The Shift from CSV to CSA

In today's rapidly evolving pharmaceutical landscape, ensuring compliance with regulatory requirements and maintaining the highest standards of quality is paramount. However, the conventional approach of computer system validation (CSV) is proving to be insufficient for keeping up with the complex demands of the industry. It is frequently characterized as a burdensome task, with time-consuming and rigid validation exercises due to a standardized, “one-size-fits-all” approach to the creation and execution of test scripts.

With the ever-increasing complexity, integration capabilities, and faster pace of technological development, this burdensome approach is lacking efficiency and turning into a mandatory regulatory checkmark instead of the actual evaluation of the technology's fitness for its intended use.

Computer system validation aims to guarantee that the computer system used within different cGMP processes does not have a negative impact on product quality or patient safety, and that it ensures data integrity. On the other hand, computer software assurance (CSA) intends to simplify testing by allowing companies to perform unscripted testing and use automated tools instead of traditional testing. In fact, automated testing finds more defects than testing performed by humans since it executes steps in a sequential and systematic manner, evaluating the results with 100% accuracy, leading to less documentation.

The time has come for a significant shift from CSV to CSA, focusing on preventing the introduction of defects the software development process while applying a risk-based approach to determine the suitable level of assurance effort and activities to establish confidence in the software. Furthermore, CSA supports the maintenance of a state of control throughout the software development lifecycle. This paper aims to shed light on the industry's current challenges, highlight the pressing need for CSA implementation, and present an approach to assist the pharmaceutical sector in comprehending the necessity of CSA adoption.

From CSV to CSA

I. Introduction

With the technological evolution of computer systems and their use in both the pharmaceutical and medical device industries in the late '70s and early '80s, CSV emerged. As more and more companies began to see that they could leverage the computational power of computer systems to help streamline their processes, the use of computer systems strongly increased. The shape of CSV was influenced by several factors, including quality assurance principles, GMP requirements, and other regulatory requirements such as 21 CFR Part 11, which emphasize the need for comprehensive documentation of all CSV activities related to electronic records and signatures.

This paper will start by covering the fundamentals of CSV and CSA, focusing on the paradigm shift from the former to the latter while covering the regulatory landscape under which this transition should operate. Subsequently, a summary of the benefits and challenges will be presented which will lead to a typical roadmap for CSA implementation and the technological infrastructure that can propel the successful execution of this roadmap.

II. CSV

Computer system validation is a documented process used to verify and ensure that computerized systems consistently and reproducibly meet their intended use while complying with regulatory requirements. In the life sciences industry, CSV aims to guarantee patient safety and product quality by ensuring system reliability, accuracy, and integrity; managing risks, maintaining data integrity and security; and adhering to the regulatory landscape.

Even though CSV is a complex and resource-intensive process, it is essential in the highly regulated life sciences industry to ensure the reliability and compliance of critical computer systems. A robust CSV process builds confidence in computerized systems, enhancing product quality and minimizing errors.

III. CSA

Both CSV and CSA play similar roles in the life sciences industry, but CSA represents a significant advancement in computer system validation, prioritizing critical thinking over a “one-size-fits-all” approach. Therefore, the aim of CSA is to continue focusing on patient safety and product quality while streamlining the validation process.

CSA extends beyond compliance by using a risk-based approach, ensuring high confidence that systems meet their intended specifications and user requirements.

Through the management of the entire lifecycle of computer systems, CSA enables an efficient use of resources and, by focusing on mitigating risks, reduces overall validation burden and ensures that the software remains in a controlled and validated state throughout its lifecycle.

CSA incorporates robust cybersecurity measures and prioritizes continuous monitoring, evaluation, and improvement of computer systems to adapt to evolving technologies, regulations, and business needs.

Ultimately, CSA provides flexibility and agility in ensuring that software remains validated and targets critical functionalities that directly impact patient safety and product quality, reducing the need for extensive documentation.

CSA aligns with good manufacturing practices (GMP), quality management systems (QMS), and risk-based decision-making to consistently deliver accurate and reliable results while maintaining compliance, thereby enhancing the overall assurance of consistent outcomes of computerized systems.

IV. Transition from CSV to CSA

The release of the FDA draft guidance in 2022 marked a shift towards CSA, as it is explained below in the section “Regulations are not a Roadblock”.

