The concept of Computerized System Validation (CSV) is undergoing a fundamental transformation in the pharmaceutical and medical device industries.
Background and Development of the New Guidance
In late 2020, the FDA’s Center for Devices and Radiological Health (CDRH) announced plans to release a new draft guidance document titled “Computer Software Assurance for Production and Quality System Software.” The draft guidance was officially published on September 13, 2022, marking the beginning of a significant regulatory evolution. After an extensive comment period and industry consultation, the FDA released the final version of this guidance on September 24, 2025, representing the culmination of years of collaborative effort between regulators and industry.
While CDRH led the development of this guidance, the Center for Drug Evaluation and Research (CDER) and the Center for Biologics Evaluation and Research (CBER) actively participated in its creation. Additionally, ISPE’s GAMP working team was involved in the guidance development process. This multi-stakeholder approach ensures that the guidance applies not only to medical devices but also to pharmaceuticals and biologics, creating a unified framework across the regulated life sciences industry.
Historical Context: The Burden of Traditional CSV
Historically, pharmaceutical and medical device companies have frequently experienced delays in IT implementation and automation initiatives, and many organizations have been reluctant to update their IT systems and computerized systems. The primary reason for this hesitation has been the mandatory requirement to perform CSV.
Traditional CSV approaches demanded the creation of extensive documentation and records, imposing significant burdens on pharmaceutical and medical device companies in terms of effort, cost, and time. These burdens often made companies reluctant to invest in IT implementation, automation, and technological advancement. The documentation-heavy nature of traditional validation created barriers to innovation and slowed the adoption of modern technologies that could improve efficiency and quality.
The Documentation Problem in Traditional CSV
Much of the documentation and records generated under traditional CSV were created primarily for the purpose of presentation during audits and regulatory inspections, rather than for the intrinsic purpose of ensuring computer system quality assurance itself. This approach often resulted in validation activities that were more focused on compliance documentation than on actual quality improvements.
Furthermore, the compliance costs incurred by companies were ultimately passed on to drug prices and other costs, which eventually became burdens on patients. This economic reality highlighted the need for a more efficient and value-driven approach to computer system validation.
To address these fundamental issues, the new CSA guidance aims to eliminate the excessive complexity and documentation burden that characterized traditional CSV approaches, while maintaining and even enhancing the assurance of system quality and patient safety.
Relationship to Part 11 and Modern Standards
The new guidance represents an evolution beyond the 1997 regulation 21 CFR Part 11 “Electronic Records; Electronic Signatures,” and is expected to serve as the FDA’s common guidance for computerized systems across all product centers. It is noteworthy that Part 11 has remained essentially unchanged for more than 27 years since its issuance, and GAMP 5 First Edition was published 17 years ago (with the Second Edition released in July 2022). Both documents have continued to rely on older concepts that, while foundational, did not adequately address the rapidly evolving technological landscape of modern software development, cloud computing, and digital transformation.
Scope and Applicability of the New Guidance
The new CSA guidance applies to software used in manufacturing, in measurement and analysis, and in implementing quality systems for pharmaceuticals and medical devices. Software used for implementing quality systems specifically includes Enterprise Resource Planning (ERP) systems, Laboratory Information Management Systems (LIMS), Learning Management Systems (LMS), Electronic Document Management Systems (EDMS), and event management systems such as complaint and Corrective and Preventive Action (CAPA) management systems.
It is important to note that the guidance does not apply to software that is embedded in a medical device product or that is itself a medical device program. These types of software are regulated by separate frameworks, specifically IEC 62304 (Medical device software – Software life cycle processes) and FDA’s guidance on General Principles of Software Validation (GPSV), with the CSA guidance superseding Section 6 of the GPSV.
Additionally, the final guidance clarifies that cloud computing models, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), fall within the scope when used as part of production or quality systems. The guidance also explicitly acknowledges that artificial intelligence (AI) and machine learning (ML) systems may be subject to CSA principles when used in these contexts.
