What is Computer Software Assurance (CSA), the FDA's new approach to CSV?

What is Computer Software Assurance (CSA),
the FDA's new approach to CSV?

Anna Iliopoulou, MSc

Anna Iliopoulou, MSc

Quality Assurance and CSV Manager

The purpose of pharmaceutical quality assurance is to ensure that the medication being manufactured will provide the desired effect to the patient.

For years, Computer Systems Validation (CSV) documents have played a significant role in ensuring software quality and being able to demonstrate that computer systems work as intended during inspections and audits.

However, is that the ultimate goal? Is there a way to maintain or even improve computer systems quality while reducing the documentation efforts?

There is and this is the new approach recommended by the FDA called Computer Software Assurance (CSA), which heavily focusing on computer systems tesing as opposed to CSV documentation. In more details, CSV methodology has testers
spend 80% of their time documenting the process, whereas only 20% of their time is actually used for testing the quality of the product. On the other hand, CSA guidelines suggest that 80% of the tester’s time will be spent on critical thinking and actual testing, and the remaining 20% of their time will be spent on creating documentation.

“The principal objective of software testing is to give confidence in the software.”

The FDA’s New Approach to CSV

After receiving input from the Food and Drug Administration (FDA) and industry stakeholders, the Center for Devices and Radiological Health (CDRH) began the case to ensure quality. The aim of the initiative was to identify the best manufacturing processes and help medical device manufacturers improve their manufacturing quality levels by changing from being conformity-oriented toward what matters most to the quality of the product. Through a successful
partnership with companies and stakeholders, the case established manufacturing standards for the medical device industry, offering an industry-clear goal. When the FDA asked the companies that participated in technology investments, what the barriers to realizing value were, the answer was one: CSV.

When FDA asked why these companies had not started implementing CSA, their answers were documented and are summarized in the below table:

What is preventing the companies from adopting CSA?

What are the Main Differences Between the Two Approaches?

CSV is an approach that focuses on securing evidence for the auditors rather than concentrating on actual testing. The company will recreate the documentation that has already been created by the vendor, which costs time and effort. Last but not least, there might also be lots of deviations due to the tester’s errors and typos.

On the other hand, there’s CSA; it is less burdensome and much faster. Moreover, there is a reduction in deviations due to the tester’s errors. Furthermore, the tester can use critical thinking to ensure the quality of the software. Last but not least, it will help with the risk assessment of the features.

Benefits of CSA over CSV

Moving away from traditional CSV to CSA represents a cultural shift for validation that reduces documentation time and cost for life sciences organizations that implement software. The FDA has outlined the success companies can achieve with such an enabling technology at their March 2019 case conference.

The below table summarizes and highlights the main differences and strengths of the CSA approach.

What do you Need to Know when Qualifying a Software or Device Vendor?

Many regulated companies in the Pharma and Biotech Industry will choose a vendor to buy software, a device, a solution, etc. Usually, this company will start retesting the software functionality to ensure it is compliant with GAMP5, 21cfr11.

According to the FDA guidance, if a vendor’s documentation seems to be of good quality, there should be a focus on making sure that the product will address the expectations rather than reproducing the validation package of the vendor.

Following the CSV approach, regulated companies are used to focusing on documentation, manual testing, and showing evidence. This method is used for every part of the tested product, whether it is high-risk functionality or not. However, the CSA approach is more about flexibility with acceptable records of results and the use of critical thinking. Therefore, there is also a need to introduce some new scripting techniques:

Scripted – only for higher risk activities of the system that can directly have a software impact on product quality

Unscripted – for medium risk features. In this scenario, any deviations should still be recorded as normal

Ad-hoc – for low risk, where exploratory testing will be conducted

What does the Transition to Computer Systems Assurance mean for the QMS?

In Quality Management Systems (QMS) applications, the risk to product quality and patient safety is much lower and therefore does not require the same level of testing. The guidelines acknowledge industry changes and recognize the distinct levels of risks associated with a variety of applications. The most common industry software is Category 4 Configured software, which allows firms to use verification tools for software changes without writing to meet the business process needs. This change saves time, money, and resources.

Is it Worth Transitioning - What are the Key Facts that an Organization Needs to Consider?

Is CSA Going to Affect GAMP?

Adopting CSA is not introducing new concepts. Its only purpose is to focus on testing and not documenting low-risk requirements.

Will this Affect 21 CFR Part 11 and Audit Tables?

The CSA approach is applicable to 21 CFR Part 11, but its purpose is to minimize its focus. Whereas the concern is gathered around the high-risk systems and the confidence the user has in these systems, this will not be changed. The better one understands these regulations, the more appropriate the performance and focus of the testing.

Will this Approach Affect the Process of IQ, OQ, and PQs?

The main goal is to invest in critical thinking and focus on actual scenarios when testing the system instead than spending time on functional tests.

Installation Qualification:
The supplier will most probably perform a successful installation test. However, it will be obvious if this does not get done successfully as the system will not work. Therefore, it does not offer value to re-perform the Installation Qualification (IQ).

Operational Qualification and Performance Qualification:
There should be a focus on the actual needs business-wise using critical thinking for Operational Qualification (OQ) and Performance Qualification (PQ) in order to perform only those scenarios that will be used in order to ensure that the system works correctly. There is no value in focusing on scenarios and functionality that are out of scope.

Is there Hope for CSA?

The new guidance will help companies develop more advanced medical technology to provide faster and more reliable treatments. It’s good news that digital technology is already beginning to become mainstream. Axendia’s report* noted that 63% of manufacturing companies now use cloud-based platforms.

Impact on Software Vendors?

The other side of the equation puts more pressure on software vendors to build and offer more validation support, including the production or validation of pre-validation tests. Also, as software is moving towards the Cloud and Software as a Service (SaaS) systems are becoming commonplace, the manufacturers need less customized and more flexible software solutions.


CSV procedures emphasize extensive documentation requirements so the auditor can see the application used for manufacturing a product. This extensive documentation requirement is now somewhat a bottleneck and burden for life sciences companies deterring investment in automation. The FDA is aiming to reduce the risk and quality of products by implementing these standards.

What do we do in Vimachem?

Vimachem is a quality-focused company that offers fully validated product solutions to its clients. On top of that, Vimachem offers a lean validation approach that focuses heavily on testing. Moreover, we provide Validation services to our clients. Our main concern is to interact with our clients and listen to them. Our experienced personnel are ready to help in the most effective way to prepare all necessary documentation and proof that is needed when the moment for regulatory inspection comes. Here are some facts about Vimachem:

We specialize in Computer Systems Validation (CSV) and Quality Assurance (QA) support services for our global customers in the Life
Sciences industry

Our employees are continuously trained on FDA and EMA Regulations and Good Clinical and Manufacturing Practices

We have developed our Quality Management System (QMS) centered around our Life Science customers’ needs.

We guarantee the quality of computerized systems is thorough and documented

We create and customize the Requirements and Specifications depending on the complexity of the system and the associated risks

We provide CSV as a Service (CSVaaS) where our customers choose one or more of our services depending on their needs and priorities

What is Computer Software Assurance (CSA), the FDA's new approach to CSV?



Vimachem Manufacturing Analytics - OEE

The Manufacturing Analytics – OEE module is an intelligent Pharma OEE Cloud solution that allows you to collect, store and visualize data across your site / enterprise and apply AI algorithms to optimize production efficiency and product quality.

Get started with real-time manufacturing analytics today!