The Applicability of FDA’s Computer Software Assurance Guidance to Data Integrity

Life Science Consultant


As technology progresses, new approaches to software inspection continue to be found. In the webinar ‘Understand the Applicability of FDA’s Software Assurance Guidance to Data Integrity’ (linked below), a new approach to validation is introduced.

Computer Software Assurance (CSA) is a risk-based Computer System Validation (CSV) approach that limits testing to features that directly impact data integrity, product quality, and patient safety.

Critical thinking is essential to be applied in the end-to-end validation process. It is vital for the risk-based validation approach throughout the entire process, from design to testing to change management. The CSA approach is not a change in the validation approach (process and methodology). It is about enforcing the shift from a V-Model to Agile Validation. It is not about less documentation but shifting from paper-based to tool-based documentation using tools such as Jira.

CSA strives to decrease redundant documentation while ensuring that the software is suitable for its purpose and that all risks are minimized. The FDA (Food and Drug Administration) favors quality over quantity, so even though the documentation is brought down to the minimum, it should still contain sufficient data regardless of whether it is on paper or electronic. Essentially, the documentation should represent evidence that all the requirements have been met and show what was done to achieve regulatory compliance. The way the information is presented is essential to the FDA inspectors; the information should be easy to read so that inspectors can quickly find the answer to their questions based on available data.

Computer Systems Assurance, based on the International Society of Pharmaceutical Engineers (ISPE) GAMP 5 model, is a risk-based, least demanding way to speed up the validation process. GAMP 5 provides practical industry guidelines for achieving compliant computerized systems that are fit for their intended use in a timely and efficient manner. Based on scalable specification and verification, this technical document offers a flexible risk-based approach to compliant GxP-regulated computerized systems.

In fact, Computer Software Assurance is the FDA’s new approach to validation, which results in reduced validation time of more than 50%, reduced testing errors by more than 90% and lower overall project cost compared to the previous Computer System Validation (CSV) approach, as reported by the FDA in December 2020, at the MDIC Case for Quality Forum (linked below).

As technology progresses with tremendous speed, improvements in validation and verification can be seen. The use of Artificial Intelligence (AI) in the mentioned processes is implemented in testing and visual comparison and is also applicable to data integrity. AI/ML can help enhance data quality, automate data pipelines, and minimize manual workload by understanding changes in data, alerting data drifts, and recommending quality criteria. As a result of this form of innovation, data visibility and observability are made possible.

As defined by Oxford Languages, critical thinking is the “objective analysis and evaluation of an issue to form a judgement. Although critical thinking is not a new term, as it has been previously mentioned in CSV, the CSA emphasizes precisely that. This means that if the application has a certain feature that will impact patient safety and/or the drug’s quality, it must be tested thoroughly. The remaining functions are tested by scripted or non-scripted testing. Also, If the changes are being made, critical thinking comes to light while assessing the risk. Depending on the risk, different levels of testing are needed.

The second novelty in the CSA is assessing the vendors. Before, everything was done within the same company—the infrastructure, the components, the platform, and the application. Now, as vendors do all that, no double-checking is needed. If the vendors are trusted, and their documentation is available and proper, then the accumulation of documentation is redundant and time-consuming. Documentation management is important as well. The records need to be organized in such a manner that when it comes to an audit or an inspection, they are readable, complete, and, moreover, easy to find. That is why it is suggested to use a good structure and use labels or attributes linked to the documents so that they are easier to find.

But ultimately, the company managing the validation has the last responsibility, meaning they should choose and assess whether the vendors are to be trusted. After they pass the assessment, the Quality Agreement is usually closed between the two parties.

Despite significant technological advancements, there needs to be more progress in data integrity (DI) in the pharmaceutical industry. It must be mentioned that the pharmaceutical industry is not alone regarding DI issues; in fact, they occur in all sectors. And there are a couple of reasons for that, according to FDA experts:

  1. Not an electronic issue: technology is not the one causing the problems; it is the people who use it.
  2. Need to understand Data Integrity as a whole: DI is a business process that is independent of technology; here, technology is just an enabler.

While validating, besides following the predicate rules, it is essential that software meets its intended use and that the tools used in the process are also validated.

During the inspections, health authorities would like to see the below-listed information:

  • Sufficient data Quality over Quantity,
  • Evidence of how the system works,
  • Electronic or paper, Data should be readily available for inspection

As stated in GAMP 5 guidelines, this can be achieved by applying the CSA approach, and where possible, information available from vendors should be leveraged. However, the final responsibility of providing the pieces of evidence relies on the organization but not the vendor.

Data Integrity requirements are to be treated as system requirements and apply a risk-based CSA approach in addressing the same.

Benefits of the CSA approach:

  • Regulators encourage and support automation & Solutions
  • Focus shifted from documentation to a risk-based approach
  • Leveraging Vendor documentation where possible

More details on CSA – Critical thinking are coming in the GAMP 5 second edition in July 2022.

Similarity and Difference between the CSV and CSA Approach

The similarity is that the new CSA processes must produce documentary evidence that the “software product” was defined, designed, developed, used and maintained in a controlled environment and the CSA records serve as evidence that the software product works as intended.

However, the chief differences are:

  1. that the new CSA processes allow the product teams (DevOps or Ops) to think critically and decide on the level of details of the CSA records. For instance, deciding if the tester should capture screenshots or not during a particular test.
  2. apply critical thinking to the review and approval of the CSA records. For instance, the requirements that are classified as “critical” should be approved by the Product Owner, and less critical requirements can be approved by the BA or the product manager.
  3. apply critical thinking and decide on the level and rigour of testing
  4. apply critical thinking to the process dependancies e.g. ensure all critical requirements have been approved before testing is completed
  5. the same CT principles can be applied to other processes e.g. code review, Product demos etc.
  6. While the FDA defines computer software validation (CSV) as a documented process for demonstrating that computer software performs as intended, Computer software assurance (CSA) is a risk-based method focusing on functions that affect product quality and patient safety. CSA also urges businesses to leverage software vendors’ documentation to save testing costs and speed up application deployment. If the vendor has already completed the required work, CSA proposes assessing the vendor. If the tool functions well in the system, the system is considered validated without additional effort.

In conclusion, the CSA has caused quite a stir-up. The opinions of the experts are somewhat divided on whether critical thinking is more important than documentation itself. However, most agree that the vast majority of documents can be reduced by employing a more organized method, such as colour-coding and adding related attributes. Essentially, documentation needs to provide the correct information to the right people at the right time; if that is achieved, there is no doubt that CSA is the future of validation.



Webinar –

Quality Forum –


Author: Durda Zdrakovic, Life Science Consultant KVALITO


KVALITO is a strategic partner and global quality and compliance service and network for regulated industries. To find out more, please visit us at . If you would like to benefit from KVALITO’s expert services, please send us an email at Are you looking for an exciting and challenging position as a consultant, or maybe you are an ambitious student/graduate looking for an internship? Please send your complete application to


You May Also Like…

Megan Hoo Internship Report

Megan Hoo Internship Report

Three years ago, I made a deliberate choice to pursue science, with a future I’d envisioned myself entrenched in...

Would love your thoughts, please comment.x