The focus of CSV is on testing all system functionalities regardless of the level of risk to product quality and safety, leading to unnecessary tasks and excessive documentation. On the other hand, CSA’s primary focus is to ensure the software is maintained in a validated state by leveraging principles such as risk-based testing, unscripted testing, continuous performance monitoring, and data monitoring, as well as validation activities (Figure 1).

The shift from a repetitive CSV strategy to a critical thinking approach requires careful planning, implementation, and execution. This transition demands a significant change in mindset for everyone involved in CSA activities.

_{Figure 1 - CSV to CSA paradigm shift.}

When comparing CSV and CSA, it is evident that CSA offers a high-value solution without compromising quality and optimizing resources and time. CSA differs from CSV in the following ways:

• Focuses on critical thinking rather than on testing formalization.
• Defined purpose of validation allows for less documentation.
• The combination of unscripted and scripted testing enables a dynamic, agile, and evolving approach allowing for continuous improvement.

Influenced by quality assurance practices, regulatory requirements, and 21 CFR Part 11, the CSV approach was traditionally centered around creating extensive paper-based testing records, and large volumes of documentation based on the assumption that more documentation leads to higher quality and greater effort in validating computerized systems. However, this approach proved to be ineffective in ensuring product quality, data integrity, and patient safety.

The concept of critical thinking, introduced by GAMP guidance, addresses the critical aspects mentioned above that the CSV approach overlooked. Applying CSA, a critical thinking approach, reveals that excessive documentation does not correspond with better quality outcomes. Proof of this is that issues such as lack of segregation of duties, data integrity violations, and system functionality failures are common during inspections.

The CSA approach integrates both unscripted and scripted testing to balance flexibility with rigorous validation, based on risk. Unscripted testing enables a flexible and dynamic approach, while scripted testing follows predefined test cases. Both approaches are complementary and are used according to the level of risk to ensure repeatability, traceability, and auditability, with minimal documentation required.

Regulations are not a Roadblock

In the '90s, the U.S. Food & Drug Administration (FDA) started to increase its expectations regarding CSV and compliance because of several pivotal inspections. In 1997, the FDA issued the General Principles of Software Validation and 21 CFR Part 11. The first version of the ISPE GAMP guide was published in 1995, and the latest version, GAMP 5 (Second Edition), was published in 202212.

I. FDA’s CSA Draft Guidance

To challenge the CSV paradigm, the FDA released its Draft Guidance for Industry and FDA Staff on Computer Software Assurance for Production and Quality System Software in September 2022, introducing a more iterative, agile approach for the validation of computer software. By defining CSA as a “risk-based approach for establishing and maintaining confidence that software is fit for its intended use,” the FDA states that this approach should be supported by the following premises:

• Assurance efforts and activities should be determined according to the risk of compromised safety and/or quality of the software.
• A least-burdensome approach, in which validation is only necessary to address identified risks.
• Software should be in a state of control throughout its lifecycle.

This guidance proposes a framework for CSA implementation based on four stages:

1. Identifying the intended use of the software and determining if it will be used as part of the production and/or quality system.
2. Determining the risk-based approach by establishing the level of risk if the software were to fail to perform as intended.
3. Determining the appropriate assurance activities, commensurate with the identified risk.
4. Establishing the appropriate record to capture sufficient evidence demonstrating the software was assessed and performs as intended.

Nevertheless, this is still a draft guidance, meaning that CSA is not yet a regulatory requirement. CCSA will streamline manufacturers' implementation of novel technologies, but it should not be seen as a replacement for CSV.

II. ISPE’s GAMP 5 Second Edition

Also released in 2022, the ISPE GAMP 5 - A Risk-Based Approach to Compliant GxP Computerized Systems has been updated to its second edition12.
Even though it maintains its principles and framework, it introduces new content to face the fast-evolving pace of technology and the need to foster a more flexible approach to computerized systems validation activities.

The main changes include the addition of new appendices such as: Agile Software Development, Software Tools, Distributed Ledger Systems, Artificial Intelligence and Machine Learning, IT infrastructure and Critical Thinking.

