FDA’s proposed guidance on CSA

The Pharma Industry’s Outlook on FDA’s proposed guidance on Computer Software Assurance (CSA)


After 20 years since the release of the first guidance document for Computer Systems Validation (CSV), FDA has started to realize that the traditional documentation focused validation process followed for the last two decades will no longer be ideal for assuring quality, compliance and productivity in today’s modern software platforms and medical devices.

Although the traditional CSV process focuses on evaluating risks and testing critical functions of a software system, it emphasizes more on creating extensive documentation that are ideal to qualify for GxP audits rather than evaluating the system’s holistic capability to perform consistently with ongoing changes.

The definitions, principles and boundaries laid out in FDA’s guidance documents have a broad context which in turn leads to misinterpretation, and validation limitations that leads to inconsistencies and compliance deficiencies.

Key Challenges with Computer Systems Validation

How can we help you?

Contact us by submitting a business inquiry online. We will get back to you very soon. 

Listed below are some of the key challenges faced by pharma companies with the current computer systems validation (CSV) methodology:

  • Enforcing a common validation protocol for different types of software systems (Standalone, mobile, cloud, database, SaaS, etc.)
  • Emphasis on extensive documentation because every function in the system gets misinterpreted to be a direct or indirect risk.
  • Incorrect assumption that the volume of test scripts correlates to an increase in value of validation.
  • Focus on discovering software defects is overshadowed with the findings in document deviation errors.
  • Lack of Risk and Compliance oversight after system deployment with the incorrect assumption that CSV is a one-time process.
  • Inconsistencies in CSV lifecycle change management.

In the current era of rapid digital transformation, FDA wants to encourage the use of advanced technology for automation and leverage powerful information technology and data solutions to significantly reduce errors and increase quality and assurance in software development and testing.

As software development and testing methodologies have evolved tremendously, the FDA plans to introduce a new paradigm called ‘Computer Software Assurance’ or CSA for executing all types of software and medical device validation in the pharma industry.

What made FDA to introduce the concept of CSA? What are the key drivers?

The FDA and CDRH (Centre for Devices and Radiological Health) formulated the ‘Case for Quality’ program in 2011 following evaluation of statistical data and advice from both the FDA and industry stakeholders. The FDA’s analysis recognized prevalent manufacturing risks that impact product quality and patient health. Thus, FDA felt the need for the introduction of CSA with a prime focus on Quality by treating compliance attainment as the baseline and considering the inclusion of critical-to-quality practices that result in higher-quality outcomes.

The program’s focus on computerized systems has increased in recent statements related to the Case for Quality, and the CDRH has also indicated its plan to release guidance on the topic of computer system assurance (CSA).

Key Drivers for the introduction of CSA by FDA:
  • Focus on Patient / Product Safety and Quality: Use the risk-based validation approach to computerized systems that focus on product quality and patient safety by applying critical thinking.
  • Change Mindset from Volume to Value: With the combination of unscripted testing, leveraging supplier documentation, and implementing continuous assurance monitoring, reduce the overall effort spent in generating a huge volume of scripted validation documentation.
  • Keep it Lean and Adaptive: Introduction of intelligent, automated processes that monitor and record manufacturing quality metrics, incorporating features and technological characteristics that can contribute to better options and higher quality that achieves their clinical purpose.

What are the principles of CSA?

As per FDA’s forthcoming guidance announcement, the new Computer Software Assurance (CSA) process is primarily focused on identifying intended use of the medical device or software system, checking its impact on patient / product safety and quality, identifying related risks, applying critical thinking and assurance needs, then finally execute testing and generate assurance documentation.

Pharma companies and device manufacturers are expected to provide a higher degree of assurance by applying critical thinking across system functions, business processes and mitigating all related risks that directly impacts patient safety, product quality, and data integrity.

The key to CSA is that recognition is given for all testing, including:

  • Supplier testing during the system development lifecycle should be leveraged for system software assurance.
  • Unscripted testing is testing without written test step instructions which classically relies on the tester’s experience to create test cases vigorously.
  • Limited scripted testing should be used for medium to high risks, with anticipated outcomes and a sign of pass/fail.
  • Robust scripted testing must be used for verification of high-risk functionality, as determined by critical thinking and risk assessment, and requires pre-approved test protocols used in CSV.

Techsol’s Perspective towards CSA

Based on our CSV experience and knowledge gathered around this new paradigm, ‘Computer Software Assurance’ should be a continuous process that provides an assurance that a software system used in a GxP function can meet the key quality attributes and applicable GxP regulations with qualitative and quantitative measures that are directly or indirectly related to patient safety and product quality.

