Understanding CSA (Computer System Assurance)
CSA (Computer System Assurance) is the FDA’s concept for quality assurance of non-product software, intended to replace the traditional CSV (Computer System Validation) approach. (Note: Product software refers to software embedded in medical devices, while non-product software refers to software used to manufacture products.)
However, CSA is by no means a new concept. Since the FDA advocated for a risk-based approach in 2002, regulatory authorities have repeatedly stated that the effort (cost) related to quality assurance must be commensurate with risk. Many regulatory requirements have subsequently adopted a risk-based approach.
The same principle applies to CSV. GAMP 5, published in 2008, also adopted a risk-based approach, demonstrating that the industry had already been moving in this direction.
During a Q&A session at a webinar hosted by USDM Life Sciences, Francisco Vicenty of the FDA was asked, “What does CSA mean for GAMP? Will GAMP be discontinued?” He responded as follows:
“The upcoming CSA guidance does not itself create new concepts. It aims to simplify and clarify the use of non-product software, maximize testing activities while minimizing documentation for low-risk non-product software systems. There is no inconsistency with GAMP 5. CSA is what the FDA has always intended, but it lacked clarity. Due to misunderstandings, there has been too much documentation for documentation’s sake, rather than documentation that actually improves quality.”
In other words, he affirmed that GAMP 5 already incorporates the concepts of CSA, and there is no need for its revision merely to align with CSA principles.
Critical Thinking: A Fresh Perspective
If there is anything that could be considered a new concept in CSA, it would be the explicit emphasis on critical thinking.
Critical thinking, translated into Japanese as “批判的思考” (hihanteki shikou), does not mean rejecting everything indiscriminately. Rather, it means questioning existing assumptions, preconceptions, and prerequisites that we may have taken for granted.
Regarding CSV, the following assumptions likely exist within many organizations:
CSV must be performed, or regulatory authorities will cite deficiencies during inspections. As much documentation as possible must be created for CSV activities. Any system that stores GxP records must undergo CSV. CAD systems, compilers, and similar tools must also undergo CSV. Once CSV is completed and an inspection is passed, that is sufficient. CSV requires comprehensive testing of all system functions without exception. Test records (evidence) must be maintained in exhaustive detail. Systems without audit trail functionality must not handle GxP data. Cloud storage must not be used without performing CSV. Cloud storage must not store GxP data because it lacks audit trail functionality. CSV deliverables must be approved with handwritten signatures. Original documents with handwritten signatures must be presented to inspectors.
Critical thinking requires us to challenge whether these assumptions are truly valid and necessary.
Documentation in traditional CSV has often been created for inspection preparedness rather than for patient safety. This approach is fundamentally misguided and nonsensical. We must fundamentally reconsider why we perform CSV, whether it truly contributes to patient safety, and whether it can genuinely assure product quality.
FDA’s Definition of Critical Thinking
When Francisco Vicenty was asked, “How does the FDA define critical thinking?” during the same Q&A session, he provided the following response:
"As manufacturers—the companies and personnel who produce the product—you know your business and your processes. You have the best insight into how risks arise, where they are significant, and what is happening from a process perspective.
Critical thinking is about considering where your system may introduce risks and what the risks are to your product or process. This helps you tell your story, whether to the FDA or any regulatory authority or inspector.
Being able to tell that story demonstrates that you understand your product and your process and have control over the elements. There is no one-size-fits-all solution for any company or system.
The FDA wants to know that you truly understand your processes and systems and that you have them under control. Make sure you can tell the FDA that you know where the risks lie."
In other words, the FDA expects that company personnel undergoing inspection understand their products and processes better than FDA inspectors do. They should also have superior knowledge of associated risks. Therefore, the FDA wants companies to explain that they are implementing quality assurance activities appropriately commensurate with identified risks.
FDA inspectors will also receive training to properly listen to companies’ explanations and judge whether their approaches are reasonable and justified. This represents a significant shift from the traditional inspection paradigm, where inspectors primarily checked for the presence of prescribed documentation.
Implications for Industry Practice
The introduction of CSA and emphasis on critical thinking have several important implications for pharmaceutical and medical device manufacturers:
First, companies should shift their focus from creating documentation to satisfy inspectors to implementing meaningful quality assurance activities that genuinely protect patient safety and product quality. Documentation should serve as evidence of these activities, not as an end in itself.
Second, risk assessment becomes central to the validation strategy. Companies must develop robust risk assessment methodologies that identify where software systems could impact product quality or patient safety. Resources should be concentrated on these high-risk areas, while low-risk systems may require minimal documentation.
Third, companies need to develop the capability to articulate their rationale for validation decisions. This requires deep understanding of both their business processes and the software systems supporting them. Simply following a checklist or template is insufficient under the CSA paradigm.
Finally, the relationship between companies and regulatory inspectors is evolving toward a more collaborative model, where companies present their risk-based validation strategies and inspectors evaluate the soundness of the approach rather than merely checking for the presence of specific documents.
The Path Forward
As the industry transitions from traditional CSV to CSA, organizations should review their existing practices through the lens of critical thinking. Question long-held assumptions, eliminate documentation that does not add value, and focus resources where they truly matter for patient safety and product quality.
The CSA guidance, formally published by the FDA in September 2023, provides clarity on these principles and offers practical examples of how to apply critical thinking to computer system assurance. However, the fundamental concepts have been present in regulatory thinking for over two decades. What has changed is the explicit acknowledgment that excessive documentation does not equate to better quality, and that companies know their systems and risks better than regulators can during brief inspections.
This shift requires not just procedural changes but a cultural transformation within organizations—from compliance-focused mindsets to quality-focused, risk-based thinking that genuinely serves patient safety and product quality.
Comment