ISPE’s GAMP 5 (Second Edition) and FDA’s draft guidance on CSA are aligned with each other in the creation and revision of their guidelines to tackle the inefficiency of CSV practices. Both documents have a strong focus on critical takeaway concepts that should be part of an organization’s CSV/CSA procedure, such as:

• Risk-based assurance activities
• Focus on critical features
• Leverage supplier assurance activities
• Clarification on the types of testing
• Limited scripted and unscripted testing
• Using tools and automation instead of documentation
• Using audit trails as testing evidence
• Flexible reporting documentation

What are the Benefits of CSA?

Computer Software Assurance is a modern, risk-based approach that focus on critical thinking and risk management. At the end of the CSA process, we will ensure that the right validation effort is made, leading to key benefits, including:

I. Enhanced Focus on Product Quality and Patient Safety

Computer Software Assurance focuses on critical aspects of computer systems ensuring that any risks to patient safety or product efficacy are identified and mitigated early in the system's lifecycle. Therefore, this is a proactive approach that ultimately leads to safer products and a higher level of trust in the systems used.

II. Efficiency in Compliance and Reduced Costs

Traditional CSV often requires extensive documentation and over-testing, which may not align with actual risk, leading to inefficiencies. Computer system validation also fails to leverage automated test tools that can maximize productivity and testing compliance. In contrast, CSA streamlines these processes through continuous assurance, enabling more efficient resource allocation, targeted testing, and documentation efforts. Ultimately, CSA accelerates system implementation, reduces time to market, and promotes cost savings that extend to long-term maintenance and operations, allowing organizations to maintain high standards of assurance while remaining agile and competitive.

Computer Software Assurance stands out as a forward-thinking methodology that aligns closely with the evolving nature of the regulatory landscape by emphasizing risk management and quality assurance. In this way, it reduces compliance issues in a more cost-effective manner while fostering stronger relationships with regulators, who are increasingly advocating for risk-based methodologies.

III. Adaptability and Scalability

Computer Software Assurance is designed to be adaptable and scalable, making it ideal for a broad spectrum of systems, from small scale to complex applications. In fast-paced, innovative environments, CSA is particularly useful as it supports rapid software deployment and iteration of systems while maintaining compliance with evolving technology and regulatory demands.

The traditional CSV approach does not align with Agile principles for software development, given the iterations and multiple product releases. The need for a scalable approach is also relevant to meet the growing demand for computerized systems in the industry. Without a scalable methodology, the amount of non-value-added documentation would be unmanageable.

IV. Facilitation of Innovation

Traditional CSV processes can be cumbersome and slow, often acting as a barrier to the adoption of new technologies. On the other hand, CSA promotes a faster and more efficient integration of new tools and technologies, supporting innovation and enabling companies to stay competitive and responsive to market demands.
This is particularly important in the life sciences industry, where advancements in technology can lead to significant improvements in patient outcomes.

What are the Challenges?

The upgrade of CSV practices into a more flexible and agile CSA approach faces several obstacles, primarily arising from within the organizations rather than from regulatory requirements and expectations.

I. Resistance to Change

Shifting from established practices to a new approach can face resistance from stakeholders who are accustomed to the traditional CSV methodology. It may require significant effort to educate and persuade key decision-makers about the benefits and advantages of CSA.

Although CSA focuses on extensive quality testing, there is also the fear of performing some testing (e.g., unscripted testing) without fully documented evidence, which, from a Quality Assurance standpoint, raises concerns.

II. Resource Allocation

Implementing CSA requires allocating adequate resources, including financial investments, skilled personnel for monitoring control and assurance activities, and time. The pharmaceutical industry must carefully plan and allocate resources to facilitate the adoption of CSA, which can involve training personnel, updating infrastructure, and integrating new software solutions.

III. System Complexity and Integration

The pharmaceutical industry relies on numerous interconnected systems, making the adoption of CSA complex. Ensuring seamless integration, data integrity, and proper validation across the entire system landscape is a significant challenge.

IV. Change Management and Documentation

Implementing CSA involves revisiting existing validation procedures, documentation practices, and quality management systems. It requires an effective change management strategy to ensure that all necessary modifications are properly planned, documented, and communicated to relevant stakeholders.

The CSA Roadmap

Organizations should define a roadmap to shift from a documentation-overburdened CSV approach to a risk- and critical-thinking-based agile CSA approach, and to focus the validation effort on the features that are critical to patient safety, product quality, and data integrity. This will allow the implementation of a robust standardized CSA that is compliant, efficient, and scalable.

