Home » What the future holds – The Transition from CSV to CSA

What the future holds – The Transition from CSV to CSA

What is Computer System Validation 

The FDA, EU and other regulatory agencies require you to validate your computer system prior to deploying it into a regulated process. 

The purpose of this article is to provide an introduction to the topic of Computer System Validation (CSV), including what it is and why you should do it.

CSV is the process of ensuring that a computer system or software application meets regulatory requirements. It’s a critical component of the risk-based compliance program for regulated industries, and if you’re in one of these industries, you need to understand what CSV is and why it’s important.

Computer systems can be used as tools to achieve many goals–such as improving efficiency and productivity or reducing costs–but they also pose certain risks.

Documentation to capture this hasn’t always been consistent or agreed upon across the industry. The GAMP forum, along with the International Society for Pharmaceutical Engineering (ISPE) introduced the first edition of Good Automated Manufacturing Practices (GAMP) in 1994 to address this.

Good Automated Manufacturing Practices

GAMP defined a clear set of industry best practices to ensure regulatory compliance and utilizes the V-Model Software Development Life Cycle (SDLC).  The V-Model gives us a clear path to validation, that includes verification activities for each level of specification.

Before beginning a new project, an assessment of risk for the system must be completed and the system must be given a GAMP category classification. There are 4 categories in which GAMP 5 groups computerized systems according to their complexity. These GAMP 5 categories define the approach to full validation.

In other words, they determine:

  • the validation route to follow
  • and the necessary documents to demonstrate that your system is suitable for the use that will be given and complies with the GxP regulation.

GAMP category 1: infrastructure

GAMP category 3: non-configurable software

GAMP category 4: configurable software





GAMP category 5: custom or bespoke software






By identifying the risk and the GAMP category, we can implement our own internal processes/procedures which indicate the level of validation and deliverables required for the project. CSV is required by regulatory agencies to ensure:

  • Data Integrity
  • Product Quality
  • Patient Safety

If the validation process isn’t documented appropriately then an organization risks findings during an audit that can have an impact across the organization. Ensuring your systems are validated appropriately can mitigate many of these issues and ensure your systems/products are reliable and safe.

Which systems do (and don’t) need to be validated – including off-the-Shelf

Validation is a critical part of the process for developing and deploying systems that are required to be regulated.

As with most things in life, it’s important to know what you’re getting into before you go down that road. When it comes to validation, there are three main types: off-the-shelf (OTS) software, SaaS applications and cloud services (software as a service).

Spreadsheets also fall into this category–but they’re not exactly like OTS or SaaS. Spreadsheets are typically used by non-programmers who have no formal training in computer science or engineering; they’re often used by people who don’t even have a college degree!

What are the consequences of not validating systems?

Not validating systems can have a range of consequences. You may be unable to meet regulatory requirements and face penalties, such as fines or being forced to shut down. Your business could also suffer from reputation damage, especially if you are a regulated organization that is publicly visible.

What are the steps you need to take to implement a computer system validation program? You can begin to develop your computer system validation program by establishing a process to validate systems and developing a checklist that will help you conduct the validation.

Conducting gap analysis will help identify where your systems are lacking, so you can create plans to address those gaps in the future. Implementing these new processes and monitoring results is important as well.


What the future holds – The Transition from CSV to CSA


The FDA’s new approach to CSV, Computer Software Assurance (CSA), represents a step-change in computer system validation, placing critical thinking at the center of the CSV process, as opposed to a traditional almost one size fits all approach.

Following the launch of their ‘Case for Quality‘ initiative in 2011, the FDA were uncertain why so few companies were investing in automated solutions and why so many continued to run long-outdated versions of software.

The initiative, which set out to study quality best practice in medical device manufacturing, found that the burden of Computer Systems Validation (CSV) deterred technology investments and as a result, inhibited quality best-practice. On learning that the burden of CSV was holding companies back from realizing their investment in technology, the FDA decided to partner with industry to strike a balance between promoting automation and value-add CSV activities.

The FDA aimed to improve quality, remove non-value add activities, and focus testing on high risk areas, therefore reducing validation cost and time by focusing on the software’s impact to patient safety, impact to product quality and impact to quality system integrity (Direct or Indirect system).

This shift in approach to validation from computer system validation to assurance aims to realign effort to planning and preparation first, then defining the testing to be performed, and finally test execution and documentation.


Share This Post
Have your say!

To access our website and/or services, you may be required to provide certain information about yourself as part of the registration process. You agree that any information you provide will always be accurate, correct, and up to date. We take your personal data seriously and are committed to protecting your privacy. We will not use your email address for unsolicited mail. Any emails sent by us to you will only be in connection with the provision of agreed products or services. We have developed a policy to address any privacy concerns you may have. For more information, please see our Privacy Statement and our Cookie Policy.