Q&A: CSV, CSA, and Why the Paradigm Shift


The following questions were asked during the Update From the FDA on CSV Changes webinar with Francisco Vicenty, Case for Quality program manager at the U.S. Food and Drug Administration, and Sandy Hedberg, Cloud Assurance QA/RA manager at USDM Life Sciences.

The goal of the webinar was to provide clarity on what the upcoming computer software assurance (CSA) guidance means for regulated life sciences companies and what you can do today to start preparing. Click here to watch the on-demand webinar.

If you have questions that are not answered in this Q&A, please contact us at usdm@usdm.com.

What is the difference between computer system validation (CSV) and computer software assurance (CSA)? 

If you think of the 80/20 rule, the current CSV methodology has manufacturers spending 80% of their time documenting and only 20% of their time testing. The FDA wants to flip this so that 80% of a manufacturer’s time is spent on critical thinking and applying the right level of testing to higher-risk activities, while only 20% of their time is spent documenting (CSA methodology). This critical thinking should be focused on three questions:

  • Does this software impact patient safety?
  • Does this software impact product quality?
  • Does this software impact system integrity?

Using a risk-based approach is nothing new, and regulatory agencies such as the International Society for Pharmaceutical Engineering (ISPE) who author Good Automated Manufacturing Practice (GAMP®) have been advocating this for two decades.

CSA is a framework designed to help manufacturers achieve CSV. CSA will provide clarity on the stance and methodology used to determine what is high risk and what is not, therefore minimizing misinterpretation by manufacturers. The clarification in the CSA approach flips the paradigm to focus on critical thinking (risk-based), assurance needs, testing activities, and documentation, in that order.

Why is the FDA making this change?

Too much work is done for fear of regulatory punishment instead of fear of putting a poor-quality product on the market. For software not used in a product, manufacturers are referring to burdensome guidance that is more than 20 years old, trying to avoid FDA Form 483 observations and warning letters from FDA investigations and third-party consultants. Nothing should be done for fear of regulatory observations. Instead, the focus should be on testing for higher confidence in system performance and applying the right risk-based assurance rigor for a given level of risk to patient safety and product quality. The new CSA framework also enables manufacturers to “take credit” for prior assurance activity and upstream and downstream risk controls like vendor qualifications.

What does “software not used in a product” (or non-product software) mean?

Non-product software is any software that is not directly used in a medical device, Software as a medical device (SaMD), medical device as a service (MDaaS), or end-product. It includes all of the software used in manufacturing, operations, and quality system activities that would follow the 21 CFR Part 820.70(i) guidance.

Is this just for medical device companies?

The short answer is no, the new CSA framework isn’t just for medical device companies. There are a lot of potential applications for all of life sciences.

The FDA’s Center for Devices and Radiological Health (CDRH) is working on this new draft guidance in cooperation with the Center for Biologics Evaluation and Research (CBER) and the Center for Drug Evaluation and Research (CDER). It is founded on a true, risk-based approach that should be considered when deploying non-product, manufacturing, operations, and quality system software solutions such as:

  • Quality management systems (QMS)
  • Enterprise resource planning (ERP)
  • Laboratory information management systems (LIMS)
  • Learning management systems (LMS)
  • Electronic document management systems (eDMS)

What is an indirect system versus a direct system?

Indirect systems do not have a direct impact on patient safety or product quality (for example, tools used in your CSV process like bug tracking systems or load testing and lifecycle management tools that do not directly impact the product). Indirect systems require less documentation.

Direct systems have a direct impact on patient safety or product quality—like electronic device history or adverse event reporting—and may require increased testing based on risk. In other words, the riskier a system impact is to the end-product and to the safety of the patient, the more testing and documentation is required.

The FDA has started citing companies for inadequate CSV efforts. How will inspectors be trained on the CSA initiative?

The FDA is undergoing an extensive training program for its auditors and is rolling out an agency-wide Case for Quality program. Further, the FDA is creating a Digital Center of Excellence, where it will encourage manufacturers to reach out to the FDA to ask questions on their processes and procedures before an audit takes place. The goal is to provide more collaboration throughout the process and minimize this fear of regulatory observations that have led to misinterpretation of the original intent of the guidance.

Has the FDA reached out to other regulatory agencies such as MHRA, EU, etc. to verify that this approach is acceptable for companies who sell overseas? 

