Breaking News: FDA Issues CSA Guidance

On September 24, 2025, the U.S. Food and Drug Administration (FDA) officially issued guidance of critical importance to the medical device industry. This document, entitled “Computer Software Assurance for Production and Quality System Software,” fundamentally transforms the approach to quality assurance for software used in medical device manufacturing and quality systems.

The shift from the uniform and rigid verification requirements symbolized by the traditional term “validation” to a more flexible, risk-based approach called “assurance” represents far more than a mere change in terminology. It signifies a return to the essence of quality assurance: more effectively utilizing limited resources and concentrating on truly critical areas to ultimately ensure patient safety more reliably.

Three Years of Dialogue Producing Practical Guidance

The completion of this guidance took a full three years. After the draft version was published on September 13, 2022, numerous comments were received from industry during the 60-day public comment period. These comments came from an extremely diverse range of stakeholders, from industry associations like the Advanced Medical Technology Association (AdvaMed), to major medical device companies such as Abbott and GE Healthcare, pharmaceutical companies including GSK, Sanofi, AstraZeneca, and Daiichi Sankyo, and even cloud service providers like Amazon Web Services.

Interestingly, there were common themes across these comments. Many companies sought alignment with ISPE’s GAMP (Good Automated Manufacturing Practice) guidance, requested clarification on cloud computing approaches, and, above all, strongly demanded concrete examples rather than just theory.

Many comments carried the earnest voice of the field: “we understand the concepts, but don’t know how to actually apply them.”

The FDA listened sincerely to these voices. The final version includes a newly established comprehensive definitions section, with clear definitions of cloud computing service models (SaaS, PaaS, IaaS). Furthermore, four detailed implementation examples were added to Appendix A: a nonconformance management system, a Learning Management System (LMS), a business intelligence application, and a SaaS-based Product Lifecycle Management (PLM) system. These case studies provide practitioners with a concrete roadmap for applying the CSA approach to their own systems.

The Essence of the CSA Approach: Smart Assurance Based on Risk

The core of CSA lies in the concept of “providing appropriate assurance based on risk.” Rather than verifying all software functions at the same level, the depth of assurance activities varies according to the potential impact on patients.

For example, consider a system that automatically controls temperature in a production line. Failure of this system could directly affect product quality and ultimately threaten patient safety. This would be classified as “high process risk.” Conversely, for a system managing nonconforming product records, where a physical segregation process is already established and paper procedures can handle system downtime, the impact on patients is limited. This would be classified as “not high process risk.”

This binary risk classification enables detailed verification for high-risk areas while allowing efficient methods such as exploratory testing and vendor evaluation for low-risk areas. By concentrating resources on truly critical areas, overall quality improvement is achieved.

The important aspect is the criteria for determining “high process risk.” The guidance evaluates whether software failure could directly affect product quality or patient safety. While process risk and medical device risk do not necessarily align, when process risk leads to medical device risk, a higher level of assurance activities is required.

The Innovation of Formally Approving Exploratory Testing

One particularly noteworthy aspect of the final guidance is the formal approval of unscripted testing. Under traditional FDA regulations, testing without detailed test specifications was unthinkable. However, for low-risk functions, methods where experienced testers freely explore while discovering issues are now recognized.

While the draft version used the term “ad hoc testing,” the final version changed this expression to “scenario-based testing,” clarifying its position as a more systematic approach. This demonstrates the evolution of quality assurance thinking itself.

Specifically, the following methods were recognized as formal assurance activities:

  • Error Guessing: Predicting problems based on past failure patterns
  • Scenario Testing: Realistic testing assuming actual usage situations
  • Exploratory Testing: Free-form testing leveraging tester intuition and experience

However, this does not mean “everything has become easy.” Detailed scripted testing is still required for high-risk functions, and documenting the decision process and rationale is necessary. What matters is selecting the optimal method based on risk and being able to explain the validity of that selection.

The FDA has adopted terminology from IEEE/ISO/IEC 29119-1 (Software and Systems Engineering – Software Testing – Part 1: Concepts and Definitions) to align with international standards. This facilitates the transition from traditional IQ/OQ/PQ (Installation Qualification/Operational Qualification/Performance Qualification) terminology to more modern software testing methods.

Strategic Utilization of Vendor Evaluations

Another important change is that the results of vendor and supplier evaluations can now be actively utilized. For complex systems like cloud services, it is unrealistic for users to verify everything themselves. It is now clearly recognized that evaluating the quality management systems, development processes, and security measures of trusted vendors and utilizing those verification results as part of one’s own assurance activities is acceptable.

