
In the context of an IT organization, infrastructure refers to the hardware, software and other
systems that are necessary for delivering IT services in accordance with service level
agreements. IT Infrastructure management includes the management of IT policies and
processes, along with the equipment, data, human resources and external contacts (such as
vendors or security organizations) needed to ensure that IT operations run smoothly and
efficiently.

IT Infrastructure management is sometimes divided into three components: systems
management, storage management, and network management. There are several defined
categories of IT infrastructure elements that must be managed to ensure that critical
applications remain available. The availability of cloud services has changed the way
organizations manage their IT infrastructure, with an increasing number of infrastructure
management tasks being outsourced to third-party managed service providers (MSPs). IT
organizations can also invest in cloud-based infrastructure management tools to help
simplify and streamline their infrastructure management activities.

7 Components of IT Infrastructure
IT infrastructure consists of a set of hardware and software tools that an organization
leverages to deliver IT services. IT organizations that deploy and manage all of their IT
infrastructures in-house must effectively manage these components to successfully ensure the
ongoing availability of IT services.

Computer Hardware Platforms - Hardware platforms include laptops, desktops, tablets and
mobile phones along with server machines and mainframes.

Operating System Platforms - Computer hardware systems require an operating system to
function. An operating system provides the basic graphical user interface (GUI) that makes it
easier for users to communicate with the computer and leverage its full capabilities.

Enterprise Software Applications - Enterprise software applications include a variety of
software programs used by the IT organization. Enterprise middleware products such as
Oracle, SAP, PeopleSoft, Microsoft, and BEA are the major players in the enterprise software
space. Middleware products provide important services to the organization, including
application servers, content management, identity management, business intelligence, and
business process management.

Data Management and Storage - IT organizations that collect and aggregate large volumes
of data require a robust data storage solution. Storage and database management tools such as
IBM DB2, Oracle, MySQL, and SQL Server are all used by organizations that wish to track
and keep more information about their organization's operational, security and business
performance.

Networking and Telecommunications - Virtual network software products like Microsoft
Windows Server and Cisco fall under networking and telecommunications, along with the
physical networking infrastructure (telephones, in-office cabling, routers, additional wireless
access points, etc.). Managing networking infrastructure is a growing challenge that IT
operators face each day.

Internet Platforms - Internet platforms include a range of infrastructure elements that are
exclusively accessed via the world wide web. Platforms such as Apache, Java, UNIX, and
.NET are common.

Consultants and System Integrators - IT infrastructure management isn't always a
straightforward process, and it can sometimes be worthwhile to hire an experienced
consultant who can point you in the right direction with regard to managing your IT
infrastructure. The most popular consulting firms for IT issues include IBM/KPMG, EDS,
and Accenture.

IT Infrastructure Management & Cloud Services


Cloud service providers have changed the way that IT organizations choose to manage the
infrastructure elements that are crucial for their daily activities. In the past, organizations that
wanted to undergo a digital transformation had no choice but to own and operate their own IT
systems. Today, thanks to the introduction and proliferation of cloud computing, it has
become easier than ever for organizations to outsource infrastructure management according
to one of three common models:

Infrastructure-as-a-Service - In this model, an IT organization outsources its physical
infrastructure and associated management needs to a third-party service provider. The
provider will operate and manage networking, storage, servers and virtualization services for
the IT organization.

Platform-as-a-Service - In this model, an IT organization outsources its physical
infrastructure and development platform to a third-party service provider. This includes
networking and storage infrastructure, servers, virtualization, operating systems, middleware,
and runtime.

Software-as-a-Service - In the SaaS model, the IT organization accesses a finished software
product through a web-based portal. On the other end, a third-party cloud service provider
manages all of the IT infrastructures that are necessary to deliver the application. The SaaS
model enables companies to access software applications that deliver business value without
the added burden of managing and administering the software.

Key Features of Infrastructure Management Solutions


Today's leading IT organizations choose infrastructure management solutions that help
automate and streamline processes, drive efficiency and reduce costs. Some of the most
common software features include:

• Capacity management and resource forecasting
• Trend analysis and dashboarding using data from all sources within a hybrid cloud
environment
• Heterogeneous environment support
• Comprehensive network monitoring
• Monitoring and troubleshooting of individual physical hardware assets and virtual
machines

What is Computer Software Assurance (CSA) and why are the FDA
transitioning from traditional Computer System Validation?
4 Sep 2020

Following the launch of their ‘Case for Quality’ initiative in 2011, the FDA were uncertain
why so few companies were investing in automated solutions and why so many continued to
run long-outdated versions of software.  The initiative, which set out to study quality best
practice in medical device manufacturing, found that the burden of Computer Systems
Validation (CSV) deterred technology investments and as a result, inhibited quality best-
practice (1).

