By Kamila A. Novak, KAN Consulting

Ever since the FDA published guidance on computer system validation (CSV) in 2022,[1] it has become a daunting task for regulated industry, which has often chosen to screenshot every step of every test case, no matter how trivial, as a standard approach to documenting validation activities. Although the General Principles of Software Validation already included a risk-based approach to validation, most organizations did not implement it, likely due to uncertainty about necessary documentation and compliance concerns. Thus, the laborious documentation-heavy approach has persisted for the past two decades.
A breakthrough occurred in September 2022, when the FDA released the draft guidance Computer Software Assurance (CSA) for Production and Quality System Software and finalized its latest update in February 2026.[2] The FDA’s goal is to help manufacturers produce high-quality medical devices while complying with the QMSR (21 CFR Part 820).[3]
Since then, ISO standard 13485:2016 has been the basis of 21 CFR Part 820, which requires medical device manufacturers to establish quality systems for the design, manufacture, packaging, labeling, storage, installation, and servicing of finished devices to ensure safe, effective, and compliant products. ISO 13485 and the QMSR are specific to medical devices and do not apply to other regulated areas that typically have their own frameworks, such as cGMPs, ICH Q10 Pharmaceutical Quality System, etc.
What Is Computer Software Assurance (CSA)?
CSA is a risk-based approach for establishing and maintaining confidence that software is fit for its intended use. The guidance provides a risk-based framework for software assurance, examples of various testing methods, and many use cases on how to apply it. In addition, the CSA guidance recommends leveraging validation performed by software vendors and outlines additional assurance considerations for organizations using such software.
The latest version now includes the following sections:
- Definitions of cloud computing, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)
- Production or Quality Management System Software Changes
- Additional Considerations for Assurance Activities
- Considerations for Electronic Records Requirements
- Example 4: SaaS Product Life Cycle Management System
CSA Guidance Deep Dive
Let us look closer at each section of the CSA guidance and summarize its key points.
Section V. A. CSA Risk Framework
The CSA guidance describes a risk-based approach to establish confidence in the automation used for production or quality management systems, to identify where additional rigor may be appropriate, and various methods and testing activities that may be applied to establish computer software assurance. The FDA’s goal is to help manufacturers produce high-quality medical devices while complying with the QMSR (21 CFR Part 820).
The CSA guidance uses a simple binary risk categorization, high risk versus non-high risk, although the FDA acknowledges that manufacturers may follow a more granular approach to risk categories, e.g., medium, low, etc. The risk framework follows six main steps:
- Identify the system’s intended use.
- Determine the risk-based approach based on factors with potential impact on the computerized system performing as intended.
- Manage production or quality management system software changes.
- Determine appropriate assurance activities commensurate with risk, e.g., types of testing depending on the risk level.
- Consider additional assurance activities for systems supplied by vendors.
- Establish adequate records, including sufficient objective evidence to demonstrate the software performs as intended.
To determine the level of assurance effort and activities appropriate to establish confidence in the software, risk assessment should focus on potential compromised safety and/or quality of the device. The CSA follows the least burdensome approach, where the burden of validation is no more than necessary to address the risk.
Section V. A. (1) Identify System’s Intended Use
The first step is to determine if the software will be used directly for production or quality management, or if its function will be supportive. Supportive software usually presents lower risk; hence, validation efforts may be reduced.
Organizations utilize not only software specific to production or the quality management system, but also software intended for management of general business processes or operations, such as email or accounting applications, and software intended for establishing or supporting infrastructure, such as networking, user authentication, or continuity of operations (e.g., backup and restore). While the CSA guidance does not apply to these systems, their risks related to business criticality, cybersecurity, confidentiality, etc., should be assessed and categorized (e.g., using GAMP 5),[4] and the software should be adequately validated to protect the organization’s business.
The decision process of determining the intended use should be documented because the use and deployment, especially for cloud computing systems or commercial off-the-shelf (COTS) software, may have various use cases.
Section V. A. (2) Determine The Risk-Based Approach
This risk-based approach includes the systematic identification of reasonably foreseeable software failures, determining whether such a failure poses a high process risk, and selecting and performing assurance activities commensurate with the medical device or process risk. The risk-based analysis for production or quality management system software focuses on factors that may impact or prevent the software from performing as intended, such as proper system configuration and management, system security, data integrity, data storage, data transfer, or operation error. This is different from performing a risk analysis for a medical device as described in ISO 14971:2019 – Medical devices – Application of risk management to medical devices.[5]
The CSA guidance discusses both process risks and medical device risks. A process risk refers to the potential to compromise production or the quality management system, while a medical device risk refers to the potential for a device to harm the patient or user. The process risk assessment should establish whether the process itself is high risk, such as maintaining process parameters like temperature or humidity, or non-high risk, e.g., corrective and preventive actions (CAPA) routing, automated logging/tracking of complaints, etc.
