It seems like everyone is talking about computer software assurance these days, including the FDA. The Agency's upcoming CSA guidance, Computer Software Assurance for Manufacturing, Operations and Quality System Software, was slated to be released in 2020 but delayed due to the Covid-19 pandemic. Understandably, regulated companies anxiously awaiting the guidance have lots of questions.
The most obvious question is: What is CSA, and how does it differ from traditional CSV? The current process, CSV, focuses on producing accurate, approved documentation to present to auditors, then testing, then assurance needs, and finally, critical thinking.
The CSA methodology is the exact opposite; it flips the paradigm. It emphasizes critical thinking (risk-based), assurance needs, testing activities, and documentation, in that order. In a nutshell, the goal of CSA is to "right-size" validation activities, placing the focus on what directly impacts patients or product quality.
In a word: overkill. In 1997, the FDA issued 21 CFR Part 11, which specifies how FDA-regulated companies must manage electronic records and signatures. The Agency’s intentionally vague instructions led to overwork, costing the industry millions of dollars. Five years later, the FDA released a related guidance advising regulated companies to take a least burdensome approach and integrate software management and risk management, laying the foundation for CSV.
Unfortunately, the 2002 guidance has not solved the problem. Companies continue to generate copious amounts of documentation, primarily to appease auditors. This focus on documentation impedes critical thinking and the use of automation and modern technologies to enable more effective testing.
Although there are subtle differences between CSV and CSA, such as ad hoc testing, CSA still promotes a risk-based, least burdensome approach consistent with the 2002 guidance. In reality, the FDA isn’t asking us to do something that’s incredibly different from what we’re doing now. They’re just asking us to do it better by putting critical thinking at the forefront and leveraging the powerful technology tools we have at our disposal.
Editor's note: This blog post summarizes the first episode of a five-part podcast series devoted to CSA. In my next post/episode, I’ll explain how to be a critical thinker and how to apply critical thinking to CSA. Don’t miss it.
Press the play button to listen to the full podcast of episode one.
Is CSA the new CSV? Not exactly. Here's the rest of your comprehensive guide to computer software assurance, the FDA's new framework for validating software systems.