By Kamila A. Novak, KAN Consulting

Ever since the FDA published guidance on computer system validation (CSV) in 2002 [1], it has become a daunting task for regulated industry, which has typically chosen to screenshot every step of every test case, no matter how trivial, as the standard way of documenting validation activities. Although the General Principles of Software Validation already included a risk-based approach to validation, most organizations did not implement it, likely because of uncertainty about the documentation required and concerns about compliance. Thus, the laborious, documentation-heavy approach has persisted for the past 20 years.
A breakthrough occurred in September 2022, when the FDA released the draft guidance Computer Software Assurance (CSA) for Production and Quality System Software, and it finalized the latest update in February 2026 [2]. The FDA's goal is to help manufacturers produce high-quality medical devices while complying with the QMSR (21 CFR Part 820) [3].
Since then, ISO standard 13485:2016 has been the basis of 21 CFR Part 820, which requires medical device manufacturers to establish quality systems for the design, manufacture, packaging, labeling, storage, installation, and servicing of finished devices to ensure safe, effective, and compliant products. ISO 13485 and the QMSR are specific to medical devices and do not apply to other regulated areas, which typically have their own frameworks, such as the current cGMPs, ICH Q10 Pharmaceutical Quality System, etc.
What Is Computer Software Assurance (CSA)?
CSA is a risk-based approach for establishing and maintaining confidence that software is fit for its intended use. The guidance provides a risk-based framework for software assurance, examples of various testing methods, and many use cases showing how to apply it. In addition, the CSA guidance recommends leveraging validation performed by software vendors and outlines additional assurance considerations for organizations using such software.
The latest version now includes the following sections:
- Definitions of cloud computing, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)
- Production or Quality Management System Software Changes
- Additional Considerations for Assurance Activities
- Considerations for Electronic Records Requirements
- Example 4: SaaS Product Life Cycle Management System
CSA Guidance Deep Dive
Let us look closer at each section of the CSA guidance and summarize its key points.
Section V. A. CSA Risk Framework
The CSA guidance describes a risk-based approach to establish confidence in the automation used for production or quality management systems, to identify where additional rigor may be appropriate, and various methods and testing activities that may be applied to establish computer software assurance.
The CSA guidance uses a simple binary risk categorization, high risk versus non-high risk, although the FDA acknowledges that manufacturers may follow a more granular approach to risk categories, e.g., medium, low, etc. The risk framework follows six basic steps:
- Identify the system's intended use.
- Determine the risk-based approach based on factors with potential impact on the computerized system performing as intended.
- Manage production or quality management system software changes.
- Determine appropriate assurance activities commensurate with risk, e.g., types of testing depending on the risk level.
- Consider additional assurance activities for systems supplied by vendors.
- Establish adequate records, including sufficient objective evidence to demonstrate that the software performs as intended.
To determine the level of assurance effort and the activities appropriate to establish confidence in the software, the risk assessment should focus on the potential for compromised safety and/or quality of the device. CSA follows the least burdensome approach, where the burden of validation is no more than necessary to address the risk.
Section V. A. (1) Identify the System's Intended Use
The first step is to determine whether the software will be used directly for production or quality management, or whether its function will be supportive. Supportive software usually presents lower risk; hence, validation efforts may be reduced.
Organizations use not only software specific to production or the quality management system, but also software intended for the management of general business processes or operations, such as e-mail or accounting applications, and software intended for establishing or supporting infrastructure, such as networking, user authentication, or continuity of operations (e.g., backup and restore). While the CSA guidance does not apply to these systems, their risks related to business criticality, cybersecurity, confidentiality, etc., should be assessed and categorized (e.g., using GAMP 5) [4], and the software should be adequately validated to protect the organization's business.
The decision process of determining the intended use should be documented, because the use and deployment, especially for cloud computing systems or commercial-off-the-shelf (COTS) software, may involve various use cases.
Section V. A. (2) Determine the Risk-Based Approach
This risk-based approach consists of the systematic identification of reasonably foreseeable software failures, determining whether such a failure poses a high process risk, and selecting and performing assurance activities commensurate with the medical device or process risk. The risk-based analysis for production or quality management system software focuses on factors that may impact or prevent the software from performing as intended, such as proper system configuration and management, system security, data integrity, data storage, data transfer, or operational error. This is different from performing a risk analysis for a medical device as described in ISO 14971:2019 – Medical devices – Application of risk management to medical devices [5].
