Is CSA the new CSV?
For many decades, the regulated organizations have been validating computerized systems according to CSV principles. Too much work is done for fear of regulatory non -compliance instead of fear of putting a poor-quality product on the market.
As we look ahead, does FDA’s shift of focus from computer system validation to critical thinking quality assurance practices, signifies that validation will not be in anymore?
As per FDA , the conventional Computer system validation is defined as “Confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses, and that the particular requirements implemented through software can be consistently fulfilled”
It mandates the need to perform Computer System Validation and having the objective evidences that computer systems are serving their intended purpose and operating properly represents a good business practice.
Delays in corrective action can result in shutting down manufacturing facilities and financial penalties.
Testers often spend time ensuring their protocol is error free, rather than spending time on automated solutions that verify the software meets it’s intended use.
As regulatory approach mature, the FDA intends to focus on direct impact systems. The change allows to focus testing on areas that directly impact patient safety, device quality etc. Aiming to improve quality ,focus testing on high risk areas, therefore reducing validation cost and time by focusing on the software’s impact to patient safety, product quality, and system integrity .
What is Changing?
Validating everything (which may miss higher risk functionality) VS Risk-based quality assurance practices for areas involving patient safety and/or product quality.
The FDA’s new approach to CSV, “Computer Software Assurance (CSA), represents a step-change in computer system validation, placing critical thinking at the center of the CSV process, as opposed to a traditional almost one size fits all approach.”
As per the 80/20 rule, the current CSV methodology has spending 80% of their time documenting and only 20% of their time testing. This goes for a flip ,so that 80% of time is spent on critical thinking and applying the right level of testing to higher-risk activities, while only 20% of their time is spent documenting .
Transitioning to CSA
Compliance-centric to quality focused
Identifying high-risk features, operations and functions of the system.
Focus on testing, not detailed documentation.
Use unscripted testing where only Test Objective and a Pass/Fail is documented for testing for low / medium risk components.
Deploying CSV tools to automate quality assurance activities
More detailing which focus on intended use of computer systems
Computer Software Assurance Benefits
Reduced test script execution time
Reduces paperwork by 80%
Testing focused on ensuring SW Quality leading to confident products.
Maximized use of CSV and Project Resources expertise
Easier of Organizations who has taken the path to automation.
Several of the FDA-sponsored case studies illustrated that organizations that have implemented the new CSA approach have seen significant time-to-value improvements — not only in testing, but also in product development.
All CSV enthusiasts including me looking forward to shifting to automated testing and critical thinking, which ultimately will drive faster time to market.
Being said this, it is important to note that the right level of documentation is still necessary to avoid the FDA’s comment:
“If it’s not documented, it didn’t happen.” :)