CSA – Is Computer Software Assurance Cheating?

CSA is literally catching fire, but there remains a lot of bad information out there. Something I hear, in one variant or another, every week is: “Is CSA cheating?” If CSA is a simplified, streamlined approach (test more and document less), how can it possibly deliver better results than traditional Computer System Validation (CSV)? That just doesn’t add up, and other regulators (or customers who audit my organization) will think I’m cheating, won’t they?

I can certainly understand the thinking that goes into the idea that any shortcut is cheating. We tend to think that more and harder is better than less and easier. The truth, however, is that CSA is delivering better results than traditional CSV. With more than 50 manufacturers that have converted to Computer Software Assurance, the success stories are now beyond reproach. Indeed, even ISPE GAMP now endorses the CSA risk-based approach and covers it in their “Data Integrity by Design” guidance, published in November of 2020.

The question then becomes, how? How can a simplification improve the quality of validation?

First, CSA puts risk to patient safety and product quality at the core of the process. When you consider systems and requirements through the lens of impact to these factors, the shape of testing and validation fundamentally changes. Most organizations have been assessing risk to business criticality and regulatory/compliance impact. The FDA guidance asks us to consider our patients first.

Second, CSA relies heavily on unscripted testing for lower-risk functions. To be clear, unscripted does not mean undocumented. An unscripted test case still gets a test case identifier, a version, and a run number. An unscripted test case still gets mapped to the associated requirement in a traceability matrix. What we find is that when testers are unhandcuffed from detailed, click-level test scripts and are allowed to engage with a computer system more naturally, they are better at discovering functional issues. After all, they are working with the system more like they will in their day job.

So this is just the tip of the iceberg for CSA, and as I routinely say, there is no “one size fits all” approach to implementing CSA. Every organization has a unique risk tolerance and unique needs. At the KENX Data Integrity conference this week, we asked Cisco Vincenty of the FDA what he would say to organizations reluctant to deploy CSA without the FDA guidance. In a nutshell, Cisco stated that FDA will not force the adoption of CSA, but the organizations that don’t adopt it lose out on the improved quality and efficiencies CSA has to offer.

If you’d like to discuss this subject further, or any other needs, call us for an appointment (847.327.3167 x 406). As always, we’re here to help.

Author: Stephen J Cook
VP - Validation Quality & Compliance