ERP software validation - risk assessment vs validation scope

Tidge

Trusted Information Resource
What I’m finding a bit hard to fully understand still are the types of testing that should be done for software with different complexity,

Unscripted testing ? Ad-Hoc testing ? Scripted ?
The following is my advice. You will not find support for this in any published consensus authority. I recommend application of testing commensurate with the level of risk. For medical device manufacturers, three risk groups should be considered.
  1. Risk to patients, users ("14971 risk")
  2. Regulatory, compliance risk ("13485" or "21 CFR 820" risk)
  3. Business risk ("C-suite risk")
Scripted testing is the most thorough form of testing. It features:
  • Protocols approved prior to execution
  • Protocols with well-defined and documented test conditions
  • Protocols with appropriately and specifically trained test executors
  • Protocols with complete and explicit traceability to requirements
  • Protocols with well-established, predicted, and necessary results
Scripted testing typically is described as having one feature: "any idiot is supposed to be able to look at an executed scripted protocol and be able to recognize if the protocol was passed successfully." I personally don't like this attitude, as belief in this requires that a tremendous amount of effort went into designing a 'bulletproof' protocol prior to approval... and if there are deviations that occur during execution (or review of executions) there could literally be "any idiot" trying to 'resolve' the deviation. But I digress.

Now that we've established what the most thorough end-point is, work backwards.

Unscripted testing is more relaxed. Individual organizations are free to relax any combination of the bullet points above. I have my own recommendations, but I will spare the forum any more polemics (at least in this post).

Ad hoc testing is literally just that: Testing done that isn't done per plan or procedure.

In the recent past (and present), medical device manufacturers (as well as pharmaceutical manufacturers) have been rightly concerned with the validation of medical device designs and manufacturing processes for pharmaceuticals... and those require scripted testing in order to satisfy regulatory requirements... which is why when people were trying to establish methodologies for "proving" that software systems met their business needs, they naively defaulted to the most stringent approach... which is entirely derived from '14971 risk' (for medical device manufacturers).

The FDA draft guidance will make it explicitly clear that if there is no risk to patients/users, that they will under no circumstances expect that the default NPS process for medical device manufacturers will require scripted testing, as is done for medical devices.
 