On learning that the burden of CSV was holding companies back from realising their
investment in technology, the FDA decided to partner with industry to strike a balance
between promoting automation and value-add CSV activities.  The FDA aimed to improve
quality, remove non-value add activities, and focus testing on high risk areas, therefore
reducing validation cost and time by focusing on the software’s impact to patient safety,
impact to product quality, and impact to quality system integrity (Direct or Indirect system). 
Too often, testers spend time ensuring their protocol is error free, as opposed to spending
time on automated solutions that verify the software meets its intended use.

The FDA’s new approach to CSV, Computer Software Assurance (CSA), represents a step-
change in computer system validation, placing critical thinking at the centre of the CSV
process, as opposed to a traditional, almost one-size-fits-all approach.

As its regulatory approach continues to mature, the FDA intends to focus on direct impact
systems and not on indirect systems. The change allows manufacturers to focus testing rigor
on areas that directly impact patient safety and device quality, as:

• ‘Direct system software’ (e.g. inspects or dispositions product, labeling systems) will require
testing based on risk, and expected deliverables are similar to current expectations, i.e. the
riskier the application, the more testing and documentation is required.
• ‘Indirect system’ is software that does not directly impact the product or patient safety but
does impact the quality system (e.g. Document Control, Complaint Management, Lifecycle
Management tools). The same rigor is not needed for the assurance of these types of
systems and they require less documentation.

The current approach to Computer System Validation (CSV)
CSV has morphed into an activity that is being done primarily to secure evidence for
auditors, rather than to assure the quality of systems being validated. The current CSV
approach is seen as:

• a deterrent to pursuing automation: time, cost, use of automated testing tools,
documentation generation, etc.
• regulatory burden (e.g., Data integrity) as an excuse for resisting progress; meanwhile, other
regulated and nonregulated industries have moved forward and adopted frameworks for
modern testing.
• all software is being validated as if it is product software.
• burdensome and the creation of complex Risk Assessments.
• focusing on gathering evidence for auditors.
• a duplication of vendor efforts at client site.
• 80% of deviations due to tester or test script errors.
• Numerous post-go-live issues.

From CSV to CSA

Computer System Validation

• A focus on creating documentary records for compliance
• “Validate” everything (and miss higher risk areas)
• Ignoring previous assurance activity or related risk controls

Computer System Assurance

• A focus on testing for higher confidence in system performance.
• Risk-based “Assurance”, applying the right level of rigor for a given level of risk to patient
safety and/or product quality.
• “Take credit” for prior assurance activity and upstream/downstream risk controls.
• Focus on testing, not scripting. Use unscripted testing for low / medium risk components.


The right level of documentation is; however, always remember:

• “If it’s not documented, it didn’t happen.”
• “Unscripted Testing ≠ No Documentation”
• “Traceability is still required”

Scripted vs Unscripted Testing: what’s the difference?


Traditionally each test script was written in great detail, regardless of whether the system or
feature was a Direct or Indirect system or feature. So, the same level of effort was being put
into creating test documentation for low risk systems or features and high-risk systems or
features. CSA introduces the terms Scripted Testing and Unscripted testing.

Let’s examine these terms: 

• ‘Scripted Testing’ is what we would know as traditional testing. Scripted tests, as we know
them, usually contain at a minimum a Test Objective for the test script, a step-by-step test
procedure, Expected Results and a Pass/Fail. Scripted Testing is to be used to test higher-
risk (Direct) systems or features, as the software does directly impact the product or patient
safety.
• ‘Unscripted Testing’ is testing that is carried out without the use of detailed test scripts.
Unscripted Testing is to be used to test lower-risk (Indirect) systems or features, as the
software does not directly impact the product or patient safety but does impact the quality
system. There should be a Test Objective and a Pass/Fail, but no step-by-step test
procedure.

Details regarding any failures or deviations and disposition regarding fails found while
performing Scripted and Unscripted Testing will still need to be recorded to ensure failures or
deviations are documented from the discovery of the failure or deviation to the successful
implementation of the appropriate corrective action.

Computer Software Assurance Benefits


• A reduction in cycle times (test creation, review and approval)
• A system can be broken into features, and only the High-Risk features will require scripted
testing.
• Reduced test script execution time
• Lower number of detected defects, for example script errors & configuration
• A reduction in the number of generated documents (for example, by combining
deliverables and test scripts)
• Testing focused on ensuring SW Quality
• Better use of Supplier Qualification
• Maximized use of CSV and Project Resources expertise (e.g., SMEs)
• The release of the CSA guidelines will support companies who have taken the path to
automation.

Transitioning from CSV to CSA

• Change the culture of your organisation from a compliance-centric mindset to a quality-
focused culture.
• Leverage your software supplier's existing activities (perform supplier audits)
• Consider using computer system validation tools to automate assurance activities
• Know the intended use of your computer system(s).
• Know the high-risk features, operations and functions of the computer system(s).
• Review and update your current policies to align with the CSA approach.

