The FDA finalised its Computer Software Assurance guidance in September 2025. It codifies a risk-based, critical-thinking approach to GxP software validation — shifting the standard from uniform CSV documentation to proportionate evidence. Here's what changed, what didn't, and what your programme needs to address.
From Draft to Final: What You Need to Know
The FDA first released the CSA draft in September 2022. After three years of public comments and industry feedback, the final guidance landed in September 2025. This is no longer a "watch and wait" situation — inspectors are already evaluating validation programmes against CSA principles, whether or not your programme explicitly references them.
Draft vs Final: Key Changes
| Area | 2022 Draft | 2025 Final Guidance |
|---|---|---|
| Vendor evidence | Encouraged but not explicitly defined | Explicitly endorsed — can replace re-testing for lower-risk functions |
| Risk tiers | General framework, loosely defined | Clearer alignment with GAMP 5 categories |
| Documentation expectation | Implied reduction from CSV | Explicitly proportionate — justification must be documented |
| Critical thinking | Mentioned as principle | Formalised — documented rationale is part of the assurance package |
| 21 CFR Part 11 controls | Unchanged | Unchanged — explicitly reaffirmed |
| Periodic review | Not addressed | Continuous assurance model referenced |
GAMP 5 Risk Tiers Under CSA
- Cat 1: Infrastructure Software — OS, networks, databases. Vendor evidence and configuration records sufficient. No scripted testing required.
- Cat 3: Commercial Off-the-Shelf (COTS) — Used as-supplied with no configuration. Vendor documentation and basic installation verification typically sufficient.
- Cat 4: Configured Commercial Software — QMS, LIMS, ERP, MES. Vendor evidence covers the base platform; your testing focuses on critical configured functions only.
- Cat 5: Custom Software — Bespoke or custom-developed code. CSA does not reduce requirements here. Full SDLC lifecycle validation is still required.
Five Things Your Programme Should Address Now
- ✓ Classify your inventory by GAMP 5 category. Without this, you can't apply proportionate effort — or defend your approach in an inspection.
- ✓ Document your risk rationale. The "why" behind your validation scope is now a required part of the assurance package — not just an internal note.
- ✓ Collect and reference vendor evidence. For Category 3 and 4 systems, formally reference vendor test packages rather than re-executing equivalent tests.
- ✓ Update your Validation Master Plan. If your VMP still describes uniform CSV for all systems, update it to reflect your CSA-aligned risk rationale and scope.
- ✓ Move toward continuous assurance. The final guidance references maintaining systems in an ongoing state of assurance — periodic review should be proportionate and built into the lifecycle.
How GoVal Supports CSA Implementation
GoVal classifies systems by GAMP 5 category at intake, automatically scales documentation and test scope, prompts vendor evidence referencing, and generates the risk rationale as a structured artefact — not a manual text field. Periodic review workflows are built into the lifecycle so systems stay in a continuous state of assurance between change events. If your current process still applies uniform test scripts to every GxP system, the CSA final guidance gives you both the regulatory basis and the practical reason to change that now.
Frequently Asked Questions
What did the FDA finalise in the CSA guidance in September 2025?
Does the FDA CSA final guidance apply to all pharma software?
What are the four software categories under FDA CSA?
Can pharma companies still use the old CSV approach after CSA?
How does GoVal help pharma teams implement FDA CSA guidance?