Our proposal is to invest in the upstream activities of assessing, planning, training, and implementing changes before being ready to execute the improved CSA practices.

I. Assessment

A first step in mapping the current practices and procedures and evaluating the whole portfolio of computerized systems is the execution of a CSV to CSA gap assessment and the writing of a CSV to CSA use case to facilitate change management.

There is also the assumption that SOPs will exist with practical aspects of CSA implementation. The SOPs should be written with some flexibility, allowing for interpretation and enabling users who are going to follow the CSA approach to use their own critical thinking skills in that process. In addition to SOPs, having a CSA playbook helps teams that are still growing in maturity when applying CSA.

_{Figure 2 - CSA implementation roadmap.}

II. Planning

The next step should be the execution of a risk-based gap analysis to identify the practices and procedures to be revised. In parallel, the stakeholders and training needs should be identified, and the communication plan should be defined. These identified needs in terms of resources and scope will facilitate the implementation phase.

Applying critical thinking before you adopt a CSA program really equates to understanding what CSA is and getting all stakeholders involved (quality, IT, validation, business and system users, etc.) is paramount for this exercise.

III. Training

CSA implementation should be a cross-functional effort, and the training needs should cover every identified stakeholder. Depending on their level of involvement, different levels of training on what is the proposed CSA approach and on the new procedures (SOPs, CSA playbooks, etc.) should be considered, so that the organization is aligned, and the message is consistent from top management and decision-makers to the SMEs and end-users.

Training on risk management is also paramount to ensure a proper understanding of key concepts in CSA, such as when unscripted testing is viable and how the degree or amount of documentation is much less than what we would have in traditional robust scripted testing.

IV. Implementation

At this point, the needs are identified, and the stakeholders and specific tasks are planned.

The organization should now implement the actual changes such as reviewing the procedures, work instructions, templates, and tools; the computerized systems inventory should also be reviewed to accommodate the revised digital strategy for the implementation of CSA methodology; and the future roles and responsibilities of the CSA team should be assigned.

V. Execution

As a good practice, the execution phase should focus on one selected computerized system, based on the previously defined methodology, and establish the grounds for methodology replication to the wider computerized system portfolio.

After selecting the system to be submitted to the CSA framework, the team should evaluate its intended use, goal, classification, and overall impact, followed by a risk assessment on the system’s features. This will enable the definition of the testing types based on the risk assessment. The execution of the computerized system testing activities and corresponding documentation should be done according to the revised procedures.

The usage of templates will also help the adoption of a CSA program by enforcing process standardization during execution while facilitating collaboration and communication amongst different stakeholders.

Assessing, planning, implementing, and applying the CSA framework to a relevant computerized system will build a strong case for the stakeholders to experience the added value of CSA and for the whole organization to implement a successful change, while avoiding common roadblocks and challenges.

Tools to Leverage

In today’s landscape, there is a significant shift from substantial investments in infrastructure and on-premises systems to embracing digital solutions such as Software as a Service (SaaS) and Infrastructure as a Service (IaaS). Correlating the traditional CSV approach with digital advancements such as Industry 4.0, Cloud Computing, Internet of Things (IoT), Machine Learning, Artificial Intelligence, and Blockchain, it is evident that technology has transformed the industry. However, the core focus of CSV remains unchanged: product quality, patient safety, and data integrity.

The landscape of CSA is evolving rapidly with the integration of these cutting-edge technologies that streamline CSA processes, improve efficiency, enhance risk management, and improve compliance with regulatory requirements:

I. Cloud Computing

Cloud-based solutions offer scalable and secure environments for data storage and software applications. This technology allows for real-time data access and enables collaboration among global teams, improving CSA efficiency and effectiveness. For example, cloud platforms support remote monitoring and validation, facilitating compliance across various locations.

II. Artificial Intelligence (AI) and Machine Learning (ML)

Artificial Intelligence is transforming CSA by automating repetitive tasks, quickly analyzing large datasets, and detecting patterns that human observation might miss. For instance, AI streamlines the validation process by automating routine checks, thereby minimizing human error. It will also be able to write automated test scripts, improving the amount and quality of testing far better than any human being.