Computer Software Assurance: 6 things you need to know

Computer Software Assurance (CSA): The FDA’s New Approach to CSV

Jul 15, 2021 | Testing & Validation

During a 2011 review of medical device quality data, the FDA’s Center for Devices and
Radiological Health (CDRH) noticed a variety of widespread manufacturing risks that were
impacting product quality. A few of these risks included:

• An industry focus on regulatory compliance as opposed to adopting best quality practices
• Lack of adoption of automation and digital technologies, with manufacturers choosing
instead to continue running long-outdated versions of software
• Virtually no competitive market around medical device quality

After obtaining feedback from both FDA and industry stakeholders, the CDRH launched
their Case for Quality. The initiative’s intention was to identify best manufacturing practices
and help medical device manufacturers raise their manufacturing quality level by shifting
their focus from being compliance oriented to what really mattered – improving product
quality. Through effective collaboration with companies and stakeholders, the Case for
Quality established manufacturing standards for the medical device industry, providing the
industry with clear objectives to strive for.

One of the key findings of the FDA’s Case for Quality initiative was that the burden of
Computer Systems Validation (CSV) was deterring technology investments and as a result,
inhibiting quality best practice. The FDA’s regulation 21 CFR Part 11 in 1997 and the related
guidance of 2003 created the clear foundation for implementation of Computer System
Validation (CSV) processes. Adhering to FDA CSV guidance can be a challenge for life
science organizations, however. CSV guidelines prioritize documentation, primarily to
appease auditors, which can be both time-consuming and costly. This emphasis on
documentation impedes the application of critical thinking during the validation process,
along with opportunities to improve automation via system modernization.

To address these issues, the CDRH, in collaboration with the Center for Biologics Evaluation
and Research (CBER) and the Center for Drug Evaluation and Research (CDER), is planning
to release a new guidance document later this year (2021) entitled Computer Software
Assurance for Manufacturing and Quality System Software. This guidance will create
opportunities for streamlining documentation by shifting the focus of CSV processes towards
critical thinking, risk management, patient and product safety, data integrity, and quality
assurance.

Even though this guidance is being developed for the medical device industry manufacturing,
the FDA has indicated that it will be suitable for R&D, clinical, and other groups within
pharmaceutical, biotech and medical device companies that are currently following electronic
records and signatures and CSV regulations. The guidance should be considered when
deploying non-product, manufacturing, operations, and quality system software systems such
as:

• Quality management systems (QMS)
• Enterprise resource planning (ERP)
• Laboratory information management systems (LIMS)
• Learning management systems (LMS)
• Electronic document management systems (eDMS)

With the implementation of this Computer Software Assurance (CSA) guidance, many new
opportunities and freedoms will become available to life science companies previously
weighed down by the attention to documentation demanded by CSV. In this blog, we will
discuss some of the key components of CSA, along with best practices for making the shift.

Computer System Assurance


The focus of current CSV processes is producing accurate and approved documentation to
present information to auditors. Auditors, such as the FDA, require evidence and records,
therefore the CSV methodology inspires a compliance-mindset rather than an innovative one.
As such, existing CSV methodology results in manufacturers spending around 80% of their
time producing documentation and only 20% of their time doing actual testing of the
software.

Documentation will always be a vital part of the process, but it is more important to have a
high quality, safe product that meets patient needs, rather than robust documentation that
passes an audit cycle. The intention of the upcoming CSA guidance is to support product
quality and patient safety by emphasizing critical thinking in the validation process. The FDA
wants manufacturers to spend 80% of their time on critical thinking in order to apply the right
level of testing to higher-risk activities, with only 20% of time spent documenting.

By stressing critical thinking in the validation process, the FDA is emphasizing a risk-based
approach to streamline validation based on the International Society of Pharmaceutical
Engineers (ISPE) GAMP® 5 model. This means that while all aspects of the system used in
manufacturing must be tested, only components essential to the quality of the product and
safety of the patient need to be subjected to full validation rigor. This frees up both testing
and validation resources to allow more value-add activities to occur.

The CSA process can be described in four broad steps:

