CSV vs. CSA - What Are The Main Differences - Scilife
CSV vs. CSA - What Are The Main Differences - Scilife
| Scilife
#QMS
The FDA is transitioning from Computer System Validation (CSV) to Computer Software Assurance
(CSA) for computers and automated data processing systems used as part of medical device
production or medical device quality systems. So, what is the difference? How can your Life Science
organization utilize either approach? And what are the benefits of transitioning to CSA?
Both approaches play a similar role in Life Science companies that use digital systems, but have some
key differences. Whereas CSV validates that a system does what it is designed to do and complies with
regulations, CSA moves beyond compliance only with a risk-based approach that provides high
https://www.scilife.io/blog/csv-csa-main-differences 1/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
This is all part of the FDA’s development in its regulatory approach, as outlined in the latest draft
guidance, “Computer Software Assurance for Production and Quality System Software,” on September
13, 2022. To compare CSV and CSA, we’ll first examine each approach separately…
Let’s start with a definition of CSV: A documented process of ensuring that a computer system is
suitable for use. It means the computer system does exactly what it was designed to do in a consistent
and reproducible manner, guaranteeing data integrity and security, product quality, and compliance
with applicable GxP regulations.
The FDA has used this approach since the publication of the CSV guideline in 2003, in addition to the 21
CFR Part 11. The FDA’s “Guidance for Industry Computer Systems Used in Clinical Trials” applies to the
computerized systems used to create, modify, maintain, archive, retrieve, or transmit clinical data
intended for submission to the FDA because the clinical data have broad public health significance and
must be of the highest quality and integrity.
According to GAMP 5, computerized systems (software and hardware) are categorized into
different categories:
https://www.scilife.io/blog/csv-csa-main-differences 2/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
Risk management is also an important aspect to consider with regard to CSV. QRM (Quality Risk
Management) is a systematic process for the assessment, control, communication and review of
risks - both internal and external. The application of QRM enables effort to be focused on critical
aspects of a computerized system, which leads to many benefits. These include management of
risks to patient safety, product quality, and data integrity.
The software category is one of the factors considered in the risk-based approach to decide the
rigor of assessment in the life cycle activities, based on GxP impact, complexity and novelty of a
system.
https://www.scilife.io/blog/csv-csa-main-differences 3/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
The sequence of the above questions is essential. First, we need to know the software or software-
related parts to be validated and the acceptance criteria. Knowing the acceptance criteria, we
can then define the tests that need to be performed. And from knowing the tests, we can define
the roles and responsibilities.
When planning, the life cycle of a computerized system should also be taken into account.
Planning should include all required activities, responsibilities, and procedures. Life cycle
activities should be scaled to system impact on patient safety, product quality, and data integrity,
as well as system complexity and outcome of supplier assessment.
Preparing plan
Establishing team
Develop requirements
The acceptance criteria depend on the user requirements (URS), functional specifications (FS),
and design specifications (DS). Acceptance criteria are also met if the URS, FS, and DS
requirements are met.
URS allows you to define your requirements and needs for the software without being influenced
by any particular vendor's solution
URS helps you to evaluate potential vendors and their software solutions
The URS also includes any additional constraints that must be considered, such as
regulatory compliance, safety requirements, operational constraints, and other critical
factors.
For example, the following is a list of a few user requirements that might be needed for a lab
system:
Automatically assign tasks to the lab analysts based on availability and training
The functional specification document describes how the software operates and intends to
meet the user's needs. The document might include descriptions of how specific user
interface screens and reports should look or describe data that needs to be captured.
The functional requirements can also include logic, calculations, and regulatory
requirements. For example, passwords and the audit trail should work to comply with the 21
CFR Part 11 requirements. They are the basis for operational qualification testing.
https://www.scilife.io/blog/csv-csa-main-differences 5/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
The design specification document contains how the system will meet the functional
specifications. It also contains all of the technical elements of the software or systems,
including:
Database Design – field definitions, file structures, entity relationship diagrams, data flow
diagrams, etc.
Interface Design – what data transfer will occur from one system to another, with what
frequency and how; failure handling
Network requirements
According to GAMP 5 2nd Edition, both the specification and verification approach can be either
linear (V-model), or iterative and incremental (Agile).
Linear approach is based on the classic V-model or waterfall model. This model is suitable
when system requirements are well understood and defined upfront. The application of the
V-model varies depending on the complexity, risk, and novelty of the system.
