未分類

Are Potato Chips More High-Tech Than Pharmaceuticals? The Paradigm Shift from CSV to CSA

Are Potato Chips More High-Tech Than Pharmaceuticals? The Paradigm Shift from CSV to CSA

Introduction: Stagnation of Technological Innovation in the Pharmaceutical and Medical Device Industries

For many years, pharmaceutical and medical device companies have shown reluctance to invest in IT systems and automation systems. The primary reason lies in the existence of regulatory requirements such as 21 CFR Part 11 and Computerized System Validation (CSV).

CSV mandates extensive documentation and testing execution, all of which must be presented and explained in detail during regulatory inspections. CSV implementation requires significant time, effort, and cost. More problematically, despite all this effort, the possibility of receiving findings during regulatory inspections remains. Companies have long operated in fear of regulatory findings and, in worst cases, the issuance of Warning Letters.

This overly conservative approach has been a major factor in significantly delaying technological innovation in the pharmaceutical and medical device industries. In contrast, other industries such as food and chemicals have simultaneously achieved cost reduction and quality improvement through proactive adoption of IT systems and automation systems.

Industry Reality: Lessons to Learn from Potato Chip Manufacturing

On September 3, 2003, The Wall Street Journal published an intriguing article suggesting the pharmaceutical industry’s technological lag. The article stated: “The pharmaceutical industry has a little secret: Even if they develop groundbreaking new drugs, their manufacturing technology lags far behind that of potato chip or laundry detergent manufacturers.”

This comparison is by no means an exaggeration. In potato chip manufacturing, products with consistent hardness and texture are stably produced even when the moisture content and size of raw potatoes vary. This is the result of advanced process control technology and automation systems.

When we translate this situation to pharmaceutical manufacturing, the technological gap becomes extremely clear. While pharmaceutical manufacturing also requires maintaining consistent quality despite variations in raw material characteristics, many companies still rely heavily on manual processes, with the adoption of the latest automation and control systems lagging behind.

Problems with CSV Compliance: Compliance for the Sake of Compliance

Much of the extensive documentation created for CSV and Part 11 compliance unfortunately does not directly contribute to ensuring patient safety or guaranteeing product quality. In reality, these documents are primarily created solely for presentation to inspectors during inspections.

In other words, compliance itself has become the objective, creating an enormous burden on companies that is disconnected from the original purposes of quality assurance and patient safety. It is no exaggeration to say that compliance costs spent on CSV and Part 11 have been consumed for inspection response rather than for patient benefit.

An even more serious problem is that companies, rather than fearing the release of poor-quality products to the market, take overly conservative approaches out of fear of inspection findings, performing excessive documentation and verification work. This “inspection response culture” hinders the pursuit of genuine quality improvement and patient safety.

These compliance costs ultimately transfer to drug prices, resulting in increased patient burden. Resources that should be used for product innovation and quality improvement are being consumed on document creation for inspection response. This is putting the cart before the horse.

The Emergence of CSA: The Beginning of a Paradigm Shift

To break through this situation, the US Food and Drug Administration (FDA) published the draft guidance “Computer Software Assurance for Production and Quality System Software” (hereafter, CSA Guidance) on September 13, 2022. On September 24, 2025, the FDA issued the final version of this guidance, officially entering the implementation phase.

The CSA Guidance fundamentally reconsiders the CSV concept that the pharmaceutical and medical device industries had regarded as the greatest barrier to automation system adoption. This is not merely a fine-tuning of regulatory requirements but represents an essential transformation of the validation approach.

Core Changes in CSA

The key features of the final CSA Guidance include:

1. Thorough Risk-Based Approach Rather than treating all systems uniformly, CSA determines appropriate assurance activities based on the system’s Intended Use and process risk. Functions determined to be “high process risk” require rigorous assurance activities, while “not high process risk” functions can apply minimal assurance activities.

2. Documentation Optimization Rather than “documentation for the sake of documentation” as before, only truly valuable records are created. Digital records such as system logs and audit trails are actively utilized, minimizing manual document creation and paper-based evidence collection.

3. Flexible Testing Methods Not only scripted testing but also ad hoc and unscripted/exploratory testing are recommended. This simultaneously improves testing efficiency and effectiveness.

4. Leveraging Vendor Resources Software vendors’ development lifecycles, quality management systems, and certifications are actively utilized to reduce duplicate verification work. Particularly for Commercial Off-The-Shelf (COTS) software, emphasis can be placed on vendor assessment and configuration verification.

5. Support for Cloud Services and AI/ML The final version adds specific definitions and guidance for cloud computing (IaaS, PaaS, SaaS) and Artificial Intelligence/Machine Learning (AI/ML) systems. This facilitates the adoption of cutting-edge technologies.