The CSA guidance discusses both process risks and medical device risks. A process risk refers to the potential to compromise production or the quality management system, while a medical device risk refers to the potential for a device to harm the patient or user. The process risk assessment should establish whether the process itself is a high risk, such as maintaining process parameters like temperature or humidity, or a non-high risk, e.g., corrective and preventive action (CAPA) routing, automated logging/monitoring of complaints, etc.
Section V. A. (3) Manage Software Changes
This section provides reporting expectations for changes to software used in production or quality management and applies to devices with approved premarket approval applications (PMA) or humanitarian device exemptions (HDE).
The guidance includes an example of a manufacturing execution system (MES) used for medical devices within the PMA/HDE context. If it is used to manage workflow, track progress, record data, and establish alerts or thresholds based on validated parameters that are part of maintaining the quality management system, a failure to perform as intended may disrupt operations but not affect the process parameters established to produce a safe and effective device. Generally, changes affecting these MES operations are to be submitted in annual reports. In contrast, changes in an MES used to automatically control and adjust established critical manufacturing parameters, such as temperature, pressure, or process time, may change a manufacturing process that affects the safety or effectiveness of the device. In this case, changes are to be submitted via a 30-day notice [6].
Section V. A. (4) Determine Appropriate Assurance Activities
Once the organization has established whether a software feature, function, or operation poses a high process risk, i.e., a quality problem that may foreseeably compromise safety, it should determine assurance activities commensurate with the medical device risk or the process risk:
- If the quality problem may foreseeably compromise safety (high process risk), the level of assurance rigor should be commensurate with the medical device risk.
- If the quality problem may not foreseeably compromise safety (non-high process risk), the level of assurance activities should be commensurate with the process risk.
In both cases, increased risk generally requires greater rigor for assurance, i.e., a greater amount of objective evidence, and relatively low risk (non-high process risk) generally implies a lower amount of objective evidence for assurance activities.
The CSA guidance describes manual and automated testing options, including scripted testing (test cases are recorded) and unscripted testing (dynamic testing in which the tester's actions are not prescribed by written instructions in a test case). The latter can be executed based on scenarios (ad hoc testing) or experience (error guessing and exploratory testing).
Unscripted testing does not mean testing without any documentation. However, unlike the traditional screenshots used to document validation activities, unscripted testing may include specification-based test case design techniques based on exercising sequences of interactions between the test item and other systems, and testing concepts such as test attacks, tours, and error taxonomies that target potential problems in areas such as security, performance, and other quality attributes.
Section V. A. (5) Additional Assurance Activities
This section outlines additional controls that may decrease the impact of compromised safety and quality if a failure of the software feature, function, or operation were to occur. Such controls include but are not limited to:
- procedures to ensure integrity in the data supporting production, subsequent inspection or testing, or software quality assurance processes performed by other organizational units
- purchasing control processes for selecting and monitoring software vendors and leveraging their validation
- process controls incorporated throughout production to reduce cybersecurity exposure
- data and information periodically or continuously collected by the software for monitoring or detecting issues and anomalies in the software after implementation
- use of tools supporting software development and system life cycle activities, such as bug or anomaly tracking and requirement traceability tools
- use of testing and results executed in iterative cycles and continuously throughout the life cycle of the software.
This section also provides guidance and recommendations for systems and software supplied by vendors. Organizations should focus on rigorous vendor selection and (re)qualification, including audits of vendors providing high-risk systems. Organizations can also leverage validation and assurance performed by vendors, provided that the vendors supply adequate evidence. With appropriate justification and risk assessment, organizations can reduce their own assurance activities.
Section V. A. (6) Establish Adequate Records
Organizations should capture sufficient objective evidence to demonstrate that the software feature, function, or operation was assessed and performs as intended. Records should include:
- the intended use of the software feature, function, or operation
- the result of the risk-based analysis of the software feature, function, or operation
- documentation of the assurance activities conducted:
  - a description of the testing conducted based on the assurance activity
  - issues found during testing, e.g., deviations, defects, and/or failures
  - a conclusion statement declaring the acceptability of the software for its intended use. If issues were found, their resolution should be part of the conclusion statement, e.g., process controls implemented to address any impact of the issues on the intended use, or an appropriate risk justification explaining why the issues found will not impact the intended use.
- a record of who performed the testing/assessment and the date it was performed
- established review and approval when appropriate, e.g., the signature and date of an individual with signatory authority
The record should retain sufficient details of the assurance activity to serve as a baseline for improvements or as a reference point if issues occur.