Each test in the software validation process verifies specific pieces of the planning and
specifications that were used to design the system. The model's left side addresses the
requirements and specifications to define and build a system. The model's right side
addresses the associated testing required to verify the requirements and specifications.
https://www.scilife.io/blog/csv-csa-main-differences 6/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
In other words, the number of tests performed in a CSV approach is equal to the number of
specifications (URS, FS, and DS together). The report should conform to the validation plan
and include results for each test against the corresponding specifications. The results
should also include screenshots of the tested specifications. This makes CSV a highly
documentation-oriented approach, resulting in vast volumes of information that may be
burdensome.
The Agile approach is focused on delivering quality and value during product development
of customized applications at speed. It uses an incremental product configuration that
promotes technical innovation and flexibility.
The planning, specification, configuration, verification and reporting are not linear, but
incremental, iterative, and exploratory. This permits developers to meet compliance and
demonstrate fitness for the intended use with less burdensome than with the linear model
(V-model).
https://www.scilife.io/blog/csv-csa-main-differences 7/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
Computer software assurance is a risk-based approach for establishing and maintaining confidence
that software is fit for its intended use. This approach considers the potential risk of compromised
safety and/or quality of the device to determine the level of assurance effort and activities appropriate
to establish confidence in the software.
Because the computer system assurance effort is risk-based, it follows the least burdensome
approach, where the burden of validation is no more than necessary to address the risk. Such an
approach supports the efficient use of resources, in turn promoting product quality. In addition,
computer software assurance establishes and maintains that the software used in production or the
quality system is controlled throughout its lifecycle, meaning the software is always in the validated
state.
Risk-based “Assurance”, applying the right level of rigor for a given level of risk to patient safety and/or
product quality.
https://www.scilife.io/blog/csv-csa-main-differences 8/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
“Take credit” for prior assurance activity and upstream/downstream risk controls.
Focus on testing, not scripting. Use unscripted testing for low/medium risk components.
The four simple steps in establishing computer system assurance are as follows:
The US FDA recognizes that the level of assurance needed for a computer system depends on the
software’s intended use. If the software is part of a production or quality system, then it needs a
high level of assurance compared to software used as support for the production or quality
system. Similarly, software not part of the production or quality system needs a low level of
assurance.
The FDA recommends using a risk-based analysis to determine the appropriate assurance
activities. Broadly, the proposed risk-based approach in the draft guidelines entails systematically
identifying reasonably foreseeable software failures, determining whether these failures pose a
high process risk, and systematically selecting and performing assurance activities
commensurate with the medical device or process risk, as applicable.
A software is considered high risk if its malfunctioning may lead to a quality issue that elevates the
risk of medical devices and compromises safety.
Therefore, any software used as support or is part of a production or quality system can be
categorized from high risk to low risk for purposes to determine assurance activities.
FDA suggests that heightened risks of software features, functions, or operations generally entail
greater rigor, i.e., a greater amount of objective evidence. Conversely, relatively less risk (i.e., no
high process risk) of compromised safety and/or quality generally entails less collection of
objective evidence for the CSA effort. Thus, the level of assurance rigor should be commensurate
with the process risk.
https://www.scilife.io/blog/csv-csa-main-differences 9/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
When establishing the record, the manufacturer must capture sufficient objective evidence that
demonstrates they assessed and performed the software feature, function, or operation as
intended.
The intended use of software can be identified with the help of some rules of thumb described in
the CSA draft guidelines. For example, software with the following intended uses is considered to
be used directly as part of production or the quality system:
Software is intended for automating production processes, inspection, testing, or the collection
and processing of production data; and
Software is intended to automate quality system processes, collect and process quality system
data, or maintain a quality record established under the quality system regulation.
Software with the following intended uses is considered to be used to support production or the
quality system:
Software is intended for use as development tools that test or monitor software systems or that
automate testing activities for the software used as part of production or the quality system, such
as those used for developing and running scripts; and
Software is intended for automating general record-keeping that is not part of the quality records.
On the other hand, software with the following intended uses generally is not considered to be
used as part of production or the quality system, such that the requirement for validation in 21 176
CFR 820.70(i) would not apply:
Software is intended for the management of general business processes or operations, such as
email or accounting applications; and
Software is intended for establishing or supporting infrastructure not specific to production or the
quality system, such as networking or continuity of operations.
https://www.scilife.io/blog/csv-csa-main-differences 10/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
The risk-based analysis for production or quality system software should consider factors that
may impact or prevent the software from performing as intended, such as proper system
configuration and management, system security, data storage, data transfer, or operational error.