Core Concepts: Risk-Based Approach and Critical Thinking
The new guidance not only incorporates the risk-based approach that FDA introduced in 2003 but also integrates critical thinking as a central principle. This critical thinking approach forms the core foundation of CSA.
Critical thinking, as a concept, was first introduced in the international standard ISO/IEC/IEEE 80002-2:2017 (Technical Report) titled “Medical device software – Part 2: Validation of software for medical device quality systems.” This international standard provided the conceptual framework that influenced both the FDA’s CSA guidance and ISPE’s GAMP 5 Second Edition, published in July 2022. The GAMP 5 Second Edition includes a dedicated appendix (Appendix M12) on critical thinking, emphasizing its application throughout the system development lifecycle.
The critical thinking approach encourages validation teams to focus on what truly matters for patient safety, product quality, and data integrity, rather than following rote procedures that generate documentation without proportional value. It empowers subject matter experts (SMEs) to make informed, risk-based decisions about the appropriate level of assurance activities for each software feature, function, or operation.
The Four-Step CSA Framework
The Computer Software Assurance approach is built upon a systematic four-step process:
| Step | Activity | Purpose |
|---|---|---|
| 1 | Identify Intended Use | Define how the software feature, function, or operation is used within production or quality systems |
| 2 | Determine Risk-Based Approach | Assess whether the software poses “high process risk” or “not high process risk” based on potential impact on product quality, patient safety, and data integrity |
| 3 | Determine Appropriate Assurance Activities | Select validation activities commensurate with the identified risk, which may include scripted testing, unscripted testing (exploratory, scenario-based, error-guessing), vendor assessments, continuous monitoring, or leveraging vendor documentation |
| 4 | Establish Appropriate Record | Document the rationale, activities performed, results obtained, and conclusions in a manner proportionate to risk |
This framework emphasizes fitness for intended use and maintaining a validated state throughout the software lifecycle, rather than generating exhaustive documentation for every system regardless of its risk profile.
Focus on What Truly Matters
What is truly important for computerized systems is ensuring patient safety, maintaining data integrity, and guaranteeing product quality. Systems that have only an indirect impact on these critical factors, such as Learning Management Systems (LMS) or certain document management functions, do not necessarily require the creation of extensive documentation simply for the sake of having documentation. Unnecessary documentation represents a wasteful expenditure of compliance costs without proportional benefit to quality or safety.
For example, it is not always necessary to create detailed test scripts for every validation activity. What is fundamentally important is focusing attention on test results and the evidence they provide that the system performs as intended. Traditionally, significant effort and time have been expended in creating comprehensive test scripts. However, the test scripts themselves are not the critical element; rather, it is the evidence that the system functions correctly for its intended use that matters most.
The CSA guidance recognizes that for software features with “high process risk” – where failure could directly impact patient safety or product quality – more rigorous assurance activities such as scripted testing may be appropriate. Conversely, for features with “not high process risk,” unscripted testing methods, vendor assessments, and continuous monitoring may provide sufficient assurance while being more efficient.
Important Principles That Remain Unchanged
It is crucial to understand that the principle “if it is not documented, it was not done” remains in effect. The CSA guidance does not mean that no documentation or records need to be created. Companies must still maintain appropriate records that demonstrate the software has been assessed and performs as intended for its use within production or the quality system.
The final guidance emphasizes leveraging digital records and automated outputs, such as system logs, audit trails, and electronic test results, rather than relying solely on paper-based documentation or screenshots. This approach aligns with modern software engineering practices and can reduce manual documentation burden while actually improving traceability and evidence quality.
Additionally, traceability matrices between documents remain important. Organizations must maintain clear connections between intended use, risk assessments, assurance activities, and evidence of system performance. The difference under CSA is that this traceability should be proportionate to risk and focused on demonstrating fitness for intended use.
