CSV vs. CSA: Exploring FDA’s New Software Validation Approach

June 4, 2023

CSV vs. CSA Exploring FDA’s New Software Validation Approach-1

In September of 2022, FDA issued a new draft guidance on software validation: Computer Software Assurance for Production and Quality System Software.

The long-awaited guidance signaled a major shift in the way FDA is thinking about the process of software validation in MedTech. It’s part of a broad industry shift away from the older method of software validation—computer system validation (CSV)—to the newer, risk-based approach known as computer software assurance (CSA).

Ultimately, this shift is about moving away from a one-size-fits-all approach to software validation and toward a risk-based approach. The regulations aren’t changing; just the way MedTech companies approach compliance and validate the software solutions used throughout their business.

In this article, I’ll break down the differences between CSV and CSA, and what the move to computer software assurance means for MedTech.

FREE DOWNLOAD: Click here to download a guide to Greenlight Guru’s validation approach and Software Package.

What is production and quality system software and why do MedTech companies need to validate it?

In the FDA’s draft guidance, the agency divides “software used as part of production or the quality system” into two subcategories:

  • Software used directly as part of the production or quality system. For example, software used for automating production processes or quality system processes.

  • Software used to support production or the quality system. For example, software used to test or monitor other software systems. 

MedTech companies must validate both types of software. Both the FDA’s 21 CFR Part 820 - Quality System Regulation and ISO 13485:2016 require medical device manufacturers to validate software used in production or the quality system.

The goal of the validation process is to establish and maintain confidence that the software meets its user needs and intended uses. It’s about ensuring that the software solutions MedTech companies use to support safe and effective medical devices always deliver the right results. 

And for the past two decades, FDA has provided MedTech companies with an approach to software validation known as computer system validation (CSV).

What is computer system validation (CSV)?

Computer system validation is a form of software validation that relies heavily on testing to provide the “objective evidence” FDA requires to confirm the software meets its user needs and intended uses. 

In practice, this testing usually takes the form of “the three Q’s” known as IQ, OQ, PQ:

  • Installation Qualification (IQ) - Verifying the installation of the software.

  • Operational Qualification (OQ) - Verifying the software functions according to its operational specifications.

  • Performance Qualification (PQ) - Verifying that the software consistently performs to the specification for day-to-day use.

Each of these steps consists of a protocol and a report, which can add up to an enormous amount of documentation. And, given that MedTech companies on average implement and use up to nine different software tools for business operations and compliance requirements, CSV often ends up costing companies too much time and effort—and papercuts. 

In fact, in the 2023 MedTech Industry Benchmark Report, respondents in pre-market companies said the cost of validating new tools and processes was the second-most-cited quality challenge they faced.

Fortunately, FDA recognizes these problems and knows that CSV is no longer in line with the agency’s own emphasis on “the least-burdensome approach” to compliance. That’s why the agency is now emphasizing a different method to software validation: computer software assurance.

What is computer software assurance (CSA)?

Computer software assurance is a risk-based approach to software validation. This method of software validation encourages medical device companies to start by considering the risks inherent in the failure of the software they use.

That risk determination will then form the basis for deciding the appropriate software assurance activities the company should carry out.

As FDA states in its guidance document: 

Broadly, this risk-based approach entails systematically identifying reasonably foreseeable software failures, determining whether such a failure poses a high process risk, and systematically selecting and performing assurance activities commensurate with the medical device or process risk, as applicable.

Essentially, rather than spending the same amount of time testing every piece of software they use, CSA encourages companies to select more rigorous assurance activities for software that poses higher risks. 

The computer software assurance process involves four steps, which are included in more detail in the guidance document:

  1. Identifying the intended use

  2. Determining the risk-based approach

  3. Determining the appropriate assurance activities

  4. Establishing the appropriate record

Keep in mind, this approach to software validation is not changing any regulations. FDA is clarifying its position and emphasizing that the risk-based approach in the CSA guidance will provide MedTech companies with a more efficient and flexible method for meeting the software validation requirements in its Quality System Regulation.

It also brings FDA guidance more in line with ISO 13485:2016, which states clearly that “The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software.”

How is Greenlight Guru working with the new CSA framework?

Greenlight Guru has always been committed to taking on the heavy lifting of software validation for our customers by providing an always-updated Validation Package with our software. Traditionally, this included extensive PQ protocols and reports performed by our team and templates for IQ and OQ for customers to execute. 

Now, in light of the shift from CSV to CSA, Greenlight Guru has adopted an automated, risk-based approach to validating our QMS software. We’ve also strategically updated our Software Validation Package to help teams efficiently implement and adopt the latest enhancements and functionality while assuring compliance with evolving validation requirements. 

The updated Validation Package reflects the requirements and best practices of both the FDA’s computer software assurance guidance and ISO /TR 80002-2:2017. Greenlight Guru’s Validation Package will now include items, such as:

  • Intended use statements

  • Test case summaries

  • New validation test reports

  • Updated validation memos and templates

This shift in our validation approach will be enormously beneficial to both Greenlight Guru’s software and our customers. 

First, it’s going to save time previously spent on the IQ, OQ, PQ protocols and documentation. It will also allow us to release new software faster—without manually re-validating code that hasn’t changed—meaning our customers get access to new innovations, features, and functionality faster. 

On top of that, the new validation approach reduces the amount of time our customers need to spend on validation, allowing them to focus on what they do best: bringing life-changing medical devices to market. 

FREE DOWNLOAD: Click here to download a guide to Greenlight Guru’s validation approach and Software Package.

How will the shift from CSV to CSA benefit your MedTech company?

The shift to CSA is a major benefit to MedTech companies. It massively reduces the burden of software validation, allowing teams to allocate resources to ensure that high-risk software is meeting its intended uses.

Traditionally, the cost and time spent validating new software tools have limited the MedTech industry and complicated the implementation and adoption of new software. 

Now that CSA is the officially promoted approach to software validation, companies will be able to explore new technologies and use more SaaS tools without the immense burden of validation looming over them. Of course, as the draft guidance is updated, Greenlight Guru will update documentation as required. 

And that’s really the FDA’s goal here. As they state in the guidance:

FDA believes that these recommendations will help foster the adoption and use of innovative technologies that promote patient access to high-quality medical devices and help manufacturers to keep pace with the dynamic, rapidly changing technology landscape, while promoting compliance with laws and regulations implemented by FDA.

If you’re ready to learn more about Greenlight Guru’s approach to CSA and how it will benefit your MedTech company, then get your free demo today!

Looking for an all-in-one QMS solution to advance the success of your in-market devices and integrates your quality processes with product development efforts? Click here to take a quick tour of Greenlight Guru's Medical Device QMS software →


Jesseca Lyons is a Senior Medical Device Guru at Greenlight Guru and a Mechanical Engineer by trade who loves working with cross functional teams, including both engineering and non-engineering disciplines. She’s spent most of her career gathering and defining requirements for new product design and development in the...

Greenlight Guru’s Software Assurance Guide
Download Now
Greenlight Guru’s Software Assurance Guide - slide in
Search Results for:
    Load More Results