Thus, a risk-based analysis for production or quality system software should consider which
failures are reasonably foreseeable (as opposed to likely) and the risks resulting from each such
failure.
The FDA considers a software feature, function, or operation to pose a high process risk when its
failure to perform as intended may result in a quality problem that foreseeably compromises
safety, meaning an increased medical device risk. Examples of software features, functions, or
operations that are generally high process risk are those that:
Maintain process parameters (e.g., temperature, pressure, or humidity) that affect the physical
properties of product or manufacturing processes identified as essential to medical device safety
or quality.
Measure, inspect, analyze, and/or determine acceptability of product or process with limited or no
additional human awareness or review.
Produce directions for use or other labeling provided to patients and users that are necessary for
the safe operation of the medical device.
Automate surveillance, trending, or tracking data that the manufacturer identifies as essential to
medical device safety and quality.
In contrast, the FDA considers a software feature, function, or operation not to pose a high
process risk when its failure to perform as intended would not result in a quality problem that
foreseeably compromises safety. Examples of software features, functions, or operations that
generally are not high process risk include those that:
Collect and record data from the process for monitoring and review purposes that do not have a
direct impact on production or process performance.
Software used as part of the quality system for corrective and preventive actions (CAPA) routing,
automated logging/tracking of complaints, automated change control management, or automated
procedure management.
Software intended to manage data (process, store, and/or organize data), automate an existing
calculation, increase process monitoring, or provide alerts when an exception occurs in an
established process.
https://www.scilife.io/blog/csv-csa-main-differences 11/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
Based on the above examples, the Scilife platform would come under not high process risk as it is
used as part of the quality system for corrective and preventive actions (CAPA) routing,
automated logging/tracking of complaints, automated change control management, or
automated procedure management.
The US FDA suggests that depending on the level of risk associated with the system, the following
types of assurance activities can be performed for the CSA:
Unscripted Testing
With unscripted testing, the tester is free to select any possible methodology to test the
software without preparing written instructions. Software developers use their personal
knowledge, skills, and abilities to test the software developed by themselves. There is no
preparation, documentation, or test scripts. It includes:
Ad-Hoc Testing – focuses primarily on performing testing that does not rely on large amounts of
documentation to execute.
Error-guessing – Test cases are derived on the basis of the tester’s knowledge of past failures or
general knowledge of failure modes.
Exploratory Testing – tester spontaneously designs and executes tests based on the tester’s
existing relevant knowledge, prior exploration of the test item, and heuristic “rules of thumb”
regarding common software behaviors and types of failure. It looks for hidden properties,
including hidden, unanticipated user behaviors, or accidental use situations that could interfere
with other software properties being tested and pose a risk of software failure.
Scripted Testing
Scripted testing is performed by preparing a plan with written instructions with the details
of all the tasks. A test script is a set of rules, phases and different steps involved in the
testing process. Scripted testing includes both robust and limited scripted testing.
Robust Scripted Testing – scripted testing efforts in which the risk of the computer system or
automation includes evidence of repeatability, traceability to requirements, and auditability.
https://www.scilife.io/blog/csv-csa-main-differences 12/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
Limited Scripted Testing – a hybrid approach of scripted and unscripted testing that is
appropriately scaled according to the risk of the computer system or automation. This approach
may apply scripted testing for high-risk features or operations and unscripted testing for low- to
medium-risk items as part of the same assurance effort.
For high-risk software features, functions, and operations, manufacturers may consider more
rigorous methods, such as the use of scripted testing or limited scripted testing, when
determining their assurance activities. In contrast, for software features, functions, and
operations not high-risk, manufacturers may consider using unscripted testing methods, such as
ad-hoc testing, error-guessing, exploratory testing, or a combination of methods suitable for the
risk of the intended use.
