CSA vs CSV: What a Difference One Letter Can Make!
Get out of Technical Debt | Save Time & Money
By Jackie Davidson
Regulatory Intelligence & Innovation, Sware
If you read our recent blog, "How Can the New Computer Software Assurance Approach Promote Efficiency in Your Computer Systems Validation Process?", then you have some background on the FDA’s Computer Software Assurance guidance. However, you may be wondering: what is Computer Software Assurance? And how do Computer Software Assurance and Computer System Validation compare in terms of effectiveness?
Let’s further explore the differences between the new Computer Software Assurance (CSA) guidance and traditional Computer Systems Validation (CSV).
Before diving into the intricacies of CSA vs. CSV, it’s a good idea to gain some background knowledge. CSV became part of the regulatory landscape way back in 1997 when the FDA released 21 CFR Part 11, “Electronic Records, Electronic Signatures” into law and the Spice Girls ruled pop music. Computer technologies were still in their infancy, the Teletubbies were introduced (annoying parents everywhere), and cloud-hosted systems as we know them today were non-existent. There were not many systems on the market purpose-built for life sciences.
To meet their needs, life sciences companies often had to “home grow” their software with in-house developers. Because of the risk entailed in building and testing a homegrown system from code, a “test-everything” approach was taken – complete with exhaustive, paper-based, step-by-step protocols accompanied by loads of screenshots and printouts.
Over time, this approach proved problematic. Because traditional CSV didn’t set the level of testing commensurate with risk, unnecessary items and low-risk features were tested at the same level as high-risk features.
As a result, GMP software validation began to feel more like “great mounds of paper,” instead of “good manufacturing practice.”
Often encumbered by test script errors and hundreds of screenshots, paper-based, manually tested computer software validation became more of an exercise in compliance to try to please inspectors – as opposed to truly testing the system’s fitness for intended use or the maintenance of its validated state in the case of changes or updates. As technology advanced and picked up speed, these exhaustive CSV efforts were no longer sustainable. Considerable time, money, and personnel were tied up in documentation efforts that offered little ongoing benefit to companies beyond the act of validation itself.
The technology matured, and hosted systems (Software as a Service, hosted, cloud) became the norm. It was soon painfully obvious to companies – many stuck in seemingly inextricable technical debt, limping along on legacy systems without the resources to validate newer versions – that a new approach was necessary. In 2008, ISPE published the first edition of GAMP 5, which brought risk-based thinking to the software validation process. Such approaches made validating SaaS much easier: companies that vetted and qualified their vendors could leverage the vendor’s validation documents to ease the burden of the process. ISPE GAMP continues to keep up with industry trends, with a second edition (July 2022) embracing cloud technology, Agile development approaches, automation tools over documentation, artificial intelligence, blockchain, and other advancements.
Enter Computer Software Assurance (CSA). An offspring of the Center for Devices and Radiological Health’s (CDRH) Case for Quality Initiative, CSA addresses modern technology with a risk-based, critical-thinking-first approach that involves Quality and IT Compliance teams early in the project. And when comparing CSV vs. CSA, it’s clear how the latter can provide a better overall experience than current processes, making it a high-value solution in a variety of industries.
CSA enables project teams to more accurately assess, assign, and mitigate risks – and to determine which features or workflows require more vs. less testing to prove fitness for the intended use.
This “thinking-and-analysis first” approach stands in sharp contrast to “old school” CSV, which puts brute-force documentation first and thinking last. CSA cuts to the chase and helps companies get down to the essential questions:
- Does the system have a direct or indirect impact on patient safety?
- Does it have a direct or indirect impact on product safety and/or quality?
- Does the system have a direct or indirect impact on data integrity?
When companies plan, assess risk, and put critical thinking first, they are then prepared to develop appropriate validation plans and records:
- Find out what really needs to be assured (through vendor evaluation, risk assessment, and periodic risk reviews)
- Determine the features, operations, functions, and workflows, plus their impact on the patient and product, to justify the testing level selected.
Although the document deliverables of CSA vs. CSV may be the same (validation plans, validation protocols, and test cases), they will be shorter, more focused, and more meaningful.
Some companies have been apprehensive about adopting CSA because they think of CSA as having “no documentation” – which is a fallacy. The key thing to identify when comparing CSA vs. CSV is that with CSA, there is less but better planned and more useful documentation.
Companies may also worry that they could be at inspection risk, when in fact CSA offers:
- Greater focus on software quality
- Reduced time to create validation documents, such as test plans and protocols
- More strategic testing:
  - Testing the most complex, highest-risk features the most
  - Spending less time testing because you are not testing unnecessary or very low-risk features
  - Taking prior assurance and risk control activities into consideration
  - Right-sized testing based on quantitative risk evaluation, resulting in less but more meaningful documentation
- Evidence-based confidence in vendors, since vendor qualification is a key component of the “homework” in CSA
- Less duplicate work, since vendor documents can be leveraged
The Bottom Line
In the end, CSA is about what is right for your business. The thinking and planning that go into the project upfront allow you to allocate resources and test where it is needed most – mindful of quality and compliance, with the goal of keeping your GxP applications in a state of control.
Your team is aligned strategically and can work together to assure that the software systems being validated are reliable, suited for intended use, and preserve data integrity. Instead of wasting time on low-priority system validation tasks, you can ensure that there are no critical product quality issues and improve the user experience where it matters most. And that’s where the CSA vs. CSV difference becomes the most apparent.
Changing that one letter – from CSV to CSA – and changing your thinking will help your company get out of technical debt while saving money and valuable time.
As a result, you will have more hours in the day for innovative, patient-saving work…and more time to get up in the attic to find those old Spice Girls CDs and Teletubbies videos and donate them to charity.