From CSV to CSA

From CSV to CSA
May 14, 2020

As part of its mission, the Food and Drug Administration is responsible for protecting the public health by ensuring the safety, efficacy and security of human and veterinary drugs, biological products and medical devices. The FDA is also responsible for advancing the public health by helping to speed innovations that make medical products more effective, safer and more affordable.

Title 21 CFR Part 11, originally released in 1997, is an FDA regulation on how regulated companies should manage their electronic records and electronic signatures, so they are considered credible, trustworthy, compliant and can replace paper-based systems. Six years later, in 2003, the FDA released its guidance aimed to elaborate on the then current thinking regarding the scope and application of 21 CFR Part 11. Today, these two documents are still being followed strictly by Computer Software Validation (CSV) practitioners in regulated companies.

Many things have changed in the 20 years since the original code was released. At the time, most IT systems were custom built bespoke systems, whereas these days most regulated companies choose an off-the-shelf, configurable solution, that they can easily adapt to their needs, while minimizing validation costs. Furthermore, cloud technology was not available and was embraced by regulated companies only in recent years.

Over the years it has become apparent that the current CSV methodology does the job, but poses quite a few challenges. It produces massive amounts of documents and tests, while ignoring the fact that certain areas are riskier than others and testing should focus on those high risk items. It tests everything. This takes a great amount of time and resources and being a manual process, it is error prone and may require few iterations, often due to documentation and script errors, not actual software failure. Not to mention the costs, which can easily get to 30-50% of the overall project costs.

Traditional CSV is perceived as a burden that companies do to check the box and successfully pass audits, not necessarily improve the quality of deliverables. Companies tend to perform it only when they must, actually delaying new projects and adoption of new technologies. In the era of cloud computing, where updates are usually pushed by software and app vendors on a regular basis, customers don’t always get to decide which updates they would like to embrace. Some companies consciously decide to be at risk and do not perform an impact assessment of every release.

With this kind of feedback, one cannot wonder, does CSV really support innovation and drive better product safety and quality?

And now, after all these years, a change is finally coming. In 2020 The FDA is expected to release a new guidance document, “Computer Software Assurance for Manufacturing, Operations and Quality System Software” (CSA). The guidance made it to the CDRH Proposed Guidances for Fiscal Year 2020 (FY 2020).

Based on the information currently available, the transformation from Validation to Assurance encompasses changing the focus from documentation to critical thinking and encouragement of automation. The emphasis should be on identifying those critical items that actually impact product safety and based on the intended use of the system. Once identified, the impact of failure has to be assessed and based on it, what assurance activities need to take place. Only then the appropriate tests steps should be compiled and eventually documented.

The FDA has conducted some initial assessments and pilots showing the enormous time saving, financial and quality benefits of the CSA approach. These have shown a significant reduction of the burden involved in validation tasks.

Paradigm Shift - from CSV to CSA

How can companies progress to computer software assurance?

While the draft guidance is expected to be released in 2020, there is nothing actually preventing companies from already embracing this new way of thinking now and enjoy some of the benefits it offers. The FDA has stated this a few times, including a recent webinar held on 23-Apr-2020 where Francisco Vicenty CDRH Program Manager, Case for Quality, stated this.

Validify is an approved Salesforce partner with a unique application designed to streamline risk assessment, validation and assurance activities for regulated companies operating on top of the Salesforce platform. Validify is CSA ready, so companies may choose to work according to the new draft guidance using a risk-based approach or according to the traditional CSV model.

Leveraging Validify comes with all the advantages of using a modern tool. Validify automates most of the agonizing validation activities that used to be manual till now. This saves time & money while producing consistent quality deliverables time and again.

Using Validify’s automated tool eliminates any deliberation on when to start a validation cycle, simply because every run literally takes minutes and identifies what configuration changes were introduced and what activities should be further done as a result, taking organizations one step closer to continuous validation. Whether it’s a Salesforce update, an internal process built on top of Salesforce or an application from a third-party vendor installed on top of Salesforce, we can analyze and validate it.

Why else should you contact us today for a free, no strings attached trial?

Validify does not require any IT infrastructure apart from your existing Salesforce Org, we offer a full SAAS model. The application can be installed in 10 minutes from Salesforce’s AppExchange. No services required and all included training and support is done remotely while our team and your works from home, so everyone stays safe.

The application will analyze your Salesforce org within 10 minutes and immediately identify potential risks and mitigations. Upon approval, a set of validation documents will be created and ready for your review. All documents can be edited online, and the application will save any edits for the next run, so no need to amend it again.

Advance to the next level of computer software validation, install Validify today!


About Validify

Validify Inc. is a Salesforce partner, the vendor of Validify, a Salesforce application that automates the risk analysis and computer system validation (assurance) processes for regulated companies, managing their product related processes on the Salesforce platform. Validify is an automated solution providing risk analysis of any Salesforce org and generating all necessary verification and validation documents based on risk and other predefined, configurable parameters. Validify also provides a real-time status of your org’s compliance and identifies changes in your org automatically.

About the author

Gal Barnea is a Co-Founder of Validify. With over 13 years of industry experience managing global accounts, leading international deployment teams, analyzing, designing and validating IT Quality systems for regulated companies such as life science, food & beverage and cosmetics, Gal is heading customer success at Validify. Gal holds a master’s degree in business administration, specializing in IT systems and is PMP certified.

Want to hear more or book a demo? Click here

Are you ready to move to the next generation of validation?

Tell me more