https://www.scilife.io/blog/csv-csa-main-differences 13/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
Scripted Testing: T P In
e a t
s s e
Robust t s n
o /f d
b a e
j il d
e f u
c o s
ti r e
v t Ri
e e s
s s k
T t d
e c e
s a t
t s e
c e r
a D m
s e in
e t a
s a ti
( il o
s s n
t r
e e D
p g e
- a t
b r ai
y d le
- i d
s n r
t g e
e a p
p n o
p y rt
r f o
o a f
c il t
https://www.scilife.io/blog/csv-csa-main-differences 14/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
e u e
d r st
u e in
r s g
e / p
) d e
E e rf
x v o
p i r
e a m
c ti e
t o d
e n P
d s a
r f s
e o s/
s u fa
u n il
lt d r
s e
I s
n ul
d t
e fo
p r
e e
n a
d c
e h
n t
t e
r st
e c
v a
i s
e e
w Is
a s
n u
d e
a s
p fo
p u
r n
o d
v a
a n
l d
o di
f s
https://www.scilife.io/blog/csv-csa-main-differences 15/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
t p
e o
s si
t ti
c o
a n
s C
e o
s n
cl
u
si
o
n
st
a
t
e
m
e
n
t
R
e
c
o
r
d
o
f
w
h
o
p
e
rf
o
r
m
e
d
t
e
st
in
g
a
n
d
d
https://www.scilife.io/blog/csv-csa-main-differences 16/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
a
t
e
E
st
a
bl
is
h
e
d
r
e
vi
e
w
a
n
d
a
p
p
r
o
v
al
w
h
e
n
a
p
p
r
o
p
ri
a
t
e
https://www.scilife.io/blog/csv-csa-main-differences 17/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
Reduced test script execution time and lower number of detected defects.
CSA guidelines support companies that have taken the path to automation.
Now that we have provided a detailed overview of the CSV and CSA processes separately, let’s
summarize the similarities between the two approaches:
The similarity between CSV and CSA is that both require some tests to be performed and objective
evidence to be generated. However, the most crucial difference between the CSV and CSA is that CSV
is an objective, evidence-based approach without risk assessment. Therefore, the CSV process
results in more tests and test evidence. As a result, the CSV process generates larger volumes of data
in the form of reports. This makes CSV a more burdensome approach compared to CSA, as in the
case of CSA, the number of tests to be performed depends on the potential impact of the failure mode
of the specific feature on the process or medical device.
The number of steps in the CSV and CSA process differs as follows
C
CSV S
A
Planning Id
e
n
ti
fy
in
g
t
https://www.scilife.io/blog/csv-csa-main-differences 18/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
h
e
in
t
e
n
d
e
d
u
s
e
D
e
t
e
r
m
in
in
g
ri
s
k-
Defining DS, FS, and URS b
a
s
e
d
a
p
p
r
o
a
c
h
Testing includes: D
e
Verifying IQ against DS t
e
r
Verifying FS against PQ
m
in
https://www.scilife.io/blog/csv-csa-main-differences 19/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
e
c
o
r
d
s
Another difference between CSV and CSA is that the CSV is a validation process itself, whereas CSA
always remains in the validated state.
Benefits of CSA
In a nutshell, CSA is a more critical thinking-driven and efficient approach compared with the CSV
approach. However, the choice of CSV vs. CSA may also depend on your objective. For example, as a
computerized system vendor, you may prefer to rely on the extensive testing and evidence to leave no
stone unturned. But if you are a user, it might make sense to prioritize testing of the failure modes for
high-risk features or systems.
As the FDA moves from CSV to CSA, this new approach represents a step-change in computer system
validation, placing critical thinking at the center of the CSV process, as opposed to a one size fits all
approach. The change allows manufacturers to focus testing rigor on areas that directly impact patient
safety and device quality. It’s an approach that Scilife is fully onboard with, so if you’d like to discover our
validation strategy, please get in touch.
https://www.scilife.io/blog/csv-csa-main-differences 21/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
#QUALITY MANAGEMENT
Related stories
GAMP 5 and GAMP 5 2nd Edition: What SaaS validation strategy: Scilife
are the main differences? | Scilife Implementation without hassle
Why GAMP 5 Needed a 2nd Edition GAMP 5 (Good What are SaaS solutions? Software as a service
Automated Manufacturing Practice) is a risk- (SaaS) solutions allow users to easily connect to
based approach for the implementation, and use cloud-based apps over the internet
operation, and ... instead ...
https://www.scilife.io/blog/csv-csa-main-differences 22/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
#Compliance #GxP
Business Email*
Industry*
Pharma / Biotech
Other
https://www.scilife.io/blog/csv-csa-main-differences 23/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
Submit
Product
Pricing
Industries
Company
Resources
Solutions
Contact Us
Terms of Use
Privacy Policy
Cookie Policy
https://www.scilife.io/blog/csv-csa-main-differences 24/25
29/07/2024, 11:04 CSV vs. CSA: What Are the Main Differences? | Scilife
https://www.scilife.io/blog/csv-csa-main-differences 25/25