Overcoming CSA roadblocks for life sciences companies

  • November 16, 2023

It's been a year since the FDA released the draft guidance for Computer Software Assurance (CSA) and the ISPE (International Society for Pharmaceutical Engineering) updated GAMP 5 to v2. That was after over a year of hype over CSA and how it was going to change the way validation is done in the life sciences industry. Including industry analysts setting expectations that most companies will update their processes shortly after CSA is released.

So, why does it seem like many life sciences organizations haven't made any fundamental changes? Is it because they don't see the ROI? Is it because they are waiting to see their peers pass audits? One big reason is that the “compliance mindset” is so ingrained in their DNA as a company.

Re-examining the purpose of CSA

CSA guidance is meant to streamline current Computer System Validation (CSV) protocols for medical device manufacturing and quality systems. The changes focus on upfront risk-based analysis where the goal is to determine potential risk to product quality, patient safety and data integrity. This is essentially a return to the old Safety, Integrity, Security, Product Quality (SISPQ). It also allows for digital evidence, right-sized testing (based on the risk assessment) and leveraging vendor documentation and testing.

CSA isn't a replacement for traditional CSV processes. It also isn't an excuse or opportunity to not perform testing or not properly document test results. It isn't a shortcut for failing to complete due diligence. Instead, it is an opportunity to modernize your CSV processes and, potentially, significantly decrease the burden on testing.

Common roadblocks to implementing CSA

1) Only for medical devices: While the guidance from the FDA does note that it is for medical device manufacturing and quality systems, the updated GAMP guidance is the industry standard. The principles should apply to all validated systems across all life sciences companies.

2) Fear of change: Traditionally, life sciences companies have always been reluctant to change. Companies have processes that have adapted to previous failures (theirs and their peers) to make sure that their systems pass audits. The underlying issue here is that companies are likely working under a compliance mindset and are essentially following a checklist and doing documentation for documentation's sake. This is exactly what CSA is targeting — excessive and unnecessary documentation.

3) Current processes are still paper-based: Many life sciences companies are still using paper in their validation processes. In fact, the 2022 State of Validation* annual report noted that 86% of companies still use paper-based or hybrid validation processes. While it may seem more daunting to change processes that are not even digitized, the ROI for implementing a fully paperless validation process based on CSA principles is even more compelling.

4) QA or IT driven initiative: The need to adopt CSA is driven by QA and/or IT and doesn't benefit the business; it's just to make life easier for IT. While it’s true that lessening the testing burden does benefit IT, as does the lesser documentation benefits QA, the larger picture should be considered here. The overall cost and timeline of a system implementation or upgrade can be significantly reduced if the risk assessment supports simplified testing or leveraging vendor documentation. And obviously, a less expensive and quicker project benefits the business as much or more so than IT or QA.

It’s hard to get out of the compliance mindset

As mentioned earlier, we believe the “compliance mindset” is the most significant reason companies haven't implemented CSA. This mindset is one that insists that the only way to ensure audit readiness is via a checklist mentality that makes sure you do everything every time, regardless of need. It’s based on that fear of, or past actual audit findings and/or because they have always done it that way.

In addition, this mindset is focused on creating documents, whether those are digital or paper. It’s also simpler because you have a checklist in the Validation Plan template of everything you need to do, and you only need to justify if something wasn’t done. Often, however, the compliance mindset just creates extra work and documentation.

Ok, so the compliance mindset might be the root of the problem. But that doesn't give us a roadmap to successfully updating a company’s CSV processes, does it? It may not give us a roadmap, but it does give us the key. Consider the implications that one of the common roadblocks to implementing CSA principles is that it’s a QA or IT driven initiative. The business may have the most to gain from the updating of processes (time to market and cost being key reasons), but they may also have the most to lose if there is an audit failure (with QA as a close second, and probably receiving the blame as well).

If you have a compliance mindset across multiple business groups in an organization, and if any one group isn't on board, then your initiative will fail. NTT DATA has worked with clients across the life sciences industry whose CSA implementations have come to a halt due to lack of buy-in or support from business groups.

Regularly we see that QA and/or IT have driven the project, even to the PoC stage, before the business says no and blames it on something like “CSA is only for medical devices.” Once you stick your neck out that far, then you only have the option to backtrack and basically implement just SOP changes that are more of a more traditional risk-based approach.

The solution starts at the top

This is a key business initiative that, at its core, is an organizational change. You must start with a high-level leadership champion who sees the value in breaking the compliance mindset. Not just a passive “sponsor” who'll let their name be attached to the project, but a vocal advocate of the need for, and benefits of, changing the culture. Refer to industry studies for data to make your case.

This probably means a slower start to the public piece of your program, because now you need to spend time educating your leadership — and then they need to advocate for it. Of course, you can be working on the details before the campaign begins. But in the end, to be successful, you'll need to move up the chain of command to affect culture change beyond a compliance mindset.

Our highly experienced team of industry experts can help you with life sciences advisory and validation services that keep your company ahead of the curve. Contact us now or read more to find out how to map out the best life sciences quality and regulatory assurance roadmap for your organization.

* State of Validation. (2022, October 6.). Kay, J. State of Validation Retrieved from https://stateofvalidation.com

Subscribe to our blog

1341990-Robb-Willman-Option 2.jpg
Robb Willman

Robb is the practice leader for NTT DATA’s Quality and Regulatory Assurance and Compliance services. He's responsible for QRAC capabilities, go-to-market strategy, partnerships and staffing. Robb has more than two decades of compliance and IT leadership within the industry. He is an established Regulatory Compliance and Life Sciences capability leader whose experience has provided industry expertise, standardization and leadership, delivery management, and oversight for multiple pharma and biotech clients.


Related Blog Posts