this test case?
- Change management and keeping software in a validated state
- Change management, configuration management, defect management
- Impact analysis
- Skipping back through the lifecycle
- Special considerations
- Spreadsheets
- Legacy software
- Off-the-shelf software
- Software-as-a-Service (SaaS)
- Cloud-hosted systems
- Compilers
- Special considerations:
- Cybersecurity
- Artificial intelligence/machine learning (AI/ML)
- Defending software validation in audits/inspections
- Current and future regulatory enforcement trends by U.S. FDA and other global competent regulatory authorities
- The upcoming Computer Software Assurance Guidance from U.S. FDA
Course Provider
Eric Henry,
Senior Quality Systems and Compliance Advisor,
King and Spalding LLP
Eric Henry is a Senior Quality Systems and Compliance Advisor in the FDA and Life Sciences practice of the law firm King & Spalding. Eric is a 30-year industry veteran having led and coached global organizations through a wide variety of quality and compliance challenges. Complementing his leadership experience is an extensive hands-on skillset including audit management and response, Quality System remediation, software quality (including cybersecurity and AI/ML), medical device design controls, risk management, and regulatory due diligence.
Prior to King & Spalding, Eric led global technical and quality functions at Philips, Medtronic, GE Healthcare, Boston Scientific, and Hologic.
Prior to entering the medical device industry, Eric led a software quality management and program management office consulting capability in the Washington, DC area and held software design and development leadership roles in a small startup, a mid-size healthcare software company, a large financial services regulator and stock market, and a large retail organization.
Who Should Attend
- Regulatory Affairs Staff
- Quality Assurance Staff
- Managers
- Directors
- VPs
- IT Managers
- Manufacturing Managers
- Clinical Affairs Staff
- Software Vendors and Suppliers