Critical Thinking Required by CSA

The most important aspect of CSA implementation is the application of critical thinking. This concept is also emphasized in ISPE GAMP 5 Second Edition (published in 2022), and rather than simply following procedures, answering the following questions is required:

  • What is the intended use of this system?
  • How does this function impact patient safety, product quality, and data integrity?
  • What assurance activities are appropriate for this risk level?
  • Does this documentation truly provide value?

Through critical thinking, validation teams shift from asking “What is written in the specification?” to “What could go wrong?” This enables earlier discovery of data integrity and safety issues while avoiding excessive effort in low-risk areas.

Alignment with International Regulatory Trends

Synergy with GAMP 5 Second Edition

The GAMP 5 Second Edition issued by ISPE (International Society for Pharmaceutical Engineering) in July 2022 is highly aligned with the CSA Guidance. GAMP 5 Second Edition supports the transition from traditional Computerized System Validation (CSV) to Computer Software Assurance (CSA).

Key updates include:

  • Addition of a new appendix on Critical Thinking (Appendix M12)
  • Comprehensive guidance on IT infrastructure including cloud services and SaaS environments (Appendix M11)
  • Support for new technologies such as Agile development methodologies, AI/ML, blockchain, and open-source software
  • Promotion of risk-based testing methods (combination of scripted and unscripted testing)

Major Revision of EU GMP Annex 11

On July 7, 2025, the European Commission published a draft of the significantly revised EU GMP Annex 11 (Computerised Systems). This revision is the first major update in 14 years since 2011, with finalization expected mid-2026.

Key changes in the revised Annex 11:

  • Document expanded from 5 to 19 pages, with 17 sections
  • Clarification of 8 fundamental principles (lifecycle management, risk management, data integrity, supplier management, etc.)
  • Addition of specific requirements for cloud services, AI/ML, and cybersecurity
  • Strengthening of data integrity requirements based on ALCOA+ principles
  • Proposal for new Annex 22 “Artificial Intelligence”

This revision is intended to align with FDA CSA Guidance, GAMP 5 Second Edition, and ICH Q9(R1), advancing global regulatory harmonization.

Integration with ISO 13485:2016

The FDA has decided to harmonize the Quality System Regulation (21 CFR Part 820) with ISO 13485:2016 starting February 2, 2026. This change requires medical device manufacturers to build quality management systems based on international standards. The CSA approach is fully aligned with this ISO integration.

Path to Implementation: Steps Companies Should Take

To effectively implement CSA, companies are recommended to take the following steps:

Step 1: Conduct Gap Assessment

Compare the current CSV approach with CSA Guidance requirements and identify areas where changes are needed. Inventory all manufacturing and quality system software and evaluate each for its intended use and risk level.

Step 2: Build Risk Classification Framework

Establish clear criteria for classifying each software function as either “high process risk” or “not high process risk.” This classification should be based on impact to patient safety, product quality, and data integrity.

Step 3: Optimize Assurance Activities

Define appropriate assurance activities according to risk level. Apply rigorous scripted testing for high-risk functions and vendor evaluation or simplified verification for low-risk functions. Maximize use of digital evidence such as system logs and audit trails.

Step 4: Update SOPs and Master Validation Plan

Create or update SOPs reflecting the CSA approach and incorporate risk-based decision-making processes into the Master Validation Plan (MVP).

Step 5: Training and Cultural Transformation

The most important step is organizational mindset transformation. Employees need to develop the ability to make risk-based decisions rather than simply following procedures. Conduct comprehensive training on how to apply critical thinking, assess system risks, and define appropriate validation strategies.

GAMP 5 has a saying: “80% of effort should be on improvement, but currently only 20% is.” Full adoption of CSA requires cultural change to reduce time spent on documentation and increase time on improvement (e.g., root cause analysis, process optimization).

Step 6: Strengthen Vendor Management

CSA recommends utilizing information and evidence from software vendors. Evaluate vendors’ software development lifecycles, quality management systems, and relevant certifications (such as ISO 13485), and incorporate CSA requirements into contracts. Particularly for SaaS-based systems, ensuring change management visibility and cybersecurity controls is important.

Clarification of Relationship with Part 11

The CSA Guidance also clarifies the relationship with 21 CFR Part 11 (Electronic Records; Electronic Signatures). While the FDA exercises enforcement discretion for some Part 11 requirements, this enforcement discretion does not apply to the validation requirements for production or quality system software under 21 CFR 820.70(i).