Testing Approaches: Scripted and Unscripted Methods
The final CSA guidance provides clarity on different testing approaches, drawing from international standards such as IEC/IEEE/ISO 29119-1 (Software and systems engineering – Software testing):
Scripted Testing: Formal, documented test cases with predetermined inputs, execution steps, and expected results. This approach is appropriate for high process risk features where system failure could directly impact patient safety, product quality, or data integrity. Scripted testing provides detailed documentation of what was tested and the results obtained.
Unscripted Testing: Flexible testing methods including exploratory testing, scenario testing, and error-guessing, where testers use their knowledge and experience to probe the system without predetermined scripts. This approach can be more efficient for features with lower process risk while still providing confidence that the system performs as intended.
The guidance emphasizes that the choice of testing method should be driven by risk assessment and critical thinking, not by default assumptions that all systems require the same level of scripted testing.
Vendor Assessment and Leveraging Supplier Information
A significant aspect of the CSA approach is the emphasis on leveraging vendor and supplier documentation, assessments, and evidence. The final guidance provides detailed recommendations on vendor assessment activities, which may include:
- Evaluation of the vendor’s software development lifecycle (SDLC) practices
- Review of the vendor’s quality management system and relevant certifications (such as ISO 13485, ISO 27001, or SOC 2)
- Assessment of the vendor’s cybersecurity practices and infrastructure resilience
- Review of contractual agreements covering security, availability, data integrity, and change management
- Ongoing monitoring of vendor performance and system updates
This approach recognizes that manufacturers can and should rely on the work already performed by reputable software vendors, rather than duplicating validation efforts unnecessarily. For commercial off-the-shelf (COTS) software from established vendors with robust quality systems, manufacturers may significantly reduce their own testing burden while still maintaining appropriate assurance.
Cloud Computing and SaaS Considerations
The final CSA guidance explicitly addresses cloud computing models, providing much-needed clarity for manufacturers increasingly adopting cloud-based solutions. The guidance distinguishes between:
- Infrastructure as a Service (IaaS): Provides fundamental computing resources; manufacturers retain more responsibility for software configuration and management
- Platform as a Service (PaaS): Provides a platform for developing and running applications; shared responsibility between vendor and manufacturer
- Software as a Service (SaaS): Provides ready-to-use software applications; vendor primarily responsible for maintenance and updates
For SaaS applications, where vendors frequently release automatic updates, the guidance recommends that manufacturers:
- Establish clear contractual requirements for notification of updates and changes
- Perform risk-based assessments of vendor updates to determine if additional assurance activities are needed
- Consider targeted regression testing rather than full revalidation for low-risk updates
- Maintain continuous monitoring of system performance to detect any issues
This approach enables manufacturers to benefit from the advantages of cloud computing and continuous software improvement while maintaining regulatory compliance.
Alignment with ISO 13485:2016 and Quality Management Systems
Looking forward, the FDA’s Quality System Regulation (21 CFR Part 820) is scheduled to be harmonized with ISO 13485:2016 in February 2026. The CSA guidance has been developed with this harmonization in mind, ensuring that its principles align with the international quality management system standard.
ISO 13485:2016 requires that organizations validate software used in the quality management system for its intended application. The CSA approach provides a modern, flexible framework for meeting these requirements while supporting innovation and efficiency. Organizations implementing CSA principles now will be well-positioned for the upcoming regulatory harmonization.
Practical Implementation Considerations
Organizations transitioning from traditional CSV to CSA should consider the following implementation strategies:
1. Start with a Gap Assessment: Evaluate current validation practices against CSA principles, identifying areas where risk-based approaches can replace prescriptive validation activities.
2. Pilot CSA on Selected Systems: Begin with one or two systems, such as an LMS or a COTS document management system, to develop experience with the CSA framework before broader implementation.
3. Invest in Training: Ensure that quality assurance, IT, and validation personnel understand critical thinking principles, risk assessment methodologies, and the CSA framework. This represents a cultural shift that requires education and support.
4. Update Procedures and Templates: Revise Standard Operating Procedures (SOPs), validation plans, and documentation templates to reflect CSA principles, including risk-based decision-making and proportionate documentation.
