Guest Column | October 6, 2021

4 Strategies for Medtech Compliance With FDA's Upcoming Computer Software Assurance Guidance

By Kathleen Warner, Ph.D., RCM Technologies


As the FDA finalizes and publishes the Computer Software Assurance (CSA) guidance later this year, companies that have not already started the transformation process to CSA can get started now – don’t wait!

The medical device industry can benefit greatly by implementing CSA. In a recent European study [1] on medical devices, AI application categories and types were researched and cited as producing data that can be collected and analyzed throughout the life cycle of the patient. Based on our understanding, the CSA guidance will, in many cases, require continuous validation of medical devices that use intelligent technology for patient and product safety. The following are examples of data collection and medical device scenarios that could benefit from the use of a “CSA approach” or “CSA methods”:

  • Medical devices that collect clinical data
  • Healthcare delivered remotely by medical personnel via text, video, or phone
  • Laboratory information systems (LIMS), chromatography testing, etc.
  • Neurology, breast, oncology, molecular imaging, and X-ray equipment (i.e., portables)
  • Personal assistance applications
  • Physiological monitoring devices and those that monitor the function of an organ
  • Surgical, medical, and manufacturing robotics

As we continue to build on the CSA transformation challenges ahead, there are activities that need to be performed to make this transformation to CSA in an organized and productive way, as follows:

  1. Develop a transformation plan.
  2. Implement a phased approach for achieving CSA.
  3. Implement test automation tools that enable CI/CD (continuous integration/continuous deployment).
  4. Establish a continuous software validation life cycle.

Two of the tenets of CSA are critical thinking and risk-based assessments. In the first article of this series, I discussed the importance of critical thinking, provided a definition, and listed skills required to master critical thinking. Additionally, I provided the “how” to perform a risk-based assessment for GAMP 5. The process has not changed; however, for direct impact systems, the risk-based assessment focuses on critical and high risks to assure that the software requirements align with the CSA guidance for patient and product safety, quality, and data integrity. This shift in thinking from validating everything to validating only critical and high risks for direct impact systems is new and places responsibility on software vendors to implement a continuous validation framework to successfully realize the transformation to CSA from CSV.

Transformation Planning

One of the most important activities is to develop a transformation plan that includes a phased approach to CSA. A well-developed transformation plan focuses on change management and business improvement for people, process, technology, and transformation (pptx). It should describe the phases of the transformation, approach/methods, and deliverables. Deliverables include estimated timeline, budget, and process improvement, which involves replacing old processes with new processes, developing success criteria and metrics, such as key performance indicators (KPIs) and/or software-level agreements (SLAs) with suppliers/vendors/partners, and addressing the barriers to transformation through organizational change management (OCM). New technical competencies need to be developed through learning management programs to train employees on the new FDA CSA guidance. The effort to transform an organization is significant and can be successfully achieved by executing a well-developed transformation plan.

Recent data on this topic indicates that you could see a return on investment (ROI) between 50% and 80% with some of the following benefits: cost savings in time, improved quality processes, and reduction in resources combined with new development methods that enable continuous integration (CI), continuous validation (CV), and continuous deployment (CD).

The IT foundational framework provides the building blocks to achieve the CSA transformation. At the top of the list of transformation planning are the IT infrastructure architecture and the cloud integration strategy that describe your cloud and/or hybrid (i.e., cloud and on-premises) environments.

Since the transformation plan is a strategic document, to be effective, content should include, but not be limited to, the following:

  • Description of IT architecture and cloud integration strategy (include cloud environment and on-premises environment)
  • Description of DevOps tools being used for cloud and on-premises integration. Examples include, but are not limited to, codeless test creation and automation, end-to-end testing, and CI/CD tools, such as Jenkins, Bamboo, Azure DevOps, CircleCI, TeamCity, etc.
  • Off-the-shelf (OTS) and commercial off-the-shelf (COTS) applications, such as Adobe, Microsoft, SAP, Salesforce, etc.
  • List of IT cloud partners, software products and services, roles and responsibilities, and SLAs.
  • List of applicable U.S. and global standards (ISO 9001:2015) and regulations/guidance (FDA GAMP, EU, etc.)
  • List of current quality standards, processes, and policies
  • Organizational change management (OCM) approach and deliverables
  • Descriptions of non-product computerized systems (e.g., manufacturing execution systems [MES], quality management systems [QMS], and electronic data management systems [EDMS]), to name a few, and non-product quality systems (e.g., QMS and product life cycle management [PLM] systems for change management and continuous improvement of quality processes)

In a report published by the FDA in 2011 on Medical Device Quality [2], the FDA identified seven major opportunities to improve quality in the industry, to enhance operating systems and management infrastructure, and to change the mindset and behavior. As described in Figure 1 below, the seven major opportunities are as follows:

  1. Design and reliability engineering
  2. Robust postproduction monitoring and feedback
  3. Supplier management processes
  4. Quality metrics and measurement systems
  5. Quality organization
  6. Performance management
  7. Quality culture

When developing the transformation plan, it’s important to review the seven major opportunities to ensure the plan covers quality for all three goals: enhanced operating, enhanced management infrastructure, and enhanced mindset and behavior.

