What do the FDA's new CSA guidelines mean?


    The FDA's new CSA guidelines, 'Computer Software Assurance for Production and Quality System Software', were unveiled in September 2022.

    What do they mean?

    The draft is open for comments from the public until mid-November, and - in short - aims to formalize and document the new world order of computerized system assurance, or CSA.

    It’s a useful draft to explore for an early feel of how the FDA envisions a modern and optimal CSA approach, particularly in regards to quality system software like Qualio.

    The draft offers a definition of what computerized system assurance is, and lays out a handful of assurance and testing methods and objectives.

    The document particularly focuses on medical device organizations, and how computerized system assurance can support compliance with the Part 820 Quality System Regulation.

    Let's dive into the what the FDA's new CSA guidelines mean for your business.


    What is computerized system assurance?


    The FDA's new CSA guidelines offer a clear definition of what CSA is:


    ...a risk-based approach for establishing and maintaining confidence that software is fit for its intended use.

    This approach considers the risk of compromised safety and/or quality of the device… to determine the level of assurance effort and activities appropriate to establish confidence in the software.

    Because the computer software assurance effort is risk-based, it follows a least burdensome approach, where the burden of validation is no more than necessary to address the risk.

    Such an approach supports the efficient use of resources, in turn promoting product quality.


    In short, CSA is the new framework within which your GxP-regulated business can sensibly, critically and appropriately evaluate the digital tools you add to your operation.


    Why is computerized system validation (CSV) being replaced by computerized system assurance (CSA)?


    We sat down with Sion Wyn, FDA advisor and editor of the GAMP 5 guidelines from the ISPE, to learn about the shift from CSV to CSA.




    In essence, CSA aims to streamline and simplify the digitization of life science companies by removing many of the traditional blockers which made these  businesses hesitant about adopting new digital tools: namely, the older process of computerized system validation, or CSV.

    Over time since its inception in 1997, CSV developed a bad name, becoming associated with:

    • Long, complex validation tasks
    • Lots of burdensome documentation
    • Fear of a slap on the wrist from regulatory authorities if businesses got it wrong


    The logic of computerized system assurance is clear:

    CSA easier validation


    Computerized system assurance does this by promoting a tailored, business-by-business approach based on the risk profile of the software you're onboarding.

    As such, businesses only need to take appropriate assurance activities relevant to their unique operational context, not a one-size-fits-all compliance straitjacket.

    We can summarize the guiding principles of the FDA's new CSA guidelines as follows:

    CSA guidelines


    The CSA process


    The FDA's CSA guideline draft lays out the broad step-by-step framework that businesses should follow to 'assure' the quality and safety of their computerized tools.


    1. Identify the intended use of the software


    Is it a direct part of the production or quality system, or a supporting element?

    Are there multiple uses arising from multiple features, functions or operations?


    2. Determine the risk-based approach


    Based on the intended use, what is the risk profile of the software and its potential impact on product and patient safety?

    eQMS software like Qualio, for instance, will have a much lower risk profile than, say, an adverse event MDR reporting system.


    3. Determine appropriate assurance activity


    How much objective evidence is appropriate for completion and collection, based on the risk posed by the software?

    Will unscripted testing (ad-hoc, error guessing, exploratory) or scripted testing (robust or limited) be performed, or both?


    4. Establish an appropriate record


    Does your record of CSA activity include the following?

    • The intended use of the software feature, function, or operation

    • The determination of risk of the software feature, function, or operation

    • Documentation of the assurance activities conducted, including:
      • Description of the testing conducted based on the assurance activity

      • Issues found (e.g., deviations, failures) and the disposition
      • Conclusion statement declaring acceptability of the results
      • Date of testing/assessment and the name of the person who conducted it
      • Established review and approval when appropriate


    Read the draft guidance



    Learn more about the FDA's new CSA guidelines


    Download our complete guide to computerized system compliance in 2022 to understand the key industry shifts taking place in the world of digital tool adoption, including the FDA's new CSA guidelines, the new edition of GAMP 5, the Enabling Innovation Good Practice Guide, and much more!