What Is Computer Software Assurance (CSA) - The FDA's New Approach To CSV
What Is Computer Software Assurance (CSA) - The FDA's New Approach To CSV

Anna Iliopoulou, MSc
Quality Assurance and CSV Manager
The purpose of pharmaceutical quality assurance is to ensure that the medication being manufactured will provide the desired effect to the patient.
For years, Computer Systems Validation (CSV) documents have played a significant role in ensuring software quality and being able to demonstrate that computer systems work as intended during inspections and audits.
However, is that the ultimate goal? Is there a way to maintain or even improve computer systems quality while reducing the documentation efforts?
There is and this is the new approach recommended by the FDA called Computer Software Assurance (CSA), which heavily focusing on computer systems tesing as opposed to CSV documentation. In more details, CSV methodology has testers
spend 80% of their time documenting the process, whereas only 20% of their time is actually used for testing the quality of the product. On the other hand, CSA guidelines suggest that 80% of the tester’s time will be spent on critical thinking and actual testing, and the remaining 20% of their time will be spent on creating documentation.

“The principal objective of software testing is to give confidence in the software.”
The FDA’s New Approach To CSV
After receiving input from the Food and Drug Administration (FDA) and industry stakeholders, the Center for Devices and Radiological Health (CDRH) began the case to ensure quality. The aim of the initiative was to identify the best manufacturing processes and help medical device manufacturers improve their manufacturing quality levels by changing from being conformity-oriented toward what matters most to the quality of the product. Through a successful
partnership with companies and stakeholders, the case established manufacturing standards for the medical device industry, offering an industry-clear goal. When the FDA asked the companies that participated in technology investments, what the barriers to realizing value were, the answer was one: CSV.
When FDA asked why these companies had not started implementing CSA, their answers were documented and are summarized in the below table:
Is CSA Mandatory? Understanding The FDA’s Recommendation
Computer Software Assurance (CSA) is not mandatory, but it is strongly recommended by the FDA as a best practice. Here’s why manufacturers should highly consider adopting CSA even though it’s not compulsory:
FDA’s Encouragement
The FDA has been vocal in promoting CSA as a modernized approach to software validation. While the FDA has not mandated CSA through regulations, they encourage manufacturers to adopt it to align with evolving best practices and to improve the efficiency and effectiveness of their validation processes.
Regulatory Compliance
While CSA itself isn’t a legal requirement, the underlying principles of risk-based validation are consistent with existing FDA regulations. For instance, the FDA’s Electronic Records and Electronic Signatures Regulation (21 CFR Part 11) requires manufacturers to ensure that electronic systems maintain data integrity, provide secure audit trails, and support validated electronic signatures. CSA offers a risk-based approach to meet these requirements more efficiently by focusing on critical system functions that impact data accuracy and compliance.
Flexibility & Innovation
CSA offers manufacturers greater flexibility in how they approach software validation. It allows them to use modern software development practices, such as Agile or DevOps, which are often difficult to reconcile with traditional validation methods. This flexibility can lead to more innovative and efficient development processes.
Potential for Reduced Regulatory Scrutiny
Manufacturers who adopt CSA and demonstrate its effective implementation may experience fewer regulatory challenges. The FDA is more likely to view positively the efforts of a company that is proactively managing software risks through CSA, potentially leading to smoother inspections and audits.
Industry Trend
As the pharmaceutical industry evolves, CSA is becoming increasingly recognized as a best practice. Companies that do not adopt CSA may find themselves at a competitive disadvantage as peers and competitors benefit from the efficiency and innovation that CSA supports.
Challenges In Adopting CSA

Key Differences Between CSV & CSA
While CSA itself isn’t a legal requirement, the underlying principles of risk-based validation are consistent with existing FDA regulations. For instance, the FDA’s Electronic Records and Electronic Signatures Regulation (21 CFR Part 11) requires manufacturers to ensure that electronic systems maintain data integrity, provide secure audit trails, and support validated electronic signatures. CSA offers a risk-based approach to meet these requirements more efficiently by focusing on critical system functions that impact data accuracy and compliance.
CSV is an approach that focuses on securing evidence for the auditors rather than concentrating on actual testing. The company will recreate the documentation that has already been created by the vendor, which costs time and effort. Last but not least, there might also be lots of deviations due to the tester’s errors and typos.
On the other hand, there’s CSA; it is less burdensome and much faster. Moreover, there is a reduction in deviations due to the tester’s errors. Furthermore, the tester can use critical thinking to ensure the quality of the software. Last but not least, it will help with the risk assessment of the features.
Benefits Of CSA Over CSV
Moving away from traditional CSV to CSA represents a cultural shift for validation that reduces documentation time and cost for life sciences organizations that implement software. The FDA has outlined the success companies can achieve with such an enabling technology at their March 2019 case conference.
The below table summarizes and highlights the main differences and strengths of the CSA approach.