III. Internet of Things (IoT)

The Internet of Things (IoT) enables real-time data collection, exchange, and analysis through interconnected devices. This dynamic improves validation efficiency and system monitoring. IoT technologies enhance CSA processes by providing actionable insights into system performance and potential issues, allowing for proactive maintenance and compliance management.

IV. Blockchain Technology

Blockchain technology guarantees data integrity and transparency, which are vital for CSA. It provides an audit trail of all transactions and modifications, ensuring that changes are traceable and verifiable. In the pharmaceutical industry, where regulatory requirements demand meticulous documentation of all processes, this is especially important.

Conclusion

Computer software assurance enhances traditional CSV by prioritizing risk management and adapting to emerging technologies and new Agile methodologies in software development. It addresses the unique risks associated with these approaches, ensuring that quality assurance practices remain relevant.
Guided by GAMP principles, CSA begins with critical thinking rather than documentation. It prioritizes quality, patient safety, and data integrity, by focusing on risk reduction and ensuring that software meets its intended use. Documentation is developed following this process-oriented methodology. As a result, CSA minimizes the need for extensive testing and documentation, increasing efficiency and product safety. This leads to reliable performance of computerized systems in cGMP operations and ultimately better patient outcomes.

Computer software assurance targets high-risk areas efficiently, making system assurance both cost-effective and essential for effective system management. This approach helps organizations maintain system reliability, security, and compliance, driving both efficiency and innovation.

The drive towards digital transformation and automation enables more streamlined CSA processes, reducing manual effort, increasing accuracy, and enabling real-time monitoring and compliance. This results in more efficient and effective quality assurance processes. However, it also uncovers new risks and compliance challenges, requiring thorough risk-based approaches that can potentially leverage advanced analytics and predictive modeling.

The increasingly complex regulatory landscape for computer systems, with varied requirements across different regions, emphasizes the need for harmonized regulations and globally recognized standards. Consequently, efforts to establish international standards for CSA will help streamline compliance processes, facilitating a consistent approach to system assurance.

Moreover, as data complexity and data privacy concerns increase, CSA must ensure data integrity throughout the system lifecycle, CSA is, and will be, a critical component for ensuring the reliability, compliance, and safety of computer systems, providing robust assurance in a rapidly changing world, within the life sciences industry.

Finally, CSA is a continuous process that demands collaboration, adaptability, and a focus on meeting regulatory standards and technological advancements to ensure system integrity and patient safety9.

References

1. Creaner, G., & Fitzgerald, D. (2024, January). What is Meant by Computer System Validation? GetReskilled.

2. Ray, R. (2023, August 28). Computer System Validation (CSV) in the FDA-Regulated Industries. The FDA Group.

3. What is Computer System Validation? (2023, December 19). Sware.

4. Computer System Validation (CSV). (n.d.). Ofni Systems.

5. Buendia, A. (2023, July 14). CSV vs. CSA: What are the Main Differences? Scilife.

6. Benkirane, M. (2021, February 8). CSA vs CSV: FDA’s New Guidance for Software Assurance. Critical Manufacturing.

7. Visconti, A. (2023, August 28). Computer System Validation (CSV) in the Pharmaceutical Industry: Ensuring Quality and Compliance. LinkedIn.

8. Walia, G., & Neri, D. (2024, April). Computer Software Assurance and the Critical Thinking Approach. ISPE Pharmaceutical Engineering.

9. Computer Software Assurance (CSA) in Pharma Industry: First Steps to move from CSV to CSA. (2023, September 19). QBD Group.

10. Computer Software Assurance for Production and Quality System Software Draft Guidance for Industry and Food and Drug Administration Staff. (2022). https://www.fda.gov/regulatory-information/search-fda-guidance-documents/computer-software-assurance-production-and-quality-system-software.

11. McDowall, R. D. (2023, April 1). CSA: Much Ado About Nothing? Spectroscopy.

12. ISPE GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems (Second Edition). (2022).

13. CSA vs CSV: What a Difference One Letter Can Make! (2023, July 11). Sware.

14. CSA and Technology in Pharma: Are Our Employees Ready for the Revolution? (2024, June 5). Eminence Group Ventures.

15. The CSA IoT Security Controls Framework. (2020, June 30). FORTRA.