Our understanding of CSA is depicted in the following illustration based on the key learning’s from past projects, common challenges faced by clients, and leveraging modern technology to establish lean validation.

Techsol GxP CSA

CSA vs CSV – What are the Key Differences?

Computer System Validation (CSV) Computer Software Assurance (CSA)
Focuses on developing a documented assurance that a software system does exactly what it was designed to do in a consistent and reproducible manner. Focuses on applying critical thinking and risk-based validation approach to software systems that provide a higher degree of assurance on product quality, patient safety and data integrity.
Validation is executed by adopting a risk-based approach that works well with SDLC methodologies like waterfall, agile, RAD, etc. Validation is executed by first applying critical thinking and then performing a risk-based test execution where there is a combination of unscripted and scripted testing.
CSV requires the manual execution, review, and approval of test scripts, test outcomes and supporting evidence. CSA encourages the use of more automated technologies for unscripted testing and leverage newer technology for digital validation execution.
Quality of systems validation is determined primarily on the volume of test cases. Quality of systems validation is determined primarily on reducing risks and increasing quality across system functions and related processes.

How Life Sciences and Pharma companies should approach the adoption of CSA

Although, the FDA has not yet released its final guidance document around ‘Computer Software Assurance’ (CSA), Life sciences and Pharma companies can work towards the adoption of CSA by completing a gap assessment to identify and understand their current quality and compliance pitfalls.

As the risk-based validation approach will remain an integral part of CSA, it important that companies continue to evaluate their current validation processes, tools, techniques, and methods and identify suitable compliance assurance measures that are in turn determined based on their relevance to patient safety and product quality. The outcomes of this exercise can serve as inputs for developing a compliance and validation framework that is formulated based on the critical thinking principles set forth by the agency.

Another key aspect is to continue building better business relationships with vendors and educating them on the importance of providing CSA oriented supplier documentation that is generated through test automation.

One of the primary barriers for CSA adoption is the lack of knowledge on regulatory compliance requirements amongst stakeholders. This requires continuous knowledge and skills enablement in the form of trainings and practical exercises.

To derive maximum value from this paradigm shift, organizations can initiate the following actions:

  • Develop a value focused process for validating software systems and related technology platforms.
  • Nurture critical thinking amongst team members.
  • Establish measurable Key Quality Attributes that can account for system quality and consistent performance.
  • Constantly identify opportunities to leverage advanced technology to automate testing and develop self-documentation capabilities.

How should your organization plan for transitioning from CSV to CSA

At a high-level, we have described the key areas and the methods that can be executed to begin the transition from the traditional CSV process to CSA.

System Requirements Definition

  • Apply critical thinking to identify, define and classify Key Quality Attributes of the System across System Functions that have a direct or indirect impact on Patient Safety and Product Quality parameters
  • Define quality and compliance measures for critical GxP functions

Software Development, Testing and Release

  • Adopt formal modeling techniques to account for those Key Quality Attributes
  • Leverage Test-driven development with automation to refactor defects
  • Set quality measures for the SDLC to account for security, performance and quality assurance
GxP System Implementation and Validation Planning and Execution
  • Perform a rigorous risk management exercise across system functions against regulatory and compliance requirements to prioritize the order and extent of validation
  • Set quality and compliance goals, objectives and measures based on the outcomes of risk assessment
  • Identify, analyze and organize the test plan with the objective of mitigating identified risks
  • Execute validation with both positive and negative testing to identify system boundaries and defects in functional behavior
  • Leverage a digital platform to auto-detect interdependencies of cross-modules for all test failures and to generate an accurate traceability of test results to the software requirements.

Post-deployment incremental Changes

Setup a continuous compliance and risk oversight process to ensure that ongoing change management meets the Key Quality Attributes

How Techsol can Help?

As a trusted validation and assurance services provider for global pharma companies, we have a decade of industry experience and domain knowledge to provide practical and ready-to-adopt solutions depending on your business goals. We have engineered robust validation and assurance frameworks and techniques that are suitable for a wide range of GxP systems that are used across clinical development, drug safety, labs, manufacturing, and commercial functions. Our clients rely on our expertise for setting up standard validation processes, conducting supplier audits, and for all types of GxP systems implementation and validation. With our ‘Center of Excellence’ for developing lean validation methodologies, we also help our clients to stay updated with all latest regulatory changes.

For more information, please reach out to us at info@techsollifesciences.com.

Request More Information