In other words, companies cannot rely on Part 11 enforcement discretion to avoid validating production/QMS software and must instead use CSA’s risk-based approach. When electronic records are maintained under Part 820, Part 11 applies, but the CSA approach recommends focusing assurance activities on functions relevant to record integrity and Part 11 requirements.

Expected Benefits of CSA Implementation

Appropriate CSA implementation is expected to deliver the following benefits:

1. Reduced Compliance Costs By reducing unnecessary documentation and testing, validation activity costs can potentially be reduced by 30-50%. These resources can be reallocated to higher-value activities (quality improvement, innovation).

2. Accelerated Technological Innovation Lower barriers to adopting new automation systems and advanced technologies (cloud, AI/ML) will accelerate digitalization in the pharmaceutical and medical device industries. This will realize improved manufacturing efficiency, reduced errors, and enhanced product quality.

3. Improved Quality and Safety The risk-based approach enables focusing resources on truly important areas (patient safety, product quality, data integrity). Application of critical thinking enables earlier discovery and response to potential problems.

4. Constructive Dialogue with Regulators Moving from overly conservative approaches based on fear of inspections to rational approaches based on risk and value enables more constructive dialogue with regulators. CSA requires logical explanation of “why this approach was chosen,” which is also easier for regulators to evaluate.

5. Promotion of Global Regulatory Harmonization Alignment of FDA CSA, GAMP 5 Second Edition, EU Annex 11 revision, and ISO 13485 advances global regulatory harmonization. This enables multinational companies to apply consistent approaches across global sites.

Considerations and Challenges in Implementation

The following points require attention when implementing CSA:

1. Flexibility Requires Effort CSA provides flexibility, but to enjoy that flexibility, detailed justification of risk assessments and assurance activities is necessary. The sense of security from completing the entire lifecycle and feeling “covered” disappears, replaced by the need to constantly explain “why this approach is appropriate.”

2. Phased Transition Rather than transitioning all systems to the CSA approach at once, it is recommended to first gain experience with pilot projects (e.g., learning management systems or PLM), validate processes, and then gradually roll out.

3. Handling Existing Systems CSA can be applied not only to new systems but also to existing systems. However, retrospective revalidation of existing systems is unnecessary. Instead, apply the CSA approach at the next major change or upgrade.

4. Addressing Multiple Regulatory Authorities Companies that need to comply with both US FDA and other regulatory authorities (such as EU) must carefully consider the scope of CSA draft guidance application. Since regulatory expectations may differ by region, an approach that balances these is required.

5. Importance of Organizational Change More than technical changes, organizational culture transformation is crucial for CSA success. Transitioning from a CSV repetitive strategy of “just repeating work” to an approach based on critical thinking requires mindset reform for all stakeholders.

Conclusion: Achieving Both Technological Innovation and Quality Assurance

The finalization of CSA Guidance represents a historic turning point for the pharmaceutical and medical device industries. Three years after the draft’s publication in 2022, the September 2025 final version brings the industry into full implementation phase.

CSA resolves the false dichotomy of “compliance or innovation” and shows a path to achieve both simultaneously. When properly implemented, CSA reduces unnecessary validation burden, promotes adoption of digital technologies, and most importantly, enables an approach that truly focuses on patient safety and product quality.

The time has come to leave behind the criticism from over 20 years ago that the pharmaceutical industry “lags behind potato chip manufacturing.” Through the evolution of CSA, GAMP 5 Second Edition, EU Annex 11 revision, and ISO 13485 integration, the industry can build a framework that maintains the highest standards of quality and safety while utilizing cutting-edge technology.

Cooperation among regulators, industry, and software vendors is essential for this transformation to succeed. CSA is not merely a change in regulatory requirements but an invitation to a new paradigm that promotes innovation while prioritizing patient safety.

Now is the time to build a genuine quality culture centered not on fear of inspections but on delivering value to patients. CSA is a powerful tool for realizing this, and the entire industry is expected to maximize this opportunity.

Key Reference Materials:

  • FDA Computer Software Assurance for Production and Quality System Software (Final, September 2025)
  • ISPE GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems (Second Edition, July 2022)
  • EU GMP Annex 11: Computerised Systems (Draft Revision, July 2025)
  • EU GMP Annex 22: Artificial Intelligence (Draft, July 2025)
  • ICH Q9(R1) Quality Risk Management (2023)
  • 21 CFR Part 11 Electronic Records; Electronic Signatures
  • 21 CFR Part 820 Quality System Regulation
  • ISO 13485:2016 Medical devices – Quality management systems
Critical Thinking in Pharmaceutical Quality Management: A Risk-Based Approach to Excellence Previous post Understanding Quality Assurance: Beyond Auditing Next post

Related post

Comment

There are no comment yet.