Vendor Qualification In The CSA Era
Many regulated companies in the Pharma and Biotech Industry will choose a vendor to buy software, a device, a solution, etc. Usually, this company will start retesting the software functionality to ensure it is compliant with GAMP5, 21cfr11.
According to the FDA guidance, if a vendor’s documentation seems to be of good quality, there should be a focus on making sure that the product will address the expectations rather than reproducing the validation package of the vendor.
Following the CSV approach, regulated companies are used to focusing on documentation, manual testing, and showing evidence. This method is used for every part of the tested product, whether it is high-risk functionality or not. However, the CSA approach is more about flexibility with acceptable records of results and the use of critical thinking. Therefore, there is also a need to introduce some new scripting techniques:
Scripted – only for higher risk activities of the system that can directly have a software impact on product quality
Unscripted – for medium risk features. In this scenario, any deviations should still be recorded as normal
Ad-hoc – for low risk, where exploratory testing will be conducted

Implications Of CSA On Quality Management Systems (QMS)
In Quality Management Systems (QMS) applications, the risk to product quality and patient safety is much lower and therefore does not require the same level of testing. The guidelines acknowledge industry changes and recognize the distinct levels of risks associated with a variety of applications. The most common industry software is Category 4 Configured software, which allows firms to use verification tools for software changes without writing to meet the business process needs. This change saves time, money, and resources.
Steps For Transitioning To CSA
- Revise the current policies to align with this new CSA approach.
- Reconsider the way your company works and change it from being a compliant mentality to being quality centered
- Use to your benefit your vendor’s existing validation package
- Use automation tools to automate assurance activities
- Familiarization with the use of the product
- Get to understand the riskprone characteristics of the product.
- FDA supports the computer system assurance approach
- It will reduce documentation by up to 80%
- No new regulations need to be introduced for this approach
CSA's Impact On GAMP & 21 CFR Part 11
Adopting CSA is not introducing new concepts. Its only purpose is to focus on testing and not documenting low-risk requirements.
The CSA approach is applicable to 21 CFR Part 11, but its purpose is to minimize its focus. Whereas the concern is gathered around the high-risk systems and the confidence the user has in these systems, this will not be changed. The better one understands these regulations, the more appropriate the performance and focus of the testing.
Critical Changes In IQ, OQ & PQ Processes
The main goal is to invest in critical thinking and focus on actual scenarios when testing the system instead of spending time on functional tests.
Installation Qualification
The supplier will most probably perform a successful installation test. However, it will be obvious if this does not get done successfully as the system will not work. Therefore, it does not offer value to re-perform the Installation Qualification (IQ).
Operational Qualification & Performance Qualification
There should be a focus on the actual needs business-wise using critical thinking for Operational Qualification (OQ) and Performance Qualification (PQ) in order to perform only those scenarios that will be used in order to ensure that the system works correctly. There is no value in focusing on scenarios and functionality that are out of scope.
Future Prospects & Benefits Of CSA
The new guidance will help companies develop more advanced medical technology to provide faster and more reliable treatments. It’s good news that digital technology is already beginning to become mainstream. Axendia’s report* noted that 63% of manufacturing companies now use cloud-based platforms.
How Software Vendors Must Adapt To CSA
The other side of the equation puts more pressure on software vendors to build and offer more validation support, including the production or validation of pre-validation tests. Also, as software is moving towards the Cloud and Software as a Service (SaaS) systems are becoming commonplace, the manufacturers need less customized and more flexible software solutions.
Conclusion: The Shift From CSV To CSA
CSV procedures emphasize extensive documentation requirements so the auditor can see the application used for manufacturing a product. This extensive documentation requirement is now somewhat a bottleneck and burden for life sciences companies deterring investment in automation. The FDA is aiming to reduce the risk and quality of products by implementing these standards.
How Vimachem Can Help
Vimachem is a quality-focused company that offers fully validated product solutions to its clients. On top of that, Vimachem offers a lean validation approach that focuses heavily on testing. Moreover, we provide Validation services to our clients. Our main concern is to interact with our clients and listen to them. Our experienced personnel are ready to help in the most effective way to prepare all necessary documentation and proof that is needed when the moment for regulatory inspection comes. Here are some facts about Vimachem:
We specialize in Computer Systems Validation (CSV) and Quality Assurance (QA) support services for our global customers in the Life
Sciences industry
Our employees are continuously trained on FDA and EMA Regulations and Good Clinical and Manufacturing Practices
We have developed our Quality Management System (QMS) centered around our Life Science customers’ needs.
We guarantee the quality of computerized systems is thorough and documented
We create and customize the Requirements and Specifications depending on the complexity of the system and the associated risks
We provide CSV as a Service (CSVaaS) where our customers choose one or more of our services depending on their needs and priorities

READY TO AUGMENT YOUR SHOP FLOOR OPERATIONS?
READY TO AUGMENT YOUR SHOP FLOOR OPERATIONS?
Vimachem Manufacturing Analytics - OEE
The Manufacturing Analytics – OEE module is an intelligent Pharma OEE Cloud solution that allows you to collect, store and visualize data across your site / enterprise and apply AI algorithms to optimize production efficiency and product quality.