Quality Management

Computer Systems Assurance – What are the Steps and How to Test?

Quality Management

August 30, 2021

Share this...
Share on facebook Share on twitter Share on linkedin Youtube

Computer Systems Assurance entails performing various levels of validation testing based on the software’s risk. The following steps should be followed when leveraging Computer Systems Assurance (CSA):

  • Determine how the software will be used in the organization

Is the software affecting the quality of the product or the safety of the patients? If this isn’t the case, you won’t need the same level of assurance as you would for software that affects the product or patient safety. Document management, change management, and audit management software, for example, do not require the same level of testing as device software.

  • Determine if there is the potential to influence product quality, patient safety, or system integrity.

CSV validation of computer systems focuses on evaluating the severity of the impact and the likelihood of failure, which leads to risk prioritization. Conversely, with CSA, the emphasis is on calculating the risk/impact on patient safety and product quality, as well as the implementation approach of the software program functionality.

The first step is to determine the degree of impact of the specific software on patient risk and product quality. If the risk is high in one or both of these areas,  more time should be spent in the testing phase. If the impact is very low on these areas, testing can be reduced.

When looking at the software itself, there are different degrees of implementation risk depending on the software’s origin. If the software is out-of-the-box with the pertinent documentation, then it should most likely be of lower risk.  If however there is a need to configure or completely customize the software, there is then a significant increase in the risk  to the situation.

  • Wherever feasible, make use of vendor documentation.

If the software vendor’s documentation is audited and validated, then there is no need to reproduce this documentation. Use the vendor’s documentation and validation if it is of high quality, based on an initial assessment of the vendor provided documentation.

  • Based on risk, conduct the specific level of testing required for that system or function.

With CSA, which is a risk-based approach, the focus is on critical thinking and professionals determining which systems and functions provide the greatest risk to patient safety and product quality. The highest level of testing should be applied to these areas. To those other low to no risk areas a significantly lower level of testing should be applied.

Testing with Computer System Assurance

Now that we’ve defined the process to follow to determine which areas are high-risk to patient safety or product quality, the next question to answer is, how is testing performed in a CSA context?

In the past, test scripts were written in great detail and were not as concerned with whether or not the system and its functions had a direct impact on patient safety or product quality. With CSA, this has changed. There are now new approaches to testing i.e., Scripted Testing , Unscripted Testing, and Ad-hoc Testing.

Scripted Testing is the traditional form of testing that has been done with CSV. It requires a step-by-step test procedure, required results, and it is pass/fail. However, the difference with CSA is that Scripted Testing is only applied to higher risk systems and features that directly impact the product or patient safety.

Unscripted Testing is less detail oriented than Scripted Testing. It is used to test the lower risk systems or functions that do not directly impact the product or patient safety. They do however impact the quality system. With Unscripted Testing there needs be a test goal and a pass/fail, however, there is no step-by-step test procedure.

Ad-hoc Testing – a third testing method can be used on those systems and functions that are low business risk to the quality area. This testing is performed without planning and required documentation.


The new CSA risk-based approach to systems validation requires the professional to spend more time focused on critical thinking and less time on documentation. The objective is to focus on those areas that have the largest impact to patient safety, product quality, or the quality system overall.

With this new process, CSA involves different levels of testing. Scripted Testing is used for those systems and functions of high risk to patient safety and product quality. Unscripted Testing is used for those systems and functions with low impact to these areas, however, they do have an impact to the quality system. And finally, Ad-hoc testing is used on those systems with low risk to the business.

Why it Matters to You

This new CSA risk-based approach is important for you to learn about because:

  • It will potentially lower the cost of quality by requiring less time in testing and documentation.
  • It will drive the team to achieve higher, quality, and productivity.
  • Helps to maximize the use of validation and project resource expertise.

 About Astrix

For over 25 years, Astrix has been a market-leader in dedicated digital transformation & dedicated staffing services for science-based businesses.  Through our proven laboratory informaticsdigital quality & compliance, and scientific staffing services we deliver the highly specialized people, processes, and technology to fundamentally transform how science-based businesses operate.  Astrix was founded by scientists to solve the unique challenges which science-based businesses face in the laboratory and beyond.  We’re dedicated to helping our clients speed & improve scientific outcomes to help people everywhere


Contact us today and let’s begin working on a solution for your most complex strategy, technology and staffing challenges.

Web developer Ibiut