The guidance recommends considering the following items in vendor evaluation:

  • Evaluation of Software Development Life Cycle (SDLC)
  • Confirmation of quality management systems and certifications such as ISO 13485
  • Review of cybersecurity documentation (SBOM – Software Bill of Materials, threat models, etc.)
  • Evaluation of AICPA SOC (Service Organization Control) reports
  • Assessment of data integrity controls
  • Evaluation of infrastructure support

Furthermore, when direct vendor audits are difficult, the use of remote assessments is also recognized. This is a realistic and reasonable judgment. By appropriately evaluating vendor capabilities, clarifying requirements in service contracts, and continuously monitoring, the need to verify everything in-house is eliminated. Of course, the ultimate responsibility remains with the medical device manufacturer, but resources can now be allocated more efficiently.

Efficiency Through Utilization of Digital Records

The CSA guidance actively embraces advances in digital technology. It recommends utilizing system logs, audit trails, and other digital data as objective evidence, encouraging the reduction of inefficient work such as paper-based documentation and manual screenshot capture.

This leads not only to improved work efficiency but also to enhanced data integrity and reliability. Digital records are difficult to tamper with and automatically record timestamps. By directly utilizing digital evidence generated by systems, more reliable assurance activities become possible.

However, when 21 CFR Part 11 (Electronic Records and Electronic Signatures) requirements apply, appropriate access controls and data integrity assurance remain necessary. As an important point, the guidance clarifies the scope of Part 11 application. Part 11 applies when records required by 21 CFR Part 820 are maintained electronically. While the FDA exercises enforcement discretion for some Part 11 requirements, this discretion explicitly does not apply to software validation required under 21 CFR 820.70(i).

February 2, 2026: An Important Milestone

There is another important date for understanding the CSA guidance. On February 2, 2026, the Quality Management System Regulation (QMSR) will be implemented. This replaces the current Quality System Regulation (QSR, 21 CFR Part 820) and represents a major reform achieving complete alignment with ISO 13485:2016.

The QMSR and CSA guidance function like two wheels of a vehicle. The QMSR provides the overall quality management system framework, while CSA provides specific methods for how to conduct software quality assurance within it. Medical device manufacturers must address both sets of requirements.

The main features of the QMSR are as follows:

  • Incorporation by reference of ISO 13485:2016
  • Simplification of most of 21 CFR Part 820, consolidating it into just two subparts (A, B)
  • Explicit requirement for risk-based approach
  • Enhanced alignment with international regulatory authorities
  • Alignment with the Medical Device Single Audit Program (MDSAP)

After February 2, 2026, the FDA will discontinue the current Quality System Inspection Technique (QSIT) and introduce a new inspection process. This new inspection process will align with QMSR requirements and will be documented in a revised Compliance Program (CP).

Medical device manufacturers are required to achieve full compliance with QMSR by February 2, 2026. The period until then is a preparation period, and companies are recommended to take the following steps:

  1. Conduct gap analysis between current QSR or ISO 13485:2016 and QMSR
  2. Develop action plan to address identified gaps
  3. Implement necessary changes by 2025
  4. Conduct comprehensive internal audit against QMSR by end of 2025
  5. Document audit results and implement CAPA (Corrective and Preventive Actions) as needed

Implementation Roadmap: The Importance of a Phased Approach

When introducing the CSA approach, a phased approach is recommended. First, accurately understand the current state and assess the risk of each software or function. Next, develop an assurance strategy according to each risk level.

What’s important is not to apply the CSA approach to all systems at once, but to start with a pilot project. The FDA recommends starting pilot projects with relatively low-risk systems such as Learning Management Systems (LMS) or Business Intelligence (BI)/reporting systems. By piloting with low-risk systems, gaining experience, and then gradually expanding, success can be achieved. The key to success is sharing the knowledge and challenges gained in this process within the organization and continuously improving.

Internal education is also important. Since the CSA approach differs significantly from traditional thinking, all stakeholders need to understand the essence of the new approach. Particularly, those responsible for making risk-based decisions require appropriate training and authority.

An important mindset shift in CSA implementation is the transition from “checkbox compliance” to “quality assurance based on critical thinking.” Rather than formal documentation, the emphasis is on the validity of risk assessment and being able to explain why the selected assurance activities are appropriate.

Learning from Practical Examples of the CSA Approach

The four examples presented in Appendix A of the guidance are extremely useful for understanding the practical application of the CSA approach.

Example 1: Nonconformance Management System

This is a case where a manufacturer purchased COTS (Commercial Off-The-Shelf) software and configured it to automate the nonconformance process. In this system, the electronic signature function was determined to be “not high process risk” and verification through scenario-based testing was applied. Meanwhile, the product recall decision function was determined to be “high process risk” and detailed scripted testing and repeatability testing were implemented.

