Pharma Techexplained
Computer System Validation

CSA is not the end of CSV. It is CSV finally done right.

FDA's Computer Software Assurance guidance was read by half the industry as permission to stop validating. The other half read it correctly.

CSV/Jun 2, 2026/8 min

When FDA finalized its Computer Software Assurance guidance, two camps formed within the week. One declared that validation as we know it was over: less testing, less documentation, less everything. The other shrugged and said it changes nothing. Both camps are wrong, and both for the same reason: they read the headline and not the logic.

CSA does not lower the bar. It moves the effort. The guidance asks one deceptively simple question: what is the risk of this feature failing, to the patient and to product quality? High risk earns rigorous, scripted, evidenced testing. Lower risk earns unscripted or ad hoc testing with a lightweight record. The total assurance is the same or better. What shrinks is the ceremony around things that never deserved ceremony.

Where the hours actually went

Be honest about what legacy CSV looked like in practice. Test scripts with thirty steps of navigation to reach one assertion. Screenshots of login pages. Three signatures on a test that verified a date picker. None of that ever protected a patient. It protected the company from an imagined inspector who was never as literal-minded as the procedure assumed.

We were not validating systems. We were validating our ability to produce documents about systems.
A QA director, who has asked to remain a QA director

The uncomfortable truth is that the old model optimized for evidence volume because volume was easy to audit. CSA optimizes for critical thinking, which is harder to audit but is the thing that actually finds defects. Unscripted exploratory testing by someone who understands the process finds more real problems per hour than any scripted regression pack. The guidance simply lets you write that down as your strategy.

What changes on the ground

  • Risk assessment moves from a template you fill in after the fact to the actual planning instrument that decides test depth.
  • Vendor evidence finally counts. If a supplier tested a standard function and you assessed the supplier, you do not retest it from scratch.
  • The record of an unscripted test can be a short narrative: what was tried, what was observed, who did it, what was concluded.
  • Scripted testing concentrates where it belongs: direct impact on product quality, patient safety, or data integrity.

The quiet implication

The deeper shift is cultural. CSV grew into a documentation discipline because the people doing it were measured on audit outcomes, not on system quality. CSA only works when QA, IT and the process owner sit in the same risk conversation, which is exactly why some organizations will struggle with it. The methodology is easy. The meeting is hard.

If your validation plan for the next system still opens with a copy-pasted scope section and twelve pages of roles and responsibilities, you have your answer about which camp you are in. The good news: the way out is a decision, not a budget.