1. Identify the software’s intended use. The CSA approach starts with identifying
intended use of the software or software feature. If the system directly impacts
patient safety, device quality, or quality system integrity, then it would be
considered a direct system (e.g., software within the device, electronic device
history, adverse event reporting, etc.). If it does not, then it would be considered an
indirect system (e.g., lifecycle management software).
2. Prioritize risk and determine your approach. This is where you use critical thinking
to develop a validation methodology appropriate to the risk of the system. The FDA
knows that you will have the best insights into how risk is introduced into your
products and where it matters, and they expect you to have an element of
understanding and control about your product and processes. You’ll want to be able
to tell your story to an auditor by explaining in detail where risk is being introduced.
For validation purposes, it will be important to delineate where the system in
question could introduce risk, versus what is a process risk, and use critical thinking
to calculate the risk impact of the system or system feature on patient safety and
product quality. Note that a “low risk” designation for a system is only accurate if
the system’s failure has no impact on patient safety and product quality. If failure
has an impact, then the risk assessment is inaccurate.
3. Leverage vendor documentation where possible. Audit your software vendors. If
they have quality documentation and validation in place, it can be used for medium
and low risk features. You don’t need to perform rigorous validation procedures and
extensive documentation for out-of-the-box software that’s already been validated
by the software vendor.
4. Conduct testing activities based on determined risk level. For high-risk (direct)
software and features, extensive validation activities (scripted testing) and
documentation will still be necessary. At a minimum, validation activities in this
instance will include a test objective for the test script, a step-by-step test
procedure, expected results, a pass/fail designation, along with thorough
documentation. For medium risk features, vendor documentation or unscripted
testing (a test objective and a pass/fail, but no step-by-step test procedure) can
often suffice. For indirect systems that do not affect patient safety or product
quality, vendor documentation, or in some instances little to no validation at all can
be sufficient.

The objective of the CSA guidance is to promote critical thinking, more testing of the
system’s intended use, and less functionality testing. As a result, Kalleid expects to see the
upcoming CSA guidance lead to less out-of-the-box functionality testing and a bigger focus
on User Acceptance Testing (UAT), where users test their business processes and the
intended use of the system.

Transitioning from CSV to CSA


Too often, process changes like CSA are pasted on top of existing procedures, without taking
full advantage of the potential benefits. Though not yet officially released, the CSA concept
is already leading to exciting changes in workflow and policy at leading medical device
companies. A few key best practices for facilitating the transition from CSV to CSA
methodology include:

Perform a validation assessment. To best take advantage of the new CSA guidance, you
need to assess your current environment. How much time are you currently spending
planning, designing, testing, documenting, etc.? Document your current validation processes,
resource utilization, and gaps with CSA methodology.

Develop a transition plan. Now that you have documented your current environment, you
can develop a transition plan that focuses on key aspects of the CSA approach – new
streamlined validation processes, critical thinking, product quality, patient safety, data
integrity, operational efficiency, and effectiveness. This should include quantifiable metrics
that allow you to measure your operational performance (e.g., costs, time spent on validation,
etc.).

Audit your vendors. Audit your vendors to determine the quality and availability of their
validation documentation. This can allow you to begin using vendor documentation to satisfy
regulatory requirements for appropriate medium and low risk systems.

Develop a change management plan. You cannot accomplish an effective transition to CSA
without supporting your people to make the change. You’ll want to put communication and
training programs in place to support changing the culture of your organization from a
compliance-centric mindset to a quality-focused culture. These programs will support your
team in understanding key CSA concepts like critical thinking, risk-based approach, product
quality, patient safety, data integrity, value-add activities, etc.
Once the guidance is officially released, the details will become clearer on how best to
implement the CSA methodology. Until then, check the CDRH website for the latest updates.

Conclusion
Computer system validation procedures emphasize elaborate documentation requirements to
ensure auditors have a detailed overview of all aspects of applications being used to
manufacture a product. Instead of assuring product quality, these extensive documentation
requirements have become somewhat of a bottleneck and a burden to life science companies,
effectively deterring investment in more automated IT solutions.

The new CSA guidelines are the FDA’s attempt to rectify this problem, emphasizing patient
safety, product quality, risk control, and critical thinking, which is a major reorientation of
the previous CSV framework. Instead of having documentation at the forefront like CSV, the
CSA flips this structure completely and establishes critical thinking as its principal phase.
Benefits that can be realized from this new approach include reduced software development
and implementation times, reduced costs, reduced documentation, and more effective
software systems.

As the FDA prepares to release its new CSA guidance, life science companies need to be
proactive and develop a strategy to transition to the new CSA methodology that focuses on
patient safety, product quality, and data integrity. Industry-leading organizations often partner
with knowledgeable consultants to ensure a successful transition from CSV compliance to
CSA innovation.

Let USDM manage all your Validation and Qualification
needs.
From methodology development through end-user training, we ensure your systems are
compliant. Our validation best practices and test automation capabilities significantly
decrease your implementation and validation time.

Whether you are still using the traditional CSV approach or are ready to take the first
steps to a more modern CSA approach to improve your quality and efficiency, we can
help!


What types of systems does USDM validate?