Section V. A. (3) Manage Software Changes
This section provides reporting expectations for changes to software used in production or quality management and applies to devices with approved premarket approval applications (PMA) or humanitarian device exemptions (HDE).
The guidance includes an example of a manufacturing execution system (MES) within medical devices and within the scope of PMA/HDE contexts. If it is used to manage workflow, track progress, record data, and establish alerts or thresholds based on validated parameters that are part of maintaining the quality management system, a failure to perform as intended may disrupt operations but not affect the process parameters established to produce a safe and effective device. Generally, changes affecting these MES operations are to be submitted in annual reports. In contrast, changes in an MES used to automatically control and adjust established critical production parameters, such as temperature, pressure, or process time, may change a manufacturing procedure that impacts the safety or effectiveness of the device. In this case, changes are to be submitted via 30-day notice.[6]
Section V. A. (4) Determine Appropriate Assurance Activities
Once the organization has established whether a software feature, function, or operation poses a high process risk, i.e., a quality problem that may foreseeably compromise safety, it should determine assurance activities commensurate with the medical device risk or the process risk:
- If the quality problem may foreseeably compromise safety (high process risk), the level of assurance rigor should be commensurate with the medical device risk.
- If the quality problem may not foreseeably compromise safety (non-high process risk), the level of assurance activities should be commensurate with the process risk.
In both cases, heightened risks generally require greater rigor for assurance, i.e., a greater amount of objective evidence, and relatively low risk (non-high process risk) generally implies a lower amount of objective evidence for assurance activities.
The CSA guidance describes manual and automated testing options including scripted testing (test cases are recorded) and unscripted testing (dynamic testing in which the tester’s actions are not prescribed by written instructions in a test case). The latter can be executed based on scenarios (ad hoc testing) or experience (error guessing and exploratory testing).
Unscripted testing does not mean testing without any documentation. However, unlike traditional screenshots used to document validation activities, unscripted testing may include specification-based test case design techniques based on exercising sequences of interactions between the test item and other systems and testing concepts such as test attacks, tours, and error taxonomies that target potential problems such as security, performance, and other quality areas.
Section V. A. (5) Additional Assurance Activities
This section outlines additional controls that may decrease the impact of compromised safety and quality if failure of the software feature, function, or operation were to occur. Such controls include but are not limited to:
- procedures to ensure integrity in the data supporting production, subsequent inspection or testing, or software quality assurance processes performed by other organizational units
- purchasing control processes for selecting and monitoring software vendors and leveraging their validation
- process controls incorporated throughout production to reduce cybersecurity exposure
- data and information periodically or continuously collected by the software for monitoring or detecting issues and anomalies in the software after implementation
- use of tools supporting software development and system life cycle activities, such as bug or anomaly tracking, and requirement traceability tools
- use of testing and results performed in iterative cycles and continuously throughout the life cycle of the software.
This section provides guidance and recommendations for systems and software supplied by vendors. Organizations should focus on rigorous vendor selection and (re)qualification, including audits of vendors providing high-risk systems. Also, organizations can leverage validation and assurance performed by vendors, provided the vendors supply adequate evidence. With appropriate justification and risk assessment, organizations can reduce their assurance activities.
Section V. A. (6) Establish Adequate Records
Organizations should capture sufficient objective evidence to demonstrate that the software feature, function, or operation was assessed and performs as intended. Records should include:
- the intended use of the software feature, function, or operation
- the result of the risk-based analysis of the software feature, function, or operation
- documentation of the assurance activities conducted:
  - A description of the testing conducted based on the assurance activity
  - Issues found during testing, e.g., deviations, defects, and/or failures
  - A conclusion statement declaring acceptability of the software for its intended use. If issues were found, resolution of issues should be part of the conclusion statement, e.g., process controls implemented to address any impact from the issues to the intended use or appropriate risk justification addressing why the issues found will not impact the intended use.
  - Record of who performed testing/assessment and date it was performed
  - Established review and approval when appropriate, e.g., a signature and date of an individual with signatory authority
The record should retain sufficient details of the assurance activity to serve as a baseline for improvements or as a reference point if issues occur.