Figure 1: FDA Seven Major Opportunities to Improve Quality

Phased Approach to Achieving CSA

Initially, companies will need to inventory their computer software systems and applications to determine the ones that have a direct impact on patient and product safety, quality, and data integrity. Next, you will need to review the risk assessment categories following the FDA’s GAMP 5 regulation. By reviewing the prior risk assessments, you will be able to verify the categories that directly impact patient and product safety and need to be updated/revised for CSA:

  • inventory of direct impact systems/applications (e.g., have a direct impact on patients and product safety and quality)
  • assessment of Global Data Protection Requirements (GDPR) and impact on CSA
  • obtain financials to support the transformation project
  • identify stakeholders and champions to sponsor and support the transformation project
  • promote CSA through company-wide announcements, education, training, and implementation

The transformation planning task may be easier if your IT architecture and cloud integration strategy are documented; however, if you live in a hybrid IT world, and have several cloud partners, the transformation planning task becomes more involved. According to a Harvard Business Review survey, “3

Being intentional and optimizing the cloud solution can advance your organization’s ability to transform to a CI/CV/CD environment. By doing the prep work and determining which systems are direct impact systems, you can focus on the risk categories and determine the work effort needed to transition to CSA [4]. Pilot the CSA requirements in both cloud and on-premises environments to understand where you can leverage existing documentation and support CI/CV/CD.

Figure 2 below provides a sample of an IT architecture for private cloud on-premises/internal, and public cloud off-premises/external.

Figure 2: Sample Hybrid Cloud

Test Automation

Moving your organization to automated testing is a significant effort but well worth the investment. As described in the Transformation Planning section, a similar approach is required to transition your organization from manual to automated testing.

To start the transition, you will need to develop a test automation strategy and implementation plan. Benefits of making this transition include, but are not limited to, the following:

  • efficiency gains by automated testing
  • re-skilled testers
  • newer testing tools, fewer bugs and human errors, etc.
  • improvements in test processes and quality
  • shorter time to implementation
  • reduction in validation life cycle and documentation
  • focus on patient and product safety, improved quality, and data security

There are several published documents and guides [5] to help you develop the test automation strategy and implementation plan. With continuous life cycle management for software development, QA can focus on quality enhancements for operating systems, infrastructure, and change management.

Continuous Software Validation Life Cycle

Continuous software validation is now becoming a requirement for the life sciences industry. Cloud vendors are being requested to implement best practices and provide solutions that are validated and documented during development. Cloud vendors that can meet these requirements now are at the forefront of the digital transformation.

To achieve continuous software validation, you need to have a cloud adaptive framework, meaning that frequent requirement changes can be continuously managed when new upgrades are released. Some benefits of continuous software validation are reduction in resources, greater efficiency, improved quality, and cost savings. Even though life sciences companies are ultimately responsible for meeting regulations, following guidance, and being compliant, you can leverage your software vendors and suppliers in the transformation to continuous software integration, validation, and delivery.


Digital transformation is about changing the way you are doing business by solving underlying business problems that need to be fixed, removing old processes that prevent change, and developing new processes that support a new mindset and behavior.

By changing the CSV paradigm and refocusing on transformation challenges, the journey from CSV to CSA becomes a reality. The solution starts with transformational planning and a phased approach to CSA. With the CSA goal in reach, the potential to realize an 80% savings in business process improvement, quality, and compliance is real. Don’t let this opportunity slip away. Life sciences solutions companies can provide the knowledge, experience, and processes to help you achieve a CSA transformation focused on what’s important – patient and product safety, improved quality, and data security.

This is the final article in my three-part series on CSA. Future articles will focus on intelligence technologies: AI, machine language (ML) for collaboration, and machine language processing.

About The Author:

Kathleen Warner, Ph.D., VP of consulting services for RCM IT and Life Sciences, is an executive consultant with more than 25 years of experience in information technology (IT) and the life sciences. She has served as a chief information officer, subject matter expert, and domain expert in regulated environments. As a management consultant, Warner has provided oversight for hundreds of life science projects both in the U.S. and globally. Her strengths include leadership, advisory, organization change management, business process analyses, and program/project management engagements. As a practitioner and technologist, Warner has performed future cloud assessments and delivered transformation program services to IT, R&D, and quality departments of life sciences companies.