USDM has experience qualifying, verifying, and validating the myriad systems, equipment,
and processes that are found in most life sciences GxP environments, both on-prem and
cloud-based. Our expertise includes but is not limited to:

• Blood and Plasma Systems
• Building Management/Environmental Control Systems
• CAPA Systems
• Clinical Systems (CDMS, CTMS, EDC, eTMF, ePRO, IRT)
• Content Management Systems
• Laboratory Systems and Equipment (ELN, Freezer Management, LIMS)
• Manufacturing Systems and Equipment
• Process Validation
• Quality Management Systems (LMS, Quality Document Management, QMS)
• Regulatory Publishing and Submissions
• Software-as-a-Medical Device (SAMD)
• UDI & Serialization

Additionally, USDM can provide related services such as:

• Auditing, both external (vendor) and internal
• Vendor/Product selection assistance
• Data Migration
• Staffing Services
• Training Services
• Organizational Change Management

Have a question about how we can work with your specific GxP system setup?

Fill out our contact form with your system requirements and we can review them.

What is USDM’s Computer System Validation (CSV) methodology?

Our current methodology aligns with Good Automated Manufacturing Practice (GAMP) best
practices and includes the following: 

• Vendor Audit
• Validation Plan
• Part 11 and Annex 11 Assessments
• Risk and Impact Assessments
• User Requirements and Functional Specification
• IQ/OQ/PQ/UAT Protocols and Test Scripts and Execution Assistance
• Traceability Matrix
• Administration, Use and Operation SOPs
• Business Process SOPs
• Validation Summary Report

Specific documents and deliverables will depend on GAMP category. Contact USDM today
to discuss your specific CSV needs.

What about the Computer Software Assurance (CSA) guidance coming from the FDA?

To harmonize with international standards, the FDA's Center for Devices and Radiological
Health (CDRH) plans to release a new draft guidance, “Computer Software Assurance for
Manufacturing, Operations, and Quality System Software,” that aligns with the current
quality systems regulation ISO 13485. With the FDA changing focus from compliance to
quality and encouraging the use of automation and new technologies, USDM is already
modernizing and practicing a more streamlined approach to CSV and in the process of
updating our Cloud Assurance methodology to include a true, risk-based, CSA approach. We
can help you develop your CSA approach too!

What is Computer Software Assurance (CSA)?

In 2011 the Center for Devices and Radiological Health (CDRH) initiated the Case for
Quality, a new program that identified barriers in the current Validation of Software in
Medical Devices guidance (released in 2002). The current guidance focuses on software,
which is an integral part of the medical device but does not clearly address the many software
systems that support the quality of a medical device. The CDRH is working on a new draft
guidance “Computer Software Assurance for Manufacturing, Operations, and Quality System
Software” that will allow manufacturers to minimize their existing computer system validation
(CSV) efforts and documentation burden and focus on more efficient approaches, including
automation, to improve their overall process and product quality. This guidance is founded on
a true risk-based approach to systems assurance, which should be considered when deploying
non-product software systems.

Computer Software Assurance (CSA) Highlights

• Guidance on FDA's A list for release in 2021
• CDRH Guidance, in cooperation with the Center for Biologics Evaluation and Research
(CBER) and the Center for Drug Evaluation and Research (CDER)
• Non-product quality system software (i.e., ERP, LIMS, LMS, eDMS, and QMS applications as
well as software tools)
• Principles and approaches are applicable now to all regulated organizations

Why is the FDA introducing Computer Software Assurance?

As part of their Case for Quality program, one of the top priorities for the FDA's medical
devices center, the FDA identified several barriers with CSV:

• Complex, confusing, hard to use, risk-based approaches
• Too much focus on documentation for the auditor, creating significant compliance burden
• Lack of clarity on how much testing is enough and where to focus that testing
• The FDA believes the use of automation, information technology, and data solutions
throughout the system life cycle can provide significant benefits to drive enhanced quality
and safety, thereby reducing patient risk

How is the FDA guiding the CSA?

• By defining indirect versus direct systems
• By identifying acceptable approaches to indirect and direct system validation
• By focusing on a risk-based approach using critical thinking to spend more time developing a
methodology appropriate to the risk of the system, focus on testing of high-risk systems and
functionality, and less time documenting
• By training inspectors to focus their review on the higher-risk activity and the critical thinking
behind the chosen methodology

What are the benefits of a CSA approach?

As part of their Case for Quality program, the FDA participated in several pilot programs that
consistently delivered the below results:

• Improved quality and efficiency
• Up to 90% decrease in test script issues
• Significant testing overhead reduction
• Utilize vendor assurance activities
• Maximized use of CSV and expert resources
• Capability to deliver value faster

How can USDM help?