Section V. B. Considerations for Electronic Records Requirements
Any electronic records and signatures for regulatory purposes should comply with 21 CFR Part 11 [7] or, in the European Medicines Agency jurisdiction, with Annex 11, which is currently being revised [8].
For computer software used as part of production or the quality management system, the applicable predicate rules include those under Part 820. A document required under Part 820 (including but not limited to a document required to be signed) and maintained electronically would generally be an “electronic record” under Part 11 (see 21 CFR 11.3(b)(6)). To determine when a record is required under Part 820, organizations should consider whether the record is necessary as evidence of validation. If an organization maintains a document required under Part 820 in electronic form, then Part 11 generally applies.
Key Benefits of CSA
Transitioning from traditional CSV to CSA offers organizations several benefits:
- Reduced documentation burden: Instead of the traditional one-size-fits-all approach to validation documentation, CSA encourages organizations to focus on areas where software failure may jeopardize patient safety and/or product quality.
- Savings: By leveraging unscripted testing, ad hoc methods, and vendor-provided testing results, organizations can significantly reduce the resources spent on validation.
- Agility and scalability: The risk-based model integrates seamlessly with modern development methodologies such as Agile and DevOps. Organizations can deploy cloud-based tools and new software updates faster.
- Improved patient safety and quality: By reducing paperwork, quality and compliance teams can focus on areas that genuinely protect product quality and consumer safety.
- Streamlined inspection readiness: Documenting risk-based decisions and their rationale, and using real-time automated traceability, create a more transparent validation process.
- Stronger regulatory alignment: Following CSA principles and recommendations helps establish objective evidence that software is fit for its intended use, reducing potential compliance challenges.
See the decision trees in Appendix 1, which organizations can follow when implementing CSA in their validation processes.
Conclusion
The final CSA guidance document outlines practical steps and examples for implementing a risk-based approach to software validation that aligns with the FDA guideline General Principles of Software Validation, the FDA Part 11 Scope and Application guidance document, and the broader regulatory shift toward ISO 13485 harmonization under the amendments to 21 CFR 820 QMSR [1, 9, 3]. It provides recommendations for fit-for-purpose assurance testing and documentation that help organizations use their resources better while ensuring that the systems and software they deploy are and remain fit for their intended use.
References:
1. General Principles of Software Validation, FDA, January 2002, https://www.fda.gov/regulatory-information/search-fda-guidance-documents/general-principles-software-validation
2. Computer Software Assurance for Production and Quality Management System Software, Final Guidance, FDA, February 3, 2026, https://www.fda.gov/media/188844/download
3. 21 CFR Part 820 Quality Management System Regulation, FDA, February 2026, https://www.federalregister.gov/documents/2024/02/02/2024-01709/medical-devices-quality-system-regulation-amendments
4. GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems, ISPE, 2022 (second edition)
5. ISO 14971:2019 – Medical devices – Application of risk management to medical devices
6. 21 CFR 814.39(b), 814.108, and 814.126(b)(1), and the “Annual Reports for Approved Premarket Approval Applications (PMA)” guidance
7. 21 CFR Part 11 Electronic Records; Electronic Signatures, FDA, https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11
8. EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Annex 11: Computerised Systems, https://health.ec.europa.eu/document/download/8d305550-dd22-4dad-8463-2ddb4a1345f1_en?filename=annex11_01-2011_en.pdf
9. Part 11, Electronic Records; Electronic Signatures – Scope and Application, FDA, 2003, https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application
About The Author:
Kamila Novak, MSc, has been involved in clinical research since 1995, having worked in various positions in pharma and CROs. Since 2010, she has run her consulting company, focusing primarily on GXP auditing. She has firsthand experience with countries in Europe, the Middle East, Africa, and North America. Kamila chairs the DIA Medical Research, Compliance & Quality Community and the SQA Data Integrity Subcommittee, leads the DIA Working Group on System Validation, and serves as a mentor at the SQA and the DIA. In addition, Kamila is a member of the CDISC, the European Medical Writers’ Association, the Florence Healthcare Site Enablement League, the Continuing Professional Development UK, and other professional organizations. She publishes articles and speaks at webinars and conferences. She received the SQA Distinguished Speaker Award in 2023 – 2025, the SQA Distinguished Mentor Award in 2025, and the DIA Global Inspire Award for Community Engagement in 2024. She and her company actively support capacity-building programs in Africa.
Appendix 1 Decision Trees