This example demonstrates the importance of assessing risk for each function even within the same system and selecting appropriate assurance activities. There is no need to apply the same level of verification to all functions; resources can be allocated efficiently according to risk.

Example 2: Learning Management System (LMS)

In the case of implementing a COTS LMS, emphasis is placed on the integrity and accessibility of training records. In this system, user management functions, training content delivery functions, etc., are evaluated, and assurance activities are defined according to each risk level.

Example 3: Business Intelligence Application

In the case of BI tools for manufacturing data analysis and reporting, data accuracy and report reliability are primary concerns. However, the required assurance level differs depending on whether this system is used as a decision support tool or as a record-keeping system to meet regulatory requirements.

Example 4: SaaS-based PLM System

This newly added example in the final version demonstrates the CSA approach for cloud-based PLM systems. The importance of vendor evaluation is particularly emphasized, with the following items being evaluated:

  • Evaluation of software development lifecycle
  • Confirmation of quality management system
  • Review of cybersecurity documentation
  • Assessment of infrastructure support
  • Clarification of responsibilities in service contracts
  • Risk-based assessment when automatic updates affect intended use

This example demonstrates the practical application of CSA to modern cloud-based systems and provides particularly useful content for many companies.

Clarification of Relationship with Part 11

The final guidance explains the relationship between 21 CFR Part 11 (Electronic Records and Electronic Signatures) and CSA more clearly than the draft version. Important points are as follows:

  1. Part 11 generally applies when records required by 21 CFR Part 820 are maintained electronically
  2. While the FDA exercises enforcement discretion for some Part 11 requirements, this discretion does not apply to software validation requirements under 21 CFR 820.70(i)
  3. In the CSA approach, it is recommended to focus assurance activities on features or functions related to record integrity and Part 11 requirements
  4. Apply risk-based approach and assess impact on product quality, patient safety, and record integrity

This clarification enables companies to effectively integrate Part 11 compliance and CSA implementation.

Response to Change Management and Software Updates

The final guidance also adds detailed explanations about software change management. In particular, the following points were clarified:

Distinction Between 30-Day Notices and Annual Reports

Section V.A.3 of the guidance explains what changes require 30-Day Notices and what changes are sufficient with annual reports, using real-world examples such as MES (Manufacturing Execution Systems).

Generally, changes that may affect the safety or effectiveness of medical devices are subject to stricter reporting requirements. In the CSA approach, the appropriate level of re-assurance activities is determined based on risk assessment of changes.

Response to Automatic Updates

For SaaS platforms and similar services, automatic updates by vendors are common. The guidance recommends evaluating automatic updates through risk-based assurance activities when they affect intended use. This includes:

  • Requiring change notifications in service contracts
  • Assessing the scope of change impact
  • Additional testing or verification as needed
  • Documentation of change history

Applicability to Artificial Intelligence (AI) Systems

The final guidance explicitly states that the CSA framework can be applied to artificial intelligence (AI) tools. While this is limited to cases where they are used as part of production or quality systems, it is an important mention given the rapid development of AI technology.

When applying the CSA approach to AI systems, the following points are particularly important:

  • Quality and appropriateness of training data
  • Algorithm transparency and explainability
  • Continuous performance monitoring
  • Detection and response to bias and drift
  • Management of model updates and retraining

However, since current guidance does not provide detailed requirements specific to AI systems, future guidance updates or supplementary documents are expected.

Perspective on Global Regulatory Harmonization

The CSA guidance has important significance from the perspective of international regulatory harmonization. In particular, alignment is achieved with the following international standards and regulations:

Alignment with ISO 13485:2016

Through QMSR, which will be implemented on February 2, 2026, FDA requirements will be fully aligned with ISO 13485:2016. The CSA guidance is designed to be consistent with ISO 13485’s software validation requirements (Clause 4.1.6, 7.5.6, etc.) and risk management requirements (Clause 4.1.2).

Relationship with EU MDR

The CSA approach is also consistent with Annex I (General Safety and Performance Requirements) and Article 10 (Quality System Obligations) of the European Medical Device Regulation (EU MDR 2017/745). This increases the possibility for companies operating in global markets to address multiple regulatory requirements with a single quality system approach.

Relationship with GAMP

Alignment with ISPE GAMP (Good Automated Manufacturing Practice) guidance, widely used in the pharmaceutical industry, was also requested by many companies. The CSA approach is fundamentally consistent with GAMP’s risk-based classification and lifecycle approach, making it easier for companies handling both medical devices and pharmaceuticals to adopt a unified approach.