• CSA Education and Training – USDM can help teach and mentor your teams on CSA
principles and how to apply critical thinking to your process
  o Increase awareness and knowledge about CSA principles and benefits
  o One-off courses, reoccurring training, GxP training for suppliers, and more
  o Training customized to your business needs and processes
  o Onsite or virtual programs
• CSA Assessments – USDM can assess your CSV process and recommend CSA changes based
on your quality of documentation, SOPs/WIs, testing, use of automation, performance on
audits, etc.
  o Evaluate your current CSV process for quick wins and longer-term improvements
  o Prioritize recommended changes based on business justification
  o Improve your vendor qualification process
  o Build a CSA roadmap based on your business priorities
• CSA Development and Methodology – From vendor selection to methodology
development to end-user training, USDM can transform your CSV into a CSA approach and
help drive adoption across your organization
  o Implement fast-start improvements to your processes
  o Develop and execute pilot programs
  o Deliver complete overhauls to your CSV processes and procedures
• Cloud Assurance – USDM can manage your entire CSV or CSA process and deliver an end-
to-end GxP compliant managed service, including the continuous maintenance of all your
cloud vendor releases
  o Assist with cloud vendor selection and RFP process
  o Manage cloud vendor assurance, vendor qualification, and maintenance of new
  releases
  o Leverage automated regression testing

USDM is on the cutting edge of technology and compliance and we are watching the FDA’s
Computer Software Assurance guidance closely. We already have progressive solutions in
place and can save you significant time and money on your validation programs. Please
contact us to discuss your unique challenges today.

Additional Resources

 Webinar: Update from the FDA on CSV Changes
 White Paper: CSA: What You Need to Know About the FDA’s Upcoming Guidance
 White Paper: Regulatory Risk Reduction in the Cloud: Why Cloud Systems Are Safer Than On-
Premise Systems
 Podcast: Adapting Computer System Validation to Accommodate Evolving FDA Guidance
 Blog: FAQ: CSV vs. CSA
 Blog: Lessons from USDM’s Cloud Assurance Automated Testing Tool for Box GxP

The following questions were asked during the Update From the FDA on CSV
Changes webinar with Francisco Vicenty, Case for Quality program manager at the
U.S. Food and Drug Administration, and Sandy Hedberg, Cloud Assurance QA/RA
manager at USDM Life Sciences. 

The goal of the webinar was to provide clarity on what the upcoming computer software
assurance (CSA) guidance means for regulated life sciences companies and what you can
do today to start preparing. Watch the on-demand webinar here. 

If you have questions that are not answered in this Q&A, please contact us
at usdm@usdm.com.

What is the difference between computer system validation (CSV) and computer
software assurance (CSA)? 

If you think of the 80/20 rule, the current CSV methodology has manufacturers spending
80% of their time documenting and only 20% of their time testing. The FDA wants to flip
this so that 80% of a manufacturer's time is spent on critical thinking and applying the right
level of testing to higher-risk activities, while only 20% of their time is spent documenting
(CSA methodology). This critical thinking should be focused on three questions:  

 Does this software impact patient safety?
 Does this software impact product quality?
 Does this software impact system integrity?

Using a risk-based approach is nothing new, and regulatory agencies such as the International
Society for Pharmaceutical Engineering (ISPE), who author Good Automated Manufacturing
Practice (GAMP®), have been advocating this for two decades.

CSA is a framework designed to help manufacturers achieve CSV. CSA will provide clarity
on the stance and methodology used to determine what is high risk and what is not, therefore
minimizing misinterpretation by manufacturers. The clarification in the CSA approach flips
the paradigm to focus on critical thinking (risk-based), assurance needs, testing activities, and
documentation, in that order.

Why is the FDA making this change?

Too much work is done for fear of regulatory punishment instead of fear of putting a poor-
quality product on the market. For software not used in a product, manufacturers are referring
to burdensome guidance that is more than 20 years old, trying to avoid FDA Form 483
observations and warning letters from FDA investigations and third-party consultants.
Nothing should be done for fear of regulatory observations. Instead, the focus should be on
testing for higher confidence in system performance and applying the right risk-based
assurance rigor for a given level of risk to patient safety and product quality. The new CSA
framework also enables manufacturers to "take credit" for prior assurance activity and
upstream and downstream risk controls like vendor qualifications.

What does “software not used in a product” (or non-product software) mean?

Non-product software is any software that is not directly used in a medical device, software
as a medical device (SaMD), medical device as a service (MDaaS), or end-product. It
includes all of the software used in manufacturing, operations, and quality system activities
that would follow the 21 CFR Part 820.70(i) guidance. 

Is this just for medical device companies?

The short answer is no, the new CSA framework isn't just for medical device companies.
There are a lot of potential applications for all of life sciences. 

The FDA’s Center for Devices and Radiological Health (CDRH) is working on this new draft
guidance in cooperation with the Center for Biologics Evaluation and Research (CBER) and
the Center for Drug Evaluation and Research (CDER). It is founded on a true, risk-based
approach that should be considered when deploying non-product, manufacturing, operations,
and quality system software solutions such as: 

 Quality management systems (QMS)
 Enterprise resource planning (ERP)
 Laboratory information management systems (LIMS)
 Learning management systems (LMS)
 Electronic document management systems (eDMS)

What is an indirect system versus a direct system?