Yes, the FDA has been working on the Case for Quality program in tandem with its sister agencies abroad.

When does the FDA anticipate releasing this guidance?

The U.S. Food and Drug Administration (FDA) is expected to release the Computer Software Assurance for Manufacturing and Quality System Software guidance in 2021. As always, this framework is acceptable today under current guidelines and the FDA is encouraging the industry to adopt it even prior to release. The guidance was initially expected in 2020, but was delayed due to COVID-19.

How can USDM help my company today?

USDM is on the cutting edge of technology and compliance, and we are watching the FDA’s CSA guidance closely. We already have progressive solutions in place and can save you significant time and money on your validation programs. Programs include:

  • CSA Education and Training – USDM can help your team with a pilot project; train and mentor your teams on how to apply the critical thinking; develop a risk-based approach; and consult on automated testing processes.
  • CSV/CSA Assessments – USDM will take a holistic approach to assess your current CSV process and make recommendations to get you to a true, risk-based CSA process according to your current state (i.e., quality of documentation, testing, SOPs/WIs, use of automation, and audit performance).
  • CSV/CSA Methodology – USDM can revamp your entire CSV process and digitally transform it into a CSA process. From methodology development through end-user training, USDM will assure your systems are compliant.
  • Cloud Assurance – USDM provides a subscription service to deliver end-to-end GxP compliance of your cloud systems. From implementation through ongoing validation maintenance—including new releases—USDM can manage and lighten your cloud validation burden.

How does the FDA define critical thinking?

As the manufacturer—the company and people producing the product—you know the business and you know the processes. You’ve got the best insight into how risk is introduced, where it matters, and what’s going on from a process standpoint. Critical thinking is considering where the system could introduce a risk versus what is a product or process risk. This helps you tell your story, whether it is to the FDA or an arbitrary regulator and auditor. Demonstrate that you can tell that story, that you’ve got the element of understanding and control about your product and your processes. There is no one-size-fits-all for any company or system. The FDA wants to know that you really understand your processes and systems and that you are in control. Ensure that you can tell the FDA you know where the risk is being introduced, how you will mitigate the risk, and whether the controls you put in place are working.

What does CSA mean for GAMP? Will GAMP become obsolete?

The impending CSA guidance is not going to create new concepts per se. It intends to simplify and clarify the use of non-product software and maximize testing efforts while minimizing documentation for lower risk, non-product software systems. There is no misalignment with GAMP 5. CSA is what the FDA intended all along but lacked clarity, and the misinterpretation resulted in too much documentation for documentation’s sake instead of better quality.

What is the impact on 21 CFR Part 11?

CSA principles are applicable to Part 11, but the scope is narrowly focused. Primary concern is around system risk, intended use, and ensuring that you have confidence in the system.

What about audit trails?

Part 11, audit trail, is just a set of requirements and you must understand the best way to exercise those requirements. Know when you need more robust testing of those requirements and when you can just make sure that your vendor built that in. Overall, audit trails are not something that you need to expend a lot of extra resources and energy on.

What about ISO 13485?

ISO 13485 is integrated and well written to incorporate risk-based thinking throughout all processes and applications. Nothing changes as it is based on a true risk-based approach.

What about MDSAP?

The FDA will make sure the medical device single audit program (MDSAP) is aligned with CSA down the road.

What does this mean for installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ)? 

The goal of CSA is to focus on critical thinking, do more business testing of the process and its intended use, and do less functionality testing.

Installation qualification: The vendor often does a good job of installation testing; still, it’s smart to turn on the equipment, log in, and make sure it works. That’s pretty low risk, because if it doesn’t work, that will be obvious.  Additional tasks would be to ensure you have all of your required user manuals, vendor qualifications, and the like.

User acceptance testing (UAT): Focus on your business processes and how they work within the system and how you wanted them to work within the system. This is where we expect to see much more of the testing being done and far less on the actual functionality or out-of-box functionality.

USDM Can Help

If you would like a consultation on your current CSV processes and a plan to move to a CSA approach, please contact us at compliance@usdm.com.

If you have questions that are not answered here, please contact us at usdm@usdm.com.

 Additional CSA References

Explore more on:


There are no comments for this post, be the first one to start the conversation!

Resources that might interest you