It seems like everyone is talking about computer software assurance these days, including the FDA. In December of 2021, the FDA’s Center for Devices and Radiological Health (CDRH) is expected to release a highly anticipated new guidance document, Computer Software Assurance for Manufacturing, Operations and Quality System Software.
The guidance was initially slated for 2020 but delayed due to the Covid-19 pandemic. As of this writing, there’s no word as to whether the FDA will hit its target release date. Understandably, regulated companies have lots of questions.
What is CSA?
The most obvious question is: What is CSA, and how does it differ from traditional CSV? The current process, CSV, focuses on producing accurate, approved documentation to present to auditors, then testing, then assurance needs, and finally critical thinking.
The CSA methodology is the exact opposite; it flips the paradigm. It emphasizes critical thinking (risk-based), assurance needs, testing activities, and documentation, in that order. In a nutshell, the goal of CSA is to "right-size" validation activities, placing the focus on what directly impacts patients or product quality.
Why the shift?
In a word: overkill. In 1997, the FDA issued 21 CFR Part 11, which specifies how FDA-regulated companies must manage electronic records and signatures. The Agency’s intentionally vague instructions led to overwork, costing the industry millions of dollars. Five years later, the FDA released a related guidance advising regulated companies to take a least burdensome approach and integrate software management and risk management, laying the foundation for CSV.
Unfortunately, the 2002 guidance has not solved the problem. Companies continue to generate copious amounts of documentation, primarily to appease auditors. This focus on documentation impedes critical thinking and the use of automation and modern technologies to enable more effective testing.
What’s the FDA looking for?
Although there are subtle differences between CSV and CSA, such as ad hoc testing, CSA still promotes a risk-based, least burdensome approach consistent with the 2002 guidance. In reality, the FDA isn’t asking us to do something that’s incredibly different from what we’re doing now. They’re just asking us to do it better by putting critical thinking at the forefront and leveraging the powerful technology tools we have at our disposal.
Editor's note: This blog post summarizes the first episode of a five-part podcast series devoted to CSA. In my next post/episode, I’ll explain how to be a critical thinker and how to apply critical thinking to CSA. Don’t miss it.
Press the play button to listen to the full podcast of episode one.
Computer software validation (CSV) and computer software assurance (CSA) aren't all that different. So then, what's all the hype about? Let's discuss.
Steve Thompson has worked in Life Sciences for over two decades in both Information Technology and Quality Assurance roles. He’s a certified systems auditor and has audited hundreds of companies globally. A published author, a frequent speaker at industry conferences, on the Board as a Director for PRCSQA, Editorial Advisory Board for ISPE, and Elite Faculty member for KENX, and Adjunct Lecturer, Temple University, School of Pharmacy, RA/QA Graduate Program. He was honored with an APEX 2020 award of excellence for a peer-reviewed article he co-authored for Pharmaceutical Engineering on Blockchain. Currently, as Director Industry Solutions at ValGenesis, Steve helps Life Science organizations realize the potential benefits of advanced technologies, along with inherent risks.