FDA publishes Guidance on Computer Software Assurance for Production and Quality System Software

In September 2025, the FDA published the Guidance on Computer Software Assurance (CSA) to provide medical device manufacturers with recommendations for risk-based validation of software used in manufacturing or in the quality system.

Even during the draft phase of the guidance, we presented the efficient and practical CSA approaches in workshops and at the DLS User Summits.

The goal of the guidance is to shift the focus away from purely formal software validation towards efficient, meaningful, risk-based software assurance.

The FDA recommends a 6-step process to determine the appropriate level of activity:

  1. Identification of the intended use
    The first step is to determine how and for what purpose the software will be used – e.g. directly in production or to support the quality system. This determines whether and to what extent validation is required.
  2. Risk-based analysis
    The risks that could arise in the event of a failure are assessed for each relevant function. A distinction is made between “High process risk” (possible impairment of product safety) and “Not high process risk”. (See publication in GMP Compliance Adviser: 9.D System Classification and Risk Management)
  3. Evaluation of software changes
    Changes to production or quality-relevant software are checked to see whether they have an impact on safety or effectiveness.
    Depending on the result, the FDA is notified either in an annual report or via a 30-day notification.
  4. Determination of suitable assurance activities
    The selection of test methods and the scope of validation depend on the risk identified. High risks usually require detailed, documented tests. Lower risks can be covered with simpler or exploratory methods.
  5. Additional considerations for assurance activities
    Existing controls, supplier evaluations and process safeguards can reduce the validation effort. Manufacturers may use existing records to avoid duplication of work.
  6. Creation of suitable documentation
    All evaluations, tests and results must be documented in a traceable manner. The FDA highly recommends using digital records such as audit trails or system logs instead of paper-based records.

“FDA’s risk-based Computer Software Assurance approach provides a practical and modern basis for the efficient evaluation and validation of computerised systems. Focusing on individual functions enables a more precise risk evaluation and strengthens traceability. This approach is consistent with our established risk evaluation procedure, which we already convey in our consultations and in the GMP Compliance Adviser. A particularly positive aspect is that existing controls and digital records can be used in a targeted manner to reduce the validation effort. This improves both regulatory compliance and practical feasibility for manufacturers,” says Dr. Dennis Sandkühler, Director Quality & Compliance at Digital Life Sciences GmbH.