Indirect systems do not have a direct impact on patient safety or product quality (for example,
tools used in your CSV process like bug tracking systems or load testing and lifecycle
management tools that do not directly impact the product). Indirect systems require less
documentation.  

Direct systems have a direct impact on patient safety or product quality—like electronic
device history or adverse event reporting—and may require increased testing based on risk.
In other words, the riskier a system's impact is to the end-product and to the safety of the
patient, the more testing and documentation are required.

The FDA has started citing companies for inadequate CSV efforts. How will inspectors
be trained on the CSA initiative?

The FDA is undergoing an extensive training program for its auditors and is rolling out an
agency-wide Case for Quality program. Further, the FDA is creating a Digital Center of
Excellence, where it will encourage manufacturers to reach out to the FDA to ask questions
on their processes and procedures before an audit takes place. The goal is to provide more
collaboration throughout the process and minimize the fear of regulatory observations that
has led to misinterpretation of the original intent of the guidance.

Has the FDA reached out to other regulatory agencies such as MHRA, EU, etc. to verify
that this approach is acceptable for companies who sell overseas? 

Yes, the FDA has been working on the Case for Quality program in tandem with its sister
agencies abroad.

When does the FDA anticipate releasing this guidance?

The U.S. Food and Drug Administration (FDA) is expected to release the Computer Software
Assurance for Manufacturing and Quality System Software guidance in 2021. As always, this
framework is acceptable today under current guidelines and the FDA is encouraging the
industry to adopt it even prior to release. The guidance was initially expected in 2020, but
was delayed due to COVID-19.

How can USDM help my company today?

USDM is on the cutting edge of technology and compliance, and we are watching the FDA's
CSA guidance closely. We already have progressive solutions in place and can save you
significant time and money on your validation programs. Programs include: 

 CSA Education and Training – USDM can help your team with a pilot project; train and
mentor your teams on how to apply the critical thinking; develop a risk-based approach; and
consult on automated testing processes.
 CSV/CSA Assessments – USDM will take a holistic approach to assess your current CSV
process and make recommendations to get you to a true, risk-based CSA process according
to your current state (i.e., quality of documentation, testing, SOPs/WIs, use of automation,
and audit performance).
 CSV/CSA Methodology – USDM can revamp your entire CSV process and digitally transform
it into a CSA process. From methodology development through end-user training, USDM will
assure your systems are compliant.
 Cloud Assurance – USDM provides a subscription service to deliver end-to-
end GxP compliance of your cloud systems. From implementation through ongoing
validation maintenance—including new releases—USDM can manage and lighten your cloud
validation burden.

How does the FDA define critical thinking?

As the manufacturer—the company and people producing the product—you know the
business and you know the processes. You've got the best insight into how risk is introduced,
where it matters, and what's going on from a process standpoint. Critical thinking is
considering where the system could introduce a risk versus what is a product or process risk.
This helps you tell your story, whether it is to the FDA or an arbitrary regulator and auditor.
Demonstrate that you can tell that story, that you've got the element of understanding and
control about your product and your processes. There is no one-size-fits-all for any company
or system. The FDA wants to know that you really understand your processes and systems
and that you are in control. Ensure that you can tell the FDA you know where the risk is
being introduced, how you will mitigate the risk, and whether the controls you put in place
are working. 
 
What does CSA mean for GAMP? Will GAMP become obsolete?
 
The impending CSA guidance is not going to create new concepts per se. It intends to
simplify and clarify the use of non-product software and maximize testing efforts while
minimizing documentation for lower risk, non-product software systems. There is no
misalignment with GAMP 5. CSA is what the FDA intended all along but lacked clarity, and
the misinterpretation resulted in too much documentation for documentation's sake instead of
better quality. 

What is the impact on 21 CFR Part 11?

CSA principles are applicable to Part 11, but the scope is narrowly focused. The primary concern
is around system risk, intended use, and ensuring that you have confidence in the system.

What about audit trails?

The Part 11 audit trail is just a set of requirements, and you must understand the best way to
exercise those requirements. Know when you need more robust testing of those requirements
and when you can just make sure that your vendor built that in. Overall, audit trails are not
something that you need to expend a lot of extra resources and energy on. 
 
What about ISO 13485?
 
ISO 13485 is integrated and well written to incorporate risk-based thinking throughout all
processes and applications. Nothing changes as it is based on a true risk-based approach.
 
What about MDSAP?
 
The FDA will make sure the medical device single audit program (MDSAP) is aligned with
CSA down the road. 
 
What does this mean for installation qualification (IQ), operational qualification (OQ),
and performance qualification (PQ)?

The goal of CSA is to focus on critical thinking, do more business testing of the process and
its intended use, and do less functionality testing.  