Section V. B. Considerations For Electronic Records Requirements
Any electronic records and signatures for regulatory purposes should comply with 21 CFR Part 11[7] or Annex 11, currently being revised, in the European Medicines Agency jurisdiction.[8]
For computer software used as part of production or the quality management system, the applicable predicate rules include those under Part 820. A document required under Part 820 (including but not limited to a document required to be signed) and maintained electronically would generally be an “electronic record” under Part 11 (see 21 CFR 11.3(b)(6)). To determine when a record is required under Part 820, organizations should consider if the record is necessary as evidence of validation. If an organization maintains a document required under Part 820 in electronic form, then Part 11 generally applies.
Key Benefits Of CSA
Transitioning from traditional CSV to CSA offers organizations several benefits:
- Reduced documentation burden: Instead of the traditional one-size-fits-all approach to validation documentation, CSA encourages organizations to focus on areas where software failure could jeopardize patient safety and/or product quality.
- Savings: By leveraging unscripted testing, ad hoc methods, and vendor-provided testing results, organizations can significantly save resources spent on validation.
- Agility and scalability: The risk-based model integrates seamlessly with modern development methodologies like Agile and DevOps. Organizations can deploy cloud-based tools and new software updates faster.
- Improved patient safety and quality: By reducing paperwork, quality and compliance teams can focus on areas that genuinely protect product quality and consumer safety.
- Streamlined inspection readiness: Documenting risk-based decisions and their rationale and using real-time automated traceability create a more transparent validation process.
- Stronger regulatory alignment: Following CSA principles and recommendations helps establish objective evidence that software is fit for its intended use, reducing potential compliance challenges.
See the decision trees in Appendix 1 that organizations can follow when implementing CSA in validation processes.
Conclusion
The final CSA guidance document outlines practical steps and examples for implementing a risk-based approach to software validation that aligns with the FDA guideline General Principles of Software Validation, the FDA Part 11 Scope and Application Guidance Document, and with the broader regulatory shift toward ISO 13485 harmonization under the amendments to 21 CFR 820 QMSR.[1,9,3] It provides recommendations for fit-for-purpose assurance testing and documentation that help organizations utilize their resources better while ensuring that systems and software they deploy are and remain fit for their intended use.
References:
1. General Principles of Software Validation, FDA, January 2002, https://www.fda.gov/regulatory-information/search-fda-guidance-documents/general-principles-software-validation
2. Computer Software Assurance for Production and Quality Management System Software, Final Guidance, February 3, 2026, https://www.fda.gov/media/188844/download
3. 21 CFR Part 820 Quality Management System Regulation, FDA, February 2026, https://www.federalregister.gov/documents/2024/02/02/2024-01709/medical-devices-quality-system-regulation-amendments
4. GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems, ISPE, 2022 (second edition)
5. ISO 14971:2019 – Medical devices – Application of risk management to medical devices
6. 21 CFR 814.39(b), 814.108, and 814.126(b)(1), and the “Annual Reports for Approved Premarket Approval Applications (PMA)” guidance
7. 21 CFR Part 11 Electronic Records; Electronic Signatures, FDA, https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11
8. EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Annex 11: Computerised Systems, https://health.ec.europa.eu/document/download/8d305550-dd22-4dad-8463-2ddb4a1345f1_en?filename=annex11_01-2011_en.pdf
9. Part 11, Electronic Records; Electronic Signatures – Scope and Application, FDA, 2003, https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application
About The Author:
Kamila Novak, MSc, has been involved in clinical research since 1995, having worked in various positions in pharma and CROs. Since 2010, she has run her consulting company, focusing primarily on GXP auditing. She has firsthand experience with countries in Europe, the Middle East, Africa, and North America. Kamila chairs the DIA Clinical Research, Compliance & Quality Community and the SQA Data Integrity Subcommittee, leads the DIA Working Group on System Validation, and serves as a mentor at the SQA and the DIA. In addition, Kamila is a member of the CDISC, the European Medical Writers’ Association, the Florence Healthcare Site Enablement League, the Continuing Professional Development UK, and other professional organizations. She publishes articles and speaks at webinars and conferences. She received the SQA Distinguished Speaker Award in 2023 – 2025, the SQA Distinguished Mentor Award in 2025, and the DIA Global Inspire Award for Community Engagement in 2024. She and her company actively support capacity-building programs in Africa.
Appendix 1 Decision Trees