Understanding the Nature of Change

The CSA guidance is not simply regulatory relaxation. This is a new paradigm for the medical device industry to ensure quality more intelligently and efficiently.

Three years of review, numerous comments from industry, and collaboration among all stakeholders have together shaped a better future for medical device quality assurance.

What’s important is that this change was born from collaboration between industry and regulatory authorities. Field voices were reflected in regulations, and regulations became aligned with field realities. The approval of exploratory testing, the utilization of vendor evaluations, the promotion of digital records, the clarification of cloud support, and the mention of AI applicability all reflect the realities of modern medical device manufacturing.

The essence of the CSA approach is the transition from formal compliance to substantive quality assurance: from activities that fill checkboxes to activities that truly protect patient safety. To successfully achieve this transition, organizational culture change is necessary.

Particularly important is establishing “risk-based thinking” as organizational culture. This does not simply mean conducting risk assessments, but maintaining an attitude of continuously asking “does this truly contribute to patient safety and product quality” in all decision-making.

Future Outlook: The Need for Continuous Evolution

The issuance of the CSA guidance is not an end, but a beginning. As new technologies such as AI/machine learning, IoT (Internet of Things), big data, digital twins, and predictive analytics are successively introduced into the medical device field, quality assurance methods must continue to evolve. The risk-based approach of CSA provides a framework that can flexibly respond to these new technologies.

For medical device manufacturers, CSA leads not only to burden reduction but also to innovation promotion. By concentrating resources on truly important areas, higher quality products can be brought to market more quickly. This ultimately benefits patients.

While the time remaining until QMSR implementation on February 2, 2026 is limited, effective use of this period can transform the CSA approach into competitive advantage. What’s important is not fearing change, but embracing it as an opportunity.

Companies that adopt CSA early may gain the following competitive advantages:

  1. Reduced Time to Market: Efficient assurance activities accelerate market introduction of new products and improvements
  2. Cost Reduction: Potential for up to 50% cost reduction by eliminating unnecessary documentation work and excessive testing
  3. Quality Improvement: Early detection of truly important quality issues by concentrating resources on high-risk areas
  4. Innovation Promotion: Reduced barriers to introducing new technologies, enabling competitive product development
  5. Global Harmonization: Easier business expansion in global markets through alignment with international standards

Concrete Steps for Implementation

To effectively implement CSA guidance, companies should consider the following phased approach:

Phase 1: Preparation and Assessment (3-6 months)

  1. Thorough understanding of guidance (management, quality, IT, manufacturing departments)
  2. Inventory of current software validation methods
  3. Conduct gap analysis considering both CSA and QMSR
  4. Selection of pilot project (low-risk systems such as LMS or BI systems recommended)
  5. Development of internal training programs

Phase 2: Pilot Implementation (3-6 months)

  1. Apply CSA approach to selected systems
  2. Practice and improve risk assessment methods
  3. Optimize documentation requirements
  4. Establish vendor evaluation processes
  5. Develop methods for utilizing digital records
  6. Document lessons learned

Phase 3: Deployment and Expansion (6-12 months)

  1. Deploy learnings from pilot across organization
  2. Phased application to higher-risk systems
  3. Standardize procedures and templates
  4. Continuous education and training
  5. Update internal audit programs

Phase 4: Continuous Improvement

  1. Periodic review of CSA approach
  2. Evaluate application methods for new technologies
  3. Incorporate industry best practices
  4. Continuous communication with regulatory authorities

Conclusion: Toward a New Era of Quality Assurance

The FDA’s CSA guidance heralds the dawn of a new era in quality assurance for the medical device industry. A risk-based approach, the utilization of exploratory testing, the strategic use of vendor evaluations, the active adoption of digital technology, and alignment with the QMSR to be implemented on February 2, 2026: the combination of these elements achieves more efficient and effective quality assurance.

This guidance is a regulatory framework that supports the digital transformation of the medical device industry and promotes innovation, while maintaining an uncompromising commitment to patient safety and product quality.

The key to success is not viewing CSA as merely a regulatory requirement, but utilizing it as a source of quality culture transformation and competitive advantage: from formal compliance to substantive quality assurance, from checkbox-style verification to risk assessment based on critical thinking. Companies that achieve this transformation will become leaders in the next-generation medical device market.

Toward the milestone of February 2, 2026, the medical device industry faces a major turning point. By understanding and effectively implementing both the CSA guidance and QMSR, companies can not only achieve regulatory compliance but also realize true quality improvement and accelerated innovation.

Now is the time not to fear change, but to actively embrace it and pioneer a new era of quality assurance.