Installation qualification: The vendor often does a good job of installation testing; still, it's
smart to turn on the equipment, log in, and make sure it works. That's pretty low risk, because
if it doesn't work, that will be obvious.  Additional tasks would be to ensure you have all of
your required user manuals, vendor qualifications, and the like. 

User acceptance testing (UAT): Focus on your business processes and how they work within
the system and how you wanted them to work within the system. This is where we expect to
see much more of the testing being done and far less on the actual functionality or out-of-box
functionality.

USDM Can Help

If you would like a consultation on your current CSV processes and a plan to move to a CSA
approach, please contact us at compliance@usdm.com.

If you have questions that are not answered here, please contact us at usdm@usdm.com.

Additional CSA References

 On-Demand Webinar: Update from the FDA on CSV Changes
 On-Demand Webinar: Q&A with the FDA on CSV Changes
 Podcast: Adapting Computer System Validation to Accommodate Evolving FDA Guidance
 White Paper: CSA: What You Need to Know About the FDA's Upcoming Guidance
 White Paper: Regulatory Risk Reduction in the Cloud: Why Cloud Systems Are Safer Than On-
Premise Systems
 Blog: Top CSA Insights

Why You Need Computer System Validation


Companies strive to create goals, processes, culture, management, and incentives that build
infrastructure. Computer Systems (software) are a dominant and increasing part of business
infrastructure. Computer System Validation is process validation and has the following
benefits:

 Excellent Return On Investment (ROI) - Cost of compliance is low with respect to
potential loss of intellectual property or other potential losses.
 Provides documentation required by FDA, other regulatory agencies, and your
customers.
 Maximizes the value of the computer system and the employees that use it.
 Reduces labor costs by increasing employee efficiency and effectiveness.
 Enhances project management to ensure projects are implemented on schedule and on
budget.
 Saves money by discovering defects early, before failures occur in production.
 Reduces risk. Legal liability, not regulatory, is often the most important reason to
perform validation. Software is made and used by people so it is guaranteed to be
imperfect. Software and process defects increase with software complexity. Having
the evidence that computer systems are correct for their purpose and operating
properly represents a good business practice.
 Promotes continual process improvement. Software is constantly evolving to keep up
with the increasingly complex needs of the people that use it. Therefore, validation is
an ongoing necessity.

Software Implementation
You want to implement a new computer system to increase productivity and lower costs. The
computer system includes hardware, software, processes, and instructions used to train your
workforce. Most companies mine their IT departments and software vendors to find a project
leader. What usually occurs is a series of delays, errors, and rework that result in more and
more costs. What was your experience the last time you were involved in a software
implementation project? Improper systems implementation causes a reduction in
productivity, frustrates employees, and brings a sour mood to the corporate culture.

Most organizations have experienced staff to do some of the needed activities but rarely is
there someone present that has sufficient skills and experience to lead a complete software
implementation project (also known as system implementation). The main reason companies
don’t have this resource is that it isn’t a full time permanent position; at least you hope it
doesn’t turn out that way.

Consider these required skills:

 Analyze system requirements: What functionality is actually needed and will be
highly effective in increasing productivity?
 Evaluate software vendors: What is the best software to buy?
 Evaluate software development vendors: What are the best technical and long-term
resources to develop custom software applications?
 Develop contracts with external resources that are fair and cost constrained.
 Manage IT and vendor resources for installation.
 Facilitate user groups to work together so that new, highly effective processes are
developed that will ensure increased productivity.
 Assess risk in the new processes and identify mitigating safeguards.
 Develop test approaches that prove system operation and system performance.
 Write instruction and training materials that effectively educate the workforce so they
are immediately productive and confident.
 Establish a process for making system changes that ensures continuous process
improvement, and supports long term growth and stability.

David Nettleton has successfully completed projects for a wide range of industries that
include electrical engineering, software development, telecommunications, nuclear power,
medical devices, and pharmaceuticals.

Steve Cates has been implementing ERP systems since 1986, before it was referred to as
“ERP.” His background combines experience in both finance and operations so he is able to
assist in the implementation and validation of accounting software, manufacturing, and
distribution modules. He combines selection and implementation project management with a
background in validation and compliance.

Together, David and Steve will help you achieve your goal of a speedy, cost-effective
implementation of your ERP solution, ensuring it is compliant and maximizing the return on
your investment.

We use a consistent, time-proven approach that has the following benefits:

 Excellent Return On Investment (ROI): Increased productivity, and increased data
security safeguards for intellectual property.
 Maximizes the value of the computer system and the employees that use it.
 Reduces labor costs by increasing employee efficiency and effectiveness.
 Ensures projects are implemented on schedule and on budget.
 Saves money by discovering defects early, before failures occur in production,
thereby avoiding product recalls.
 Reduces risk and legal liability.
 Provides for continuous process improvement.
 Minimizes documentation while providing evidence of due diligence required by
customers, partners, and regulatory agencies.
