Save the trees – A paperless, structured approach to Computer Software Assurance

By Marco Peters


Companies involved in the development of healthcare products that could affect human beings are required to validate these products before submitting them for operational usage. This also applies for the software products that are used during development. In the healthcare industry, the FDA (American Food & Drug Administration) is the leading authority defining how to validate computer systems (CSV = Computer Systems Validation). The implementation of CSV however showed to be very evidence focused resulting in companies spending more time on proving that they “followed the rules” then spending time on the actual validation of the computer systems. Because of this very high effort approach companies postponed upgrades of the software products they used. This of course resulted in complex upgrades, increased maintenance costs and integration incompatibilities.

To improve this, the FDA engaged with different partners from the industry to define a new approach. This resulted in CSA: Computer Software Assurance. CSA is very much focused on the actual validation instead of gathering evidence.

The foundation is a risk assessment approach that puts a lot of emphasis on the severity of a requirement relating to Patient Safety / Product Quality in combination with the implementation method for a software product to deliver the required capabilities.

Layered V-model like specification and qualification

This assessment is executed on different requirement refinement levels starting with the user requirements, followed by functional requirements, etc. The assessing risks (when plotted in a matrix, see the Polarion screenshot below) quickly identify the items that require structured (scripted) testing followed by the items that require a less structured why (unscripted) testing. Like the levels of writing the requirements, testing is also done on each of these levels.

Automatic generation of a Risk Matrix

OOB refers to requirements that are delivered Out Of the Box, Config refers to requirements that required configuration of the application and Custom refers to requirements that require customization to be delivered.


Even though this new and improved approach emphasizes on the actual qualification activities instead of gathering evidence there is still a risk that it remains to be very labor intensive, and very much paper driven.

Fortunately, CSA was developed with digitalization and automation in mind. What are the biggest challenges to overcome?

  1. Having “One Single Source of Truth”
  2. Efficient Traceability / Impact Analysis
  3. Having one environment for all CSA
  4. Standardization on templates and workflow

Computer Software Assurance with Polarion

With Polarion the CSA activities such as writing requirement / qualification specifications, performing the risk assessment, and executing tests are digitized, based on one unified repository and at the same time traceability, consistency and coverage are integrally addressed.

Governed solution supporting CSA.

All the information:

  • Requirement Specification Documents and the Requirements
  • Test Specification Document and the Test Cases
  • Risks
  • Etc.

is stored in one repository including all meta-data, lifecycle, review, approval, digital signatures, and traceability (links). For CSA Polarion is the single source of truth regarding CSA data consistency.

Standard way of working

Adding new Software Products to Polarion to qualify is as easy as creating a new Software Product work item. The required plan / specification documents are created automatically or manually (depending on user preference) based on predefined and readily available document templates.

Templates to standardize requirement and qualification specification documents.

These templates combined with the configured workflows for Software Product work items and the different document types help in the standardization of the Computer Software Assurance process. For users that are involved in CSA there is a clear way of working that enforces sticking to the required workflow.

The industry compliant digital signatures make sure that the review of specification documents, validation plans and reports comply with regulatory standards.

End to end traceability

Polarion supports the process of qualifying the software products. Following the different process steps in Polarion, requirement, risk and test information is captured and stored in the unified repository (building the single source of truth). Traceability data is captured in parallel showing the requirement / risk and requirement / test case coverage.

Reporting page showing progress, coverage and traceability.

With Polarion (Live)Reports the progress and potentials gaps in traceability and coverage is identified and shown to the user. These reports help the user quickly assessing the progress of the qualification of a Software Product. The provided information guides the user in focusing on these activities that help increasing coverage so that the actual qualification tests can be executed as soon as possible.

Risk assessment tracked and traced.

This same traceability information help in performing efficient and proper change impact analysis. By linking a change to the product and product requirements it directly impacts, the indirect impact can be analysis very easily.

Like the governance of requirement, risk and test activities, the change process is governed by Polarion as well. Changes to requirements, risks or tests only can be applied when an approved change request is linked to it.

All the capabilities combined with the project and document baselining capability provides a solution that delivers all the information required for compliancy at the touch of your fingertips.


The architecture of Polarion allows to create an environment that can start small and grow together with a growing company. The web technology allows the application to be used anywhere in the world only requiring an internet browser.

This makes Polarion very suitable for a centrally managed Computer Software Assurance platform for all CSA activities independent of the geographical location of the user. No scattered solutions are required anymore.


For Requirements Management and Test Management customers Polarion is valued for its capabilities relating to lifecycle management, reviewing, digital signoffs, baselining (project, collection, and document), etc. A significant number of these customers also uses the same capabilities for Risk Management, Project Management and even to support a full Application Lifecycle Management orchestration.

All these capabilities are even as valuable when using Polarion to support Computer Software Assurance (CSA).

With Polarion there is:

  1. One unified repository containing all information saves time on manual maintenance of traceability and coverage.
  2. One unified platform standardizing templates and way of working reduces errors and inconsistency.
  3. One unified roles and permissions definition ensures proper governance.
  4. One reporting engine showing status and progress of requirements, risk assessment and qualification provides full transparency on qualification progress.
  5. One source of truth for any software product or tool chain to be qualified.

With this solution a real efficiency boost is possible for a compliant CSA process where all the evidence to show compliancy is available by a click on the button.

Leave a Reply

This article first appeared on the Siemens Digital Industries Software blog at