5. Strengthen Vendor Management: Develop robust vendor assessment procedures, contractual requirements, and ongoing oversight mechanisms to support the leveraging of supplier information.
6. Leverage Digital Tools: Implement systems and tools that capture electronic records, audit trails, and automated test results, reducing manual documentation burden.
7. Focus on Continuous Assurance: Shift mindset from one-time validation events to continuous assurance through ongoing monitoring, periodic reviews, and assessment of changes.
Expected Benefits and Industry Impact
The transition from CSV to CSA offers significant potential benefits:
- Reduced Compliance Costs: Industry experience suggests potential cost reductions of 40-50% in validation activities through more efficient, risk-based approaches
- Faster Time to Implementation: Less extensive documentation requirements can accelerate system deployment and updates
- Enhanced Focus on Quality: Resources redirected from low-value documentation to high-impact quality activities
- Support for Innovation: Easier adoption of modern technologies including cloud computing, AI/ML, and continuous integration/continuous deployment (CI/CD) practices
- Improved Agility: More responsive to technology changes and business needs
- Better Alignment with Software Engineering Practices: Recognition of modern development methodologies including Agile and DevOps
Regulatory Expectations and Inspection Readiness
While CSA provides greater flexibility, it also demands robust justification of risk-based decisions. During regulatory inspections, companies can expect scrutiny of:
- The rationale for risk classifications (“high process risk” vs. “not high process risk”)
- The appropriateness of assurance activities relative to identified risks
- The quality and reliability of vendor assessments and supplier information
- The completeness of documentation demonstrating fitness for intended use
- The effectiveness of change management for system updates
- The integrity and availability of electronic records and audit trails
Organizations must be prepared to explain their decision-making logic and demonstrate that their CSA approach provides equivalent or better assurance than traditional CSV methods.
Ongoing Evolution and Future Directions
The CSA guidance represents current FDA thinking as of September 2025, but the regulatory landscape continues to evolve. Industry professionals should monitor:
- Additional guidance documents and clarifications from FDA
- Updates to GAMP 5 and related ISPE Good Practice Guides
- Evolution of international standards including ISO/IEC/IEEE 80002 series and ISO 13485
- Industry case studies and best practices as organizations gain experience with CSA implementation
- Potential application of CSA principles to other regulated areas beyond production and quality system software
ISPE GAMP continues to serve as a complementary resource to regulatory guidance, with GAMP 5 Second Edition (July 2022) providing detailed practical implementation guidance for CSA principles. The ISPE GAMP Community of Practice actively maintains and updates this guidance to reflect emerging technologies and practices.
Conclusion
The paradigm shift from Computer System Validation (CSV) to Computer Software Assurance (CSA) represents a fundamental modernization of regulatory expectations for software used in pharmaceutical and medical device manufacturing and quality systems. By emphasizing critical thinking, risk-based approaches, and fitness for intended use, CSA enables organizations to reduce unnecessary validation burden while maintaining – and potentially enhancing – assurance of patient safety, product quality, and data integrity.
The journey from draft guidance in 2022 to final guidance in September 2025 demonstrates the FDA’s commitment to collaborative regulation and responsiveness to industry feedback. The resulting framework balances regulatory rigor with operational flexibility, positioning the life sciences industry to embrace technological innovation while maintaining the highest standards of quality and safety.
Organizations that proactively adopt CSA principles will not only reduce compliance costs and accelerate technology adoption, but will also build more robust quality systems that truly focus on what matters most: ensuring that their products are safe, effective, and of the highest quality for patients worldwide.
References and Additional Resources:
- FDA Final Guidance: “Computer Software Assurance for Production and Quality System Software” (September 24, 2025)
- ISPE GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems (Second Edition, July 2022)
- ISO/IEC/IEEE 80002-2:2017: Medical device software – Part 2: Validation of software for medical device quality systems
- 21 CFR Part 11: Electronic Records; Electronic Signatures
- 21 CFR Part 820: Quality System Regulation
- ISO 13485:2016: Medical devices – Quality management systems – Requirements for regulatory purposes